Publications

Research #

Radiant: Concolic Execution for Solana Programs

22 Dec 2025

A concolic execution engine for Solana programs

Solaris: Stateful, Structure-Aware, sBPF Bytecode Coverage-Guided Fuzzing

15 Dec 2025

A structure-aware coverage-guided fuzzer for Solana programs operating at the sBPF bytecode level

Kobalos – A complex Linux threat to high performance computing infrastructure

2 Feb 2021

A white paper about an unique multiplatform malware

Operation NightScout: Supply‑chain attack targets online gaming in Asia

1 Feb 2021

A supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia

Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia

17 Dec 2020

A supply-chain attack on the website of a government in Southeast Asia.

Linux.Rekoobe Operating Undetected

20 Jan 2020

Rekoobe is a minimalistic trojan with a complex CNC authentication protocol originally targeting SPARC and Intel x86, x86-64 systems back in 2015, reemerging in early 2020.

ChinaZ updates toolset

13 Dec 2019

Analysis of new samples of ChinaZ, a Chinese-speaking cybercrime group authors of Elknot, and BillGates among other botnets.

ACBackdoor - The story of a multiplatform trojan

18 Nov 2019

Analysis of a Linux trojan in which authors tried to port to Windows.

Watching the Watchbog, new Cython sample and Linux Exploits

24 Jul 2019

Analysis of a new version of Linux.WatchBog writen in Cython that was suspected to have compromised more than 4,500 linux machines, highlighting how effective Cython could be for obfuscation purposes.

How we disrupted 15 active ransomware campaigns targeting Linux file-storage servers

10 Jul 2019

How to temporarily DoS’d the operation of a ransomware targeting Linux-based file storage systems (NAS servers) abusing on a bug in the logic of the malware.

HiddenWasp - Linux implant targeting Linux systems

29 May 2019

Analysis of a Linux implant with ties to Winnti malware used by Chinese state-nexus actors.

War in the cloud: East Asian Cybercrime actors compete for persistance

9 May 2019

Pacha Group, a Chinese-speaking group targeting cloud-based infrastructure was disrupting foothold of other crypto-mining groups, namely Rocke Group/Iron Group which was also known to target cloud environments at the time.

Analysis of Pacha Group unconventional toolset

28 Feb 2019

Pacha Group, a suspected Chinese-speaking ecrime group showcased unconventional Linux malware at the time, with no ties to other known threat actors.

Muhstik reloaded - New Linux variants target phpmyadmin servers

12 Nov 2018

This was my first public malware analysis report, nothing too special really. Staying here for historic purposes

ELF 101 Series

2018

Presentations #

Supporting Solana Program Analysis in Radare2 (r2con2025)

25 Oct 2025

Exploring Solana’s runtime model, sBPF ISA, and demonstrating new radare2 plug-ins developed for sBPF disassembly and analysis.

Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks (VB2020)

Oct 2020

An implant designed to operate and spread through air-gapped networks.

ELF Crafting. Uncovering Advance Anti-analysis techniques for the Linux Platform (r2con2019)

Sep 2019

A presentation covering the intricacies of the ELF file format, and how could it be abused by threat-actors to make their malware more challenging to analyze for malware researchers.

Glibc Heap Analysis with Radare2 (r2con2016)

Sep 2016

Talk intended to document the internals of the Linux heap layout formed by the glibc malloc dynamic memory allocator algorithm along with its analysis using radare2.

←

Projects