MalcatMar 10

We're happy to announce that #malcat 0.9.13 is out!

You'll find a new Apple-silicon MacOS port, two integrated MCP servers (in-GUI +headless) for automated triage and an improved interface:

https://malcat.fr/blog/0913-is-out-macos-port-mcp-server-and-dark-mode

MalcatJan 16

#malcat 0.9.12 is out!

Enjoy .pyc and .net stack analysis, py 3.14 support, nuitka / inno 6.7 / .net singlefile bundle parsers and may other improvements:

https://malcat.fr/blog/0912-is-out-python-314-pyc-and-net-stack-analysis/

0.9.12 is out: Python 3.14, PYC and .NET stack analysis

Malcat version 0.9.12 is out! This time we have focused on python and dotnet disassembly, with a new stack analysis that should improve their disassembly listing readability. We have also added support for python 3.14 and packed a large number of minor improvements.

MALCAT
Show threadSquiblydooJan 16

The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.

Video showing expanding the NSIS contents
3/7

Show threadSquiblydooJan 16

The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.

Video showing expanding the NSIS contents
3/7

Show threadSquiblydooJan 16

The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.

Video showing expanding the NSIS contents
3/7

Show threadSquiblydooJan 14

Running the rule against a file will only tell me that it matched, but not what matched, so I load it into #malcat.

Malcat comes with a lot of YARA rules already but there is a user directory too which allows you to add your own and ensure they persist across updates.
4/10

Show threadSquiblydooJan 12

With #malcat, or other tools, a reverse engineer can investigate those function blocks to understand what they are any why they are unique. For me, I can use this rule for hunting across an environment if desired.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day10.yara
5/5

Show threadSquiblydooJan 10

This scripts are deceptive as they contain 10,000 empty lines. BTW #malcat loads scripts like these better than most text editors.

If I get the chance, I may revise it to see how to find ones without the matching text or if you have ideas, hmu.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day9.yara
3/3

100DaysofYARA/Squiblydoo/Day9.yara at main · Squiblydoo/100DaysofYARA

Rules shared by the community from 100 Days of YARA 2026 - Squiblydoo/100DaysofYARA

GitHub
Show threadSquiblydooJan 2

For making the rule, I again used #malcat. I highlighted the smaller icon and added it to the YARA rule: "right-click" > "add selection to YARA" > "New rule". Couldn't be easier.

https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day2.yara
4/4

MalcatDec 5

#Malcat tip:

#Kesakode can be useful even when facing unknown/packed samples. Check "Show UNK" and focus on unique code and strings.

Here a simple downloader: