Malcat dev

First steps with #malcat? Here is a tutorial video, courtesy of @InvokeReversing : youtu.be/gqESN-etkok?fe…

@nhegde610 context size

@malcat4ever Why didn't you try glm 5.1 ?

We tested 9 LLMs on real-world #malware triage and static unpacking tasks, using only #Malcat’s MCP server. We compared not only their results, but also their speed and cost. Full write-up: malcat.fr/blog/benchmark…

#Malcat 0.9.14 is out! This is a maintenance build, with some bonuses: ● AccessDB parsing ● RAR unpacking ● UPX (static) unpacking ● Improved __noreturn detection ● ... and as usual, up-to-date signature, constants and Kesakode DBs!

If you are facing malicious access databases (getting traction rn), you can extract the VBA easily in #Malcat: 1. Locate "Attribute VB_Name" 2. Select from the 0x01 preceeding 3. .. up until a sequence of null bytes 4. Ctrl-T-> Office RLE We are working on a parser module!

#cybersecurity #malware #clickfix #macos #botconf Hi, I’ve decided to share a tool I wrote in my spare time. The app is designed to track the ongoing ClickFix campaign targeting macOS and Win users and collect compromised websites. clickfix.pro Hey @madzincyber :)

FUD CastleLoader signed "INFOTECK SOLUTIONS PRIVATE LIMITED" The 40MB exe makes it hard for detection engines to see the 1 important line of python it will execute. Short #malcat investigation though. 62a6e64a7233f4a756d01c54840ff703a620a416929d57eebc0bdac3b9ed2019 1/3

@martinbayard There's a good chance I'll forget it in a bar :D

@malcat4ever Where can we buy such a hoodie ? 😍😍😍

If you're attending #botconf this year and want to talk about #Malcat, come say hi. I'll be easy to spot: just look for the cool hoodie :)

(of course this is a joke, but I bet it's what he thought)

New anti-AV technique! By setting the PE VersionInfo to specific strings (here french for "dont-scan-mf"), you'll bypass most security solutions! Even if your file is named "RAT" or Stub.dll :D

@huntnp007 that was a joke Jessica ^^

@malcat4ever Product name literally says RAT though. Not exactly subtle. Wild that string tricks still fool some vendors in 2025.

Btw, it seems to be a new RAT named "Sero". Binary there: bazaar.abuse.ch/sample/ebf93fa…

Full analysis: securelist.com/coruna-framewo…

@SquiblydooBlog We have MSI -> powershell x2 -> shellcode that fetches a Letsdiskuss profile. C2 url is decoded by looking up the position of each word in the original lorem ipsum. All this and ... all the C2 urls are down :D

Fake Microsoft Teams, "MTSetup_v15.3.7191.msi" signed by "Tryphena Lewis" 18c5b7a39be2f4a4b2fd45f0f273874f5efcc8751d4e592e5f2bcf6dbf781277 FUD-lite Uploaded to MalwareBazaar here https://bazaar.abuse[.]ch/sample/18c5b7a39be2f4a4b2fd45f0f273874f5efcc8751d4e592e5f2bcf6dbf781277

Underrated use for LLMs: the ability to port Go programs to other languages, so that nobody has to touch this ugly language ever again.

In Malcat, hitting <Ctrl+M> will start the in-GUI MCP server (works in free version too). You can then interact with the current analysis using your LLM of choice. Here I renamed functions and variables of the C2 dispatcher function for an unknown malware:

@HuntYethHounds @rifteyy @SquiblydooBlog @andrewdanis @s1dhy ran xchanger through malcat MCP (using claude). Out of the box, got domains & registry behavior, failed to get the hard-coded XOR key. I had to have claude disassemble the .NET to get that additional info. Then had it create and HTML report. So, semi-automated. 🤷

@struppigel Wait 'til they learn about password-protected zip files.

I don't quite understand why this is a CVE if standard unarchivers fail to unpack these ZIPs. If you corrupt or encrypt any file and need to deploy a custom loader to extract it you have same result. ¯\_(ツ)_/¯ x.com/BleepinCompute…

@RedDrip7 looks like new #MiyaRAT version

#APT #Bitter 3ee66f56461fc046f600230d11ebe731 (MSI) f57975b8bc1169b35ae17b975327195e (EXE) hxxps://99media.com[.]pk/scvz zoemagicbook[.]com

My favorite malware analysis tool has become better. Now Mac support and MCP availability? Amazing.