Nik Zerof

Bring Your Own Vulnerable Driver! Meet BYOVD – one of the most dangerous attacks targeting Windows systems

Date: 27/05/2025

Many notorious hacker groups (e.g. North Korea’s Lazarus) use the BYOVD attack to gain access to kernel space and implement complex advanced persistent threats (APTs). The same technique is employed by the creators of the Terminator tool and various encryptor operators. This paper discusses BYOVD operating principles and why this attack has become so popular nowadays.

Read full article →

Agent Tesla: Reversing combat malware in Ghidra

Date: 15/05/2025

Author: Nik Zerof

Recently I encountered an interesting piece of malware called Agent Tesla. It’s still widespread and actively used by cybercriminals (the analyzed sample was dated 2023). Let’s dissect this remote access trojan and find out what’s hidden inside it.

Read full article →

Threadless Injection. Injecting shellcode into third-party processes to circumvent EDR

Date: 07/05/2025

Author: Nik Zerof

This article discusses Threadless Injection: a technique making it possible to make injections into third-party processes. At the time of writing, it effectively worked on Windows 11 23H2 x64 running on a virtual machine isolated from the network with OS security features enabled.

Read full article →

Process Ghosting. Circumvent antiviruses in the most dangerous way

Date: 28/04/2025

Author: Nik Zerof

One of the main priorities for hackers is to hide the execution of their malicious code. This article explains how to start processes using the Process Ghosting technique and discusses operation principles of malware detection systems.

Read full article →

Disassembling REvil. The notorious ransomware hides WinAPI calls

Date: 04/08/2020

Author: Nik Zerof

Some unknown hackers have recently attacked Travelex foreign exchange company using REvil ransomware. This trojan employs simple but efficient obfuscation techniques that conceal its WinAPI calls from the victim. Let’s see how the encoder works.

Read full article →

“Luke, I am your fuzzer”. Automating vulnerability management

Date: 04/02/2020

Author: Nik Zerof

Fuzzing is all the rage. It is broadly used today by programmers testing their products, cybersecurity researchers, and, of course, hackers. The use of fuzzers requires a good understanding of their work principles. These top-notch tools make it possible to identify previously unknown vulnerabilities in various applications. In this article, I will address different fuzzing types and show how to use one of them, WinAFL.

Read full article →

Ghidra vs. IDA Pro. Strengths and weaknesses of NSA’s free reverse engineering toolkit

Date: 28/12/2019

Author: Nik Zerof

In March 2019, the National Security Agency of the US Department of Defense (NSA) has published Ghidra, a free reverse engineering toolkit. A couple of years ago, I had read about it on WikiLeaks and was eager to lay hands on the software used by the NSA for reverse engineering. Now the time has come to satisfy our curiosity and compare Ghidra with other tools.

Read full article →