Nikhil Hegde

@ka1do9

Followers
352
Following
556
Media
16
Statuses
187

Opinions are my own and not of my employer

India
Joined January 2020
@ka1do9
Nikhil Hegde
9 months
Disclosure: The tooling code was generated through a LLM. I provided the ideas and directed the model to create the relevant code. Without this assistance, it would have taken me longer to codify the concept, given that I’m not deeply versed in JS.
@ka1do9
Nikhil Hegde
9 months
We will look at:
● Removal of junk comments.
● Removal of junk unused variables.
● Simplifying function bodies.
● Signaturizing ASTs to auto-rename functions.
● Deobfuscating the recently reported MintsLoader malware.
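The cleanup pipeline listed in that tweet, as an added example that is not the author's tooling: the blog's code targets JavaScript, while this block applies the same AST ideas (dead-constant removal, constant folding, a structural "signature" of a function that ignores identifiers and literals, and automatic renaming of matches) to Python source with the standard ast module. The obfuscated sample, the reference xor_decode function and the name it assigns are all constructed for illustration.

```python
"""Added example (not the author's tooling, which targets JavaScript): the same
AST-based cleanup and "signaturizing" approach applied to Python source with the
standard ast module.  The sample, the reference function and the renaming
policy are constructed for illustration."""
import ast
import hashlib
import operator

# Constructed "obfuscated" sample: opaque function name, dead assignments,
# arithmetic that can be folded, and a call site that must be renamed too.
SAMPLE = '''
def _0x1f3a(a, b):
    junk1 = 42
    junk2 = 3 * 7 + 1
    r = ""
    for c in a:
        r += chr(ord(c) ^ b)
    return r

print(_0x1f3a("abc", 7))
'''

# Reference implementations whose AST shape we want to recognise.  Identifier
# names and constant values are ignored by the signature; only node types
# (operators included) and their nesting count.
REFERENCE = {
    "xor_decode": '''
def xor_decode(data, key):
    out = ""
    for ch in data:
        out += chr(ord(ch) ^ key)
    return out
''',
}

_FOLD = {ast.Add: operator.add, ast.Sub: operator.sub,
         ast.Mult: operator.mul, ast.BitXor: operator.xor}


class FoldConstants(ast.NodeTransformer):
    """Simplify function bodies: evaluate integer BinOps whose operands are literals."""
    def visit_BinOp(self, node):
        self.generic_visit(node)               # fold the innermost operations first
        fn = _FOLD.get(type(node.op))
        if (fn and isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant)
                and isinstance(node.left.value, int) and isinstance(node.right.value, int)):
            return ast.copy_location(ast.Constant(fn(node.left.value, node.right.value)), node)
        return node


class RemoveDeadAssigns(ast.NodeTransformer):
    """Drop `name = <literal>` statements whose name is never loaded anywhere.
    Only literal right-hand sides are removed, so no side effect can be lost."""
    def __init__(self, loaded):
        self.loaded = loaded

    def visit_Assign(self, node):
        t = node.targets
        if (len(t) == 1 and isinstance(t[0], ast.Name) and t[0].id not in self.loaded
                and isinstance(node.value, ast.Constant)):
            return None                        # returning None deletes the statement
        return node


def loaded_names(tree):
    return {n.id for n in ast.walk(tree)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}


def signature(func):
    """Structural hash of a FunctionDef: node type names in ast.walk order."""
    shape = "|".join(type(n).__name__ for n in ast.walk(func))
    return hashlib.sha256(shape.encode()).hexdigest()


def source_signature(src):
    """Signature of the first function defined in `src`."""
    return signature(next(n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)))


KNOWN = {source_signature(src): name for name, src in REFERENCE.items()}


def rename(tree, old, new):
    for n in ast.walk(tree):
        if isinstance(n, ast.FunctionDef) and n.name == old:
            n.name = new
        elif isinstance(n, ast.Name) and n.id == old:
            n.id = new                         # call sites follow the definition


def deobfuscate(source):
    tree = ast.parse(source)                   # comments never reach the AST
    tree = FoldConstants().visit(tree)
    tree = RemoveDeadAssigns(loaded_names(tree)).visit(tree)
    for node in list(ast.walk(tree)):
        if isinstance(node, ast.FunctionDef):
            known = KNOWN.get(signature(node))
            if known and node.name != known:
                rename(tree, node.name, known)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

The signature deliberately hashes node types only, so a renamed or re-literalled copy of a known routine still matches, while a routine with a different operator (addition instead of XOR) does not. Dead-assignment removal is restricted to literal right-hand sides on purpose: dropping an unused call result would silently change behaviour, which is exactly what a deobfuscator must not do.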
@ka1do9
Nikhil Hegde
9 months
Blog post alert! This one is about developing tooling to deobfuscate JavaScript malware using Abstract Syntax Trees (ASTs). #windows #malware #javascript #llm
@ka1do9
Nikhil Hegde
10 months
Turla backdoor tries to bypass ETW, EventLog and AMSI by disabling PSEtwLogProvider and patching specific functions. But some of its patching is buggy. This blog describes the bypass techniques and why some of the function patches are faulty.
nikhilh-20.github.io
M&M: Malware and Musings
@ka1do9
Nikhil Hegde
10 months
RT @shanselman: Join @markrussinovich and me as we learn to Influence without Authority! #podcast
@ka1do9
Nikhil Hegde
10 months
Blog link (2/2):
nikhilh-20.github.io
M&M: Malware and Musings
@ka1do9
Nikhil Hegde
10 months
This blog is about the Emansrepo infostealer: Python code extraction from a PyInstaller-based sample followed by deobfuscation. The final code is so clean and well-written, with comments and great variable names, that I believe it was written with the help of an LLM. (1/2)
@ka1do9
Nikhil Hegde
10 months
This blog is about PE process injection as implemented in the BugSleep backdoor loader. This is an old technique, but I go over why the implementation in the loader is buggy and easily blocked by EDRs.
nikhilh-20.github.io
M&M: Malware and Musings
@ka1do9
Nikhil Hegde
11 months
While this technique has been around for a while, I think people getting into malware analysis (or veterans who might need a refresher) can use this info to quickly understand this obfuscation technique. There's lots of WinDbg and PEB internals info in there!
@ka1do9
Nikhil Hegde
11 months
In this one, I go into great detail about how malware walks the Process Environment Block (PEB) to find particular DLLs and parses their export table to find the addresses of functions.
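The second half of that walk, export-table parsing, as an added example that is not code from the blog: starting from a module base address (the value the PEB's loader list ultimately hands you), follow the DOS header to the NT headers, take DataDirectory[0], and resolve a function by name or by ordinal. The PEB walk itself is Windows-only, so the input here is a constructed minimal PE32+ image with RVA equal to offset, which is how a mapped module looks in memory; the export names, the forwarder string and the RVAs are all made up for the example.

```python
"""Added example, not code from the blog: parsing a module's export table the
way the post describes, starting from a module base and resolving a function
by name or by ordinal.  The image is a constructed minimal PE32+ layout with
RVA == offset, exactly as a mapped module looks in memory (for a file on disk
you would first translate RVAs through the section headers)."""
import struct


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def _cstr(b, off):
    return bytes(b[off:b.index(b"\0", off)]).decode("ascii")


def _export_directory(image):
    """Locate IMAGE_EXPORT_DIRECTORY via DOS header -> NT headers -> DataDirectory[0]."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 4 + 20                        # skip Signature + IMAGE_FILE_HEADER
    magic = _u16(image, opt)
    dd = opt + (112 if magic == 0x20B else 96)     # DataDirectory offset: PE32+ vs PE32
    return _u32(image, dd), _u32(image, dd + 4)    # (RVA, size) of the export directory


def export_module_name(image):
    exp_rva, _ = _export_directory(image)
    return _cstr(image, _u32(image, exp_rva + 12))  # IMAGE_EXPORT_DIRECTORY.Name


def resolve_export(image, wanted):
    """wanted is an ASCII name or a biased ordinal.  Returns ("rva", int),
    ("forward", "DLL.Func") for forwarded exports, or None if absent."""
    exp_rva, exp_size = _export_directory(image)
    if exp_rva == 0:
        return None                                 # module exports nothing
    base = _u32(image, exp_rva + 16)
    n_funcs = _u32(image, exp_rva + 20)
    n_names = _u32(image, exp_rva + 24)
    funcs = _u32(image, exp_rva + 28)              # AddressOfFunctions
    names = _u32(image, exp_rva + 32)              # AddressOfNames
    ords = _u32(image, exp_rva + 36)               # AddressOfNameOrdinals

    if isinstance(wanted, int):
        idx = wanted - base                         # ordinals are biased by Base
    else:
        idx = None
        for i in range(n_names):                    # names[] and ordinals[] run in parallel
            if _cstr(image, _u32(image, names + 4 * i)) == wanted:
                idx = _u16(image, ords + 2 * i)     # already unbiased: an index into funcs[]
                break
    if idx is None or not 0 <= idx < n_funcs:
        return None
    rva = _u32(image, funcs + 4 * idx)
    if rva == 0:
        return None                                 # hole in the ordinal range
    if exp_rva <= rva < exp_rva + exp_size:         # RVA inside the export section == forwarder
        return ("forward", _cstr(image, rva))
    return ("rva", rva)


def build_fake_image():
    """Constructed minimal PE32+ image (not a real DLL) with four exports:
    two plain, one forwarder, one exported by ordinal only."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # IMAGE_FILE_HEADER
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                                   # PE32+ magic
    struct.pack_into("<II", img, opt + 112, 0x200, 0x200)                     # export dir RVA / size
    cursor = 0x340                                   # strings live inside the export section

    def put(s):
        nonlocal cursor
        rva, data = cursor, s.encode("ascii") + b"\0"
        img[cursor:cursor + len(data)] = data
        cursor += len(data)
        return rva

    dll_name = put("kernel32.dll")
    forwarder = put("NTDLL.RtlAllocateHeap")
    named = [("GetProcAddress", 1), ("HeapAlloc", 2), ("LoadLibraryA", 0)]  # sorted, as the loader expects
    name_rvas = [put(n) for n, _ in named]
    # IMAGE_EXPORT_DIRECTORY: Name, Base=1, NumberOfFunctions=4, NumberOfNames=3, three table RVAs
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, dll_name, 1, 4, 3, 0x300, 0x320, 0x330)
    struct.pack_into("<4I", img, 0x300, 0x1000, 0x2000, forwarder, 0x3000)   # AddressOfFunctions
    struct.pack_into("<3I", img, 0x320, *name_rvas)                          # AddressOfNames
    struct.pack_into("<3H", img, 0x330, *(i for _, i in named))              # AddressOfNameOrdinals
    return img


if __name__ == "__main__":
    img = build_fake_image()
    for q in ("LoadLibraryA", "GetProcAddress", "HeapAlloc", 4, "Nope"):
        print(q, resolve_export(img, q))
```

Two details matter when you read a real loader or its malware imitation: the ordinal table already stores indexes into AddressOfFunctions (Base is subtracted), and an RVA that lands inside the export directory's own range is a forwarder string rather than code, so a resolver that ignores that check will happily hand back a pointer to ASCII text.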
@ka1do9
Nikhil Hegde
1 year
RT @Shreylocks: Honourable police, it is acceptable even if that Vedant Agarwal goes unpunished 🙏🏽. But do not frame that poor, innocent, helpless driver…
@ka1do9
Nikhil Hegde
1 year
RT @TanushreePande: No country for the less privileged. #PuneHitandRun
@ka1do9
Nikhil Hegde
1 year
RT @Ax_Sharma: A GitHub flaw lets attackers upload executables that appear to be hosted on a company's official repo, such as Microsoft's—w….
@ka1do9
Nikhil Hegde
2 years
I also provide a hypothesis about the malformed SSH packet with the "hi" string.
@ka1do9
Nikhil Hegde
2 years
Blog post! In this one, I take a MIPS little-endian sample, the NoaBot botnet, submit it to the ELFEN sandbox and get solid insights within 3m. This is where ELFEN shines: no need to reverse MIPS disassembly to know more about the sample! #malware #sandbox
nikhilh-20.github.io
M&M: Malware and Musings
@ka1do9
Nikhil Hegde
2 years
Blog post alert! In this one, I take an INC Linux ransomware sample (targets ESXi), submit it to the ELFEN sandbox and get solid insights within 2m. For completeness, I also dive into IDA's decompilation and describe the encryption mechanism. #malware
nikhilh-20.github.io
M&M: Malware and Musings
@ka1do9
Nikhil Hegde
2 years
RT @nullcon: 👾Linux #Malware. 💻Nikhil @ka1do9 shared insights on how using open-source technologies, an in-depth analysis of #Linux based m….
@ka1do9
Nikhil Hegde
2 years
RT @TBIJ: How did London become “the libel capital of the world”? Our latest investigation looks into Carter-Ruck – Britain’s scariest law…
thebureauinvestigates.com
The government is trying to rein in firms like Carter-Ruck. It’s not easy
@ka1do9
Nikhil Hegde
2 years
RT @_saagarjha: How security engineers flex on each other
@ka1do9
Nikhil Hegde
2 years
RT @ValdikSS: Well, shit. Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP….