About Me
Hello, I'm clibm079 from China.
AKA Seeker(李标明).
Independent Malware Analyst & Researcher.
Notes (Philosophy & Poetry) — The Path of Clarity & Poems of Malware Analysis.
Documenting the Stage of Quiet Exploration—blending technology, reflection, and poetry.
All content is provided strictly for educational and defensive purposes.
Thank you for this amazing world that lets me have a chance to meet you and encourages me to do more...
Observation & Insights
- To truly understand an adversary, you must rise to — or beyond — their depth. Because only depth reveals intent.
- Top-tier APTs often strike unexpectedly, create new custom rules on targets—such as algorithms, protocols, or novel file system formats—and deploy closely interrelated multi-stage payloads loaded in both user and kernel modes.
- A mindset of short-term gains and quick wins is a major obstacle to deeply understanding the real threat actors.
- Curiosity is always the driving force behind exploration and transcendence.
- I did malware research, which helped me learn about and understand myself, the world, and the relationship between them.
- Simply being curious and exploring gives people the positive ability to expand into malware research or other fields.
- Being humble is not just about recognizing how little you know but also about facing complexity and understanding that it takes time and patience.
- The analysis is just the observation, not a conclusion.
Poems
- Poems of Malware Analysis (2026.6.7 - 2026.6.10)
>Here, observations from another stage of quiet exploration in malware RE, moving from user mode to kernel mode to UEFI to ...
- Poems of Malware Analysis (2025.6 - 2025.12)
>Shadows in the Stack: Notes from the Binary Jungle ...
Reflections
- The Path of Clarity (Jun 9, 2025)
>Notes from a Stage of Quiet Exploration — Not a Guide, But a Trace
- Safeguarding the Self (Aug 25, 2025)
>Reflections Inspired by the Analysis of nls_933w.dll on Safeguarding Energy in Research
Archive List
2026
- Revisiting Stuxnet: Research Notes (May 12, 2026)
- Revisiting MoonBounce: Research Notes (Jan 28, 2026)
- Revisiting LoJax: Supplementary Analysis and Research Notes (Jan 2, 2026)
2025
- Revisiting LoJax: The First UEFI Rootkit Found in the Wild (Dec 17, 2025)
- PE-bear: The Art of Intuitive Malware Analysis (Nov 21, 2025)
- Revisiting SubVirt & Blue Pill: From Attacker Proof-of-Concepts to Defensive Foundations (Oct 29, 2025)
- Regin: Static Analysis of Its Lightweight VFS Abstraction Layer (Oct 14, 2025)
- Design Intent Exposed: Path Deception in nls_933w.dll (Sep 16, 2025)
- Analysis of Equation Group’s nls_933w.dll: Revealing Core Tactics and Technical Mindset (Aug 12, 2025)
- Static Analysis of Turla’s Uroboros: Revealing Core Tactics and Technical Mindset (May 14, 2025)
- Uroboros Revisited: Tracing PatchGuard-Evasive Techniques Beyond SSDT Hooking (May 6, 2025)
- SSDT Hooking: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes) (Apr 29, 2025)
- From SSDT to IDT: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes) (Apr 24, 2025)
- The Evolution of APT36’s Crimson RAT: Tracking Variants and Feature Expansion Over the Years (Apr 8, 2025)
- XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques (Mar 27, 2025)
- The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks (Mar 23, 2025)
- The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game (Mar 20, 2025)
- The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions (Mar 15, 2025)
- Unmasking the Threat: Understanding Sophisticated Trojan-Dropper Mechanisms (Mar 11, 2025)
- AsyncRAT in Action: UAC-0173’s Latest Advanced Antivirus Detection & Evasion Techniques (Mar 9, 2025)
- Akira Ransomware Expands to Linux: the attacking abilities and strategies (Mar 8, 2025)
- Deobfuscating APT28’s HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation (Mar 4, 2025)
- Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging (Feb 26, 2025)
- APT44’s ASPX web shell leverages obfuscation techniques and firewall rule manipulation to evade detection (Feb 23, 2025)
- APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection (Feb 20, 2025)
- The ransom group d0glun, is it hidden threat or just for fun? (Feb 16, 2025)
- GreenSpot APT phishing campaigns with fake 163.com login analysis (Feb 14, 2025)
- The North Korean nation-state APT43 Kimsuky used the PowerShell forceCopy to conduct spear-phishing analysis (Feb 13, 2025)
- Rapperbot how to improve and expand its ability based on an early version static analysis (Feb 11, 2025)
- Rapperbot static analysis for ARM architecture, the other variants to do a DDoS attack on Chinese AI startup DeepSeek (Feb 9, 2025)
- HailBot analysis, the other variants to do a DDoS attack on Chinese AI startup DeepSeek (Feb 5, 2025)
- Mirai botnet among different instruction sets: x86, ARM, PPC, and MIPS with static analysis (Feb 1, 2025)
- APT42 phishing campaigns and malicious code like soldiers hiding deep in the jungle (Jan 26, 2025)
- FunkSec Ransomware and Rust Reverse Analysis (Jan 24, 2025)
- Mirai: An IoT DDoS Botnet How To Protect and Disguise Itself As Aggressive Attacker Analysis (Jan 21, 2025)
- Botnet continue to exploit vulnerabilities and FICORA botnet analysis (Jan 20, 2025)
- Botnet continue to exploit vulnerabilities and CAPSAICIN botnet analysis (Jan 18, 2025)
- BotenaGo Malware Targets Multiple Routers with 30+ Exploit Functions and Go Reversing Analysis (Jan 17, 2025)
- CoinMiner embedded lots of vulnerabilities to exploit (Jan 15, 2025)
- Hive ransomware command-line parameters analysis (Jan 15, 2025)
- Unveiling Gelsemium’s (毒狼草) Linux backdoor WolfsBane (Jan 14, 2025)
- APT32 poisoning GitHub to target Chinese cybersecurity professionals and malware analysis (Jan 13, 2025)
Blog
malwareanalysisspace.blogspot.com
GitHub
GitHub: seeker-lee
Homepage: clibm079.github.io (also clibm079.net)
Bazaar
UserId: 18825
Connect
X (formerly Twitter): @clibm079
Mastodon (infosec.exchange): @clibm079
Bluesky: clibm079.bsky.social
YouTube: @clibm079