P0C
@FlxP0C
Followers: 154 | Following: 330 | Media: 0 | Statuses: 215
IT Security | Reverse Engineering | Malware | Former member of @FluxFingers | Team Lead in R&D at @GDataSoftwareAG at day | Malware Reversing at night
/dev/random
Joined May 2010
Check out my latest blog post on having fun with a #ursnif vbs dropper. Some funny anti-sandbox tricks inside.. https://t.co/RhqfEzkzAe
@JAMESWT_MHT @hasherezade @VK_Intel @tbarabosch
malware.love
Don't forget! When you get into your new job, rebase-squash the codebase into 1 commit with the message "Legacy code"
Want to see what EDR sensors see when you practice attacks and develop bypasses, without tipping off defenders? I'm starting a new series on reversing and evading EDRs, with a paper on how to divert telemetry to private infrastructure. Check it out! https://t.co/i7zy1xbNPh
Windows APC internals Series: In this post I explain about KiUserApcDispatcher, Wow64 internals, The Wow64 APC, APC Injection from a 64 bit process to Wow64 and backwards and more! In the next post we'll finally talk about Kernel APC! Stay tuned 😺 https://t.co/kEAKZYN3tc
I just published How to avoid falling down the rabbit hole while analyzing malware
link.medium.com
In this article I would like to take a step back and get a bird’s eye view on the malware analysis process..
"We build our computer systems the way we build our cities: over time, without a plan, on top of ruins." — Ellen Ullman
The FormBook malware has a creative approach to hiding encrypted strings - it stores them in gibberish code as operands and retrieves them using a small disassembly engine. Wrote a short post about it here: https://t.co/ey1UVxX1Vq
🔥 New blog: Hancitor's packer demystified 🔥: https://t.co/horTtcf02M | 📖 step-by-step unpacking guide | 🧐 insight into a packer which has been used by many malware families | 🙏 h/t for sharing samples & writeups: @James_inthe_box @0verfl0w_ @VK_Intel @malware_traffic
We found the full CARBANAK source code & previously unseen plugins. Our #FLARE team spent 500 hours analyzing the 100,000+ lines of code. @mykill & @jtbennettjr just dropped day 1 of their 4-part blog series: https://t.co/0DULpYoDzq Source code linked in blog. #CarbanakWeek 🦈💳
We just released mkYARA: a tool to generate YARA rules based on executable code, wildcarding variable values such as stack offsets, memory addresses etc. https://t.co/9XwAVIuDCu
Using IDA Python to analyze Trickbot: How to deal with encrypted strings and an IAT created during runtime in IDA Python. My latest piece on
#KARTA - A new, super cool, #ida plugin we just released. A modular framework for identifying and matching open source library symbols within large binaries. Kudos to @EyalItkin for creating it (!) Check it out.
github.com
Karta - source code assisted fast binary matching plugin for IDA - CheckPointSW/Karta
A tutorial walking through the process of devirtualising programmes protected by VMProtect 3
Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development https://t.co/KSe8Wykrmq
#MALWARE #BLACKMOON #KRBANKER #BINDIFF
I've finally got around to completing my first post on reversing #ISFB, specifically, unpacking and analyzing the first stage loader (executable): https://t.co/IMYXRcG4UZ As always, all samples mentioned have been uploaded to @virusbay_io
Two popular games and one gaming platform application were found to have a similar backdoor planted by a group that compromised the Asian developers. Our analysis:
welivesecurity.com
Asian game developers again targeted in supply-chain attacks distributing malware in legitimately signed software