Blog
This post begins a series centered on kernel software analysis.
Blog
Mandiant Threat Intelligence uncovered a large number of legitimate portable executable (PE) binaries affected by various types of PE infecting malware.
Blog
Transformer machine learning has seen big breakthroughs in recent years, and in this blog post we discuss a case study in which we apply Transformers to malicious URL detection.
Blog
Learn how to use flare-qdb to bring “script block logging” to the Windows command interpreter, and more.
Blog
On a Windows host there is more than one way for a program to communicate across the internet. When reverse engineering a piece of malware it is of critical importance to understand what API is being used and how it works so that you may gain an understanding of the data sent and received as well as command structure and internal protocol if applicable. The choice of networking API also affects how you craft your indicators (more on this later). I break Windows Malware Command and Control communications into four API categories: Sockets, WinInet, URLMon and COM. The primary focus of this article is COM, since it is the rarest, least understood and most difficult to reverse engineer.
Blog
The 2019 Flare-On challenge is over, now come check out the solutions and stats.
Blog
For a taste of what we expect to see in 2022, we turned to Sandra Joyce, Mandiant's EVP, Global Intel & Advanced Practices