
Malcat dev

@malcat4ever.bsky.social

Main developer of http://malcat.fr, a hexadecimal editor / disassembler / decompiler for #malware analysis, #DFIR and #SOC.

32 Followers  |  16 Following  |  33 Posts  |  Joined: 18.11.2024

Latest posts by malcat4ever.bsky.social on Bluesky

#Kesakode updated to 1.0.45!

● New malware entries: Fullmetal, Laplas, RoningLoader, ShadowRat, Silentsweeper and SystemShock
● Updated malware entries: 29
● FP-fixed signatures: 931
● 16587 new clean programs whitelisted
● 3452882 new functions
● 165257 new strings

16.11.2025 09:19 — 👍 0    🔁 0    💬 0    📌 0

#kesakode DB update to 1.0.43, with again a focus on the clean set:
● 18 new malware entries
● 53 existing entries updated
● FP-fixed signatures: 749
● 5280 new clean programs whitelisted
● +2M unique functions
● +300K unique strings

02.11.2025 08:07 — 👍 1    🔁 0    💬 0    📌 0
Malcat scripting tutorial: deobfuscating Latrodectus In this tutorial, we will learn how to leverage Malcat's scripting and patching capabilities to deobfuscate an unpacked Latrodectus sample.

Learn how to deobfuscate #Latrodectus using #malcat's scripting engine:

malcat.fr/blog/malcat-...

27.10.2025 09:06 — 👍 0    🔁 0    💬 0    📌 0

#kesakode updated to 1.0.42:

* New entries: Brickstorm, Butoflex, Ladvix, NetStar, Pantegana, Tendyron, Tsunamikit and VampireBot

* Updated entries: AuraStealer, Latrodectus, NightshadeC2 and QNAPCrypt

* 33275 new clean programs whitelisted

* FP-fixed signatures: 1028

21.10.2025 09:27 — 👍 0    🔁 0    💬 0    📌 0

#Kesakode updated to 1.0.41:

Malware signatures:
* New malware entries: 14
* Updated malware entries: 16
* FP-fixed signatures: 1340

Files:
* 33 new malicious samples
* 52010 new clean programs

Database:
* 13093705 new unique functions
* 7778950 new unique strings

14.10.2025 05:29 — 👍 0    🔁 0    💬 0    📌 0
0.9.11 is out: ARM and MachO analysis Malcat version 0.9.11 is out! With this release, Malcat is now able to analyse MacOS programs. That means: addition of Armv7, Armv8 and Aarch64 disassemblers and decompilers as well as MachO, DMG and...

#Malcat version 0.9.11 has been released, with support for ARM and Mach-O program analysis.
More details below:
malcat.fr/blog/0911-is...

30.09.2025 15:18 — 👍 1    🔁 0    💬 0    📌 0

#Malcat tip #10: analysing backdoored clean software can be hard.
A quick win is to pivot around known constants, thanks to Malcat's 400k+ constants DB (here a #Tropidoor dlder):

25.09.2025 09:54 — 👍 1    🔁 0    💬 0    📌 0

Tomorrow at BSides Edmonton! 🔥

22.09.2025 22:45 — 👍 1    🔁 1    💬 0    📌 0

Updated #Kesakode to 1.0.39:
* New malware entries: HybridPetya, MostereRAT, PhantomStealer, SatanLockV2 and Yurei
* Updated malware entries: 38
* 3285 new library objects seen
* 2622 new clean programs whitelisted
* 905652 new unique functions
* 1330028 new unique strings

22.09.2025 07:24 — 👍 0    🔁 0    💬 0    📌 0
YouTube video: Malcat : First Steps

First steps with #malcat? Here is a tutorial video, courtesy of
@invokereversing.bsky.social :
www.youtube.com/watch?v=gqES...

18.09.2025 07:53 — 👍 2    🔁 2    💬 0    📌 0

Updated #kesakode to 1.0.38:

Malware signatures:
* New malware entries: 20 new families
* 564116 new unique functions
* 197608 new unique strings
* 27 new unique constant fingerprints

12.09.2025 06:52 — 👍 1    🔁 0    💬 0    📌 0
Get your swimsuit, we're diving into a black SEO scheme What started like an easy unpacking session to fill a Friday afternoon led us to a singular black-SEO campaign. Together, we will unravel 4 different malicious loaders written in 4 different programm...

Sometimes it looks like #malware, smells like #malware but it's just ... weird:
malcat.fr/blog/get-you...

05.09.2025 07:18 — 👍 1    🔁 0    💬 0    📌 0
RationalEdge - Intelligence Meets Accuracy Advanced malware analysis and threat intelligence solutions by RationalEdge

TL;DR I am launching my #startup and we are going to change how to evaluate, cluster and reason about #malware, delivering accurate, contextual intelligence on samples. Say Hi to RationalEdge
@rationaledge.bsky.social
rationaledge.io

#threatintel #threathunting #cti #reverseengineering #detection 1/9

28.08.2025 12:22 — 👍 24    🔁 14    💬 2    📌 0
YouTube video by Invoke RE: Triaging Malware with Malcat (Stream - 29/07/2025)

We've uploaded our stream from July 28th where we triaged an Emotet infection chain with Renaud from @malcat4ever.bsky.social Enjoy! www.youtube.com/watch?v=xJof...

15.08.2025 14:19 — 👍 1    🔁 1    💬 0    📌 0

#Kesakode DB has been updated to 1.0.36!
* 9 new malware families
* 70 extended malware signatures
* 37 new malicious samples in database
* 11440 new library objects seen
* 120k new clean programs whitelisted
* 17M new unique functions
* 3M new unique strings

24.07.2025 19:26 — 👍 0    🔁 0    💬 0    📌 0

#Kesakode has been updated to 1.0.34!
* 34 new malware entries
* 249 extended malware signatures
* 50 new malicious samples in database
* 58950 new clean programs whitelisted
* 5459056 new unique functions
* 1862336 new unique strings

10.07.2025 09:50 — 👍 1    🔁 0    💬 0    📌 0

Does someone know this #malware, since this is definitely NOT Latrodectus? Looks like some Discord-backed infostealer:
bazaar.abuse.ch/sample/85f8c...

01.06.2025 09:35 — 👍 0    🔁 0    💬 0    📌 0

You can now check your strings in #malcat against an online library of #Malpedia FLOSSed strings. Just copy this plugin:

github.com/malpedia/mal...

27.05.2025 07:52 — 👍 0    🔁 0    💬 0    📌 0

🚀 Malcat is a powerful binary file dissector that's essential for Windows and Linux IT-security professionals. As both a feature-rich hexadecimal editor and a disassembler, Malcat offers a comprehensive toolkit for in-depth binary analysis. Check it out 👇

www.youtube.com/live/yzC_539...

09.05.2025 17:06 — 👍 3    🔁 1    💬 0    📌 0
0.9.10 is out: CFG recovery, MIPS & UI improvements Malcat version 0.9.10 is out! In this release, we have improved Malcat's CFG recovery algorithm and compared its performances against other reversing software. A new CPU architecture (MIPS) has also b...

#Malcat 0.9.10 is out! State-of-the-art CFG recovery, MIPS disassembler & decompiler and many UI improvements;

malcat.fr/blog/0910-is...

09.05.2025 04:35 — 👍 2    🔁 1    💬 0    📌 0

Sticking to your "Goldoon" example, does your result table (7) only consider artifacts from the downloader part? If yes (hard to know, but it looks like it), this is a 13kb tiny downloader, it's definitely not worth 4-5 days of analysis. A couple of hours maybe. And I'm being pessimistic.

22.04.2025 10:09 — 👍 0    🔁 0    💬 1    📌 0

Then how do you quickly confirm the AI assertion without input/output testing? It may be a sha256 variant. You know well malware authors like to modify standard algorithms.
If it's just saying "it looks like sha256", it's also very quick to say without AI:

22.04.2025 09:49 — 👍 0    🔁 0    💬 1    📌 0

Give the same task to the same person (or another evenly skilled one) with and without AI. Repeat with a few other malware analysts.
Bonus points if the task has clearly defined results, e.g. "extract the C2 url", "what files are modified", list all C2 commands, what encryption is used, etc.

22.04.2025 09:34 — 👍 0    🔁 0    💬 1    📌 0

Humans may not report things because of time constraints or just plain laziness (more to write). And even if not, "interesting" is subjective. You've found it interesting, maybe the original blog author did not.

22.04.2025 08:46 — 👍 0    🔁 0    💬 0    📌 0

For instance for Goldoon, my estimate for the blog post would be 12 hours from sample to finished article (I worked for an AV company, I have an idea how little they value such minimal blog posts).
My estimation for instance would change the conclusion of your paper. That's why estimations are bad.

22.04.2025 08:31 — 👍 0    🔁 0    💬 3    📌 0

And don't get me wrong, your comparison of LLM engines is very pertinent and useful for instance. I'm just talking about the speed claim.

22.04.2025 08:17 — 👍 0    🔁 0    💬 0    📌 0

You have not convinced me for now, but I'm open for discussion. This is surely a complex topic to evaluate.

22.04.2025 08:13 — 👍 0    🔁 0    💬 3    📌 0

Not to mention you have to know WHERE to debug, which means you already have done some basic RE work.

22.04.2025 08:12 — 👍 0    🔁 0    💬 1    📌 0

You could have asked the blog authors maybe?
The only point of comparison you give for non-AI work is your own estimation. Since you format your paper in 2 columns and post it on arxiv, I thought you wanted to make it look scientific, and "according to my own estimation" is not very scientific.

22.04.2025 08:10 — 👍 0    🔁 0    💬 1    📌 0
