__ __ ______ | \/ |___ / | |\/| | / / | | | | / /__ |_| |_|/____| MZ HEADER
Hi, I'm Liam, a Security Researcher at CrowdStrike. This is my personal blog where I break down real-world malware samples with practical techniques — from unpacking and deobfuscation to debugging, disassembly, and memory forensics.
I use tools that are freely available, most of which come pre-installed on FLARE VM, so you can follow along without extra setup.
All samples referenced are publically available on VirusTotal and MalwareBazaar and you can also grab them from my repo.
Between May 2024 and January 2026, threat actors have been observed targeting Steam users by uploading malicious games to the Steam platform. At the time of writing, the FBI are currently investigating this. Affected games include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. In this post, we are reverse engineering PirateFi.
— Mar 15, 2026MacSync is a macOS infostealer that harvests passwords, browser and crypto wallet data, Keychain items, and sensitive files. Investigation revealed its manipulation of legitimate crypto apps like Ledger and Trezor to capture additional user information.
— Dec 21, 2025UPATRE is a lightweight downloader that spreads across systems by replicating itself and removing its original dropper. Our analysis focused on its XOR-based decryption and decompression routines, uncovering how it retrieves and executes second-stage payloads.
— Dec 10, 2025Write-ups for the Huntress 2025 CTF's reverse engineering challenges.
— Nov 1, 2025Winos 4.0 is a multi-stage Windows loader delivered via trojanized installers. Investigation revealed its in-memory execution layers, process checks, and adaptive behavior depending on installed apps like WhatsApp and Telegram.
— Jun 21, 2025KoiLoader and its companion KoiStealer are known for complex memory unpacking and anti-VM protections. Using WinDbg, we traced its execution, bypassed its anti-analysis checks, and documented the exact mechanisms it uses to retrieve and execute its payload.
— Jun 20, 2025A collection of write-ups for the Huntress 2024 CTF.
— Nov 7, 2024This post dissects a PowerShell loader used by Quasar RAT. It covers its execution chain, including payload decoding, process injection, and persistence mechanisms. The loader uses AES encryption for securing its configuration and employs process hollowing to evade detection.
— Mar 26, 2024XWorm RAT often relies on obfuscated loaders to evade detection. This sample starts as a batch script that decodes, AES-decrypts, and GZip-decompresses a .NET payload directly into memory.
— Feb 3, 2024ClipBanker is focused on clipboard hijacking and cryptocurrency theft. We followed its journey from a JavaScript loader to in‑memory executable payloads, showing how it monitors clipboard activity to detect and replace cryptocurrency wallet addresses during transactions.
— Jan 8, 2024NJRat is a long-standing RAT with versatile capabilities. Our investigation reconstructed the full infection chain, from malicious document to loaders and dropped binaries, highlighting the RAT’s persistence strategies and its approach to gaining control over compromised systems.
— Nov 29, 2023