  • AutoIt Compiled Script Dropper Malware delivered as a compiled AutoIt3 script (`.a3x` or `.exe` output from AutoIt compiler). The script is executed by the AutoIt3 interpreter, providing a Turing-complete scripting environment with
  • .NET Manifest Resource Decryption .NET assemblies often store encrypted payloads as embedded manifest resources. At runtime the malware calls `Assembly.GetManifestResourceStream` to retrieve the blob, then decrypts it (commonly AES +
  • Embedded RCData Encrypted Configuration Malware build pattern: runtime configuration (C2 host, port, mutex name, feature flags, credentials) is stored as an RCData resource inside the PE, encrypted to defeat static extraction. Decrypted at
  • Go Infostealer Build Pattern Recurring build artefacts observed in Go-based infostealers compiled for Windows. First documented in the PacketPursuit corpus for the [[acrstealer]] family, but the settings are generic and may appea
  • IExpress SFX Dropper The Microsoft IExpress/Wextract self-extractor (`wextract.exe`) repurposed as a malware dropper. The outer PE is a legitimate Windows system binary that extracts an embedded Cabinet archive to a temp
  • javascript-obfuscator Commercial-grade JavaScript obfuscation commonly observed in malware droppers. Characterised by string-array lookup tables, control-flow flattening, dead-code injection, and hex-offset string referenc
  • Legitimate remote-access tool abuse Malware operators repurpose, re-bundle, or re-configure legitimate commercial remote-access tools (TeamViewer, AnyDesk, NetSupport Manager, ConnectWise ScreenConnect, etc.) to gain covert persistent
  • MessagePackLib Asynchronous RAT Protocol A .NET C2 wire-format pattern in which the client and server exchange commands and replies as MessagePack-serialized objects wrapped in an AES-256-HMAC envelope, transported over a TLS-encrypted TCP s
  • netsupport-manager-abuse NetSupport Manager is a legitimate commercial remote-access and classroom-management tool. Threat actors abuse its client installer by bundling it inside masqueraded installers (Inno Setup, IExpress,
  • PyArmor Obfuscation PyArmor is a Python obfuscation and licensing toolkit that encrypts Python source code or bytecode and decrypts it at runtime via a compiled C extension (`pyarmor_runtime.pyd`). It is commonly abused
  • PyInstaller Bootloader A small C or Win32 PE executable produced by `PyInstaller --onefile`. At runtime it:
  • ransomware A malware category whose primary **impact** is the encryption, exfiltration, or destruction of files for the purpose of extortion. Traditional ransomware encrypts data in-place, appends a unique exten