Threat Researcher, DFIR, MalDev — malware analysis, reverse engineering & detection engineering

SANS Certified Threat Researcher with extensive experience in malware reverse engineering & development, YARA/Sigma rule creation, and technical threat reporting. Proven track record in detecting and mitigating advanced threats, supporting incident response, and performing digital forensics. Strong focus on enhancing security through research-driven detection.

Whoami

Animated avatar of shaddy43

Shayan Ahmed Khan
Alias: shaddy43
Threat Researcher, DFIR, MalDev
GREM, SC-200, AZ-500, PMRP, HCIA Security
I believe in open-source work & contributions!

Buy Me A Coffee

Donate via PayPal

Recent Posts

Cover image for Velociraptor: The Ultimate Powerhouse for Swift and Precision Investigations

Velociraptor: The Ultimate Powerhouse for Swift and Precision Investigations

A deep dive into an open-source DFIR tool and its flexibility

18 Jan 2025 • 06 minute read

Latest
Cover image for Emotet Malware Analysis

Emotet Malware Analysis

A detailed technical analysis report on Emotet Malware covering 3 stages from initial vbs dropper to stage 2 emotet dll and in-memory loaded module

28 Oct 2024 • 12 minute read

Cover image for Memory Patch Deobfuscation

Memory Patch Deobfuscation

The xloader AKA formbook, hides its core malicious functionality under the guise of encrypted core malicious functions that are patched at run-time in the memory during its exectution

24 Aug 2024 • 10 minute read

Cover image for Lagos Island Ntdll Unhooking

Lagos Island Ntdll Unhooking

This method loads Windows ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective

24 Aug 2024 • 12 minute read

Cover image for Ghost in the system, Malware Defense Evasion

Ghost in the system, Malware Defense Evasion

A list of interesting Malware Defense Evasion techniques

08 Aug 2024 • 6 minute read

Cover image for Layers of Deception: Analyzing the Complex Stages of XLoader 4.3 Malware Evolution

Layers of Deception: Analyzing the Complex Stages of XLoader 4.3 Malware Evolution

Technical Analysis of xloader4.3/formbook infostealer

24 Jan 2024 • 25 minute read

Featured
Cover image for From Infection to Encryption: Tracing the Impact of RYUK Ransomware

From Infection to Encryption: Tracing the Impact of RYUK Ransomware

Technical Analysis of dangerous multi-threading encrypter on which many of the modern ransomware are based on

26 Nov 2023 • 10 minute read

Cover image for Decrypting the Mystery of MedusaLocker

Decrypting the Mystery of MedusaLocker

Technical Analysis of MedusaLocker Ransomware and its extracted TTPs

13 Nov 2023 • 9 minute read

Cover image for RevEnge! Reverse Engineering android apps to bypass SSL pinning for mobile app pen-testing

RevEnge! Reverse Engineering android apps to bypass SSL pinning for mobile app pen-testing

Bypass SSL pinning manually by patching the APK file for MITM proxy and API testing

31 Oct 2023 • 5 minute read

Cover image for Secrets of commercial RATs! NanoCore dissected

Secrets of commercial RATs! NanoCore dissected

Technical analysis of NanoCore RAT 1.2.2.0 malware and its extracted TTPs

21 Sep 2023 • 14 minute read

Cover image for RevEnge! Reverse engineering android apps to bypass root detection capabilities for mobile app-pentesting

RevEnge! Reverse engineering android apps to bypass root detection capabilities for mobile app-pentesting

Bypassing Root Detection by reverse engineering APK and patching code

05 Nov 2022 • 6 minute read

Cover image for The epitome of evasion! A custom shellcode

The epitome of evasion! A custom shellcode

Crafting a custom position independent code (shellcode) to evade defenses

09 Apr 2022 • 8 minute read

Evasion
Cover image for Reverse Auth

Reverse Auth

Reversing Authenticaion. Completing famous bomb.exe, a reverse engineering exercise to reverse engineer and bypass authentication checks in one hour

23 Mar 2022 • 7 minute read

Cover image for Cracked Haven

Cracked Haven

Understand software cracking and its implications. This article explores the way software cracking works with a practical example of cracking Adobe Photoshop and manually adding backdoor

12 Mar 2022 • 10 minute read

Featured
Cover image for Analysis of a trojanized anydesk

Analysis of a trojanized anydesk

Technical analysis of a trojanized anydesk, delivering infostealer in anydesk campaign

01 Mar 2022 • 10 minute read

Projects

Cover image for BrowserSnatch

BrowserSnatch

This project steals important data from all chromium and gecko browsers installed in the system and gather the data in a stealer db to be exfiltrated out

Stars ☆: 250+, Forks: 40+

Latest
Cover image for MalwareAnalysisSeries

MalwareAnalysisSeries

This repository contains the analysis reports, technical details or any tools created for analyzing a piece of malware sample. Additionally, the repo also contains interesting TTPs extracted and recreated from malware samples with detection rules

Stars ☆: 14+

Featured
Cover image for Position Independent Backdoor

Position Independent Backdoor

This project contains methodology of creating position independent code which can be used to extract shellcode from the generated binary. Shellcode could be injected in any process for evading defenses

Stars ☆: 04, Forks: 01

Cover image for Reverse Shell Netcat

Reverse Shell Netcat

This repository contains a program that gives remote shell connection on the sockets back to the c2 server. This connection can be listened on Netcat as well

Stars ☆: 05, Forks: 03

Cover image for Donut Injector

Donut Injector

An injector that tries to bypass static and dynamic analysis. The shellcodes that are injected must be encrypted with a key and decrypted at runtime to avoid detection

Stars ☆: 03

Cover image for Pocket Encrypter

Pocket Encrypter

A light-weight Pocket encrypter using CBC AES 256 for encrypting files with password being passed as a parameter

Stars ☆: 01

Cover image for AES Shellcode Encrypter

AES Shellcode Encrypter

A tool that can encrypt all type of files and give the encrypted output in the form of an encrypted shellcode

Stars ☆: 14, Forks: 06

Cover image for SGCApp: Secure Group Communication

SGCApp: Secure Group Communication

This repository implements SEGCOM paper to achieve secure group communication in multi-casting

Archived