Josh Stroschein | The Cyber Yeti

5.2K posts


@jstrosch

Reverse engineer and content creator | 😱 1M+ views on YT | 🎙️ Host of Behind the Binary podcast 👇

Wherever you find me
Joined July 2009
1.3K Following, 11.8K Followers
Pinned Tweet
Josh Stroschein | The Cyber Yeti
🇸🇬 I'm heading to #BlackHatAsia for the first time as part of the FLARE training team. We’re bringing 4 days of "The FLARE Team's Guide to Reverse Engineering Modern Malware." I’m especially excited for our labs on:
⏪ Time Travel Debugging (TTD)
🕵️‍♂️ Evasion: (in)direct system calls and process injection
🧪 Identifying crypto (in ransomware)
🏗️ C++ & .NET internals and deobfuscation tactics
We'll have four days for deep-dive labs, mentorship, and learning - hope to see you there!
📅 blackhat.com/asia-26/traini… @BlackHatEvents
Josh Stroschein | The Cyber Yeti
🏗️ You can’t create reliable Windows shellcode without a precise understanding of the Windows API. It's more than knowing the function—you must understand call order, handle preservation, and manual structure parsing.
Watch Part 2 of the workshop here: 📺 youtu.be/xdCfeC7o2Ss
Once we move to assembly, the "safety net" is gone. No compiler to catch type mismatches or manage your stack:
🔹 You are the memory manager for your structures.
🔹 You must manually ensure calling conventions are followed.
🔹 You are responsible for calculating every member offset by hand.
Josh Stroschein | The Cyber Yeti
🐚 Custom Windows shellcode is the ultimate way to learn OS internals and sharpen your assembly skills.
🗺️ Video 1: The Game Plan. We start in C to map out the APIs and logic before hitting the ASM.
Watch Part 1: 📺 youtu.be/6oeMEzCKXyo
✅ Dev/Debug workflows
✅ Position-Independence (PIC)
✅ Module & API hashing
✅ Stack strings & Endianness
✅ XOR obfuscation & Decryption stubs
Josh Stroschein | The Cyber Yeti
🇸🇬 The #FLARE training at #BHAsia2026 is officially at 79% capacity! 🚨 We’re 1 month away from kicking off 4 days of deep-dive RE in Singapore. We'll be covering:
✅ Time Travel Debugging (TTD)
✅ EDR Bypasses & Direct Syscalls
✅ C++ & .NET Malware
Syllabus/Registration: 👉 blackhat.com/asia-26/traini…
🤔 DMs are open if you have questions about the curriculum! See you there! 💪 @BlackHatEvents @Mandiant
Josh Stroschein | The Cyber Yeti retweeted
txc @0x747863
IcedID Config extraction: Writeup for a challenge part of Zero2Auto malware analysis course. txc.gitbook.io/documentation/… Also tried out the @REMnux MCP server to check out, how AI can support my analysis approaches and learning overall
Josh Stroschein | The Cyber Yeti retweeted
DFIR Diva @DfirDiva
🚨 Final call! It’s your last chance to enter the DFIR Diva x @Detegoforensics giveaway before it’s Game Over! Set in a vibrant, pixelated 8-bit cityscape inspired by classic arcade games, Detego Detective turns a short break into an exciting challenge. 🕹️ The clock’s ticking. Play now, set a high score and win Detego merch!
🕵️ How to enter:
✅ Play the game at detegodetective.com
✅ Follow Detego Global on LinkedIn
🏆 Winners will be announced soon!
Josh Stroschein | The Cyber Yeti retweeted
Mandiant (part of Google Cloud)
🔥 Join the FLARE Team for an advanced deep dive into Windows malware with RingZer0. Master the tradecraft we use daily:
🔹 TTD Execution Tracing
🔹 EDR Evasion & Syscalls
🔹 C++/.NET Reversing
🔹 Ransomware Crypto
Register: bit.ly/4rwZWHT
Josh Stroschein | The Cyber Yeti
⏪ Dynamic analysis has come a long way. Time-travel debugging (TTD) is a great example - it allows you to query execution information instead of relying on break/resume to find what you are looking for!
- Full OS interaction
- Forwards/backwards navigation from the trace
- Scriptable (JS/LINQ)
- That WinDbg UI everyone loves!
🤔 But how can TTD help with .NET malware? Easy—it lets you trace the transition from managed code to unmanaged API calls. We broke down these techniques to unravel .NET process hollowing in a recent blog post: cloud.google.com/blog/topics/th…
This is just one example of the content we're bringing to #BlackHatAsia! 🇸🇬 blackhat.com/asia-26/traini… @BlackHatEvents
Josh Stroschein | The Cyber Yeti retweeted
Mandiant (part of Google Cloud)
Modern malware is evolving quickly. Join the FLARE team at in Singapore to master:
- Syscall stub identification
- PPID Spoofing
- Process injection via Native APIs
Register ➡️ bit.ly/4bshhge
Josh Stroschein | The Cyber Yeti
🤔 Investigating the Import Table? Looking for evidence of runtime linking? Strings are at the heart of unraveling what is going on. But how does an attacker avoid a "noisy" Import Table while keeping their capabilities? The answer: Runtime Linking. In the series finale, we use a C sample to explore how Import Tables can be constructed on the fly! 🛠️ 🧠 youtu.be/96Yl-3pvb40
Josh Stroschein | The Cyber Yeti retweeted
REcon @reconmtl
10 days left to submit in time for Phase 1 of the Recon CFP (March 14th), CFP closes April 11th. REcon is a top reverse engineering cybersecurity conference covering software and hardware reversing, exploit dev, malware analysis, software deobfuscation & more. recon.cx/2026/en/cfp.ht… #REcon2026 #ReverseEngineering #InfoSec
Josh Stroschein | The Cyber Yeti
🎧 The latest episode of Behind The Binary is here! In this episode, we are joined by Robert Wallace, Joseph Dobson, and Blas Kajusner to dissect the new "Hybrid Heist." The panel discusses that the era of isolated crypto-theft is over; sophisticated actors are now targeting the Web2 layer—the frontends, the developer workstations, and the cloud infrastructure—to bypass the immutability of the chain itself. 🍎 podcasts.apple.com/us/podcast/ep2… We also break down "Ether Hiding," a technique where attackers store malware payloads directly on the blockchain to create an unstoppable Command & Control (C2) infrastructure that cannot be taken down by traditional authorities.
Josh Stroschein | The Cyber Yeti retweeted
Pavel Yosifovich @zodiacon
Ever wanted to write a Control Panel app? No, Control Panel is not dead yet :) youtu.be/TsrQr9tqPUw
Josh Stroschein | The Cyber Yeti retweeted
Mandiant (part of Google Cloud)
AI agents are never going to have a credit card, but they will have crypto wallets. In this Behind the Binary podcast episode, Mandiant experts discuss the $1.5B Bybit heist, EtherHiding, and the rise of immutable C2. 🎧 Listen: apple.co/3NhDlkn
Ryan "Chaps" Chapman @rj_chap
I've been meaning to catch up on EtherHiding. And my man @jstrosch has our backs! Thanks to Robert Wallace, Joseph Dobson, & Blas Kajusner for joining along and creating an awesome episode for all of us. You all are appreciated :). open.spotify.com/episode/2ejHbM…