🦀 I'm excited to announce that I am starting a training firm, @decoderloop, focused on providing Rust Reverse Engineering training! https://decoderloop.com/

The tools, techniques, and resources that reverse engineers have were built for the era of C. Meanwhile, malware authors and software developers alike are rapidly switching to modern programming languages such as Rust. Decoder Loop is here to fill the knowledge gap and level the playing field, for reverse engineers facing modern binaries.

We hope to come to a conference near you, next year. If you'd like to stay notified on upcoming trainings: follow us at @decoderloop, or sign up on our mailing list at https://decoderloop.com/contact/#training-signup-form

I'll also be at @ringzer0 COUNTERMEASURE on November 7 in Ottawa, Canada, giving a Rust RE focused workshop! Come say hi if you're there, and let's chat Rust RE!

#ReverseEngineering #MalwareAnalysis #rust #rustlang #infosec #training #cybersecurity

Our technical deep-dive about AppSuite PDF Editor backdoor is out 📝👇

https://www.gdatasoftware.com/blog/2025/08/38257-appsuite-pdf-editor-backdoor-analysis
#GDATA #GDATATechblog #AppSuite

🔍New Blog: JustAskJacky -- AI brings back classical trojan horse malware

https://www.gdatasoftware.com/blog/2025/08/38247-justaskjacky-ai-trojan-horse-comeback

#GDATA #GDATATechblog

🦔 📹 New Video: There is more than Clean and Malicious

➡️ 7 file analysis verdicts and what they mean

#MalwareAnalysisForHedgehogs #Verdicts
https://www.youtube.com/watch?v=XwT23XVtAw0

Great analysis of the malware distributed with the esling-config-prettier NPM package compromise on Friday: https://c-b.io/2025-07-20+-+Install+Linters%2C+Get+Malware+-+DevSecOps+Speedrun+Edition

By c-b.io on Bluesky / cyb3rjerry on Twitter :D

#malwareanalysis #reverseengineering #infosec #npm #npmsecurity #malware #reversing

During a recent incident response case, we observed the following file access: \\localhost\C$\@ GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit

This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands such as 'vssadmin list shadows', and may trigger alerts based on their use.

However, by leveraging the "Previous Versions" feature in Windows (see screenshot), attackers can select a snapshot, view its properties, and enter the '@ GMT' path directly in Explorer. This allows them to browse the snapshot's contents without needing to use the command line.

Because this technique doesn't rely on typical shadow copy commands, it may evade detection by your EDR or SIEM solution. You might want to test it in your environment to identify and close this potential detection gap 🦸‍♂️🦸‍♀️