j04n (@joancalvet)'s Twitter Profile
j04n

@joancalvet

Malware researcher at @ESETResearch. He/him.

ID: 118602624

01-03-2010 05:42:51

718 Tweets

750 Followers

521 Following

ESET Research (@esetresearch)

#ESETResearch is releasing Nimfilt, an #IDAPro plugin to help reverse engineering #Nim malware – a language increasingly used by both the red-teaming community, and malware developers. Nimfilt demystifies Nim's custom mangling scheme. github.com/eset/nimfilt 1/3

Sean Heelan (@seanhn)

In my experience the value of a degree is largely that it gives you a socially acceptable reason to ignore the real world and spend 4 years tinkering with computers. Ideally, do your degree at a uni *not* renowned for hard coursework (largely not useful, and eats your free time).

ESET Research (@esetresearch)

#Breaking #ESETresearch releases a paper about Ebury, among the most advanced server-side Linux malware, which was deployed to 400,000 servers over the course of 15 years, primarily for financial gain. Marc-Etienne M.Léveillé welivesecurity.com/en/eset-resear… 1/8

Jean-Ian Boutin (@jiboutin)

Our new APT activity report is available now, with updates from #ESET researchers on the various threat actors we track. Check it out! web-assets.esetstatic.com/wls/en/papers/…

Eugene Rodionov (@vxradius)

A big honor to coauthor with abcSup and Gulshan the very first blog from Android Red Team on analysis and exploitation of CVE-2023-20938 in Android Binder driver at androidoffsec.withgoogle.com/posts/attackin… 🔥 The slide-deck presented at offensivecon is available at androidoffsec.withgoogle.com/posts/attackin…

Clement Rouault (@hakril)

After nearly 10 years of existence and years of use in production on 10k+ computers, the new PythonForWindows release is 1.0.0 \o/ This release adds three important things: official Python 3 support, full Unicode support for py2/py3 & CI testing on GitHub! github.com/hakril/PythonF…

ESET Research (@esetresearch)

#ESETresearch discovered a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which we dubbed HotPage, comes self-contained in an executable that installs its main driver and injects libraries into Chromium-based browsers. 1/7

__mat__ (@matthieu_faou)

We are looking for a strategic threat intel analyst to join ESET Research. Interested in cyber-espionage and geopolitics? Apply! ca.linkedin.com/jobs/view/anal…

Cristina Cifuentes (@criscifuentes)

The video from the 30 Years of Decompilation celebration at QUT is now live at youtu.be/y2AsoW3v85I. The celebration features discussions with Emeritus Professor John Gough, myself, Mike Van Emmerik, Anne Fitzgerald, and Trent Waddington. Thanks to Paul Roe for organising!

ESET Research (@esetresearch)

A few days ago, Pidgin Instant Messenger published a notification about a malicious plugin (ScreenShareOTR) found in a third-party plugin list. #ESETResearch investigated these plugins and confirmed that they indeed contain malicious code, which downloads and executes

Alice Climent-Pommeret (@alicecliment)

Hi there! My latest article on the HarfangLab blog has just been published! I'm talking about unpacking, XMRig, R77 and FIN7 (or not 🤓) A special S/O to Antonio Cocomazzi Ivan Kwiatkowski and Secure Chicken 🐣 To check it out ➡️ harfanglab.io/insidethelab/u…

ESET Research (@esetresearch)

By analyzing thousands of samples, #ESETresearch has conducted a comprehensive technical analysis of the toolset the 🇷🇺Russia-aligned #Gamaredon #APTgroup used in 2022 and 2023 to spy on Ukraine 🇺🇦. welivesecurity.com/en/eset-resear… 1/9

JEB Decompiler (@jebdec)

JEB 5.18 is available 🤖 Check out our latest blog post on inlining and deobfuscating "fat" functions: pnfsoftware.com/blog/deobfusca… #ReverseEngineering

ph0wn (@ph0wn)

🚀 #Ph0wn2024 presents the Android Application Reversing workshop! Join Cedric Lucas to learn how Android apps are built, analyzed, and reverse-engineered using JEB (JEB Decompiler). Perfect for those diving into Android reverse engineering! 📱🔍 More info: ph0wn.org/workshops24/#r…

JEB Decompiler (@jebdec)

JEB 5.19 is available (pnfsoftware.com/jeb/changelist). An interesting new feature in this release is a mixed boolean-arithmetic (MBA) expression simplifier/breaker. It gives interesting results on obfuscated code. Have a look at the snippet in image 1, which is a decompilation with

Clement Rouault (@hakril)

In our search for new forensic artifacts at ExaTrack, we sometimes deep dive into Windows Internals. This one is about COM and interacting with remote objects using a custom python LRPC Client. STUBborn: Activate and call DCOM objects without proxy: blog.exatrack.com/STUBborn/

ESET Research (@esetresearch)

Detailed analysis of RomCom’s exploit, chaining the two vulnerabilities together, is available at welivesecurity.com/en/eset-resear…. IoCs available from our GitHub: github.com/eset/malware-i… 7/7

ESET Research (@esetresearch)

#ESETresearch reveals the first Linux UEFI bootkit, Bootkitty. It disables kernel signature verification and preloads two ELFs unknown during our analysis. Also discovered, a possibly related unsigned LKM – both were uploaded to VT early this month. welivesecurity.com/en/eset-resear… 1/5