Learn Windows Internals, Malware Analysis, Malware Development, Hardware Hacking & Code Development from @UrielKosayev, @zodiacon & @The_H1tchH1ker

Joined August 2023
TrainSec Academy - Where pros train pros retweeted
A malware sample is a mirror. Not of the victim. Of the attacker. You see what they rushed. You see what they copied. You see what they trusted. You see what they were afraid to expose. You see what they thought defenders would miss. That is why malware analysis is not only technical. It is behavioral. MAoS was written for people who want to read that layer. 📖 amazon.com/dp/B0FQDGZGZW If you want to understand malware beyond syntax, start here. #MalwareAnalysis #ReverseEngineering #ThreatResearch #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros retweeted
I did not write MAoS because the world needed another malware book. I wrote it because I kept seeing the same gap. People could reverse samples. People could explain functions. People could identify techniques. But many still struggled to understand the operation behind the malware. That is the part I wanted to focus on. The thinking. The context. The decisions. The intent. 📖 amazon.com/dp/B0FQDGZGZW If this is the layer you care about, MAoS is for you. #MalwareAnalysis #ReverseEngineering #ThreatResearch #MAoS #CyberSecurity
TrainSec Academy - Where pros train pros retweeted
NTFS supports ACID transactions (since Vista). Commit, rollback, and CreateFileMapping on a transacted handle: the foundation of Process Doppelganging. New video write-up: trainsec.net/library/windows…
TrainSec Academy - Where pros train pros retweeted
Proud to share that my name has been added as a contributor to the MITRE ATT&CK page for T1218.015: Electron Applications. This is based on my original research, “One Electron to Rule Them All”, covering how Electron apps can be abused for proxy execution through trusted applications. Research: trainsec.net/library/malware… MITRE: attack.mitre.org/techniques/… More interesting stuff is coming soon, so stay tuned. #MITREATTACK #CyberSecurity #MalwareAnalysis #ReverseEngineering #EDR
TrainSec Academy - Where pros train pros retweeted
Most malware analysts are good at reversing code. Very few are good at understanding why it exists. That difference shows up in real incidents. You can rename functions. Trace APIs. Rebuild logic. Understand execution flow. And still miss the bigger picture. Because malware is not only code. It is intent. Pressure. Tradeoffs. Operator behavior. Developer decisions. MAoS was written for that gap. amazon.com/dp/B0FQDGZGZW If this feels familiar, you already know why. #MalwareAnalysis #ReverseEngineering #CyberSecurity #MAoS
TrainSec Academy - Where pros train pros retweeted
EDR bypasses are not impressive. Understanding why they work is. Most people stop too early. 📖 amazon.com/dp/B0FQDGZGZW If you want to go one level deeper, this is for you. #EDR #DetectionEngineering #MAoS
TrainSec Academy - Where pros train pros retweeted
Misled Trust at Scale: Jetson Orin CVEs If you’re using @nvidia Jetson Orin, this may already be in your product. My research led to CVE-2026-24154 & CVE-2026-24153 They look like typical vulns. They’re not. They expose a deeper issue: systems that verify correctly, but carry development trust assumptions into production. Result: → Root shell during early boot → Observe live decryption → Extract keys & mount rootfs (no crypto broken) Nothing is broken. Trust just happens at the wrong moment. And Orin is everywhere: AI, robotics, industrial, edge. This is not a CVE story. It’s a production trust failure. Full breakdown 👇 lnkd.in/dcKj3ktd
TrainSec Academy - Where pros train pros retweeted
Not all bad code is bad. Sometimes it is rushed. Sometimes it is reused. Sometimes it is intentional. Sloppy code can tell you: – how experienced the developer is – how fast they needed to deliver – what mattered and what did not Those signals are easy to miss if you only focus on execution flow. But they are often where the real story is. That way of looking at malware shaped MAoS. 📖 amazon.com/dp/B0FQDGZGZW If you want to start reading between the lines, this will help. #CyberSecurity #MalwareAnalysis #ReverseEngineering #ThreatResearch #MAoS #TrainSec
TrainSec Academy - Where pros train pros retweeted
I'll be teaching a 3-day class "Windows Internals for Research and Development" in person, at x33fcon. Maybe I'll see you there :) x33fcon.com/#!t/PavelYosifov…
TrainSec Academy - Where pros train pros retweeted
⏳ I've often found that the best time to teach something is when you're learning it yourself. Last year I set out to finally learn how to use time-travel debugging in WinDbg. I documented what I learned, and that is now a part of the FLARE Learning Hub: docs.google.com/document/d/1… This attempts to bring every critical concept, command, and query into a single document to get you up and running with TTD!
Last call. Pavel Yosifovich's (@zodiacon) live 4H WinDbg masterclass is in 48 hours — and registration closes with it. $49 ticket ($49 course voucher included). Recording for all attendees. This is the last chance to register. 👉 trainsec.net/windows-researc…
TrainSec Academy - Where pros train pros retweeted
You can know how something works and still not understand it. I have seen analysts explain every function in a sample and still miss what actually matters. Because knowing is technical. Understanding is contextual. Malware analysis sits right in that gap. MAoS is not about knowing more. It is about understanding better. 📖 amazon.com/dp/B0FQDGZGZW If you feel that gap in your work, this is exactly where the book focuses. #MalwareAnalysis #ReverseEngineering #MAoS #CyberSecurity
A Windows list pointer often isn’t pointing where you think it is. This post from @zodiacon explains LIST_ENTRY, circular lists, CONTAINING_RECORD, and why the same pattern shows up in processes, threads, and loaded modules. trainsec.net/library/windows…
TrainSec Academy - Where pros train pros retweeted
Some of the most effective malware I have seen was not sophisticated. No complex obfuscation. No advanced techniques. Nothing that would impress in a demo. What made it effective was how it was used. Malware does not operate in isolation. It operates inside decisions, timing, and context. If you only analyze code, you miss the operation. That is a big part of what MAoS tries to show. 📖 amazon.com/dp/B0FQDGZGZW If you have ever underestimated a simple sample, this will resonate. #MalwareAnalysis #ThreatResearch #MAoS #CyberSecurity
If you want a clean Win32 exercise that’s practical and still relevant on modern Windows, this is a great one from @zodiacon. Control Panel is still supported, which means you can still build your own .cpl applets. This post shows the DLL approach in C: implement CPlApplet, add resources (name/description/icon), install/register the applet, and debug it using the right host process. Read: trainsec.net/library/windows…
TrainSec Academy - Where pros train pros retweeted
And it's not only using BYOVD and drivers, but using other simpler techniques -> trainsec.net/courses/edr-int…
#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse. welivesecurity.com/en/eset-r… 1/6
TrainSec Academy - Where pros train pros retweeted
MAoS was not written in isolation. It was written between real investigations, real deadlines, and real operational pressure. That influenced the tone of the book. I was not trying to create something flashy. I wanted to document a way of thinking that actually holds under pressure 🔥 If you work with malware in real environments, not just controlled labs, you will probably feel that difference. 📖 amazon.com/dp/B0FQDGZGZW If you are serious about sharpening how you think about malware, start here. #MalwareAnalysis #ThreatResearch #DFIR #MAoS #CyberSecurity