Technical security research and writeups

Malware

  • Centurion: Bring Your Own Execution Environment

    How we built a custom virtualized loader with its own ISA, PE loader, TLS stack, and software crypto coprocessor in about a week using LLM-assisted development — and what the BYOEE model means for offensive tooling.

    read more →
  • Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 2 of 2)

    Part two of the Ghost Calls series details how we tunnel real-time C2 traffic through Zoom and Microsoft Teams TURN infrastructure using WebRTC — covering the approaches we evaluated, the WebRTC protocol suite, our SCTP-based implementation, and a walkthrough of the TURNt utility.

    read more →
  • Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 1 of 2)

    Web conferencing covert C2 turns the most trusted traffic on an enterprise network — the daily Zoom and Teams calls defenders are told to exempt from inspection — into an interactive command-and-control channel. Part one dissects the internals of Zoom's architecture, transport protocol, and clients.

    read more →
  • Extending LLVM for Code Obfuscation (2 of 2)

    Part two of the LLVM code obfuscation series. This installment covers developing a more complex pass that automatically encrypts string literals during the compilation process by manipulating the LLVM IR.

    read more →
  • Extending LLVM for Code Obfuscation (1 of 2)

    An introduction to binary obfuscation techniques through LLVM compiler customization. Part one covers LLVM fundamentals, development environment setup, and developing an LLVM pass for junk code insertion.

    read more →