Malware Under the Microscope 🔍
A deep dive into the world of malware analysis. Here, I break down real-world samples with practical techniques - from unpacking and deobfuscation to debugging, disassembly, and memory forensics.
I use tools that are freely available, most of which come pre-installed on FLARE VM, so you can follow along without extra setup.
All samples referenced are publicly available on VirusTotal and MalwareBazaar, and you can also grab them from my repo.
Write-ups
From ClickFix to MacSync: Execution Chain Analysis on macOS
MacSync is a macOS infostealer that harvests passwords, browser and crypto wallet data, Keychain items, and sensitive files. Investigation revealed its manipulation of legitimate crypto apps like Ledger and Trezor to capture additional user information.
— Dec 21, 2025
UPATRE Downloader: Replication, Decryption, and Execution
UPATRE is a lightweight downloader that spreads across systems by replicating itself and removing its original dropper. Our analysis focused on its XOR-based decryption and decompression routines, uncovering how it retrieves and executes second-stage payloads.
— Dec 10, 2025
Huntress CTF: 2025 - Reverse Engineering Challenge Writeups
Write-ups for the Huntress 2025 CTF's reverse engineering challenges.
— Nov 1, 2025
The Invisible Loader: Winos 4.0’s Journey from Disk to C2
Winos 4.0 is a multi-stage Windows loader delivered via trojanized installers. Investigation revealed its in-memory execution layers, process checks, and adaptive behavior depending on installed apps like WhatsApp and Telegram.
— Jun 21, 2025
Analyzing KoiLoader: WinDbg‑Driven Reverse Engineering of a Multi‑Stage Malware Loader
KoiLoader and its companion KoiStealer are known for complex memory unpacking and anti-VM protections. Using WinDbg, we traced its execution, bypassed its anti-analysis checks, and documented the exact mechanisms it uses to retrieve and execute its payload.
— Jun 20, 2025
Huntress CTF: 2024 Writeups
A collection of write-ups for the Huntress 2024 CTF.
— Nov 7, 2024
Inside Quasar RAT: Unpacking a Multi-Stage PowerShell Loader
This post dissects a PowerShell loader used by Quasar RAT. It covers its execution chain, including payload decoding, process injection, and persistence mechanisms. The loader uses AES encryption for securing its configuration and employs process hollowing to evade detection.
— Mar 26, 2024
Following the Execution Trail: An XWorm Loader Autopsy
XWorm RAT often relies on obfuscated loaders to evade detection. This sample starts as a batch script that decodes, AES-decrypts, and GZip-decompresses a .NET payload directly into memory.
— Feb 3, 2024
Dissecting ClipBanker: From JavaScript Loader to Process Injection
ClipBanker is focused on clipboard hijacking and cryptocurrency theft. We followed its journey from a JavaScript loader to in‑memory executable payloads, showing how it monitors clipboard activity to detect and replace cryptocurrency wallet addresses during transactions.
— Jan 8, 2024
Breaking Down NJRat: A Full Kill Chain Analysis
NJRat is a long-standing RAT with versatile capabilities. Our investigation reconstructed the full infection chain, from malicious document to loaders and dropped binaries, highlighting the RAT’s persistence strategies and its approach to gaining control over compromised systems.
— Nov 29, 2023