NtQuerySystemInformation Module Enumeration
Using `NtQuerySystemInformation` with `SystemModuleInformation` (class 5) returns the list of loaded kernel modules and their base addresses. Malware uses this to detect specific drivers (VM tools, ED

SeDebugPrivilege Escalation
Enabling `SeDebugPrivilege` on the current process token grants access to any process on the system, bypassing standard DACL checks. Malware enables this privilege before injecting into or reading mem

aspnet_compiler process-name sandbox evasion
A behavioral sandbox-evasion technique in which malware checks the process list for the presence of `aspnet_compiler.exe` before executing its payload. The absence of this process indicates a non-deve

Batch PowerShell Variable Expansion Obfuscation
A DOS batch-script anti-static technique in which a PowerShell payload is fragmented across tens of `SET` variable assignments, then reassembled in a single line via `%VARNAME%` expansion and passed a

ClickOnce certificate-trust bootstrap
A Windows PE extracts its own embedded Authenticode signature and installs the publisher certificate into the `TrustedPublisher` store before using `dfshim.dll!ShOpenVerbApplicationW` to silently la

ConfuserEx Obfuscation
ConfuserEx is an open-source .NET obfuscator that rewrites managed assemblies to impede reverse engineering. It operates at the IL level, applying heavy name mangling, constant encryption, control-flo

CPlApplet PNG Payload Dropper
A two-stage dropper pattern where a `CPlApplet` DLL (often with a `.scr` extension) masquerades as a Windows screensaver. Instead of containing the malicious payload inline, it expects a companion fil

Delphi VCL Certificate Harvesting
A build/RE pattern where Delphi VCL RTL bloat inflates a small certificate-stealing payload into a 1.5–5 MB PE, making static triage noisy and behavioural analysis harder because the import table is d

UAC Bypass via Event Viewer (eventvwr.exe)
Auto-elevate bypass abusing the .msc file handler registration. Event Viewer (`eventvwr.exe`) is a signed Microsoft binary that auto-elevates; it shells out to `mmc.exe` using the `Shell\Open\Command`

Fused String API Decoding
A Go anti-analysis technique where Windows DLL names and their exported API names are concatenated into single large strings in `.rdata`, then sliced at runtime into individual `syscall.LoadLibrary` /

LZSS Payload Decompression
LZSS (Lempel-Ziv-Storer-Szymanski) is a sliding-window dictionary compressor used by the SilverFox/ValleyRAT cluster to hide its second-stage payload inside the PE. At runtime, a small decompressor st

Marker File Mutex Gating
A lightweight runtime gating mechanism: the dropper checks for the existence of a specific file (typically under `%appdata%` or `%TEMP%`). If present, the gated payload branch is skipped. If absent, t

MessagePack Asynchronous RAT Protocol
A .NET C2 wire-format protocol used by [[asyncrat]] and conceptually related to the [[protobuf-net-asymmetric-client-rat-protocol]] seen in [[quasar]]. MessagePack-serialized objects are transmitted i

PEB-Walking API Resolution
Position-independent code resolves Win32 API addresses at runtime by walking the Process Environment Block (PEB) linked list of loaded modules, then traversing the export table of `ntdll.dll` or `kern

Phorpiex loader initterm payload staging
Phorpiex droppers (observed in the `dropped-by-phorpiex` corpus) use the MSVCR90 C runtime `initterm` / `initterm_e` callback arrays to execute a non-trivial payload *before* `main()` is reached. The

Process Hollowing
A defense-evasion technique where a benign process is created in a suspended state, its memory is unmapped or overwritten, and malicious code is written into the hollowed space before the thread is re

Protobuf-net Asymmetric Client–RAT Protocol
A .NET remote-access trojan (RAT) communication pattern using protobuf-net as the serialization layer over an asynchronous TCP socket. The server acts as a listener; the client initiates an encrypted

Python-Packed Payload
Malware logic authored in Python, compiled to `.pyc`/`.pyo`, and bundled inside a Windows PE via PyInstaller, py2exe, or cx_Freeze. The outer PE is a stock bootloader; the actual IOCs, C2 logic, and e

raw-socket-ddos-flooder
Technique where malware opens `SOCK_RAW` (or `SOCK_PACKET`) sockets with `IP_HDRINCL` to craft Layer-3/Layer-2 packets directly. Used to generate high-volume DoS traffic with spoofed or randomised sou

RC4-encrypted PowerShell payload staging
A malware staging technique in which a PowerShell payload is encrypted with RC4 and delivered inside another script (e.g. JavaScript or batch). At runtime, the outer script decrypts the RC4 ciphertext

RC4 In-Place Section Decryption
The PE's `.text`, `.data`, and import sections are encrypted with RC4 at build time. A small bootstrap stub embedded at entry point performs in-place RC4 decryption using a key derived from XOR-obfusc

Rust Async RAT Framework
A recurring build pattern observed in modern Windows RAT/stealer families: native Rust compiled with the MSVC toolchain, using `tokio` for async I/O, `tokio-tungstenite` for WebSocket C2, `serde_json`

Semantic Jargon Export Obfuscation
A PE export table is populated with hundreds of plausible-sounding function names drawn from unrelated technical domains (machine learning, networking, game engines, DevOps). The names are syntactical

SmartAssembly Obfuscation
SmartAssembly is a commercial .NET obfuscator/packer by Redgate. Malware authors abuse its string encryption, control-flow obfuscation, and anti-tamper features.

version-info-masquerade
Malware alters the `VS_VERSIONINFO` resource block to claim a legitimate company name, product name, and file description. Windows Explorer, task managers, and AV reputation engines display this metad

WinInet + URLMon Dual-Path HTTP Downloader
A downloader that implements two independent HTTP fetch paths — a primary WinInet path (`InternetOpenW` → `InternetOpenUrlW` → `InternetReadFile` → `WriteFile`) and a fallback URLMon path (`URLDownloa

XOR-decrypted .NET assembly reflective loading
A defense-evasion technique in which a malware payload encrypts a .NET assembly with a simple XOR cipher, decrypts it at runtime in PowerShell, and loads it reflectively into the current process via `