About
About Me
I’m a security professional with a focus on malware analysis, reverse engineering, and operating system internals. My work centers on taking apart real-world threats, understanding how they operate at the binary level, and producing analysis that other researchers can reproduce and build on.
This blog documents my reversing workflow across Windows PE, Linux ELF, and Go-compiled malware. Every post includes decompiled source code, extracted configurations, detection rules, and downloadable analysis artifacts. If I claim something in a write-up, there’s a script or a disassembly slice to back it up.
What I Cover
- .NET malware reversing (ILSpy decompilation, config extraction, crypter teardowns)
- Native binary analysis (IDA Pro, radare2, Ghidra)
- Go malware (GoReSym, symbol recovery, CJK obfuscation analysis)
- Detection engineering (YARA rules, Suricata signatures, IOC extraction)
- Cryptographic analysis (AES, PBKDF2, RC4 config decryption with Python tooling)
- Threat intelligence (C2 infrastructure mapping, campaign tracking, attribution analysis)
Repositories
| Repo | What’s Inside |
|---|---|
| reverse-engineer | This blog. Source markdown, diagrams, and IDA screenshots |
| analysis_data | Scripts, decompiled source code, extraction tools, and reports for every analyzed sample |
| YARA | Detection rules organized by malware family (stealers, RATs, botnets, backdoors) |
Published Analyses
| Family | Type | Key Findings |
|---|---|---|
| Chrysalis | .NET backdoor | Multi-stage unpacking, Unicorn emulation, RC4 config recovery |
| 22.exe / Vidar | Staged loader | AMSI/ETW bypass, AES-256-CBC decryption, Vidar attribution |
| Mirai | Linux botnet | Trust gate, 7-method command dispatch, cross-variant validation |
| Kaiji | Linux botnet | Go ELF, systemd/cron persistence, Ares module mapping |
| Pulsar RAT | .NET RAT | ConfuserEx deobfuscation, C2 protocol reversal, DPAPI credential theft |
| njRAT | .NET RAT | Full decompilation, 30+ command dispatch, Win32 API deep dives |
| Gsb Backdoor | Go backdoor | Nuclear reactor decoy obfuscation, CJK garble, Factory-v3 builder |
| XWorm | .NET crypter + RAT | UEFI bootkit, r77 rootkit, CVE-2026-20817, dual payload extraction |
| DcRAT | .NET RAT | PBKDF2/AES config cracking, fileless plugin architecture |
| Quasar Loader | x64 loader + Quasar RAT | Custom byte-level cipher from raw disassembly, 3.2MB Quasar extraction, PBKDF2/AES-256 config crack |
| Chaos/Ares | Go Linux botnet | 12 DDoS vectors, DNS-based C2 with AES/DES, 11 persistence mechanisms including SELinux bypass |
| NanoCore RAT | .NET RAT | v1.2.2.0 decompilation, plugin architecture, commercial-trojan persistence |
| ZyreC2 | Linux DDoS botnet | Mirai fork, 9-method Minecraft flooder, Discord attack module, unstripped debug symbols |
| Pony / Fareit | x86 credential stealer | 60+ FTP clients, GetTickCount-mod-7 anti-emulation gate, MD5 vs API-hashing identification |
| Discord RAT 2.0 | .NET Discord-gateway RAT | 50-command WebSocket C2, one-byte fake ransomware, r77 rootkit + BlackNET stealer supply chain, operator snowflake timeline |
Contact
Find me on GitHub: github.com/taogoldi