CISO Brief

All news with #malware analysis tag

39 articles · page 2 of 2

Time Travel Debugging for .NET Process Hollowing Analysis

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.

Generative AI Speeds XLoader Malware Analysis and Detection

🔍 Check Point Research applied generative AI to accelerate reverse engineering of XLoader 8.0, reducing days of manual work to hours. The models autonomously identified multi-layer encryption routines, decrypted obfuscated functions, and uncovered hidden command-and-control domains and fake infrastructure. Analysts were able to extract IoCs far more quickly and integrate them into defenses. The AI-assisted workflow delivered timelier, higher-fidelity threat intelligence and improved protection for users worldwide.

Dynamic Binary Instrumentation with DynamoRIO on Windows

🛠️ This post introduces dynamic binary instrumentation (DBI) and provides a hands-on guide to building DBI tooling using DynamoRIO on Windows 11. It explains the difference between static and dynamic instrumentation and highlights practical uses such as malware analysis, anti-anti-analysis techniques, runtime de-obfuscation, and automated unpacking. The tutorial includes example clients, build instructions, and a GitHub repository with sample code to help researchers get started.

Python Foundation Rejects $1.5M NSF Grant Over DEI Terms

🛡️ The Python Software Foundation (PSF) withdrew a $1.5 million proposal to the U.S. National Science Foundation after the approved award included conditions that would bar all PSF programs from activities that 'advance or promote diversity, equity, and inclusion.' The funding, under NSF’s Safety, Security, and Privacy of Open Source Ecosystems program, was intended to support automated malware-detection tools for PyPI and to be ported to other package ecosystems. PSF leaders said DEI is central to their mission, creating an unacceptable conflict that led the board to unanimously decline the grant and ask the community for donations and membership support.

Mandiant Academy Basic Static and Dynamic Analysis

🛡️ Mandiant Academy’s new Basic Static and Dynamic Analysis course teaches foundational techniques for safely examining and triaging Windows binaries. The hands-on curriculum combines PE file inspection, metadata and strings extraction, and controlled execution in a provided virtual machine to observe behavior, network activity, and memory artifacts. No advanced programming prerequisites are required, though familiarity with command-line basics, hexadecimal data, and operating system concepts is recommended.

VirusTotal Crowdsourced AI Adds Exodia Labs for .CRX

🔍 VirusTotal has added Exodia Labs to its Crowdsourced AI lineup to provide automated analysis of Chrome extension (.CRX) files. The new contributor issues a clear verdict — benign, suspicious, or malicious — alongside a behavioral narrative to complement existing AI streams such as Code Insight. Exodia Labs results are indexed in VirusTotal Intelligence with dedicated search operators and surface in the web UI to help analysts rapidly triage extension-related threats.

CISA Details Malware Kits Used in Ivanti EPMM Attacks

🔍 CISA released a technical analysis of malware used in attacks exploiting two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The agency details two distinct malware sets that used a common web-install.jar loader and malicious listener classes to inject and execute code, exfiltrate data, and maintain persistence. Attackers targeted the /mifs/rs/api/v2/ endpoint via HTTP GET requests with a ?format= parameter, delivering segmented, Base64-encoded payloads. CISA published IOCs, YARA and SIGMA rules and advises immediate patching and treating MDM systems as high-value assets.

CISA Malware Analysis: Malicious Listener for Ivanti EPMM

🛡️ CISA released a Malware Analysis Report analyzing two malware families recovered from an organization compromised via CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. The report, titled Malicious Listener for Ivanti EPMM Systems, provides indicators of compromise and detection content including YARA and SIGMA rules to support hunting and response. Recommended mitigations stress upgrading Ivanti EPMM to the latest versions and treating mobile device management systems as high-value assets with enhanced monitoring, access controls, and restrictions.

Malware Analysis: Ivanti EPMM Exploitation and Loaders

🔍 CISA analyzed malicious artifacts deployed after threat actors exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The report details two distinct loader/listener sets written to /tmp that enable arbitrary code execution through crafted HTTP requests. CISA provides IOCs, YARA and SIGMA detection rules, and recommends immediate patching and treating MDM systems as high-value assets.

Chinese APT Uses EggStreme Fileless Framework in Espionage

🛡️ Bitdefender attributed a campaign against a Philippines-based military contractor to a China-linked APT that deployed a previously undocumented fileless framework named EggStreme. The multi-stage operation begins with EggStremeFuel (mscorsvc.dll), which profiles systems, opens a C2 channel, stages loaders, and triggers in-memory execution of the core backdoor via DLL sideloading. EggStremeAgent functions as a central backdoor, injecting a session-specific keylogger (EggStremeKeylogger), communicating over gRPC, and exposing a 58-command toolkit for discovery, lateral movement, privilege escalation and data theft. An auxiliary implant, EggStremeWizard (xwizards.dll), provides reverse-shell access and resilient C2 options; Bitdefender warned that fileless execution and heavy DLL sideloading make detection and forensics difficult.

SVG Malware Campaign Impersonating Colombian Judiciary

🔍 VirusTotal’s Code Insight now parses SWF and SVG formats and quickly uncovered an undetected campaign impersonating the Colombian justice system. The tool differentiated a benign, heuristic-flagged SWF game from a malicious SVG that evaded all AV engines by hiding inline JavaScript which decodes and injects a Base64 phishing page and a ZIP dropper. Code Insight plus VirusTotal Intelligence exposed dozens of polymorphic SVGs and enabled a retrohunt linking hundreds of samples to the same campaign.

EMBER2024: Advancing ML Benchmarks for Evasive Malware

🛡️ The EMBER2024 release modernizes the popular EMBER malware benchmark by providing metadata, labels, and computed features for over 3.2 million files spanning six file formats. It supplies a 6,315-sample challenge set of initially evasive malware, updated feature extraction code using pefile, and supplemental raw bytes and disassembly for 16.3 million functions. The package also includes source code to reproduce feature calculation, labeling, and dataset construction so researchers can replicate and extend benchmarks.

Meet the Next Generation of Unit 42 Threat Intelligence

🔍 Unit 42 highlights two threat intelligence interns, Sakthi Vinayak and Gabrielle Calderon, who completed a 12-week program contributing to practical research and automation projects. Sakthi concentrated on mechanizing data ingestion, implementing a fidelity scoring framework, and building dashboards to surface trends and gaps in the knowledge repository. Gabrielle focused on malware ticket analysis and developing an automation tool to identify malware families and extract indicators of compromise. Both interns credited Unit 42’s collaborative mentorship and cross-team exposure for accelerating their technical growth and real-world impact.

Integrating Code Insight into Reverse Engineering Workflows

🔎 VirusTotal has extended Code Insight to analyze disassembled and decompiled code via a new API endpoint that returns a concise summary and a detailed description for each queried function. The endpoint accepts prior requests as a history input so analysts can chain, correct, and refine context across iterations. An updated VT-IDA plugin for IDA Pro demonstrates integration inside an analyst notebook, allowing selection of functions, iterative review, and acceptance of insights into a shared corpus. The feature is available in trial mode; results have been promising in testing but are not guaranteed complete or perfectly accurate, and community feedback is encouraged.

Code Insight Expands to Cover Software Supply Chain Risks

🛡️ VirusTotal’s Code Insight now analyzes a broader set of software supply chain formats — including CRX, XPI, VSIX, Python WHL, NPM packages, and MCP protocol integrations. The tool inspects code logic to detect obfuscation, dynamic code fetching, credential theft, and remote command execution in extensions and packages. Recent findings include malicious Chrome and Firefox extensions, a deceptive VS Code extension, and compromised Python and NPM packages. This capability complements traditional signature- and ML-based classification by surfacing behavior-based risks.

Donut Shellcode: End-to-End Malware Analysis Tutorial

🧩 This Unit 42 tutorial walks analysts through a complete infection chain that uses Donut-generated shellcode, showing how a small position-independent routine computes its own base address via a call/pop/sub pattern and how that base drives payload offsets. The authors use step-by-step static and dynamic analysis with IDA Pro, x64dbg, dnSpy, and ProcessHacker to validate findings. Readers are shown common techniques such as dynamic API resolution, process injection, and AMSI bypass through memory patching, and are directed to a full PDF on the authors' GitHub for the complete walkthrough.

Malware Analysis on AWS: Building Secure Isolated Sandboxes

🔒 This AWS blog explains how security teams can run malware analysis in the cloud while complying with AWS policies and minimizing risk. It recommends an architecture that uses an isolated VPC with no internet egress, ephemeral EC2 detonation hosts accessed via AWS Systems Manager Session Manager, and secure S3 storage via VPC gateway endpoints with encryption. The post emphasizes strong IAM and SCP guardrails, immutable hosts, automated teardown, centralized logging, and monitoring with CloudTrail and GuardDuty to maintain visibility and lifecycle control.

CISA Releases Thorium: Scalable Malware Analysis Platform

🛡️ CISA, in partnership with Sandia National Laboratories, released Thorium, an automated, scalable malware and forensic analysis platform that consolidates commercial, custom, and open-source tools into unified, automated workflows. Thorium is configured to ingest over 10 million files per hour per permission group and schedule more than 1,700 jobs per second, enabling rapid, large-scale binary and artifact analysis while maintaining fast query performance. It scales on Kubernetes with ScyllaDB, supports Dockerized tools and VM/bare-metal integrations, and enforces strict group-based access controls along with tag and full-text filtering for results.

Unmasking AsyncRAT: Mapping Forks and Variants in the Wild

🛡️ ESET Research reviews the sprawling ecosystem of AsyncRAT, an open-source C# remote access trojan first published in 2019, and the many forks that have proliferated since. The post maps major families—most notably DcRat and VenomRAT—and outlines rapid identification techniques based on client configuration, embedded certificates, and behavior. It highlights uncommon plugins (USB spreaders, screamers, clipboard clippers, distributed brute modules) and stresses evolving obfuscation and evasion tactics.