sudo rem
https://sudorem.dev/
A personal blog for malware analysis, open source security, capture the flags, and all things information security.
Language: en-us
Last updated: Sun, 15 Mar 2026 00:00:00 GMT

Posts:

Agentic AI for Incident Response
https://sudorem.dev/blog/agentic-ai-for-ir/
Sun, 15 Mar 2026 00:00:00 GMT
Exploring how agentic AI can support incident response by applying concurrent, methodical analysis across large telemetry sets. We examine where specialized agents fit into PICERL workflows, how adversarial review helps control false positives, and why orchestration matters in real-world investigative environments.

Topology Beats Noise: Entity-Centric Detection of SSLVPN Abuse
https://sudorem.dev/blog/esql-topological-hunting/
Wed, 18 Feb 2026 05:00:00 GMT
Building an entity-centric ES|QL hunting model for SSLVPN abuse by prioritizing topology over raw alert volume. We explore how infrastructure reuse, cross-organization overlap, and short authentication time deltas can separate adversarial activity from benign noise at scale.

SSLVPN Honeypots: Fortigate Findings & Musings
https://sudorem.dev/blog/huntypot-1/
Sat, 06 Sep 2025 05:00:00 GMT
Examining patterns observed in operating and collecting data from an SSLVPN honeypot sitting behind a Finch proxy.

Digging Tunnels - Hunting Adversarial Cloudflared Instances
https://sudorem.dev/blog/cloudflared/
Sat, 17 May 2025 05:00:00 GMT
Ransomware affiliates have long abused Cloudflared tunnels to maintain persistent access to compromised environments. These tunnels can serve as a strong indicator of compromise when examined at scale.

The Big List of Malware Analysis Tools
https://sudorem.dev/blog/malware-analysis/
Sat, 05 Oct 2024 05:00:00 GMT
A continually evolving knowledge base of things I've found pertinent as a threat and security operations analyst, specifically focusing on malware analysis.

Chainsaw Hunt & Rules
https://sudorem.dev/blog/advanced-chainsaw-2/
Wed, 26 Jun 2024 05:00:00 GMT
Chainsaw's hunt feature, along with Chainsaw's rule engine, is an excellent way to hunt for evil at scale and create reusable, maintainable queries for rapid triage. We will apply this to both simulated red team engagements and real-world compromises to detect lateral movement, Impacket, and even ASP.NET compromises.

Chainsaw Search
https://sudorem.dev/blog/advanced-chainsaw-1/
Sat, 22 Jun 2024 05:00:00 GMT
A brief introduction to Chainsaw's search feature and the document tagging engine, Tau, that WithSecure released in the most recent major Chainsaw update. We will discuss and demystify some of the nuance of Tau's query behavior, and apply it to hands-on examples of simple queries that can be used to detect evil across numerous event logs with high fidelity.

Obfuscation: An Open-Source Nightmare
https://sudorem.dev/blog/obfuscation/
Tue, 11 Jun 2024 05:00:00 GMT
Discussing obfuscation and its effect on the broader open-source supply chain.

The XZ Backdoor Dilemma
https://sudorem.dev/blog/xz-backdoor/
Sun, 31 Mar 2024 05:00:00 GMT
No-lone zones are ubiquitous in critical military tasks, and the scope and potential impact of the xz backdoor present an excellent opportunity to discuss how this concept could be applied to open source software.

Pico CTF 24 - dont-you-love-banners
https://sudorem.dev/blog/pico24-banners/
Tue, 26 Mar 2024 21:00:00 GMT
Abusing symlinks to include and subsequently display arbitrary text files in place of standard SSH banners.

Pico CTF 24 - C3
https://sudorem.dev/blog/pico24-c3/
Tue, 26 Mar 2024 21:00:00 GMT
Working through security by obscurity with the PicoCTF 2024 C3 challenge.

Pico CTF 24 - rsa_oracle
https://sudorem.dev/blog/pico24-rsa-oracle/
Tue, 26 Mar 2024 21:00:00 GMT
Implementing a known plaintext attack utilizing an RSA oracle.

Pico CTF 24 - weirdSnake
https://sudorem.dev/blog/pico24-weirdsnake/
Tue, 26 Mar 2024 21:00:00 GMT
Reverse engineering disassembled Python bytecode back to the original code.

DreamyOak Quasar Malware
https://sudorem.dev/blog/dreamyoak-malware/
Sat, 22 Jul 2023 19:01:23 GMT
Following the kill chain of a malicious Python package, and decompiling a basic Quasar RAT while rapidly learning some valuable lessons.

Tracking Persistent PyPI Malware
https://sudorem.dev/blog/tracking-kekw/
Fri, 14 Jul 2023 21:22:24 GMT
The Python packaging ecosystem remains fairly stable in the broad scope of open source package distribution, but it is not immune to sustained attacks either. One threat actor group has evolved from a simple nuisance into a sustained stream of spam and malware, utilizing GitHub staging and direct targeting of user bases for the distribution of malicious programs.

Discord Engagement
https://sudorem.dev/blog/discord-engagement/
Fri, 14 Jul 2023 01:15:48 GMT
Discord is the most populated live chat interaction platform on the internet. Let's take some time to discuss how we could use that to engage open source communities and enterprise user bases more effectively, and discuss some of the public perceptions that surround Discord.

Dearmored
https://sudorem.dev/blog/dearmored/
Wed, 12 Jul 2023 19:05:32 GMT
Looking deeper into PyArmor-obfuscated malware utilizing tools such as Process Monitor and Wireshark, and hooking third-party libraries to gain access to web requests and encrypted data.

PyPI Security
https://sudorem.dev/blog/pypi-security/
Wed, 12 Jul 2023 13:22:22 GMT
An overview of building community-driven malware reporting for PyPI, from manual triage to automated YARA-assisted workflows. It explores the operational tradeoffs and why standardized reporting models matter for ecosystem-scale defense.

The Challenges of YARA
https://sudorem.dev/blog/yara-challenges/
Tue, 11 Jul 2023 17:08:09 GMT
A practical look at where YARA helps and where it falls short when detecting malicious Python packages at scale. It focuses on the ambiguity between legitimate and abusive behavior and the limits of signature-based detection in open ecosystems.