Most organizations start by using Microsoft Copilot the way it looks in demos: type a question, get an answer. That works for exploration. For repeatable operational work, it gets expensive quickly.

Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korea attempt to infiltrate an organization by replying to a help wanted ad.

During a DFIR engagement, LevelBlue was asked to assist with reverse engineering a Linux malware sample detected in a client’s environment. After reverse-engineering most of the malware sample, I wanted to create tooling to easily decrypt its command-and-control (C2) traffic. This post covers part of the methodology used for reversing the related routines as well as the tool created to decrypt the C2 traffic.

Every now and then, LevelBlue SpiderLabs diverts a bit from its normal course of discussing vulnerabilities, ransomware attacks, and malware, and generates a public service blog to help those in the cybersecurity industry improve their skillset or better understand how the world is changing.

Every now and then, LevelBlue SpiderLabs diverts a bit from its normal course of discussing vulnerabilities, ransomware attacks, and malware, and generates a public service blog to help those in the cybersecurity industry improve their skillset or better understand how the world is changing.

As security researchers, we actively monitor the latest CVEs and their publicly available exploits to create signatures. Beyond CVEs, we also hunt for malware on platforms such as MalwareBazaar, which enhances our visibility into attacks occurring across networks.

The dark web serves as a refuge for threat actors to gather intel, trade illicit goods and tools, and network with other cybercriminals. Aside from allowing threat actors to connect and learn from other individuals who share the same interests, the dark web facilitates the procurement and peddling of stolen data to make cyberattacks even more effective and nefarious.

This article also appears on the Stroz Friedberg, A LevelBlue Company, blog site.