Full static teardown of StudioSecGhost, a novel native x64 hVNC agent that piggybacks on Chrome/Edge/Firefox via per-window ghost cloaking, skipping CreateDesktopW entirely. C2: 2.26.122[.]211:4444. Pure disassembly, no sandbox required.

Three real-world PoolParty samples reverse-engineered end to end. Sample A is a 50 KB TP_DIRECT dropper that incidentally defeats capa's nursery TP_WORK rule; Sample B is the canonical SafeBreach research build with all eight variants and boost::log phase strings still in the binary; Sample C is a March 2026 ITW campaign artifact whose .text is byte-identical to Sample B after trim, wrapped in a hasherezade pe_to_shellcode reflective loader with a malformed-MZ trampoline. Includes a cross-variant YARA rule with four detection paths, five draft capa nursery candidates for the variants no one has rules for, and a CRC32-IEEE-802.3 API-hash reverser for the wrapper.

Reversing a 2025 GuLoader (CloudEye) NSIS-3 build that drops 19 files into %TEMP% under 17.6 MB of constant-byte sandbox-bypass padding, builds Windows API names from random Danish nouns to call through the System.dll plugin, decodes a 4-byte-XOR'd shellcode container, hash-resolves 31 APIs, and stages an MPRESS-packed Remcos 7.2.3 Pro from Google Drive that beacons raw TCP to 31.57.184.186:2404.

Reversing the historic Sony Pictures-signed Destover backdoor (Lazarus / DarkSeoul, Dec 2014): Authenticode chain stamped with the stolen SPE certificate, a 10-entry C2 server table with two live IPs, dot-space API obfuscation that hides 111 Win32 names, a date-keyed payload trigger, and a service-mode persistence path. Includes paired YARA rules and a static config extractor.

Reversing the cred64.dll plugin distributed by Amadey 5.78 (botnet 54e64e): three-stage Vigenère + Base64 string-decode pipeline, contiguous .rdata config block, RC4-encrypted exfil over plain HTTP, and a live C2 panel that handed back the byte-identical bot plus an x86 sibling plugin.

Reverse engineering a 64-bit MinGW VERSION.dll proxy carrier from the FUD Crypt MaaS platform: ROR-13 hash resolver, single-byte ETW patch, AMSI bypass via hardware breakpoint and VEH, RC4 plus 32-byte rolling XOR pipeline, and a live catbox stage-2 payload that politely told me it was a FudCrypt Test.

A reversing walkthrough of a Gafgyt variant uploaded as assailant.x86, branded YakuzaBotnet and operated by the handle Scarface1337. Covers C2 protocol, eight attack commands, the classic NeTiS banner heritage, and a Python config extractor.

Static analysis of a from-scratch .NET infostealer that masquerades as svchost.exe and exfiltrates 52 categories of stolen data to a Telegram bot. Covers MPRESS unpacking, Chrome v10/v20 App-Bound Encryption, winlogon token impersonation, Discord token theft, seed-phrase hunter, and a full capability boundary analysis.

Reverse-engineering moom825's Discord RAT 2.0: Discord WebSocket C2, 50 ! commands, a ransomware module that only encrypts one byte, and a modular loader that pulls r77-rootkit and the BlackNET password stealer off GitHub at runtime.

Reverse-engineering a 2012-era Pony/Fareit credential stealer: the GetTickCount-mod-7 anti-emulation gate that stalls Speakeasy at 9,980 ticks, MD5-vs-API-hashing identification, and released Python and IDAPython tooling.