The Malware Gallery portal has been significantly improved and restructured. It now includes feature techniques that explain the underlying mechanisms of specific malware functionalities.

This enhancement provides valuable insights for malware researchers, reverse engineers, and students seeking a deeper understanding of malware behavior.

Many techniques are accompanied by code snippets to help illustrate how each feature works, making it easier to recognize and analyze them in real-world scenarios.

Techniques and their associated features will be added progressively. Additionally, new malware families and releases have been published.

Recent updates to the application have introduced command line argument parsing, replacing user prompts for a more efficient experience. Various glitches have been fixed, enhancing overall performance. Notably, users can now spawn a shell as a different Windows user (RunAs).

This module allows you to run a process (defaulting to PowerShell) as a different user by providing a known username and password. By default, the standard output (stdout), standard error (stderr), and standard input (stdin) are attached to the current console of the caller.

Originally known as PowerRunAsAttached, the module has been renamed to more accurately reflect its purpose. While its core functionality remains unchanged, it now offers additional options and features enhanced code quality.

Furthermore, it has been added to the PowerShell Gallery, making installation and updates more convenient.

This first special issue of A Malware Retrospective recall a tool that shaped an entire generation during the MSN Messenger era. Known as IceCold, this infamous software was what we referred to as an "account freezer", a tool designed to block a target user’s access to services like chat applications or online games.

Though often used as a prank to get friends or rivals angry, IceCold also had an even more darker side. With some ingenuity and social engineering, it evolved into a powerful weapon for stealing MSN accounts without ever needing direct access to the target's computer. Its reputation secured its place in digital history as one of the most notorious MSN hack-tool.

New version of the Unprotect Scan Engine introduces several enhanced features:

• You can now upload ZIP files containing samples for analysis, including support for password-protected ZIPs (e.g., "infected" passwords).
• Detailed information is now provided for each sample, including:
  • MIME type
  • Architecture
  • Compilation time
  • ImageBase/EntryPoint
  • PEiD signatures
  • File metadata (when available)
• You can choose to hide your sample from the public board, minimizing exposure and ensuring the privacy of your sample report.

Version 6 of Unprotect has just been released, packed with numerous enhancements! This update includes an improved user experience, various bug fixes, improved performance and code optimizations. The most expected feature in this release is the introduction of Unprotect Scan, which in its initial version matches uploaded samples against YARA rules to detect and match with existing evasion techniques.

A bind shell option was added to redirect stdin, stdout, and stderr of the spawned interactive system process. A bind shell is a type of shell where the target machine listens on a specific port, waiting for an incoming connection from an attacker. Once the attacker connects to this port, they gain command-line access to the target system, allowing them to execute commands remotely.

This version includes global improvements to the code, structure, and logic. The most notable addition is support for input/output redirection through reverse shell, allowing interaction with an interactive spawned process without needing access to the desktop (e.g., via SSH or WinRM).

• Mouse Positioning Fix: Resolved an issue where the mouse position was incorrect when the remote desktop is smaller than the local desktop in mirror mode. The mouse is now accurately positioned across screens of different sizes.
• CTRL+[A-Z] Shortcut Fix for Windows: Fixed a bug on the Windows client where CTRL + [A-Z] keyboard shortcuts were not functioning properly. Shortcuts are now correctly processed.
• Connection Window Enhancements: Pressing ESC on the connection window now closes the application. Pressing ENTER or RETURN starts the connection process immediately.

Windows x86-64 executable is now available, making Arcane Viewer deployment even easier.

• Dynamic Resolution/Scaling Update Support: When the remote display resolution or HDPI scaling settings change, the viewer is notified and automatically updates the current window to accommodate the new display constraints.
• Secure Desktop (Automatic Desktop Context Switching) is now fully supported for both Desktop Streaming and Input (Keyboard, Mouse, Outgoing Clipboard). To capture Secure Desktop, Arcane Server must be run as an Interactive SYSTEM user. You can use PsExec or PowerRunAsSystem to achieve this. This feature is crucial for logging into a remote user account when the session is locked or for accepting or rejecting UAC prompts.
• Keyboard Simulation Enhancement: Keyboard simulation has been improved by moving from .NET to the pure Windows API SendInput for simulating both individual key inputs and shortcuts. This transition offers several advantages: it supports a broader range of applications and windows (all) and it simplifies the detection and switching of Secure Desktop updates.
• New Shortcuts Supported: Arcane now supports additional keyboard shortcuts, including CTRL+[A-Z] and ALT+[F1-F16]. The Windows key (Meta Key) is also supported. The shortcut for locking the workstation, WIN + L, has been added.
• Optimizations and Enhancements: This update includes multiple optimizations, cleaner code, and improved presentation mode handling. In presentation mode (view only), event threads are no longer required for both the viewer and the server.

Arcane Protocol Update: The protocol has been upgraded to version 5.0.2, bringing support for several server improvements, including dynamic display resolution updates, HDPI settings changes, and Secure Desktop support for Remote Desktop Streaming and Input (Mouse, Keyboard, Clipboard).

This release focuses on improving the code structure through extensive refactoring and resolving infrequent bugs caused by previously unhandled edge cases. Type hinting has been fully implemented, and the code is now nearly ready for production deployment.

Arcane 1.0.4 has been released with support for reciprocal clipboard synchronization between the server and client. Users can now configure clipboard synchronization strategies, including Receive Only, Send Only, Bidirectional, and Disabled modes. Additionally, this update includes several minor improvements.

Arcane 1.0.3 (Beta) PowerShell Full-fledged Remote Desktop has been released and now support server-certificate fingerprint validation with an option to remember your choice. Options window has been added to at the moment handle some remote desktop streaming settings and manage the trusted server fingerprints (Add, Edit, Remove)

Full Change log:

• The connection window interface has been streamlined, with additional options now accessible in a dedicated settings window.
• Server certificate validation has been introduced. When connecting to a server for the first time, users will be prompted to trust the certificate and can choose to remember their decision.
• A new settings window has been implemented, offering support for additional remote desktop parameters and managing trusted server certificates, including options to add, edit, and remove certificates.
• Various code refactoring and structural improvements have been made to enhance the overall performance and maintainability of the application.

• The issue of the Arcane Viewer Virtual Desktop Window freezing when manually closing the connection with Remote Desktop has now been fixed.
• The Arcane Viewer Virtual Desktop Window now has an icon on the taskbar.
• HDPI and scaling support have been improved.
• Arcane Viewer Virtual Desktop Window placement has been improved.

A new article has been published on Medium that delves into what Arcane is, providing a detailed explanation of how it works and why it stands out from typical remote desktop applications.

The article not only covers the installation process but also provides a comprehensive guide on how to use Arcane. It walks you through both the automated, recommended installation method as well as the manual method, which includes instructions on how to build your own version and install it.

Arcane, formerly known as PowerRemoteDesktop, is a unique remote control application distinguished by its server being entirely coded in PowerShell. It is currently the only remote desktop application with this characteristic. The project was renamed to Arcane to give it a more distinctive identity, moving away from the generic nature of its former name. This rebranding also coincided with a major rewrite of the viewer component.

While the server remains fully written in PowerShell, the viewer has been rewritten in Python, making it cross-platform. The transition to using Qt (PyQt6) as the graphical engine has further enhanced its usability and compatibility across different operating systems.

The features of Arcane are consistent with the latest version of PowerRemoteDesktop. However, the viewer is now more stable, user-friendly, and supports multiple platforms. Future updates will focus on expanding features as the viewer's stability is further refined through testing. I plan to introduce new functionalities once I'm confident in the viewer's stability accros different platforms.

We are excited to announce the release of DLest v3.0! This major update brings a host of performance enhancements, user interface improvements, and powerful new features including:

Process Spy: Debug processes to monitor DLL Load events in real-time. File Hash Tools: Easily generate and compare file hashes. Enumeration of Lone Ordinals: Identify and analyze anonymous functions with improved accuracy. Enhanced Filtering System: Experience a more robust and intuitive export filtering system.

In this second article, we demonstrates how malware authors exploit Microsoft Windows application resources as malicious vectors to either store their dynamic configuration or additional payloads. The focus is on the Windows API, but it also details some aspects of the PE (Portable Executable) header, allowing for manual inspection and manipulation of resources.

Welcome to the grand opening of Malware Gallery 1.0! We're excited to announce several new features that have been added since the beta version. One significant addition is the Archive mode, which expose a comprehensive database referencing over 10,000 malware and hack tool entries. This archive is compiled from a partial reconstruction of Mega Security's data spanning from 1998 to 2010.

But that's not all! We're dedicated to continuously updating our collection with new families and releases. Stay in the loop by subscribing to our RSS feed or following us on our social media channels to ensure you never miss a single update.