Philippe Lagadec
decalage.bsky.social
Author of open-source projects oletools, olefile, ViperMonkey, ExeFilter, Balbuzard. Posting about #DFIR, #malware analysis, maldocs, file formats and #Python.
https://linktr.ee/decalage
Reposted by Philippe Lagadec
There are some really big caveats to this. A thread.
New: Google says it has discovered at least 5 malware families that use AI to rewrite their code and generate new capabilities on the fly, suggesting AI-powered malware is finally starting to take off. cloud.google.com/blog/topics/...

Report also has interesting stories about state actors' AI use.
November 5, 2025 at 3:52 PM
Reposted by Philippe Lagadec
Using .LNK files as lolbins

www.hexacorn.com/blog/2025/10...
October 4, 2025 at 9:00 PM
At hack.lu I gave a presentation about "How to better identify (weaponized) file formats":

- Why do we need to identify file formats accurately?
- Why can the current tools (libmagic, magika) sometimes be bypassed?
- How can we do better?

You can now see it here: youtu.be/Qp5GDh2sj6A

#HackLu
hack.lu 2025
Hack.lu (and CTI summit) is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implication on society. It’s the ...
hack.lu
October 27, 2025 at 4:18 PM
Reposted by Philippe Lagadec
I've put together a website which indexes all the recordings my rigs have made thus far as well as those currently planned:
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)
Infosec/hacking videos recorded by Cooper (@Ministraitor)
administraitor.video
November 14, 2024 at 1:33 PM
Reposted by Philippe Lagadec
How To Better Identify (Weaponized) File Formats With Ftguess - Philippe Lagadec
youtu.be/Qp5GDh2sj6A
#HackLu
YouTube video by Cooper
youtu.be
October 25, 2025 at 9:57 PM
This week I'm going to hack.lu, to give a presentation about file format identification:
Why do we need to identify file formats accurately?
Why can the current tools sometimes be bypassed, or make mistakes?
How can we do better?
2025.hack.lu/agenda/

Send me a DM if you'd like to meet there.
October 21, 2025 at 8:01 AM
Reposted by Philippe Lagadec
I'm happy to share that LIEF 0.17.0 is out: lief.re/blog/2025-09...
September 15, 2025 at 3:49 AM
Reposted by Philippe Lagadec
#ESETresearch has discovered #HybridPetya ransomware on VirusTotal: a UEFI-compatible copycat of the infamous Petya/NotPetya malware. HybridPetya is capable of bypassing UEFI Secure Boot on outdated systems. www.welivesecurity.com/en/eset-rese... 1/8
www.welivesecurity.com
September 12, 2025 at 9:02 AM
Reposted by Philippe Lagadec
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
August 26, 2025 at 3:38 PM
Reposted by Philippe Lagadec
This explanation of Passkeys and FIDO2 is really good 👍

michaelwaterman.nl/2025/04/02/h...
How FIDO2 works, a technical deep dive – Michael Waterman
michaelwaterman.nl
May 4, 2025 at 9:34 PM
Reposted by Philippe Lagadec
Even though I've been away from the field for years, it's great to see that a simple tool that I initially launched in 2018 and with great collaborators (Artur Marzano, Corey Forman and Christian Clauss) has been used by so many professionals.

www.helpnetsecurity.com/2025/03/26/m...

#malware
Malwoverview: First response tool for threat hunting - Help Net Security
Malwoverview is an open-source threat hunting tool designed for the initial triage of malware samples, URLs, IP addresses, domains, malware families,
www.helpnetsecurity.com
March 26, 2025 at 7:02 PM
Do you know examples of polyglot files that have been used in real-life to hide malware from detection/analysis tools?

There is at least this PDF/MHT: blogs.jpcert.or.jp/en/2023/08/m...

Do you know other real malware cases?
MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file – - JPCERT/CC Eyes
JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the techn...
blogs.jpcert.or.jp
January 19, 2025 at 10:58 AM
Reposted by Philippe Lagadec
I made a Doom source port that runs within a PDF file.

PDFs support Javascript, so Emscripten is used to compile Doom to asm.js, which is then run within the PDF engine. Input/output is done by manipulating text input fields.

doompdf.pages.dev/doom.pdf

github.com/ading2210/do...
January 13, 2025 at 4:16 AM
Reposted by Philippe Lagadec
The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:

exploitreversing.com/2025/01/08/m...

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

#malware
January 8, 2025 at 4:45 PM
Reposted by Philippe Lagadec
New DCOM lateral movement technique discovered that bypasses traditional defenses. Unlike previous attacks relying on IDispatch interfaces, this method exploits undocumented COM interfaces within MSI, specifically targeting IMsiServer and IMsiCustomAction interfaces. 1/7
Forget PSEXEC: DCOM Upload & Execute Backdoor
Join Deep Instinct Security Researcher Eliran Nissan as he exposes a powerful new DCOM lateral movement attack that remotely writes custom payloads to create an embedded backdoor.
www.deepinstinct.com
December 12, 2024 at 12:00 AM