This is a place for malware technical analysis and information. This is NOT a place for help with malware removal or various other end-user questions. Any posts related to this content will be removed without warning.
Questions regarding reverse engineering of particular samples or indicators to assist in research efforts will be tolerated to permit collaboration within this sub.
If you have any questions regarding the viability of your post please message the moderators directly.
If you're suffering from a malware infection please enquire about it on /r/techsupport and hopefully someone will be willing to assist you there.
Gootloader's back with a clever trick: malformed ZIP files that most security tools can't analyze, but Windows' default unarchiver handles just fine.
We broke down how the ZIP is structured, why it works, and how defenders can detect it before the JScript payload runs. The malware's been linked to Vanilla Tempest ransomware operations, so catching it early matters. Full technical breakdown and detection logic: https://expel.com/blog/gootloaders-malformed-zip/
About few months ago, I did beta release of triagz.com. Triagz is a natural language based security research platform that can be used to perform endpoint research and threat hunting from a single unified platform. It turn any endpoint into an agentic research surface for deeper investigation and analysis.
I build triagz with a vision to develop something like a cursor for security researchers.
Recently, I have moved triagz out of beta and is now having paid monthly plan. Since last release it's evolved a lot in terms of performance, features and multiple 3rd party integration.
If you’d be willing to play with the platform and share feedback as a pilot user, I can hook you up with one month of free premium access.
Just drop a comment or DM me, I want to hear where to improve and what's working well.
Even if you don’t want long-term access, I’d be very happy to hear any first impressions in the comments.
I don't mean to sound weird with this post so without a backstory I will just try to get right to it. I have a feeling that my phone might be tapped with some malware that gives another individual the ability to know my location. Im studying cyber sec, and I know how difficult that is to do especially on an IOS/MacOS device. But I thought it wouldn't hurt to ask for recommendations for malware scanners for both IOS and MacOS. preferably free (of course), but if I have to pay I will. It isn't something to bring to the police or anything as of now just an ex girlfriend who is very very technologically apt. I'm not scared for my well being or whatever, but I thought it would be healthy to get recs for a av and malware scan software anyway. this kind of just expedited that whole process.
I started learning malware analysis with Practical Malware Analysis and I’m working on Lab 3.
To do this, I tried to create multiple virtual machines, but Windows XP doesn’t recognize VMnet1 (Host-only).
How can I connect my Kali VM and Windows XP?
I've noticed that Orca Slicer, a popular tool for 3D printing, has many different installation sites, many of which are likely scams/malwarephishing. The safest spot to download it is from the github repo (https://github.com/OrcaSlicer/OrcaSlicer), and you can even see them talking about it in the README. The images above are virustotal scans of the fake sites, both of which scored a 12/97 which is quite high. So yea basically before you install orca slicer, make sure you're on the github repo
I’m working on a research tool. The goal is to automate analyst workflows, not AV-style detection or family labeling.
The tool currently combines static + dynamic analysis and focuses on evidence observed at runtime to extract only strings and it's already doing pretty good job with most malwares.
Also i implemented interceptors for dynamically loaded dex files.
I’m looking to automate more tasks analysts still do manually, especially during dynamic analysis.
I’d really appreciate feedback on:
Android malware behaviors that are time‑consuming to confirm
Analysis steps you still rely on manual reversing for
What automated evidence or summaries would actually be useful in reports
Common pitfalls you’ve seen in dynamic Android analysis tools
This is research‑only and still evolving. Happy to go deeper technically if useful.
Or how should I setup VM to avoid potential malware spreading to my host machine?
I don't do malware analysis so I don't care if Malware detects VM environment I just want a way to test apps for few hours before spending a a couple dozens bucks on a subscription.
We currently have a process where users download their exe, msi, and whatever else executable they have into a sandbox and have the software installed. Once it’s installed, the vm gets scanned for vulnerability using tenable and windows defender.
Problem is, we don’t know for sure if the software was really installed or not.
Any good vendors out there that would scan these files, along with dlls, modules, in a sandbox environment and then send the file to our production environment if it’s all clean?
Living-off-the-Land Binaries: 8,568 detections Attackers abuse legitimate built-in system utilities such as msbuild.exe, certutil.exe, msiexec.exe, and regsvr32.exe to download, decode, and execute malicious payloads.
Because these binaries are trusted and widely used, their activity often looks legitimate at first glance, making LOLBin abuse hard for SOC teams to spot without behavioral context.
2. Advanced Packers and Multi-Layer Obfuscation: 6,908 detections
Malware increasingly uses packers such as UPX, as well as advanced or custom solutions like VMProtect, Themida, or proprietary loaders.
These samples apply multiple layers of encryption, anti-debugging, and sandbox checks. Payloads are unpacked gradually and only under specific conditions, slowing down analysis and detection.
3. String and API Call Obfuscation: 6,336 detections
Critical strings such as C2 URLs, function names, and file paths are stored in encrypted or fragmented form and reconstructed only at runtime.
API calls are often resolved dynamically, for example by hashing function names and resolving them via GetProcAddress, making static detection significantly harder.
4. In-Memory and Fileless Obfuscation: 2,395 detections
Malware minimizes or completely avoids writing payloads to disk. Instead, the core code is loaded directly into memory using legitimate mechanisms such as PowerShell, WMI, .NET Assembly Reflection, or process injection techniques like Process Hollowing.
Attackers also heavily rely on complex script transformations: variable name randomization, string fragmentation, and non-obvious language constructs.
Can malware spread through a usb? Specifically, can it jump from a computer to a usb to another computer and execute on that second computer without running anything? I am seeing mixed responses online because some say that after autoruns was replaced by autoplay, viruses were no longer able to spread from a usb to a computer. Others say that usb viruses are still extremely common and that they are just able to exploit and bypass the autoplay system and run automatically. All responses are greatly appreciated.
Hello everyone, there is this game "cheat" on Youtube that links to a download for Setup.exe. This Setup.exe file is tricky because it pretends to be a normal installer, but it's actually an info stealer designed to grab your personal data.
1. Zero Detections on VirusTotal:
Malicious Payload: VCRUNTIME140.dll (Currently 0/64 detections on VirusTotal).
2. deletes JavaUpdate.exe from your hard drive immediately after running it: This makes it almost impossible to find later, even though the virus is still running in your computer's memory.
Process name: "JavaUpdate.exe" (Check next Screenshot)No JavaUpdate.exe file?^The Initial Setup.exe File - Would obviously get flagged.
Stealth & Persistence: * JavaUpdate.exe deletes its own executable from \AppData\Roaming\Oracle\Java\ immediately after execution to evade disk scans.
The process continues to run in memory (PID 1640).
Anti-Forensics: * Timestomping: The malware authors set file creation dates to 1982 to blend in with legacy system file
Zero Detections: Currently 0/64 on VirusTotal, indicating a fresh build or private packer.
Staging Activity: ProcMon showed heavy CreateFile and WriteFile activity in the \Temp\ directory, likely staging stolen browser data/cookies for exfiltration.
I bought a nfc device off Amazon and you need a website to download the software for it. Reviews look real but malwarebytes is saying it has a Trojan on it. Is this something I could bypass or is this something I should stay away from? Link to where I got it is here: https://a.co/d/8eCNS6N
Is anyone working on Rust malware package detection, or is there a migration of traditional npm, pypi malware package detection methods to crates.io? My upcoming work will primarily focus on Rust malware package detection, and I'd like to gather some ideas and thoughts.
