#MalwareAnalysis

2026-01-20

📆 Are you looking to spend your training budget for 2026?
🦀 Are you struggling with reversing Rust binaries, and not even sure where to get started?
🇨🇦 Are you looking for high-quality technical training located in Canada?

Consider our 3-day training, "Deconstructing Rust Binaries", at @NorthSec from May 11-13 in Montréal: nsec.io/training/2026-deconstr

This is the first comprehensive training course focused solely on reverse engineering Rust binaries. You will learn how to effectively triage Rust binaries, how to trace data flow through Rust binaries, and how to tackle common techniques found in the Rust malware ecosystem. Real Rust malware samples are used in the course, ensuring that you have the practical skills to tackle your next Rust sample.

Early bird pricing is available now until Feb. 28th! registrations.nsec.io/northsec

#rust #rustlang #ReverseEngineering #reversing #infosec #MalwareAnalysis #malware #InfosecTraining

2026-01-17

Recent research into the StealC info-stealing malware revealed a web-based flaw that exposed active attacker sessions and infrastructure details.

The findings highlight:
• Risks inherent in malware-as-a-service platforms
• How XSS flaws can impact both sides of the threat landscape
• The role of OPSEC failures in threat actor exposure

How useful are these insights for defender threat modeling?

Source: bleepingcomputer.com/news/secu

Engage in the discussion and follow @technadu for objective InfoSec coverage.

#InfoSec #MalwareAnalysis #ThreatResearch #MaaS #CyberDefense #SecurityOperations #TechNadu

StealC hackers hacked as researchers hijack malware control panels
piks3l 🏳️‍🌈🏴‍☠️ (piks3l@pouet.it)
2026-01-16

System Devil: From AUR to Systemd persistence:

evilcel3ri.github.io/2026/01/1

Write up on a supply chain attack on AUR packages from October 2025.

#ArchLinux #Aur #MalwareAnalysis
#Infosec #blog #systemd

2026-01-12

Analyst burnout can’t be solved by automation alone.

“No matter how much you automate the process, with the current rate of malicious activity and increasingly sophisticated attacks, some manual work is inevitable.”

— Aleksey Lapshin, CEO of ANY.RUN

Full interview:
technadu.com/solving-analyst-b

#InfoSec #SOC #MalwareAnalysis #ThreatDetection

Solving Analyst Burnout: From Manual Malware Analysis to Interactive Sandboxing
2026-01-12

Recent threat research outlines a spear-phishing campaign delivering a Rust-based RAT, targeting organizations across multiple Middle East sectors.

Notable observations:
• Continued effectiveness of macro-enabled documents
• Shift toward custom, modular implants
• Emphasis on low-noise persistence and C2

This activity reinforces the need for strong email controls, user awareness, and behavioral detection.

Share insights and follow @technadu for factual threat intelligence reporting.

#InfoSec #ThreatIntel #MalwareAnalysis #RustSecurity #PhishingDefense #CyberOperations

MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors
2026-01-08

A new Rust DDoS Botnet family has been added to the Rust Malware Sample Gallery: github.com/decoderloop/rust-ma

This malware family is currently unnamed, but was analyzed in this 2025-11-30 article by Beelzebub: beelzebub.ai/blog/rust-ddos-bo

(h/t to @cydave; I learned about the Beelzebub article from his link to it, in his article about setting up a honeypot: 0dave.ch/posts/flying-whales-i)

#rust #rustlang #malware #infosec #ReverseEngineering #MalwareAnalysis #reversing #botnet

Tedi Heriyanto (tedi@infosec.exchange)
2025-12-31

Collection of scripts to automate the Malware Analysis process: github.com/ShadowOpCode/Malwar

#malwareanalysis #automation

2025-12-31

Recent research highlights a phishing campaign leveraging tax-related lures to deploy ValleyRAT, a modular RAT with strong persistence and evasion features.

The infection chain demonstrates continued abuse of trusted binaries, DLL sideloading, and plugin-based architectures to enable targeted post-compromise activity. The campaign underscores the importance of monitoring user-facing entry points and low-noise persistence mechanisms.

Open to insights on effective detection and response strategies for similar campaigns.

Follow TechNadu for objective threat intelligence reporting.

#InfoSec #ThreatHunting #MalwareAnalysis #PhishingDefense #EndpointSecurity #CyberThreats

Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware
2025-12-30

EmEditor disclosed a supply chain compromise where a modified download link briefly delivered a malicious installer.

Third-party analysis indicates the payload functioned as an infostealer with credential harvesting, persistence via a browser extension, and clipboard hijacking capabilities. The incident reinforces ongoing challenges around software distribution integrity and monitoring.

Would welcome practitioner insights on mitigations for download-chain tampering and installer validation.

Follow TechNadu for practical, unbiased security coverage.

#InfoSec #SupplyChainSecurity #MalwareAnalysis #ThreatResearch #CredentialTheft #CyberDefense

Infostealer Malware Delivered in EmEditor Supply Chain Attack
2025-12-19

📣🦀 We're very excited to announce TWO sessions for our flagship Rust reverse engineering course, Deconstructing Rust Binaries, coming to you in early 2026!

1) Deconstructing Rust Binaries at @ringzer0 COUNTERMEASURE, March 23-26 2026, 16 hours, Remote: ringzer0.training/countermeasu

2) Deconstructing Rust Binaries at @NorthSec, May 11-13 2026, 24 hours, Onsite in Montréal, Canada and Remote: nsec.io/training/2026-deconstr

Deconstructing Rust Binaries is the first comprehensive training course focused _solely_ on reverse engineering Rust binaries. This course is for any reverse engineer who needs a rapid, practical upskill in your ability to analyze Rust binaries. You will learn how to effectively triage Rust binaries, how to trace data flow through Rust binaries, and how to tackle common techniques found in the Rust malware ecosystem.

This course is taught and written by an experienced malware reverse engineer, @cxiao, with extensive experience specifically in reversing Rust binaries. Want a preview of the technical expertise we offer? Check out the 120+ FREE slides on Rust reversing from our recent workshop, "Reversing a (Not-so-Simple) Rust Loader"! github.com/decoderloop/2025-11

A few key things about the course:

1) No previous experience with reversing Rust binaries, or writing Rust code, is required!
2) The course will use Binary Ninja as the primary reverse engineering tool. You will be provided a Binary Ninja student license as part of the course.
3) We're excited to offer flexibility in the training format and course depth. You have the choice of either taking:

a) A fully remote, 4 hour per day, shorter class at Ringzer0 (ringzer0.training/countermeasu)
b) A remote or onsite, 8 hour per day, comprehensive class at NorthSec (nsec.io/training/2026-deconstr)

We look forward to seeing you in 2026!

#infosec #InfosecTraining #malware #MalwareAnalysis #ReverseEngineering #reversing #rust #rustlang #binaryninja #NorthSec #ringzer0 #Ringzer0Training

2025-12-19

A recent analysis revealed Firefox extensions using icon-based steganography to bypass detection, embedding JavaScript loaders beyond PNG image data.

The campaign highlights:
• Limitations in static extension scanning
• Risks of trusted UI elements
• Long-dwell, low-noise monetization tactics

How should browser ecosystems adapt detection models to account for non-code attack surfaces?

Discuss below and follow TechNadu for continued threat research coverage.

#MalwareAnalysis #Steganography #BrowserSecurity #ThreatResearch #ExtensionAbuse

FBI DISRUPTS VIRTUAL MONEY LAUNDERING SERVICE USED TO FACILITATE CRIMINAL ACTIVITY
2025-12-19

A recent analysis revealed Firefox extensions using icon-based steganography to bypass detection, embedding JavaScript loaders beyond PNG image data.

The campaign highlights:
• Limitations in static extension scanning
• Risks of trusted UI elements
• Long-dwell, low-noise monetization tactics

How should browser ecosystems adapt detection models to account for non-code attack surfaces?

Source: cybernews.com/security/firefox

Discuss below and follow @technadu for continued threat research coverage.

#MalwareAnalysis #Steganography #BrowserSecurity #ThreatResearch #ExtensionAbuse

Thousands of Firefox users compromised: 17 extensions hide malware in icons
2025-12-15

Process Hacker, PEB and NTDLL: the keys to ultra-minimalist native applications

🤯 In some cases you want control over every byte. Yet even a basic program can pull in DLLs it could do without. Let's dive together into the guts of the executable.

A basic 'Hello World' compiled in C++ weighs around 11KB and depends on Kernel32.dll and VCRuntime140.dll. With the CRT linked statically, the size climbs to 136KB! 😱
The CRT handles calling `main`, running C++ object constructors, variables such as `errno`, and the `new`/`delete` operators. But this convenience comes at a cost in size and dependencies.

For ultra-minimalist binaries, trimming the CRT means configuring the linker to drop the default libraries, disabling the buffer security check (/GS), and changing the entry point to `mainCRTStartup`.

Goodbye `printf`! It is replaced by `WriteConsoleA` from `Kernel32.dll` for output. The result: an executable of only 4KB, with just two imports from `Kernel32.dll`. A nice win, isn't it? 😎

But we can go even further: every Windows process always loads `NTDLL.dll`, which offers many CRT-like functions such as `sprintf_s`. The subtlety: Microsoft's standard `NtDll.lib` does not always export all of these functions. That leaves two options: either create a custom import library, or fall back on dynamic linking via `GetModuleHandle` and `GetProcAddress`. ✨

And what about the command-line arguments `argc`/`argv`? Without the CRT, the system passes `mainCRTStartup` a single argument: the `PPEB` (Process Environment Block), whose `ProcessParameters` member gives access to information such as `ImagePathName` or `CommandLine`. This is how native applications operate.

Why go down this "minimization" path? 🤔 For DevSecOps and Purple Teams:

* Lightness: for discreet offensive tools, payloads, or situations with strict size constraints, a 4KB binary is a considerable advantage.
* Native applications, depending only on `NTDLL`, can run very early in Windows startup (like `Smss.exe` or `autochk.exe`). They offer a unique perspective on the low-level workings of the system.

To explore these concepts, the original article is a gold mine: scorpiosoftware.net/2023/03/16

It's a fascinating topic that leads on to other fascinating development subjects in the field of offensive cybersecurity and reverse engineering 🤯

Which method do you prefer for replacing CRT functions with NTDLL? Debate in the comments! 👇

#Cybersécurité #DevSecOps #ReverseEngineering #WindowsInternals #Programmation #MalwareAnalysis #ExploitDevelopment #SecureCoding #ThreatHunting
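The post above explains why a CRT-free native binary ends up tiny, importing only a couple of kernel32 functions or resolving what it needs through GetModuleHandle/GetProcAddress. Those same properties are visible in the import table, which is where a triage script can pick them up. The following is an added Python example, not code from the post or from the linked scorpiosoftware.net article: it parses a PE import directory with the standard library only and attaches triage notes. The PE image it inspects is constructed by the script itself (a PE32+ file with one `.rdata` section and no code); the second import, `GetStdHandle`, is an assumption, since the post only says the 4KB build has two kernel32 imports.

```python
"""Import-table triage for PE files (added example; the sample image is constructed below)."""
import struct

PE32PLUS_MAGIC = 0x20B
IMPORT_DIR_OFFSET = {True: 120, False: 104}   # data directory[1] within the optional header (PE32+ / PE32)
RUNTIME_RESOLVERS = {"getprocaddress", "getmodulehandlea", "getmodulehandlew", "loadlibrarya", "loadlibraryw"}


def parse_imports(pe):
    """Return {dll: [function names or '#ordinal']} read from the PE import directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    is_pe32plus = struct.unpack_from("<H", pe, opt)[0] == PE32PLUS_MAGIC
    import_rva = struct.unpack_from("<I", pe, opt + IMPORT_DIR_OFFSET[is_pe32plus])[0]
    sections = []                                         # (VirtualAddress, size, PointerToRawData)
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstring(offset):
        return pe[offset:pe.index(b"\0", offset)].decode("ascii", "replace")

    imports = {}
    if import_rva == 0:
        return imports
    desc = rva_to_offset(import_rva)
    thunk_fmt, thunk_size, ordinal_bit = ("<Q", 8, 1 << 63) if is_pe32plus else ("<I", 4, 1 << 31)
    while True:
        original_first_thunk, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:                                 # an all-zero descriptor ends the list
            break
        names, thunk = [], rva_to_offset(original_first_thunk or first_thunk)
        while (entry := struct.unpack_from(thunk_fmt, pe, thunk)[0]) != 0:
            if entry & ordinal_bit:
                names.append(f"#{entry & 0xFFFF}")
            else:                                         # IMAGE_IMPORT_BY_NAME: u16 hint, then the name
                names.append(cstring(rva_to_offset(entry) + 2))
            thunk += thunk_size
        imports[cstring(rva_to_offset(name_rva))] = names
        desc += 20
    return imports


def triage(pe):
    """Notes a triage script could attach to a sample; empty for an ordinary CRT-linked binary."""
    imports = parse_imports(pe)
    dlls = {d.lower() for d in imports}
    funcs = {f.lower() for names in imports.values() for f in names}
    notes = []
    if len(funcs) <= 5:
        notes.append(f"very small import table: {len(funcs)} functions from {len(dlls)} DLL(s)")
    if dlls and dlls <= {"kernel32.dll", "ntdll.dll"}:
        notes.append("no CRT DLL: imports only from kernel32/ntdll")
    if funcs & RUNTIME_RESOLVERS:
        notes.append("resolves APIs at run time via " + ", ".join(sorted(funcs & RUNTIME_RESOLVERS)))
    return notes


def build_sample_pe(imports):
    """Constructed PE32+ image: one .rdata section holding just an import directory, no code."""
    sec_rva, sec_off = 0x1000, 0x200
    data = bytearray(20 * (len(imports) + 1))            # descriptor array first, filled in after layout
    descriptors = []
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(data)
        data += dll.encode() + b"\0"
        hint_rvas = []
        for func in funcs:
            data += b"\0" * (len(data) % 2)               # IMAGE_IMPORT_BY_NAME entries are 2-byte aligned
            hint_rvas.append(sec_rva + len(data))
            data += struct.pack("<H", 0) + func.encode() + b"\0"
        data += b"\0" * (-len(data) % 8)
        thunks = b"".join(struct.pack("<Q", r) for r in hint_rvas) + struct.pack("<Q", 0)
        int_rva, iat_rva = sec_rva + len(data), sec_rva + len(data) + len(thunks)
        data += thunks + thunks                           # import name table, then the IAT the loader patches
        descriptors.append((int_rva, name_rva, iat_rva))
    for i, (int_rva, name_rva, iat_rva) in enumerate(descriptors):
        struct.pack_into("<IIIII", data, 20 * i, int_rva, 0, 0, name_rva, iat_rva)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, IMPORT_DIR_OFFSET[True], sec_rva, 20 * (len(imports) + 1))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(data), sec_rva, len(data), sec_off, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sec_off, b"\0") + bytes(data)


# Constructed stand-in for the post's 4KB "Hello World" (GetStdHandle as second import is an assumption).
HELLO_MINIMAL = build_sample_pe({"KERNEL32.dll": ["WriteConsoleA", "GetStdHandle"]})
```

Run on `HELLO_MINIMAL` the triage notes are "very small import table" and "no CRT DLL"; feed it a sample that imports `GetModuleHandleA` and `GetProcAddress` and the run-time resolution note appears as well. None of these traits is malicious on its own (the post's own point is that legitimate native applications look like this), which is why they belong in a scoring or hunting rule rather than a block rule.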

2025-12-15

Analysis of VolkLocker ransomware reveals a critical implementation flaw where encryption master keys are hard-coded and stored locally in plaintext, enabling free decryption.

Despite employing AES-256-GCM and exhibiting common ransomware behaviors, the design oversight significantly undermines its extortion model. The case illustrates how technical maturity varies widely across ransomware-as-a-service ecosystems.

What defensive lessons should teams take from flawed ransomware implementations like this?

Source: thehackernews.com/2025/12/volk

Engage in the discussion and follow TechNadu for objective infosec coverage.

#InfoSec #Ransomware #MalwareAnalysis #ThreatResearch #CyberDefense #SecurityEngineering #TechNadu

VolkLocker Ransomware Exposed by Hard-Coded Master Key Allowing Free Decryption
2025-12-15

🦀 Looking for Rust malware samples to practice analyzing? Our Rust Malware Sample Gallery just received a major update, with 20 new families added! github.com/decoderloop/rust-ma

The Sample Gallery collects links to articles about malware written in Rust, organizes them by malware family, and includes a download link to a publicly available sample for every malware family. This is a resource for any malware analyst who wants to get hands-on with real Rust malware.

The last time the Sample Gallery was updated was almost 2 years ago, in January 2024. Since then, there's been an explosive growth in new Rust malware, including all of the following families that are now in the Sample Gallery:

SPICA, KrustyLoader, RustDoor, SSLoad, Fickle Stealer, Cicada3301 Ransomware, RustyClaw, Embargo Ransomware, RustyAttr, Akira Ransomware (both the Akira_v2 and Megazord variants), Banshee (Rust variant), RALord Ransomware, RustoBot, Tetra Loader, EDDIESTEALER, Myth Stealer, Rustonotto, RustyPages, ChaosBot

This is nearly one new Rust malware family observed in the wild, every month. Rust as a programming language for malware is here to stay!

#rust #rustlang #malware #infosec #ReverseEngineering #MalwareAnalysis #reversing

2025-12-15

Researchers have documented a campaign abusing GitHub repositories themed as OSINT tools, GPT utilities, and developer resources to deliver PyStoreRAT, a modular, multi-stage remote access trojan.

The operation leverages delayed malicious commits, minimal loader stubs, reputation manipulation, and HTA-based execution to reduce early detection. In parallel, a separate RAT campaign demonstrates region- and language-aware targeting logic.

These cases underscore evolving tradecraft around trust abuse and script-based implants.

How are you adapting repository vetting and execution controls in your environment?

Source: thehackernews.com/2025/12/fake

Engage in the discussion and follow TechNadu for measured infosec reporting.

#InfoSec #ThreatIntel #MalwareAnalysis #GitHubSecurity #OpenSourceRisk #TechNadu

Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads
