@loland

Malware Analysis,
Reverse Engineering,
and all things Cybersecurity.

© 2025 loland@blog

A Stealthier Reflective Loading

Reflective Loading is a technique used by attackers on Windows to run code entirely in memory.

Nov 27, 2025

The CRTO

I passed the CRTO exam on 8 October 2025. This is a course review, as well as an opportunity to share some blue-team techniques for detection.

Oct 20, 2025

Strange Hacking Tool

Malware sample of unknown category from MalwareBazaar. Just looking to perform a quick analysis and share any interesting findings.

Mar 20, 2024

Simple PowerShell Backdoor (.ps1, shellcode)

Fresh PowerShell sample, once again from MalwareBazaar. Decided to perform just a quick analysis, due to a lack of free time and a thirst for some raw wild malware.

Nov 11, 2023

The Inner Workings of Meterpreter (shellcode)

This blog entry covers personal technical research on the Meterpreter staging payload. Meterpreter, part of the Metasploit framework developed by Rapid7, is a C2 framework used by white and black hats alike.

Sep 17, 2023

Embedded Shellcode Obfuscation Part 2 (C++)

A continuation of the previous chapter. We’ll continue to attempt more obfuscation techniques with the same objective of bypassing VirusTotal.

Sep 17, 2023

Embedded Shellcode Obfuscation (C++)

In this blog entry, I’ll be playing around with obfuscation techniques to bypass antivirus detection for an embedded meterpreter shellcode. The goal is to run shellcode in the local process, and to minimize VirusTotal flags. Techniques will be incrementally applied to the binary to observe progressive success.

Sep 15, 2023

Process Injection Techniques (C++)

In this entry, we will dive into Windows process injection techniques demonstrated by malware. Malware authors deploy process injection to run malicious code within the address space of another process.

Sep 12, 2023

Analyzing FakeSG Malware Campaign Sample (.hta, .ps1)

FakeSG is an ongoing malware campaign (as of 12 Sep 2023). The campaign compromises websites (most commonly WordPress) and makes them imitate browser update pages, prompting the user to install and execute a malicious file.

Sep 12, 2023

EXTREMELY Unsettling Malware (.exe)

Back with another malware sample from MalwareBazaar! An executable, this time. With an interesting icon. Performing a Google Image Reverse Search on the icon provides no clues to its origin. Incredibly strange.

Aug 27, 2023

Analyzing Wild PowerShell Malware (.ps1, shellcode)

Let’s kickstart this blog with some PowerShell malware! Pulled this sample fresh off MalwareBazaar - no idea what it is. Opening the .ps1 file in VSCode reveals beautifully obfuscated PowerShell code.

Aug 23, 2023