- █▀▄▀█ █░░ █░█░█ █▀█ █▄▄ █░░ █▀█ █▀▀ █▀
- █░▀░█ █▄▄ ▀▄▀▄▀ █▀▄ █▄█ █▄▄ █▄█ █▄█ ▄█

A collection of blogs about Malware Development and Analysis from talented researchers.

The goal is to inspire your imagination, improve your skills in malware development, and help you learn new techniques.

Contribute: If you know of a cool blog about malware, please contribute to this repository!

Disclaimer: I am not the author of these blogs. This repository is simply a collection of them. All credit goes to the original authors.

---

[ MALWARE DEV ]

(Offensive Tradecraft, Evasion, Internals, Injection)

• Getting Started With Malware Development - crow.rip - Click Here
• Hacking the World with HTML - osandamalith.com - Click Here
• Modern implant design: position independent malware development - 5pider.net - Click Here
• OPSEC: Read the Code Before It Burns Your Op - blacksnufkin.github.io - Click Here
• A universal EDR bypass built in Windows 10 - riskinsight-wavestone.com - Click Here
• The Emulator's Gambit: Executing Code from Non-Executable Memory - redops.at - Click Here
• Indirect syscalls and dynamic SSN retrieval via PEB/EAT - redops.at - Click Here
• Syscall Workshop: Bonus Material Part I (APIs) - redops.at - Click Here
• Syscall Workshop: Bonus Material Part III (Hooked SSNs) - redops.at - Click Here
• Evading the Machine (AI) - steve-s.gitbook.io - Click Here
• Using Reflective Loaders to Replace LoadLibrary - racoten.gitbook.io - Click Here
• Unleashing the Unseen: Cobalt Strike Profiles for EDR Evasion - whiteknightlabs.com - Click Here
• Breaking Patterns: Rethinking Assumptions in Code Execution - ioactive.com - Click Here
• New AMSI Bypss Technique Modifying CLR.DLL - practicalsecurityanalytics.com - Click Here
• Bypass AMSI in 2025 - r-tec.net - Click Here
• Bypass userland hooking using suspended processes - waawaa.github.io - Click Here
• How to Obfuscate C Code - digital.ai - Click Here
• PIC DLL Loaders - tradecraftgarden.org - Click Here
• Perfect DLL Hijacking - elliotonsecurity.com - Click Here
• Hiding in Plain Sight: Unlinking Malicious DLLs from the PEB - blog.christophetd.fr - Click Here
• ThreadlessStompingKann - caueb.com - Click Here
• Module Stomping - dtsec.us - Click Here
• Early Bird APC Injection - chrollo-dll.gitbook.io - Click Here
• Code & Process Injection - ired.team - Click Here
• Mockingjay revisited (Process Stomping / sRDI) - naksyn.com - Click Here
• Process Injection Techniques (PDF) - i.blackhat.com - Click Here
• File Folding (Origami) - thecontractor.io - Click Here
• SWAPPALA: Why Change When You Can Hide? - oldboy21.github.io - Click Here
• Shellcodes are dead, long live Fileless Shellcodes - kleiton0x00.github.io - Click Here
• COFFLoader: Building your own in memory loader - trustedsec.com - Click Here
• Finding and utilising leaked code signing certificates - tij.me - Click Here
• Hack-cessibility: When DLL Hijacks Meet Windows Helpers - trustedsec.com - Click Here
• WSUS Is SUS: NTLM Relay Attacks in Plain Sight - trustedsec.com - Click Here
• ByteViper - ghost-pepper.gitbook.io - Click Here
• Executing CSharp Assemblies from C code - lsecqt.github.io - Click Here
• When is it generally safe to CreateRemoteThread? - m417z.com - Click Here
• fork() bombing windows - mostwanted002.page - Click Here
• Reflective DLL got Indirect Syscall skills - oldboy21.github.io - Click Here
• The Art of Linux Kernel Rootkits - inferi.club - Click Here
• Mic-E-Mouse (Drivers/Hypervisors) - sites.google.com - Click Here
• Diving Into Glupteba's UEFI Bootkit - unit42.paloaltonetworks.com - Click Here
• Read Teaming: How Modern Attackers Bypass EDR - deceptiq.com - Click Here

---

[ MALWARE ANALYSIS & REVERSE ]

(Dissection, Threat Hunting, Intel, Detection)

• malware-traffic-analysis.net - malware-traffic-analysis.net - Click Here
• Malware analysis (Elastic Security Labs) - elastic.co - Click Here
• Malwarebytes Labs - The Security Blog From Malwarebytes - malwarebytes.com - Click Here
• How is my Browser blocking RWX execution? - rwxstoned.github.io - Click Here
• EDR Analysis: Leveraging Fake DLLs, Guard Pages, and VEH - redops.at - Click Here
• Using EMBER2024 to evaluate red team implants - mez0.cc - Click Here
• Naively bypassing new memory scanning POCs - sillywa.re - Click Here
• Exploit Reversing Blog - exploitreversing.com - Click Here
• CS6038/CS5138 Malware Analysis Course - class.malware.re - Click Here
• A Programmer's View On Conti-Locker - swayam-padhy.gitbook.io - Click Here
• Phantom Persistence - blog.phantomsec.tools - Click Here
• Breaking TadpoleVM - deluks2006.github.io - Click Here
• Reverse Engineering WeeperVM 2 - x64.ooo - Click Here
• Crackmesone CTF - crackmesone.ctfd.io - Click Here
• APT28 campaign targeting Polish government institutions - cert.pl - Click Here
• XWorm malware resurfaces with ransomware module - bleepingcomputer.com - Click Here
• From a Single Click: Lunar Spider Intrusion - thedfirreport.com - Click Here
• ShadowV2 Botnet Exploits AWS Docker Containers - thehackernews.com - Click Here
• GhostSocks: From Initial Access to Residential Proxy - synthient.com - Click Here
• DHCSpy: Discovering the Iranian APT MuddyWater - shindan.io - Click Here
• Compliance Threat: RedLine Information Stealer - darktrace.com - Click Here
• PipeMagic in 2025: Tactics changes - securelist.com - Click Here
• Geedge & MESA Leak: Great Firewall Document Leak - gfw.report - Click Here
• Hunting C2 Panels: Beginner’s Guide - hunt.io - Click Here
• An Attacker’s Blunder Gave Us a Look Into Their Operations - huntress.com - Click Here
• GPUGate Malware: Malicious GitHub Desktop Implants - arcticwolf.com - Click Here
• Popular Tinycolor npm Package Compromised - socket.dev - Click Here
• AlmondRAT Analysis: Hazy Tiger Lost its Nuts - deluks2006.github.io - Click Here
• New EDR-Freeze tool uses Windows WER - bleepingcomputer.com - Click Here
• Learn about ChillyHell, a modular Mac backdoor - jamf.com - Click Here
• Lazarus and the FudModule Rootkit (Admin-to-Kernel Zero-Day) - gendigital.com - Click Here