About Me
clibm079
Seeker(李标明)
Independent Malware Analyst & Researcher
Documenting the Stage of Quiet Exploration —
blending technology, reflection, and poetry
Notes (Philosophy & Poetry)
The Path of Clarity & Poems of Malware Analysis
Only depth reveals intent
Observation & Insights
- To truly understand an adversary, you must rise to — or beyond — their depth. Because only depth reveals intent.
- Top-tier APTs often strike unexpectedly, create new custom rules on targets—such as algorithms, protocols, or novel file system formats—and deploy closely interrelated multi-stage payloads loaded in both user and kernel modes.
- A mindset of short-term gains and quick wins is a major obstacle to deeply understanding the real threat actors.
- Curiosity is always the driving force behind exploration and transcendence.
- My malware research has helped me learn about and understand myself, the world, and the relationship between them.
- Simply being curious and exploring gives people the positive capacity to grow in malware research or any other field.
- Being humble is not just about recognizing how little you know, but also about facing complexity and accepting that understanding it takes time and patience.
- The analysis is just the observation, not a conclusion.
Poetry
- Poems of Malware Analysis — Observations from another stage of quiet exploration in malware RE, moving from user mode to kernel mode to UEFI to ... (2026.6.7 - 2026.6.10)
- Poems of Malware Analysis — Shadows in the Stack: Notes from the Binary Jungle (2025.6 - 2025.12)
Reflections
- The Path of Clarity — Notes from a Stage of Quiet Exploration — Not a Guide, But a Trace (Jun 9, 2025)
- Safeguarding the Self — Reflections Inspired by the Analysis of nls_933w.dll on Safeguarding Energy in Research (Aug 25, 2025)
Archive
2026
- Revisiting Stuxnet: Research Notes — Technical Analysis and Design Insights into the “hide files” mindset (Jun 30, 2026)
- Revisiting Stuxnet: Research Notes — Technical Analysis and Design Insights into the Loader (May 12, 2026)
- Revisiting MoonBounce: Research Notes — Technical Analysis and Design Insights into the DXE Core (Jan 28, 2026)
- Revisiting LoJax: Supplementary Analysis and Research Notes (Jan 2, 2026)
2025
- Revisiting LoJax: The First UEFI Rootkit Found in the Wild (Dec 17, 2025)
- PE-bear: The Art of Intuitive Malware Analysis (Nov 21, 2025)
- Revisiting SubVirt & Blue Pill: From Attacker Proof-of-Concepts to Defensive Foundations (Oct 29, 2025)
- Regin: Static Analysis of Its Lightweight VFS Abstraction Layer (Oct 14, 2025)
- Design Intent Exposed: Path Deception in nls_933w.dll (Sep 16, 2025)
- Analysis of Equation Group’s nls_933w.dll: Revealing Core Tactics and Technical Mindset (Aug 12, 2025)
- Static Analysis of Turla’s Uroboros: Revealing Core Tactics and Technical Mindset (May 14, 2025)
- Uroboros Revisited: Tracing PatchGuard-Evasive Techniques Beyond SSDT Hooking (May 6, 2025)
- SSDT Hooking: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes) (Apr 29, 2025)
- From SSDT to IDT: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes) (Apr 24, 2025)
- The Evolution of APT36’s Crimson RAT: Tracking Variants and Feature Expansion Over the Years (Apr 8, 2025)
- XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques (Mar 27, 2025)
- The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks (Mar 23, 2025)
- The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game (Mar 20, 2025)
- The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions (Mar 15, 2025)
- Unmasking the Threat: Understanding Sophisticated Trojan-Dropper Mechanisms (Mar 11, 2025)
- AsyncRAT in Action: UAC-0173’s Latest Advanced Antivirus Detection & Evasion Techniques (Mar 9, 2025)
- Akira Ransomware Expands to Linux: the attacking abilities and strategies (Mar 8, 2025)
- Deobfuscating APT28’s HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation (Mar 4, 2025)
- Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging (Feb 26, 2025)
- APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection (Feb 23, 2025)
- APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection (Feb 20, 2025)
- The ransom group d0glun, is it hidden threat or just for fun? (Feb 16, 2025)
- GreenSpot APT phishing campaigns with fake 163.com login analysis (Feb 14, 2025)
- The North Korean nation-state APT43 Kimsuky used the PowerShell forceCopy to conduct spear-phishing analysis (Feb 13, 2025)
- Rapperbot how to improve and expand its ability based on an early version static analysis (Feb 11, 2025)
- Rapperbot static analysis for ARM architecture, the other variants to do a DDoS attack on Chinese AI startup DeepSeek (Feb 9, 2025)
- HailBot analysis, the other variants to do a DDoS attack on Chinese AI startup DeepSeek (Feb 5, 2025)
- Mirai botnet among different instruction sets: x86, ARM, PPC, and MIPS with static analysis (Feb 1, 2025)
- APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle (Jan 26, 2025)
- FunkSec Ransomware and Rust Reverse Analysis (Jan 24, 2025)
- Mirai: An IoT DDoS Botnet How To Protect and Disguise Itself As Aggressive Attacker Analysis (Jan 21, 2025)
- Botnet continue to exploit vulnerabilities and FICORA botnet analysis (Jan 20, 2025)
- Botnet continue to exploit vulnerabilities and CAPSAICIN botnet analysis (Jan 18, 2025)
- BotenaGo Malware Targets Multiple Routers with 30+ Exploit Functions and Go Reversing Analysis (Jan 17, 2025)
- CoinMiner embedded lots of vulnerabilities to exploit (Jan 15, 2025)
- Hive ransomware command-line parameters analysis (Jan 15, 2025)
- Unveiling Gelsemium’s (毒狼草) Linux backdoor WolfsBane (Jan 14, 2025)
- APT32 poisoning GitHub to target Chinese cybersecurity professionals and malware analysis (Jan 13, 2025)
Links
Blog: malwareanalysisspace.blogspot.com/?m=1
GitHub: seeker-lee
MalwareBazaar: 18825
X: @clibm079
Mastodon: @clibm079
Bluesky: @clibm079
YouTube: @clibm079