reverse engineering

Winsage
April 2, 2026
Wine is a compatibility layer, not an emulator, that translates Windows API calls into POSIX equivalents, allowing Windows applications to run on Linux. Proton, developed by Valve, builds on Wine and includes additional components like DXVK and VKD3D-Proton to enhance performance for Windows games on Linux through Steam. For Steam users, Proton is recommended for a streamlined gaming experience, while Lutris is suggested for those outside the Steam ecosystem. Wine has been in development since 1993, focusing on recreating the Windows API, but faced challenges with gaming compatibility. Cedega was an early attempt to improve gaming support over Wine but ultimately declined. Valve's development of Proton was motivated by the need for better compatibility for Windows games on Linux, especially highlighted by the launch of the Steam Deck. Wine struggled with synchronization issues and handling direct kernel access by Windows applications, which Proton addressed with seccomp-bpf filters and syscall user dispatch. Both Wine and Proton are crucial to the current state of Linux gaming.
Tech Optimizer
January 22, 2026
A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.
AppWizard
October 15, 2025
The GhostBat RAT campaign employs sophisticated malware distribution techniques, utilizing infection vectors such as WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites to deliver malicious Android droppers. These droppers utilize multi-stage workflows, ZIP header manipulation, and string obfuscation to evade detection. The malware includes tools for stealing banking credentials and cryptocurrency miners, directing victims to phishing pages resembling the mParivahan app to collect sensitive information. SMS messages with banking keywords are exfiltrated to command and control servers, while incoming messages may be forwarded for OTP harvesting. Device registration occurs through a Telegram bot named GhostBatRat_bot. In July 2024, Android malware impersonating Regional Transport Office applications was documented, designed to steal contacts and SMS messages. Observations from September 2025 revealed over forty samples propagating through WhatsApp and SMS, ultimately delivering a malicious version of the mParivahan app. The malware initiates phishing activities by requesting SMS permissions and harvesting banking credentials. VirusTotal detections for the malware remain low due to its multi-layered dropper mechanisms and obfuscation techniques. The architecture of GhostBat RAT features multi-stage dropper workflows, native binary packing, and heavy string obfuscation. The first-stage dropper verifies device architecture and manufacturer, while subsequent stages decrypt and execute payloads, including a cryptominer library and a malicious APK for data theft. Victims encounter a counterfeit Google Play update page, leading to the installation of the malicious APK, which requests SMS permissions and presents a phishing interface. Users are prompted to enter their UPI PIN into a fake payment flow, which forwards the PIN to a Firebase endpoint. The campaign highlights the need for careful SMS permission management and vigilance against shortened URLs to combat emerging Android malware threats.
AppWizard
October 2, 2025
Cybersecurity researchers from Cleafy have identified an Android trojan named Klopatra, which targets banking and cryptocurrency users by stealing funds from banking applications and cryptocurrency from hot wallets. This malware, attributed to a Turkish threat actor, has been active since March 2025 and has undergone 40 iterations. It is distributed through a deceptive app called Modpro IP TV + VPN, which requests Accessibility Services permissions upon installation. Klopatra employs advanced techniques to evade detection, including the use of Virbox for code protection, minimizing Java and Kotlin usage, NP Manager string encryption, and multiple anti-debugging features. Currently, at least 3,000 devices in Europe have been compromised by this malware.
AppWizard
August 19, 2025
Recent research from Arizona State University and Citizen Lab has identified connections among three families of Android VPN applications with over 700 million downloads, raising concerns about user privacy and security. The analysis revealed three groups of VPN providers: 1. Group A: Eight apps from three providers sharing identical Java code and libraries, exhibiting vulnerabilities such as: - Collecting location data against privacy policies. - Using weak encryption methods. - Hard-coded Shadowsocks passwords that could allow traffic decryption. 2. Group B: Eight apps from five providers supporting only the Shadowsocks protocol, sharing libraries and hard-coded passwords, with all servers hosted by GlobalTeleHost Corp. 3. Group C: Two providers with one app each, using a custom tunneling protocol and sharing similar code, vulnerable to connection inference attacks. The research highlighted significant privacy breaches, including undisclosed location data collection and vulnerabilities that could allow eavesdroppers to decrypt communications. Alarmingly, these VPN providers are linked to Qihoo 360, a Chinese company that has concealed this connection, raising concerns about potential data sharing with the government due to China's strict laws. Additionally, the Tech Transparency Project found that many free VPN apps on the Apple App Store are also linked to companies in mainland China or Hong Kong without disclosing these ties.
Search