Reverse Engineering Tools (part 2)

1. Dumpulator: Mandiant tool for emulating code from process dumps without running the full binary. Emulates only the target function from a crash dump, ideal for vulnerability analysis without deploying a malicious environment.
2. de4dot-cex: Fork of de4dot with support for modern .NET obfuscators (ConfuserEx, .NET Reactor, SmartAssembly, etc.). Automatically strips protection before decompilation, restoring original logic even in heavily obfuscated assemblies.
3. Emux: Emulator for rare architectures (TMS320, NEC V850, Renesas RL78). Lets you run and analyze embedded device firmware without physical hardware. Essential for pentesting industrial controllers and IoT.
4. FirmWire: Full-system emulation platform for modem firmware (LTE/5G) and base stations. Enables fuzzing radio protocols, debugging firmware at the physical layer, and discovering telecom vulnerabilities.
5. Triton: Framework for dynamic symbolic execution (DSE) and taint analysis. Used for automatically building data-flow graphs, deobfuscation, and generating exploits for non-standard architectures.
6. Netconstructor: Framework for reverse engineering binary protocols. Combines static traffic analysis with dynamic WinAPI call interception, which helps reconstruct packet structures of closed-source applications.

Pro tip: Always analyze unknown binaries in an isolated VM with snapshot capability. One misstep can compromise your host system. Stay safe, stay curious.

#InfoSec #CyberSecurity #ReverseEngineering #MalwareAnalysis #FirmwareRE #EmbeddedSecurity #EthicalHacking #SecurityResearch #MrRobot #CyberSec #Reverse #Analysis #Tools
Cisco Talos uncovers active intrusion using CloudZ RAT with novel Pheno plugin designed to intercept SMS/OTP messages by hijacking Microsoft Phone Link application. Campaign active since January 2026, targeting credential theft without mobile device compromise.

Key technical details:
• Rust dropper (systemupdates.exe) deploys .NET loader via fake ScreenConnect update, establishes persistence through SystemWindowsApis scheduled task using regasm.exe LOLBin
• CloudZ RAT compiled Jan 13, 2026, uses ConfuserEx obfuscation, dynamic .NET reflection for memory-only execution, and anti-analysis checks (T1055, T1027, T1497)
• Pheno plugin monitors Phone Link processes (YourPhone, PhoneExperienceHost), targets SQLite database PhoneExperiences-*.db for SMS/OTP interception
• C2 infrastructure: 185[.]196[.]10[.]136:8089, staging servers on hellohiall[.]workers[.]dev and pastebin[.]com/raw/8pYAgF0Z

Attack methodology leverages legitimate Phone Link PC-to-mobile bridge to access synchronized SMS data without deploying malware on victim's phone, enabling OTP bypass for authentication systems.

Hunt for regasm.exe processes with network connections, unusual scheduled tasks in \Microsoft\Windows\, and Phone Link database access patterns. Full IOCs and detection rules available in Talos repository. #DFIR_Radar
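The three hunting leads in the post above (regasm.exe with a network connection, a scheduled task under \Microsoft\Windows\ that runs the LOLBin, and a non-Phone-Link process touching PhoneExperiences-*.db) can be correlated over endpoint telemetry. The following is an added example, not code from Talos or the report; the event records are constructed, loosely modelled on Sysmon-style process, network, task and file events, and the only values taken from the post are the task name, the process names, the database pattern and the C2 address.

```python
import fnmatch

# Constructed sample telemetry (not real logs). Only the task name, process
# names, database pattern and C2 address come from the Talos post.
EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"},
    {"type": "network", "pid": 4120, "dst": "185.196.10.136", "dport": 8089},
    {"type": "process", "pid": 5001, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "pid": 5001, "dst": "13.107.4.50", "dport": 443},
    {"type": "process", "pid": 7300, "image": r"C:\Program Files\WindowsApps\YourPhone\PhoneExperienceHost.exe"},
    {"type": "task", "name": r"\Microsoft\Windows\SystemWindowsApis",
     "action": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\Users\Public\x.dll"},
    {"type": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe -c -h -o"},
    # Constructed path: the Phone Link cache location is a placeholder here.
    {"type": "file", "pid": 4120, "path": r"C:\Users\u\AppData\Local\Packages\YourPhone\LocalCache\PhoneExperiences-1.db"},
    {"type": "file", "pid": 7300, "path": r"C:\Users\u\AppData\Local\Packages\YourPhone\LocalCache\PhoneExperiences-1.db"},
]

LOLBIN = "regasm.exe"
PHONE_LINK = {"yourphone.exe", "phoneexperiencehost.exe"}  # legitimate readers of the DB


def basename(path):
    """Lower-cased file name of a Windows path, so matching is case-insensitive."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, key, detail) tuples for every event matching one of the three leads."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "network":
            # Lead 1: regasm.exe is a registration tool; it has no reason to talk to the network.
            if basename(image_by_pid.get(e["pid"], "")) == LOLBIN:
                hits.append(("regasm_network", e["pid"], f'{e["dst"]}:{e["dport"]}'))
        elif e["type"] == "task":
            # Lead 2: a task hiding in the Microsoft tree whose action launches the LOLBin.
            exe = basename(e["action"].split()[0])
            if e["name"].lower().startswith("\\microsoft\\windows\\") and exe == LOLBIN:
                hits.append(("task_lolbin", e["name"], exe))
        elif e["type"] == "file":
            # Lead 3: anything other than Phone Link itself reading the synced-SMS database.
            reader = basename(image_by_pid.get(e["pid"], ""))
            if fnmatch.fnmatch(basename(e["path"]), "phoneexperiences-*.db") and reader not in PHONE_LINK:
                hits.append(("phonelink_db_access", e["pid"], reader))
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The pid-to-image join is the part that matters in practice: network and file events alone rarely carry the image name, so correlate them with the process-creation event first.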
a few super quick tips on dealing with ConfuserEx
What's with ConfuserEx? 🔔 Live at the usual places
26 Sep 2025
Fun fact: during most Flare-Ons I was traveling and locked myself in a hotel for at least a day to focus. I was reversing ConfuserEx in a hotel during on-site interviews for Carbon Black. Wrote a million LD_PRELOADs in a B&B in Alabama for a funeral. It takes a lot of my free time.
11 Sep 2025
shoutout to @vinopaljiri for the ConfuserEx tooling!
These capabilities have existed for years, actually. ConfuserEx, a popular OSS obfuscator, can generate expressions like this if you tweak it slightly. But there are also plenty of commercial obfuscators that do this. It's also usually applied post-compilation at the CIL level.
15 Aug 2025
Understand the evolving infection chain of DarkCloud Stealer, starting with phishing emails and culminating in a VB6 payload protected by ConfuserEx. We examine three distinct payloads: bit.ly/4lG5zkd
[Malware analysis] DarkCloud Stealer has started targeting enterprises with a sophisticated new technique. This attack, observed since April 2025, combines the ConfuserEx obfuscation tool with a final payload written in Visual Basic 6 to build a multi-stage infection chain that evades conventional detection systems.

The attack starts with an archive file attached to a phishing email. It is sent in TAR, RAR, or 7Zip format and contains a JavaScript or Windows Script File. These scripts are heavily obfuscated and, when executed, download and run a PowerShell script from an open-directory server. The PowerShell script is also doubly encrypted, protected by a combination of Base64 encoding and AES encryption.

Most notable is the clever technique used in the final stage. The ConfuserEx-protected .NET malware creates a process of RegAsm.exe, a legitimate Windows tool, and injects the DarkCloud body into it using a technique called "process hollowing". This lets the malware run in the context of a legitimate process and evade detection by security products. The final VB6 payload contains RC4-encrypted strings and has functionality to steal credit card information and communicate with its command-and-control server via the Telegram API. Enterprises urgently need to deploy layered defenses and behavioral detection. unit42.paloaltonetworks.com/…
Palo Alto Networks' Pranay Kumar Chhaparwal, Benjamin Chang & Lee Wei Yeong observed a shift in the attacks linked to the distribution of DarkCloud Stealer. This chain involves obfuscation by ConfuserEx and a final payload written in Visual Basic 6. unit42.paloaltonetworks.com/…
[1/5] #malspam campaign vs #Italy 🇮🇹 deploys #phantom stealer, starting with an alleged PDF payment reminder; it uses JS and PS1 scripts to download and run a .NET #loader obfuscated with ConfuserEx, which in turn injects #phantom stealer into regasm.exe. h/t @JAMESWT_WT
XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method: hunt.io/blog/xenorat-excel-x… #malware #infosec #informationsecurity #excel #cybersecurity #blueteam