This repository is a collection of malware analysis write-ups and technical research notes. The focus is on understanding how real-world threats work — not just what they do, but how they are built, how they evade detection, and how defenders can respond effectively.
The material primarily covers malware analysis and reverse engineering, along with the TTPs observed during analysis and the evasion and anti-analysis techniques employed by the analyzed samples. Each report is grounded in hands-on work and documents methodology, decision points, and technical findings in a way that helps other analysts better understand modern malware capabilities and navigate similar cases more efficiently.
This repository is provided strictly for educational and defensive research purposes.
- No actual malware samples are included.
- All indicators are defanged and rendered non-clickable.
- Sensitive or potentially harmful artifacts are redacted where appropriate.
The goal is to support detection, response, and threat hunting efforts — whether you are a blue teamer getting started in the field, someone experienced who might run into something new, or simply someone who enjoys low-level stuff. :)
- Multi-Stage M365 Phishing with Encrypted Loader: Analysis of a credential-harvesting campaign using browser fingerprinting, AWS WAF gating, AES-GCM–encrypted payload delivery, and Microsoft Entra ID validation.
- Reversing a VM-Obfuscated Node.js Infostealer: Static and behavioral analysis of a heavily obfuscated Node.js stealer, including unpacking, deobfuscation, and execution flow reconstruction.
- CoffeeScript Raspberry Robin Analysis (PDF): Reverse engineering and behavioral breakdown of a CoffeeScript-based loader linked to Raspberry Robin activity.