Andreas Klopsch

I published an article how BlackByte evades EDR by removing kernel callbacks via abuse of vulnerable driver Rtcore64.sys news.sophos.com/en-us/2022/10/… #reverseengineering #malware #infosec #windows #cybersecurity #blackbyte #ALPHV #sophos #ida #ransomware #endpoint

Kazuar (Secret Blizzard) is a highly sophisticated malware family. #MIRAGE takes a deep dive into its modular P2P botnet and how it enables covert, persistent access 👀 microsoft.com/en-us/security… #cybersecurity #reverseengineering #microsoft #infosec #malware #threatintel

Another quality technical blog from #MIRAGE, this time on Secret Blizzard’s beloved #Kazuar malware. This blog is an in-depth analysis of Kazuar’s progression from a single, monolithic framework into a modular bot ecosystem composed of three distinct module types, each with clearly defined roles. Together, these components distribute functionality across the P2P botnet, enabling flexible configuration, lower observability, and broad tasking while minimizing opportunities for detection. microsoft.com/en-us/security…

Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. microsoft.com/en-us/security…

The Russian military intelligence actor Forest Blizzard has conducted large-scale exploitation of vulnerable small office/home office (SOHO) devices to hijack DNS requests and enable persistent, passive visibility and reconnaissance at scale. msft.it/6012Q24hI By compromising edge devices that are upstream of larger targets, threat actors could take advantage of less closely monitored assets to pivot into enterprise environments. We have identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure. Microsoft Threat Intelligence is publishing this research to increase awareness of the risks associated with insecure home and small-office internet devices and to give users and organizations tools to mitigate, detect, and hunt for these threats where they might be impacted.

⭐ RIFT Major Rearchitecture! Now more modular, extensible, and easier to use New experimental build 3 modes: file analysis, direct generation, HTTP API service Improved IDA Plugin! github.com/microsoft/RIFT #reverseengineering #malware #cybersecurity #infosec #RIFT

Recently, Microsoft's Digital Crimes Unit (DCU) facilitated a disruption of RedVDS infrastructure and related operations. microsoft.com/en-us/security… #infosec #cybersecurity #digitalcrime #cybercrime

The IDA Pro 9.3 release is just around the corner. hex-rays.com/blog/ida-9.3-t… #reverseengineering #idapro #malware #threatintel

🚨 RIFT Update 🚨 Improved rustc compiler detection ✅ Fixed bugs causing incorrect FLIRT signatures for nightly builds 🛠️ Plus, multiple stability fixes! We’re making RIFT easier to use—big features coming soon 😎 👉 github.com/microsoft/RIFT #RIFT #rust #microsoft #infosec

🚨 “A fake fix is all it takes.” ClickFix convinces users to run attacker commands themselves. Always verify before pasting anything into a terminal. Full analysis: microsoft.com/en-us/security… #malware #mstic #microsoft #infosec #cybersecurity

RIFT Update ⚡ Automate rustc_hashes.json updates with new Linux & Windows scripts! Easier than ever. 👉 github.com/microsoft/RIFT #CyberSec #MalwareResearch #RIFT

This is an amazing story about why companies should always think about who their customers are! Lesson: Don't mess with reverse engineers! codetiger.github.io/blog/the-day-m… #reverseengineering #cybersecurity #infosec

Just dropped: my RECON 2025 talk on Rust library recognition in malware! 🦀 Worth a watch if you're into RE or malware research. youtu.be/_JiuYkFzVgg?si… #malware #RIFT #microsoft #reverseengineering #rust

Lots of frustration in the malware analysis and reverse engineering community. It's been discovered a DEFCON talk, presentation, and the code which coincided with it, was AI slop. The talk itself had hallucinated terminology which (apparently) no one at DEFCON noticed. Bad.

#PipeMagic is a highly modular backdoor used by the financially motivated threat actor Storm-2460. It masquerades as a legitimate open-source ChatGPT Desktop Application. Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS). PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Quality blog by MSTIC malware intelligence, research and analysis (MIRAGE) team: microsoft.com/en-us/security… #pipemagic #mstic #mirage #threatintelligence

🚨 Ever tangled with virtual machine-based code protection? 🚨 In 2020, I wrote a virtual machine deobfuscator for a crack me challenge. Check it out! malwareandstuff.com/taming-virtual… malwareandstuff.com/taming-virtual… 🔍 #ReverseEngineering #MalwareAnalysis #windows #idapro #deobfuscation

🚨 Microsoft reports Russian APT Secret Blizzard is targeting embassies in Moscow with AiTM attacks using ApolloShadow malware. It installs a trusted root cert to spoof legit sites & maintain persistence—ongoing since 2024. 🧵 Details: microsoft.com/en-us/security… #CyberSecurity #APT #ThreatIntel

🚨 RIFT update! Now supports FLIRT signature generation on Linux 🐧 🔗 github.com/microsoft/RIFT #RustLang #MalwareAnalysis #ReverseEngineering #DFIR #FLIRT

🚨 RIFT Update: We’ve boosted our compiler detection! 🛠️ Now with sharper insights into binaries built using GNU, MinGW, and MSVC toolchains. More enhancements are on the way—stay tuned! 🔍✨ #ReverseEngineering #MalwareAnalysis #RIFT #malware #msft github.com/microsoft/RIFT

Do you find analyzing Rust binaries/malware tedious and unpleasant? You’re not alone! If you’re attending #REcon this year, our own @hackingump1 will be unveiling #RIFT today at 2PM EST (not at REcon? We got you covered, stay tuned). We have been using RIFT internally for some time and it has truly transformed the way we handle and analyze Rust binaries. cfp.recon.cx/recon-2025/tal… #RIFT #Rust #REon25 #MSTIC #MIRAGE

Unpacking VMProtect 3 (x64) 🤷‍♂️