FUD CastleLoader
SHA256: b0a6f7afa4877eab5085d49207e26d1d2461d2d61d71a4d406e81e9f30711c5e
C2: goldmanadv[.]com
Right now, I open in #malcat, save the CAB file to disk, extract the CAB; ripgrep for the C2. Works but could be better, right?
1/2
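The open-in-Malcat, save-the-CAB, extract, then ripgrep-for-the-C2 workflow from the post above, automated as an added Python example (not Malcat's code and not the poster's): it walks a directory of already-extracted CAB contents (Malcat or cabextract having done the unpacking), pulls out hostname-shaped strings, drops file-extension false positives and an allowlisted set of domains that show up in nearly every installer, and reports the survivors defanged. The sample tree, the allowlist and the extension list are constructed assumptions to tune per case.

```python
"""List domain-like strings found in a tree of extracted installer contents.

Added example, not Malcat's code. The sample directory, ALLOWLIST and
FILE_EXTENSIONS below are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Hostname-shaped tokens: one or more labels, then an alphabetic top-level label.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Assumption: domains that legitimately occur in most installers; tune per case.
ALLOWLIST = {"python.org", "microsoft.com", "w3.org"}

# Assumption: file extensions the regex would otherwise mistake for TLDs
# ("loader.py", "update.cab", ...).
FILE_EXTENSIONS = {"py", "pyc", "exe", "dll", "cab", "txt", "bin", "dat",
                   "json", "xml", "zip", "ps1", "vbs", "js"}


def is_allowlisted(domain: str) -> bool:
    """True if the domain itself or any parent domain is on the allowlist."""
    labels = domain.split(".")
    # Stop before the bare TLD so "org" alone never counts as a match.
    return any(".".join(labels[i:]) in ALLOWLIST for i in range(len(labels) - 1))


def candidate_domains(text: str) -> set[str]:
    """Hostname-shaped strings in text, minus file names and allowlisted domains."""
    found = set()
    for match in DOMAIN_RE.finditer(text):
        domain = match.group(1).lower()
        if domain.rsplit(".", 1)[1] in FILE_EXTENSIONS:
            continue
        if is_allowlisted(domain):
            continue
        found.add(domain)
    return found


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each candidate domain to the relative paths of the files containing it."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            # latin-1 maps every byte to one code point, so binaries decode losslessly.
            text = path.read_bytes().decode("latin-1")
            rel = str(path.relative_to(root))
            for domain in candidate_domains(text):
                hits.setdefault(domain, []).append(rel)
    return {d: sorted(paths) for d, paths in sorted(hits.items())}


def defang(domain: str) -> str:
    """Render a domain as goldmanadv[.]com-style so it is not clickable in reports."""
    return domain.replace(".", "[.]")


def report(hits: dict[str, list[str]]) -> list[str]:
    """One defanged line per domain with the files it was seen in."""
    return [f"{defang(d)}  ({', '.join(paths)})" for d, paths in hits.items()]


def build_sample_tree() -> Path:
    """Constructed stand-in for an extracted CAB: a script, a readme and a binary blob."""
    root = Path(tempfile.mkdtemp(prefix="cab_extracted_"))
    (root / "loader.py").write_text('url = "https://payload.example.net/update.cab"\n')
    (root / "README.txt").write_text("See https://www.python.org/ for details.\n")
    (root / "blob.bin").write_bytes(b"\x00\x01\x02 cdn.example.org \xff\xfe")
    return root


if __name__ == "__main__":
    for line in report(scan_tree(build_sample_tree())):
        print(line)
```

Run against the real extraction directory by passing its path to `scan_tree`; the allowlist is deliberately short so that anything unfamiliar surfaces and can be checked by hand rather than silently dropped.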
We had 9 LLMs battle on real-world #malware triage and static unpacking tasks, using only #Malcat MCP server.
We compared not only their results, but also their speed and cost.
Full write-up:
https://malcat.fr/blog/benchmarking-llms-for-malware-triage-and-static-unpacking-with-malcat/
#Malcat 0.9.14 is out!
This is a maintenance build, with some bonuses:
● AccessDB parsing
● RAR unpacking
● UPX (static) unpacking
● Improved __noreturn detection
● ... and as usual, up-to-date signature, constants and Kesakode DBs.
Happy reversing!
FUD CastleLoader signed "INFOTECK SOLUTIONS PRIVATE LIMITED"
The 40MB exe makes it hard for detection engines to see the 1 important line of python it will execute. Short #malcat investigation though.
62a6e64a7233f4a756d01c54840ff703a620a416929d57eebc0bdac3b9ed2019
1/3
We're happy to announce that #malcat 0.9.13 is out!
You'll find a new Apple-silicon macOS port, two integrated MCP servers (in-GUI + headless) for automated triage and an improved interface:
https://malcat.fr/blog/0913-is-out-macos-port-mcp-server-and-dark-mode
#malcat 0.9.12 is out!
Enjoy .pyc and .net stack analysis, py 3.14 support, nuitka / inno 6.7 / .net singlefile bundle parsers and many other improvements:
https://malcat.fr/blog/0912-is-out-python-314-pyc-and-net-stack-analysis/
Malcat version 0.9.12 is out! This time we have focused on python and dotnet disassembly, with a new stack analysis that should improve their disassembly listing readability. We have also added support for python 3.14 and packed a large number of minor improvements.
The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.
Video showing expanding the NSIS contents
3/7
Running the rule against a file will only tell me that it matched, but not what matched, so I load it into #malcat.
Malcat comes with a lot of YARA rules already but there is a user directory too which allows you to add your own and ensure they persist across updates.
4/10