Cyderes Releases Research on .NET AOT Malware Analysis

Howler Cell’s latest research pulls back the curtain on a multistage malware campaign. The campaign uses .NET Native AOT to strip metadata, obscure functionality, and slow traditional analysis workflows. We break down the delivery chain and demonstrate a repeatable Binary Ninja methodology to recover hidden structures, rebuild runtime context, and restore visibility. If attackers are betting their code can’t be read, this guide shows how to read it anyway. Read the analysis: https://lnkd.in/gJvUu-vy

Great research from Howler Cell on a multistage campaign using .NET Native AOT to strip metadata and slow analysis. Strong example of how much visibility you can recover in Binary Ninja by rebuilding structure and context. Check it out!

Our next release from Cyderes Howler Cell highlights a detailed walkthrough on reverse engineering .NET AOT‑compiled malware and reconstructing .NET AOT method signatures using Vector 35's Binary Ninja. In this post, I break down:  - How .NET AOT compilation strips metadata and complicates analysis  - Techniques for navigating native AOT binaries inside Binary Ninja  - A step‑by‑step reconstruction workflow for identifying function signatures using WARP  - Applying the method to analyze a real malware delivery chain If you're into reverse engineering, threat research, or just enjoy peeling apart complex binaries, I think you’ll find this one valuable. Read the full write‑up here: https://lnkd.in/gfp5Gti8 #CyberSecurity #InfoSec #ThreatResearch #ThreatIntelligence #MalwareAnalysis #Infostealer #CyberThreats #SecurityResearch #DigitalForensics #IncidentResponse #MalwareResearch #CyberDefense #BlueTeam #RedTeam #SOC #HowlerCell

Howler Cell’s latest research pulls back the curtain on a multistage malware campaign. The campaign uses .NET Native AOT to strip metadata, obscure functionality, and slow traditional analysis workflows. We break down the delivery chain and demonstrate a repeatable Binary Ninja methodology to recover hidden structures, rebuild runtime context, and restore visibility. If attackers are betting their code can’t be read, this guide shows how to read it anyway. Read the analysis: https://bit.ly/4dkgQpu

Howler Cell’s latest research pulls back the curtain on a multistage malware campaign. The campaign uses .NET Native AOT to strip metadata, obscure functionality, and slow traditional analysis workflows. We break down the delivery chain and demonstrate a repeatable Binary Ninja methodology to recover hidden structures, rebuild runtime context, and restore visibility. If attackers are betting their code can’t be read, this guide shows how to read it anyway. Read the analysis: https://bit.ly/4dkgQpu

Howler Cell’s latest research pulls back the curtain on a multistage malware campaign. The campaign uses .NET Native AOT to strip metadata, obscure functionality, and slow traditional analysis workflows. We break down the delivery chain and demonstrate a repeatable Binary Ninja methodology to recover hidden structures, rebuild runtime context, and restore visibility. If attackers are betting their code can’t be read, this guide shows how to read it anyway. Read the analysis: https://bit.ly/4dkgQpu

"I emulated the Axios supply chain attack end-to-end. 6 phases. 8 Sigma rules & ES|QL queries. Zero actual malware." If you've been following the npm ecosystem news, The Axios compromise (March 30-31, 2026) was a textbook example of how devastating a supply chain attack can be. BlueNoroff (Lazarus subgroup / DPRK) compromised the npm account of the lead Axios maintainer and published malicious versions (axios@1.14.1 and axios@0.30.4) with a poisoned transitive dependency plain-crypto-js@4.2.1.                                            To give back the experience of living through the attack, I built a complete Caldera adversary profile that emulates the full kill chain on a Windows target: Phase 1 — Supply chain discovery (T1195.002)                                      Phase 2 — RAT download from C2 sfrclak.com:8000 (T1105) Phase 3 — Execution + persistence via MicrosoftUpdate Run key (T1547.001)                        Phase 4 — Obfuscation detection + artifact deletion (T1027, T1070.004)                         Phase 5 — C2 beacon simulation with IE8 User-Agent fingerprinting (T1104)                        Phase 6 — Exfil staging (T1005)                                                                       I have also written the Detections for all the observed behaviours content included:     → 8 Sigma rules covering all attack phases                                          → ES|QL queries for hunting in Elasticsearch/Kibana  → Mapped to MITRE ATT&CK  Why this matters: Axios is not just in your CI; most of the MCPS also heavily use Axios I know it's late, but I have some recommendations :             1. Pin to versions of your dependencies                                            2. Audit package.json for unknown/transitive dependencies                                   3. Run this Caldera operation in a test environment  4. Validate their SIEM/EDR against the included Sigma/ES|QL rules                                                                Link: https://lnkd.in/gU_eTs43    

🚨 Active supply chain attack on axios@1.14.1 and axios@0.30.4. These versions pull in plain-crypto-js@4.2.1 -- a brand-new package that didn't exist before today. Socket's AI analysis flags it as a malicious obfuscated dropper: runtime deobfuscation, dynamic execSync loading, payload staging to temp/ProgramData directories, and post-execution artifact deletion. Consistent with supply chain malware. We're still investigating. If you use axios, pin your version and audit your lockfile.

just yesterday I said it was supremely important to understand that AI would begin finding zero days at a massive speed. Today I open up my computer and what do I see? Claude just discovered 500 zero day vulnerabilities! welp

Just completed a hands‑on malware analysis lab on TryHackMe which focused on dissecting a suspicious Windows binary. Labs like this are a great reminder that creativity in tooling and methodology is just as important as technical depth when you’re reversing binaries and hunting for IOCs. There is almost always more than one technique or tool available during an investigation. Techniques used: - Performed static analysis of the PE file, focusing on headers, imports, and embedded strings to quickly surface potential IOCs. - Used multiple approaches to extract and interpret indicators: PeStudio for structured string analysis, PowerShell to pull and decode embedded data, and CyberChef as a visual cross‑check. - Showcased how the same artifact can be understood through different lenses, reinforcing that effective malware analysis isn’t about a single “right” tool, but about combining techniques to validate and enrich findings. Room Shadow Trace : https://lnkd.in/gKD5YB_C #TryHackMe #MalwareAnalysis #DFIR #ReverseEngineering #ThreatHunting #IncidentResponse #BlueTeam #PowerShell