About
About Me
I’m a security professional with a focus on malware analysis, reverse engineering, and operating system internals. My work centers on taking apart real-world threats, understanding how they operate at the binary level, and producing analysis that other researchers can reproduce and build on.
This blog documents my reversing workflow across Windows PE, Linux ELF, and Go-compiled malware. Every post includes decompiled source code, extracted configurations, detection rules, and downloadable analysis artifacts. If I claim something in a write-up, there’s a script or a disassembly slice to back it up.
What I Cover
- .NET malware reversing (ILSpy decompilation, config extraction, crypter teardowns)
- Native binary analysis (IDA Pro, radare2, Ghidra)
- Go malware (GoReSym, symbol recovery, CJK obfuscation analysis)
- Detection engineering (YARA rules, Suricata signatures, IOC extraction)
- Cryptographic analysis (AES, PBKDF2, RC4 config decryption with Python tooling)
- Threat intelligence (C2 infrastructure mapping, campaign tracking, attribution analysis)
Repositories
| Repo | What’s Inside |
|---|---|
| reverse-engineer | This blog. Source markdown, diagrams, and IDA screenshots |
| analysis_data | Scripts, decompiled source code, extraction tools, and reports for every analyzed sample |
| YARA | Detection rules organized by malware family (stealers, RATs, botnets, backdoors) |
Published Analyses
| Family | Type | Key Findings |
|---|---|---|
| Chrysalis | .NET backdoor | Multi-stage unpacking, Unicorn emulation, RC4 config recovery |
| 22.exe / Vidar | Staged loader | AMSI/ETW bypass, AES-256-CBC decryption, Vidar attribution |
| Mirai | Linux botnet | Trust gate, 7-method command dispatch, cross-variant validation |
| Kaiji | Linux botnet | Go ELF, systemd/cron persistence, Ares module mapping |
| Pulsar RAT | .NET RAT | ConfuserEx deobfuscation, C2 protocol reversal, DPAPI credential theft |
| njRAT | .NET RAT | Full decompilation, 30+ command dispatch, Win32 API deep dives |
| Gsb Backdoor | Go backdoor | Nuclear reactor decoy obfuscation, CJK garble, Factory-v3 builder |
| XWorm | .NET crypter + RAT | UEFI bootkit, r77 rootkit, CVE-2026-20817, dual payload extraction |
| DcRAT | .NET RAT | PBKDF2/AES config cracking, fileless plugin architecture |
Contact
Find me on GitHub: github.com/taogoldi