Posts

PureRAT variant observed in AI Video Player

PureRAT analysis, PYC disassembly, shellcode, and Reactor-protected .NET binaries extracted; IOCs and detection. Executive Summary: I analyzed a malware chain beginning with DriveVideoSetup-x64-0.1.0.exe, distributed through a fake Drive Video/SMVEO-themed lure. The malware uses a staged execution chain that moves from Python bytecode into shellcode, then into multiple protected .NET assemblies. The chain includes heavy obfuscation and encryption, runtime patching, certificate generation, protobuf references, and authenticated WebSocket communications. Dynamic analysis observed the malware enrolling with its infrastructure, creating certificate material under %LOCALAPPDATA%\SMVEO\, connecting to agent.sm-veo.com, and logging "agent starting 2.3.0", "auto-enrolling", and "ws connection". Multiple indicators suggest this activity is likely PureRAT. Execution Workflow: DriveVideoSetup-x64-0.1.0.exe ↓ Persistence via CurrentVersion\Run ↓ python.pyc ↓ Base85 decode ↓ zlib decompress ↓ marshal...
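The Base85 → zlib → marshal unwrapping in the workflow above, as an added example that is not code from the write-up or from the sample. It builds a constructed stand-in stage wrapped in the same order, unwraps it without executing it, strips the 16-byte header a .pyc carries so marshal can load the body, and pulls string constants out of the recovered code object for triage. Assumptions: a single round of wrapping, a marshalled code object as the innermost layer, and an analyst running the same Python major.minor that produced the bytecode (the marshal format is tied to the interpreter version). marshal.loads is not hardened against crafted input, so do this in a disposable VM.

```python
"""Unwrap a stacked Python loader stage: Base85 -> zlib -> marshal -> code object.

Added example (not the write-up's or the sample's code). The stage below is
constructed to mirror the wrapping order the post describes.
"""
import base64
import dis
import importlib.util
import io
import marshal
import zlib


def build_sample_stage() -> str:
    """Constructed stand-in for the wrapped stage.

    A harmless snippet is compiled and wrapped marshal -> zlib -> Base85,
    i.e. the reverse of the unwrapping order in the execution workflow.
    """
    inner_src = "MARKER = 'agent starting'\nresult = len(MARKER)\n"
    code = compile(inner_src, "<stage>", "exec")
    return base64.b85encode(zlib.compress(marshal.dumps(code))).decode("ascii")


def unwrap_stage(blob: str):
    """Reverse the chain without executing anything.

    Base85 decode, zlib decompress, marshal load. marshal.loads is not safe
    against crafted input and the format follows the producing Python
    version, so run this in a throwaway VM with the matching interpreter.
    """
    raw = base64.b85decode(blob.encode("ascii"))
    plain = zlib.decompress(raw)
    return marshal.loads(plain)


def wrap_as_pyc(code) -> bytes:
    """Constructed .pyc-style container for testing code_from_pyc().

    Since Python 3.7 a .pyc starts with a 16-byte header: 4-byte magic,
    4-byte flags, then mtime+size (or a source hash). Zeros are used here.
    """
    return importlib.util.MAGIC_NUMBER + b"\x00" * 12 + marshal.dumps(code)


def code_from_pyc(data: bytes):
    """Load the code object from raw .pyc bytes, checking the magic first.

    A magic mismatch means the file was compiled by a different Python
    version; loading it with this interpreter would fail or mis-decode.
    """
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic mismatch: compiled by a different Python version")
    return marshal.loads(data[16:])


def disassemble(code) -> str:
    """Return the dis listing as text (the PYC disassembly step)."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


def extract_strings(code) -> list:
    """Collect string constants recursively, including nested code objects
    (functions, lambdas), for a first look at URLs, paths and log strings."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif hasattr(const, "co_consts"):
            found.extend(extract_strings(const))
    return found


if __name__ == "__main__":
    stage = unwrap_stage(build_sample_stage())
    print(extract_strings(stage))
    print(disassemble(stage))
```

Real loaders often stack more than one round or swap in a different encoding per layer; the same pattern applies, decoding one layer at a time and inspecting the result before going further, never exec()-ing an intermediate stage to see what it does.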

Microsoft Store Apps May Deliver Go Backconnect Proxy Malware

Analysis of fake utility installers delivering proxyware malware through the Microsoft Store, with findings related to Ghostsocks. Quick Summary: A consolidated analysis of suspicious Microsoft Store utility apps, including WinDirStat and LightShot impersonators, that load a shared Go-based client.dll backconnect/proxy implant. Primary payload: client.dll. Primary C2: mylabubus.shop. Compiler: Go 1.24.9. Assessment: backconnect/proxy malware. Contents: Executive Summary, Key Findings, Technical Analysis, Evidence Summary, Campaign Correlation, Indicators of Compromise, MITRE ATT&CK Mapping, Responsible Disclosure, Updates. Executive Summary: I analyzed a suspicious Microsoft Store utility package, focusing in particular on a WinDirStat impersonator. The analysis combined manual reverse engineering and runtime testing with AI-assisted workflows using REMnux MCP, Malcat MCP with Claude, and automated sandbox analysis. The application presented itself as a normal El...

YAPA: Now using WIX to further evade detection

Deep dive into YAPA malware using a new WiX installer technique, analyzing PDFRefresh, updater abuse, UUID fingerprinting, and stealth persistence. YAPA (Yet Another PDF Application), EvilaAI, MediaArena, or whatever you want to call these, are continuously trying new tactics and techniques to evade detection. In this latest YAPA post, I look at PDFizer, which uses a WiX MSI installer to make detection more difficult. I first posted a similar file, FlyPDFy, in this X post. PDFizer: MD5: 5843ff0c676bcf99039b2b46035fdf8e; Signer: Shappi Corp; Download: https://pdf-izer[.]com/. Sandbox run: File extraction: Since this is a WiX installer, we can use dark.exe to extract the MSI, then a tool like lessmsi to extract the remaining files: PDFCoreLibrary.dll (.NET), PDFizer.exe (.NET), PDFRefresh.exe (Go). The .NET files appear to be benign. However, the MSI does create a scheduled task to run PDFRefresh...

Test Report from Malcat MCP with Claude on YAPA binary

The following is a test run of using Malcat with MCP. Malware Analysis Report: xchanger.exe | Analyzed: 2026-03-12 | Tool: Malcat + .NET disassembly. Verdict: MALICIOUS, trojanized installer / C2 dropper. File Metadata: Filename: xchanger.exe; File Size: 1,779,416 bytes (~1.7 MB); Type: PE / .NET (DOTNET); Version: 2.0.20.403; Internal Name: XChanger.exe; Copyright: XChanger Copyright © 2026; SHA-256: 356ca46f39b480d0ab523535f98e64ae0ec58fe1fdbb8ffc02f54b814445e9d0. Hardcoded XOR Key (NetworkManager, Scramble/Unscramble): Xt7Kp2Lm9Qw4Rv8Y-x1729583156; Length: 29 characters; found at EA 0xE771, 0xFB1A. // Rolling XOR per character, then Base64-encoded for transmission: byte lambda(char c, int i) { return (byte)(c ^ "Xt7Kp2Lm9Qw4Rv8Y-x1729583156"[i % 29]); } // Called by: PostPayloadAsync, SendConfigNotificationAsync, TransmitProfileReportAsync, BeginS...
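The Scramble/Unscramble routine the report describes (rolling XOR against the hardcoded key, then Base64), as an added example in Python that is not the binary's code. It encodes the way the sample would before transmission, decodes a captured body back to JSON, and recovers key bytes from known plaintext, which is how you confirm a key without the binary in hand. One caveat a practitioner should check first: the key as printed in the report is 28 characters, while the report says 29 and the lambda uses i % 29; a 29-character modulus over a 28-character string would index out of range, so either a character was lost in extraction or the length is misreported. The example indexes with len(key), so it works with the key as printed. Assumptions: the C# char-to-byte cast is applied to ASCII text, so plaintext is treated as UTF-8 bytes; the captured body below is constructed, not real traffic.

```python
"""Rolling XOR with a hardcoded key, then Base64: encode, decode, recover.

Added example (not code from the analyzed binary or the report).
"""
import base64
import json
import string

# Key exactly as printed in the report. It is 28 characters; the report says
# 29 and shows `i % 29`. Indexing with len(key) makes the printed key usable
# as-is; if a 29th character is recovered from the binary, just use that key.
REPORTED_KEY = "Xt7Kp2Lm9Qw4Rv8Y-x1729583156"


def _xor_with_key(data: bytes, key: str) -> bytes:
    """Byte-wise XOR against key[i % len(key)] (the rolling XOR step)."""
    kb = key.encode("ascii")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def scramble(plaintext: str, key: str = REPORTED_KEY) -> str:
    """What the sample sends: XOR each character, then Base64 the result.

    Assumption: ASCII text, so (byte)(char) in the C# lambda equals the UTF-8 byte.
    """
    return base64.b64encode(_xor_with_key(plaintext.encode("utf-8"), key)).decode("ascii")


def unscramble(b64: str, key: str = REPORTED_KEY) -> str:
    """Inverse of scramble(): Base64 decode, then the same XOR (XOR is self-inverse)."""
    return _xor_with_key(base64.b64decode(b64), key).decode("utf-8", errors="replace")


def decode_capture(b64: str, key: str = REPORTED_KEY):
    """Decode a captured request body and parse it as JSON.

    Returns the parsed object, or None when the key is wrong or the body
    is not JSON, so it can be used to test candidate keys against captures.
    """
    try:
        return json.loads(unscramble(b64, key))
    except ValueError:
        return None


def recover_key_prefix(b64: str, known_plaintext: str) -> str:
    """Known-plaintext recovery: cipher XOR plaintext yields the key bytes
    for that span. A body known to start with '{"' gives two key bytes;
    a fixed field name gives more."""
    raw = base64.b64decode(b64)
    kp = known_plaintext.encode("utf-8")
    n = min(len(raw), len(kp))
    return bytes(raw[i] ^ kp[i] for i in range(n)).decode("ascii", errors="replace")


def looks_decoded(text: str) -> bool:
    """Cheap plausibility check for a candidate key: output is all printable."""
    return len(text) > 0 and all(ch in string.printable for ch in text)


# Constructed capture (not real traffic): a small profile-report-style body
# encoded with the reported key, standing in for a request body seen on the wire.
CAPTURED_BODY = scramble('{"event":"profile_report","host":"WIN-LAB"}')


if __name__ == "__main__":
    print(CAPTURED_BODY)
    print(decode_capture(CAPTURED_BODY))
    print(recover_key_prefix(CAPTURED_BODY, '{"event":"'))
```

Because a short repeating key is reused across every request, any captured body with a predictable prefix leaks the first key bytes, and longer bodies leak the full key once the period is known; that is the check to run on the real traffic before trusting the length the report gives.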

YAPA: Analysis of DailyFile PDF App

In this series on YAPA (Yet Another PDF Application), I continue to document newly observed suspicious PDF converter applications. The latest one is DailyFile, which can be found on dailytapp[.]com. The above image shows a style similar to many other observed malicious PDF, document, and zip converter applications. Analysis: The analysis started by pivoting off other known indicators, primarily the certificate signer "Astras Novei LTD", which had also been observed with a malicious Python-based converter, Ziply. Additionally, "A1A Marketing Ltd." had previously been observed with other YAPA sites like pdf-star[.]com and powerdocapp[.]com. We also see "Sherlock Tech Ltd", which points to other YAPA samples as well. This is a .NET application, which makes it easy to load and observe in dnSpy. The YAPA here performs functions similar to previously observed instances. We can see simple obfuscation of "Google and Chrome", we can see ...