About Me

Hello, I'm clibm079 from China.
AKA Seeker(李标明).
Independent Malware Analyst & Researcher.
Notes (Philosophy & Poetry) — The Path of Clarity & Poems of Malware Analysis.
Showcasing my key research and creative works — blending technology, reflection, and poetry.
All content is provided strictly for educational and defensive purposes.
Insights & Research
- To truly understand an adversary, you must rise to — or beyond — their depth. Because only depth reveals intent.
- Top-tier APTs often strike unexpectedly, create new custom rules on targets—such as algorithms, protocols, or novel file system formats—and deploy closely interrelated multi-stage payloads loaded in both user and kernel modes.
- Thinking in terms of short-term gains and quick wins is a major obstacle to deeply understanding the real threat actors.
Poems
- Poems of Malware Analysis
Reflections
- The Path of Clarity
🔔 Latest version available on the blog (Updated: 2025-09-26): Safeguarding the Self: Reflections Inspired by the Analysis of nls_933w.dll on Safeguarding Energy in Research
Latest Research
- Design Intent Exposed: Path Deception in nls_933w.dll
- Analysis of Equation Group’s nls_933w.dll: Revealing Core Tactics and Technical Mindset
- Static Analysis of Turla’s Uroboros: Revealing Core Tactics and Technical Mindset
- Uroboros Revisited: Tracing PatchGuard-Evasive Techniques Beyond SSDT Hooking
- SSDT Hooking: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes)
- From SSDT to IDT: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes)
- The Evolution of APT36’s Crimson RAT: Tracking Variants and Feature Expansion Over the Years
- XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques
- The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks
- The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game
- The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions
- Unmasking the Threat: Understanding Sophisticated Trojan-Dropper Mechanisms
- AsyncRAT in Action: UAC-0173’s Latest Advanced Antivirus Detection & Evasion Techniques
- Akira Ransomware Expands to Linux: the attacking abilities and strategies
- Deobfuscating APT28’s HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation
- Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging
- APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection
- APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection
- The ransom group d0glun, is it hidden threat or just for fun?
- GreenSpot APT phishing campaigns with fake 163.com login analysis
- The North Korean nation-state APT43 Kimsuky used the PowerShell forceCopy to conduct spear-phishing analysis
- Rapperbot how to improve and expand its ability based on an early version static analysis
- Rapperbot static analysis for ARM architecture, the other variants to do a DDoS attack on Chinese AI startup DeepSeek
- HailBot analysis, the other variants to do a DDoS attack on Chinese AI startup DeepSeek
- Mirai botnet among different instruction sets: x86, ARM, PPC, and MIPS with static analysis
- APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle
- FunkSec Ransomware and Rust Reverse Analysis
- Mirai: An IoT DDoS Botnet How To Protect and Disguise Itself As Aggressive Attacker Analysis
- Botnet continue to exploit vulnerabilities and FICORA botnet analysis
- Botnet continue to exploit vulnerabilities and CAPSAICIN botnet analysis
- BotenaGo Malware Targets Multiple Routers with 30+ Exploit Functions and Go Reversing Analysis
- CoinMiner embedded lots of vulnerabilities to exploit
- Hive ransomware command-line parameters analysis
- Unveiling Gelsemium’s (毒狼草) Linux backdoor WolfsBane
- APT32 poisoning GitHub to target Chinese cybersecurity professionals and malware analysis
Blog
malwareanalysisspace.blogspot.com
GitHub
GitHub: seeker-lee
Homepage: clibm079.github.io (also clibm079.net)
Bazaar
UserId: 18825
Connect
X (formerly Twitter): @clibm079
Mastodon (infosec.exchange): @clibm079