Reversing a Custom Cipher to Extract Quasar RAT: From Raw Disassembly to Decrypted C2 Config

Reverse engineering a custom byte-level cipher from raw x64 disassembly to extract a 3.2MB Quasar RAT payload, then cracking the PBKDF2/AES-256 config to reveal the C2 server. Full Python extraction pipeline included.

Apr 11, 2026 malware-reversing, threat-intel

DcRAT in 48KB: Cracking the Config, Mapping the Plugin Loader, and Why the Stub IS the Malware

Reversing a 48KB DcRAT stub, cracking AES-256 encrypted config via PBKDF2 key derivation, mapping the fileless plugin architecture, and documenting why a minimal loader with zero offensive code scores 100/100 on CAPA.

Apr 10, 2026 malware-reversing, threat-intel

XWorm crypter analysis with bootkit and rootkit

Cracking a .NET Crypter to Extract a Weaponized XWorm: Bootkit, Rootkit, and a Zero-Day UAC Bypass

Tearing apart a .NET crypter to extract dual XWorm RAT payloads, then decompiling the RAT to find a UEFI bootkit with BlackLotus DBX bypass, an r77 rootkit, driver infection, CVE-2026-20817 zero-day UAC bypass, and D/Invoke API evasion.

Apr 9, 2026 malware-reversing, threat-intel

Backdoor.Win64.Gsb: A Go Implant Hiding Behind Nuclear Reactor Simulations

Reversing a novel Go-compiled backdoor distributed by GCleaner that uses nuclear reactor physics type names and CJK-obfuscated function names to evade detection, with only 15.8% VirusTotal detection despite allocating RWX memory and calling SyscallN directly.

Apr 8, 2026 malware-reversing, threat-intel

njRAT v0.7d 'HacKed' Campaign: Config Extraction, C2 Protocol, and Full Capability Mapping

Static analysis of a novel njRAT v0.7d im523 build with 'HacKed' campaign tag: C2 config extraction, 30+ command dispatch mapping, USB worm propagation, and credential theft, with reproducible Python tooling and YARA rules.

Apr 7, 2026 malware-reversing, threat-intel

Pulsar RAT .NET Reversing: C2 Protocol Recovery, Costura Extraction, and DPAPI Credential Theft Pipeline

Offline static analysis of an MPRESS-packed Pulsar RAT variant: Costura extraction, AES-256 C2 protocol reversal, DPAPI credential theft, ConfuserEx deobfuscation, and Windows RE persistence, with reproducible tooling and YARA rules.

Apr 6, 2026 malware-reversing, threat-intel

Kaiji-Like Linux ELF Reversing: Persistence, C2 Token Recovery, and Ares Module Mapping

Offline static analysis of a Kaiji-like Linux ELF sample: persistence, decoded C2 token, Ares module mapping, and reproducible analyst artifacts.

Mar 6, 2026 malware-reversing, threat-intel

Mirai-like Stage1 analysis social preview card

Mirai-like ELF Reversing, Part I: Stage1 Trust Gate, Command Dispatch, and Killer Loop

Static analysis of a Mirai-lineage ELF bot covering C2 trust verification, seven-method command dispatch, anti-competition killer logic, and reproducible extraction scripts.

Feb 25, 2026 malware-reversing, threat-intel

Stage1 22.exe loader reverse-engineering analysis

Stage1 (22.exe) Loader Reversing, Part I: Stage Decryption, Evasion, and Attribution

Reverse engineering a staged loader that patches AMSI and ETW, decrypts an AES-256-CBC payload in memory, and hands off to a Vidar-like credential stealer.

Feb 23, 2026 malware-reversing, threat-intel

From log.dll To A Decrypted Chrysalis Main Module

End-to-end offline unpacking of the Lotus Blossom Chrysalis backdoor chain, from DLL sideloading through shellcode extraction, region decryption, and RC4 config recovery, without a live Windows debugger.

Feb 20, 2026 malware-reversing, threat-intel