PoisonX WindowsTelemetry: BYOVD-Assisted RAT With a Plugin Loader
PoisonX WindowsTelemetry chain: VERSION.dll sideloading, BYOVD scheduler, 10FX RAT protocol, SOCKS relay, plugin loading, and C2 reuse across two archives.
Technical malware analysis, reverse engineering, and threat intelligence.
Static reverse engineering of a 6.9 MB Go RAT delivered through a C stub loader with XOR, ChaCha20, DEFLATE, AES-GCM strings, and WebSocket C2.
A Go 1.25.4 Vidar v1.5 sample uses a twelve-category sandbox scoring system, Telegram and Steam dead-drop C2 discovery, and process injection APIs.
Five-layer delivery chain from a RAR5 archive through a signed carrier DLL side-load, AES-CBC hidden in a fake zlib DLL, IExpress extraction, AutoIt process hollowing, and a .NET C2 beacon on WebSocket.
A VECT 2.0 Windows sample can recover small files with a static ChaCha20 key and saved 12-byte nonce, but its large-file path keeps only the final nonce and loses the rest.
M3rx surfaced with a small leak-site burst and a Go ransomware sample using gzip+gob config data, X25519, AES-CTR file encryption, AES-GCM key wrapping, and a 0x400-byte footer.
A Rust Kyber ransomware sample uses AES-256-CTR style file encryption, Kyber1024-sized material, active X25519 arithmetic, and a fixed 0x744 trailer.
A fresh Urelas cluster shows thousands of March-April 2026 samples, Korean ISP command-and-control hosts, a bit-flipped MSMP config, and JPEG capture records built for Korean card-game clients.
A PowerShell sample installs a GitHub-hosted Node controller, uses a BNB Smart Chain contract to resolve its backend, then hands elevated Windows hosts to a native rpc.exe helper.
Teardown of the CheckQilin Windows build from 2025's top ransomware crew: BYOVD EDR killer, AES/ChaCha20 dispatch, RSA-OAEP footer, one-byte password bypass.
Same operator, new delivery chain. ClickFix through Cloudflare tunnels drops five RAT families simultaneously - including Brute Ratel C4 wrapping PureHVNC.
Axios 1.14.1 supply chain attack torn apart. XOR dropper deobfuscated, macOS Mach-O decompiled, Windows PowerShell RAT reversed, C2 protocol mapped.
Five code obfuscation layers broken, transport encryption reversed, and the full server-pushed config decrypted from a live Aura Stealer C2. Heaven's Gate, CFF, FNV-1a hash tables, and AES-256-CBC.
Crypto analysis of a Jan 2026 Pay2Key encryptor. ChaCha20 + Curve25519 via OpenSSL, null nonce, session.tmp on disk. Intermittent mode leaves 70-87% plaintext in large files.
Analysis of a Go binary that sends host telemetry to GPT-4 and only drops its Sliver C2 payload if the model says the environment is safe. We recovered the full system prompt.
Static analysis of 15 InterLock samples: ScreenConnect delivery, NodeSnake implants in three languages, a shared crypter, and dual-platform ransomware.
Full static analysis of the Payload ransomware group. Curve25519 + ChaCha20 encryption, Windows + ESXi builds, 12 victims, 2,603 GB exfiltrated.
A 10-stage ClickFix chain uses finger.exe, EtherHiding smart contracts, and Hell's Gate syscalls to deliver a memory-resident x64 backdoor.
Analysis of Tranium, a Go wiper disguised as ransomware. AES-CBC encryption, MBR overwrite, 30+ system files destroyed, 10 persistence mechanisms, zero payment infrastructure.
A TAG-124 fileless PowerShell RAT with 1/76 VT detection. We decoded the wire protocol, four DGA systems, persistence modes, and probed the live C2 server.
A Vietnamese operator has run 600+ malicious ZIPs through 47+ GitHub accounts for 13 months. C2 resolves via Polygon smart contract. Final payload is StealC.
A three-stage VBSEdit botnet uses BSC testnet smart contracts to resolve C2 URLs at runtime. One blockchain transaction rotates every bot to a new domain.
An operator hides .NET injector DLLs in 4K wallpaper JPEGs on archive.org, rotating daily across four accounts to deliver Remcos and AsyncRAT.
Static analysis of IronChain, a Python wiper disguised as ransomware. The RSA-4096 private key is never saved or exfiltrated -- encrypted files are permanently lost.
Five generations of Python loader encryption in a 9-RAT campaign: from plaintext RC4 to polymorphic Unicode bytecode, with Donut Chaskey CTR shellcode bridging to .NET.
Three AutoIt persistence chains deliver Remcos v7.0.1 Pro for Canadian banking fraud. The third delivers PureHVNC on shared PureLogs C2 infrastructure.
Technical analysis of PureCrypter, a builder-generated .NET crypter from the PureCoder malware-as-a-service ecosystem, recovered from a multi-stage intrusion tracked as SERPENTINE#CLOUD. Two builds fully reversed.
Technical analysis of VioletWorm v4.7 (also tracked as Violet RAT) -- a .NET RAT with ransomware, HVNC, USB spreading, crypto clipping, and 120 command branches dispatched through C2-delivered plugin DLLs -- recovered from a multi-stage intrusion with tooling overlap to SERPENTINE#CLOUD.
Technical analysis of two PureLogs variants from the PureCoder MaaS ecosystem -- a plugin stager and a monolithic crypto-stealing fat client -- recovered from a multi-stage intrusion tracked as SERPENTINE#CLOUD.
Reverse engineering a fund-draining honeypot smart contract disguised as a MEV arbitrage bot on GitHub, exposing the hidden backdoor and withdrawal mechanism.