<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: jordanricky1604-ship-it</title>
    <description>The latest articles on DEV Community by jordanricky1604-ship-it (@jordan1604).</description>
    <link>https://dev.to/jordan1604</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3959082%2Fbfe416fa-e837-490b-b822-c226343648ea.png</url>
      <title>DEV Community: jordanricky1604-ship-it</title>
      <link>https://dev.to/jordan1604</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/jordan1604"/>
    <language>en</language>
    <item>
      <title>Malware Deep Dive: Sdbot</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Fri, 17 Jul 2026 12:44:15 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-sdbot-4d1m</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-sdbot-4d1m</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Sdbot (Rat)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Sdbot&lt;/strong&gt; malware family, which falls under the Rat category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;p&gt;sdbot is classified as a remote access trojan (RAT), malware that gives an attacker remote control of an infected computer. It has one or more associated MITRE ATT&amp;amp;CK technique references (linked on this page) that document the behaviors observed for it. We have not yet published a hand-verified detailed profile for this family; the MITRE references below are the authoritative source for its documented techniques.&lt;/p&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;win32.sdbot&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;sdbot.worm&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;rbot&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;spybot&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;sdbot.a&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1059.003&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1059/003/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1071.003&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1071/003/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1547.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1547/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1105&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1105/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1091&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1091/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1498&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1498/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Where can I learn more about sdbot?&lt;/strong&gt;&lt;br&gt;
Refer to the linked MITRE ATT&amp;amp;CK technique pages, which document the behaviors associated with this family.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/sdbot.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Malware Deep Dive: Gandcrab</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Tue, 14 Jul 2026 06:54:18 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-gandcrab-49nf</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-gandcrab-49nf</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Gandcrab (Ransomware)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Gandcrab&lt;/strong&gt; malware family, which falls under the Ransomware category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;p&gt;GandCrab is ransomware that encrypts a victim's files and demands ransom for their return, targeting Windows PCs of both consumers and businesses. Per Malwarebytes, it launched in January 2018 and operated as a ransomware-as-a-service, with affiliates spreading it for a share of the profits. On May 31, 2019 its operators publicly announced they were shutting down. Free decryptors for certain versions were later released through industry and law-enforcement collaboration.&lt;/p&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;GandCrab&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1486&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1486/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1490&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1490/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1082&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1082/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1083&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1083/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1071.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1071/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1566.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1566/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is GandCrab?&lt;/strong&gt;&lt;br&gt;
Ransomware that encrypts files on Windows PCs and demands payment; it targeted both consumers and businesses.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;When was GandCrab active?&lt;/strong&gt;&lt;br&gt;
It launched in January 2018 and its operators announced a shutdown on May 31, 2019.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How was GandCrab distributed?&lt;/strong&gt;&lt;br&gt;
As a ransomware-as-a-service: affiliates spread it through methods like exploit kits, phishing, and other vectors in exchange for a cut of the ransoms.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is there a free GandCrab decryptor?&lt;/strong&gt;&lt;br&gt;
Free decryptors for certain GandCrab versions were released through industry and law-enforcement collaboration; availability depends on the version.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Should I pay the GandCrab ransom?&lt;/strong&gt;&lt;br&gt;
Security guidance generally discourages paying. Check whether a free decryptor exists for your version (e.g., via the No More Ransom project) and restore from clean backups where possible.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How can I protect against ransomware like GandCrab?&lt;/strong&gt;&lt;br&gt;
Keep software patched, be cautious with email attachments and links, use reputable security software, and maintain tested offline backups.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where can I read an authoritative source on GandCrab?&lt;/strong&gt;&lt;br&gt;
Malwarebytes maintains a GandCrab overview, linked on this page.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/gandcrab.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Malware Deep Dive: Adposhel</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Wed, 08 Jul 2026 08:39:24 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-adposhel-2n53</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-adposhel-2n53</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Adposhel (Adware)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Adposhel&lt;/strong&gt; malware family, which falls under the Adware category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;p&gt;adposhel is classified as adware or a potentially-unwanted program associated with intrusive advertising or bundling. It has one or more associated MITRE ATT&amp;amp;CK technique references (linked on this page) that document the behaviors observed for it. We have not yet published a hand-verified detailed profile for this family; the MITRE references below are the authoritative source for its documented techniques.&lt;/p&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;adposhel adware&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;browsefox variant&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1176&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1176/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1112&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1112/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1547.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1547/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Where can I learn more about adposhel?&lt;/strong&gt;&lt;br&gt;
Refer to the linked MITRE ATT&amp;amp;CK technique pages, which document the behaviors associated with this family.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/adposhel.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Malware Deep Dive: Swisyn</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Tue, 07 Jul 2026 08:06:41 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-swisyn-i1g</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-swisyn-i1g</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Swisyn (Trojan_Generic)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Swisyn&lt;/strong&gt; malware family, which falls under the Trojan_Generic category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;h3&gt;Executive Summary&lt;/h3&gt;

&lt;p&gt;Swisyn is a malicious Trojan designed to covertly infiltrate Windows systems, establish persistence, and act as a reliable downloader for remote threat actors. It is frequently utilized in the initial stages of a cyberattack to gather system intelligence and facilitate the automated deployment of secondary, highly destructive malware payloads, such as enterprise ransomware or banking trojans.&lt;/p&gt;

&lt;h3&gt;Infection Vector and Technical Capabilities&lt;/h3&gt;

&lt;p&gt;Swisyn is predominantly distributed through socially engineered spam campaigns containing malicious attachments (often weaponized PDFs or Office documents utilizing macro exploits) or via compromised software installers downloaded from untrustworthy web portals.&lt;/p&gt;

&lt;p&gt;Upon successful execution, Swisyn operates with a focus on stealth and payload delivery:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;System Reconnaissance:&lt;/strong&gt; The trojan immediately collects detailed system information, including the OS version, installed software, Active Directory domain membership, and active antivirus solutions. This fingerprint is transmitted to a command-and-control (C2) server.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Persistence:&lt;/strong&gt; Swisyn ensures it survives system reboots by modifying the Windows Registry (e.g., adding entries to the `Run` or `RunOnce` keys) or by creating hidden Scheduled Tasks that execute the malware payload under high privileges.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Payload Delivery:&lt;/strong&gt; Acting as a downloader, Swisyn receives instructions from the C2 server to silently download and execute secondary malware. This provides the attacker with a flexible platform to escalate the attack based on the value of the compromised host.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Threat Assessment&lt;/h3&gt;

&lt;p&gt;A Swisyn infection represents a significant breach of the endpoint perimeter. Because it provides remote attackers with the ability to execute arbitrary code, a single compromised machine can rapidly be utilized to pivot laterally and compromise the entire corporate network.&lt;/p&gt;

&lt;h3&gt;Remediation and Eradication&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Endpoint Detection and Response (EDR):&lt;/strong&gt; Configure EDR solutions to monitor for anomalous registry modifications and unauthorized outbound network connections to unknown IP addresses.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Network Isolation and Sweeps:&lt;/strong&gt; Immediately isolate the infected endpoint from the LAN. Conduct a thorough forensic sweep to identify not only the Swisyn executable but also any secondary payloads it may have successfully deployed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential Reset:&lt;/strong&gt; Because Swisyn frequently facilitates the deployment of info-stealers, all user credentials associated with the compromised endpoint must be treated as compromised and immediately reset.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Trojan.Swisyn&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Downloader.Swisyn&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Win32/Swisyn&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1105&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1105/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1547.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1547/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1059&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1059/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Where can I learn more about swisyn?&lt;/strong&gt;&lt;br&gt;
Refer to the linked MITRE ATT&amp;amp;CK technique pages, which document the behaviors associated with this family.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/swisyn.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Malware Deep Dive: Ldpinch</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Mon, 06 Jul 2026 06:35:23 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-ldpinch-50fd</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-ldpinch-50fd</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Ldpinch (Unknown)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Ldpinch&lt;/strong&gt; malware family, which falls under the Unknown category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;h3&gt;Executive Summary&lt;/h3&gt;

&lt;p&gt;LDPinch (also known as Pinch) is a legacy, highly successful Information Stealer (InfoStealer) Trojan. While extremely prevalent in the mid-to-late 2000s, its source code has been widely distributed, leading to numerous modern variants. Its primary objective is the rapid, covert extraction of saved passwords, system configurations, and cryptographic keys from an infected Windows host, immediately exfiltrating the data back to the attacker.&lt;/p&gt;

&lt;h3&gt;Infection Vector and Technical Capabilities&lt;/h3&gt;

&lt;p&gt;LDPinch is typically distributed via malicious email attachments (often utilizing archive formats like ZIP or RAR to evade basic scanning), disguised as game cracks on P2P networks, or dropped by exploiting unpatched browser vulnerabilities.&lt;/p&gt;

&lt;p&gt;Its technical design is focused entirely on fast credential harvesting:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Comprehensive Password Extraction:&lt;/strong&gt; LDPinch contains specialized modules to decrypt and steal saved credentials from a massive array of software. This includes web browsers (IE, Firefox), email clients (Outlook, The Bat!), FTP clients (CuteFTP, WS_FTP), and instant messaging applications (ICQ, AIM).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;System Profiling:&lt;/strong&gt; Before exfiltration, it gathers a detailed system profile, including installed software, network configuration, and active processes, which is highly valuable to attackers planning subsequent attacks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Rapid Exfiltration:&lt;/strong&gt; Unlike a RAT, LDPinch does not typically maintain a long-term interactive session. It is a "smash and grab" tool. It harvests the data, compresses it (often encrypting it), and sends it to the attacker via SMTP (email), FTP upload, or HTTP POST, and then frequently deletes itself to hide its tracks.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Threat Assessment&lt;/h3&gt;

&lt;p&gt;An LDPinch infection is an immediate data breach. The theft of corporate email, VPN, or FTP credentials provides the attacker with direct, authenticated access to the internal network, bypassing perimeter defenses and paving the way for data extortion or ransomware deployment.&lt;/p&gt;

&lt;h3&gt;Incident Response and Remediation&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Global Credential Reset:&lt;/strong&gt; The absolute highest priority is a mandatory password reset for all accounts used on the compromised machine. Because it steals FTP and remote access credentials, these must be secured instantly.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Egress Traffic Review:&lt;/strong&gt; Check firewall logs for anomalous outbound SMTP (Port 25) or FTP (Port 21) connections originating from the infected endpoint, which may indicate where the stolen data was sent.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EDR Sweep:&lt;/strong&gt; Utilize EDR to ensure the LDPinch executable has been removed. Even if it deleted itself, it is crucial to verify that it did not download a secondary payload before terminating.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;InfoStealer.LDPinch&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Trojan-PSW.Win32.LdPinch&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Pinch&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1555&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1555/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1005&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1005/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1048&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1048/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Where can I learn more about ldpinch?&lt;/strong&gt;&lt;br&gt;
Refer to the linked MITRE ATT&amp;amp;CK technique pages, which document the behaviors associated with this family.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/ldpinch.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Malware Deep Dive: Zbot</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Mon, 06 Jul 2026 06:34:36 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-zbot-43j6</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-zbot-43j6</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Zbot (Banking_Trojan)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Zbot&lt;/strong&gt; malware family, which falls under the Banking_Trojan category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;p&gt;Zbot is better known as Zeus, one of the most influential banking trojans in malware history, designed to steal banking information and other sensitive credentials for exfiltration. As MITRE ATT&amp;amp;CK notes for the Zeus Panda variant, the original Zeus source code was leaked in 2011, which let many threat actors build new variants on top of it (including Citadel, Gameover Zeus, and Zeus Panda). It primarily targets Windows and captures credentials through browser-based techniques such as web injection and keylogging.&lt;/p&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Zeus&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Zbot&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Zeus Panda&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Wsnpoem&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1185&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1185/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1071.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1071/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1056.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1056/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is Zeus/Zbot?&lt;/strong&gt;&lt;br&gt;
A landmark banking trojan that steals banking credentials and other sensitive data, typically by capturing what victims enter into their browser.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why is the 2011 Zeus source-code leak important?&lt;/strong&gt;&lt;br&gt;
MITRE notes the original source code leaked in 2011, allowing threat actors to build many new variants from it, which shaped a whole generation of banking malware.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What variants came from Zeus?&lt;/strong&gt;&lt;br&gt;
Well-known descendants include Citadel, Gameover Zeus, and Zeus Panda, among others.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How does Zeus steal banking details?&lt;/strong&gt;&lt;br&gt;
Mainly through browser session hijacking / web injection and keylogging, capturing credentials as they are entered on banking sites.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What systems does Zeus target?&lt;/strong&gt;&lt;br&gt;
It primarily targets Windows, with the Zeus Panda variant documented across Windows XP through Windows 10.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How did Zeus typically spread?&lt;/strong&gt;&lt;br&gt;
Historically through phishing emails and drive-by downloads from compromised or malicious websites.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How can I protect financial accounts from trojans like Zeus?&lt;/strong&gt;&lt;br&gt;
Use multi-factor authentication, keep your system and browser patched, avoid suspicious attachments and links, and monitor accounts for unauthorized activity.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Where is the authoritative reference?&lt;/strong&gt;&lt;br&gt;
MITRE ATT&amp;amp;CK's Zeus Panda entry (S0330), linked on this page, documents the variant's techniques and the 2011 source leak.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/zbot.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Malware Deep Dive: Ainslot</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Mon, 06 Jul 2026 06:34:26 +0000</pubDate>
      <link>https://dev.to/jordan1604/malware-deep-dive-ainslot-4ala</link>
      <guid>https://dev.to/jordan1604/malware-deep-dive-ainslot-4ala</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Ainslot (Trojan)
&lt;/h1&gt;

&lt;p&gt;Today we are analyzing the &lt;strong&gt;Ainslot&lt;/strong&gt; malware family, which falls under the Trojan category.&lt;/p&gt;

&lt;h2&gt;
  
  
  Overview
&lt;/h2&gt;

&lt;h3&gt;Executive Summary&lt;/h3&gt;

&lt;p&gt;Ainslot is a malicious Trojan designed to covertly infiltrate Windows systems, establish persistence, and act as a reliable downloader for remote threat actors. It is frequently utilized in the initial stages of a cyberattack to gather system intelligence and facilitate the automated deployment of secondary, highly destructive malware payloads, such as enterprise ransomware or banking trojans.&lt;/p&gt;

&lt;h3&gt;Infection Vector and Technical Capabilities&lt;/h3&gt;

&lt;p&gt;Ainslot is predominantly distributed through socially engineered spam campaigns containing malicious attachments (often weaponized PDFs or Office documents utilizing macro exploits) or via compromised software installers downloaded from untrustworthy web portals.&lt;/p&gt;

&lt;p&gt;Upon successful execution, Ainslot operates with a focus on stealth and payload delivery:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;System Reconnaissance:&lt;/strong&gt; The trojan immediately collects detailed system information, including the OS version, installed software, Active Directory domain membership, and active antivirus solutions. This fingerprint is transmitted to a command-and-control (C2) server.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Persistence:&lt;/strong&gt; Ainslot ensures it survives system reboots by modifying the Windows Registry (e.g., adding entries to the `Run` or `RunOnce` keys) or by creating hidden Scheduled Tasks that execute the malware payload under high privileges.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Payload Delivery:&lt;/strong&gt; Acting as a downloader, Ainslot receives instructions from the C2 server to silently download and execute secondary malware. This provides the attacker with a flexible platform to escalate the attack based on the value of the compromised host.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Threat Assessment&lt;/h3&gt;

&lt;p&gt;An Ainslot infection represents a significant breach of the endpoint perimeter. Because it provides remote attackers with the ability to execute arbitrary code, a single compromised machine can rapidly be utilized to pivot laterally and compromise the entire corporate network.&lt;/p&gt;

&lt;h3&gt;Remediation and Eradication&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Endpoint Detection and Response (EDR):&lt;/strong&gt; Configure EDR solutions to monitor for anomalous registry modifications and unauthorized outbound network connections to unknown IP addresses.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Network Isolation and Sweeps:&lt;/strong&gt; Immediately isolate the infected endpoint from the LAN. Conduct a thorough forensic sweep to identify not only the Ainslot executable but also any secondary payloads it may have successfully deployed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential Reset:&lt;/strong&gt; Because Ainslot frequently facilitates the deployment of info-stealers, all user credentials associated with the compromised endpoint must be treated as compromised and immediately reset.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Known Aliases
&lt;/h2&gt;

&lt;p&gt;Security vendors and researchers may refer to this family by several different names, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Trojan.Ainslot&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Downloader.Ainslot&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Win32/Ainslot&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  MITRE ATT&amp;amp;CK Techniques
&lt;/h2&gt;

&lt;p&gt;This family has been observed utilizing the following techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;T1105&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1105/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1547.001&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1547/001/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;T1059&lt;/strong&gt;: &lt;a href="https://attack.mitre.org/techniques/T1059/" rel="noopener noreferrer"&gt;View on MITRE&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Frequently Asked Questions
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Where can I learn more about ainslot?&lt;/strong&gt;&lt;br&gt;
Refer to the linked MITRE ATT&amp;amp;CK technique pages, which document the behaviors associated with this family.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/ainslot.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data! You can also find the full dataset on &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; and &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;Kaggle&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Deep Dive: Xtreme RAT (XTRAT)</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Sat, 04 Jul 2026 11:57:25 +0000</pubDate>
      <link>https://dev.to/jordan1604/deep-dive-xtreme-rat-xtrat-4o5</link>
      <guid>https://dev.to/jordan1604/deep-dive-xtreme-rat-xtrat-4o5</guid>
      <description>&lt;h1&gt;
  
  
  Deep Dive: Xtreme RAT (XTRAT)
&lt;/h1&gt;

&lt;p&gt;Xtreme RAT (also known as XTRAT and ExtRat) is a notorious Windows remote access trojan that has been actively used in targeted cyber-espionage campaigns. Today, we're taking a closer look at this backdoor, its capabilities, and its history.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Xtreme RAT?
&lt;/h2&gt;

&lt;p&gt;According to documentation by Malpedia (Fraunhofer FKIE) citing Trend Micro, Xtreme RAT is a backdoor that provides a remote attacker with complete control over an infected system while silently stealing sensitive information. &lt;/p&gt;

&lt;p&gt;It is widely known for being deployed in highly targeted attacks. Most notably, it was utilized in the 2012 campaigns against Israeli and Syrian government targets, and cybersecurity researchers have strongly associated the malware family with the &lt;strong&gt;Molerats&lt;/strong&gt; threat actor group.&lt;/p&gt;

&lt;h2&gt;
  
  
  Core Capabilities
&lt;/h2&gt;

&lt;p&gt;When Xtreme RAT infects a Windows machine, the attacker gains a wide array of capabilities. Some of the primary functions include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;File Management&lt;/strong&gt;: The ability to silently download, upload, and execute malicious payloads or exfiltrate documents.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Registry Management&lt;/strong&gt;: Modifying the Windows registry to establish persistence or weaken security settings.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;System Control&lt;/strong&gt;: Executing arbitrary shell commands, forcing system shutdowns, and forcibly logging the user on or off.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Surveillance&lt;/strong&gt;: Capturing the screen of the infected system and operating as a keylogger to capture passwords, credentials, and other typed information.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Associated Threat Actors &amp;amp; Aliases
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Aliases&lt;/strong&gt;: xtreme rat, xtremerat, xrat, ExtRat&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Threat Actor&lt;/strong&gt;: Molerats&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MITRE ATT&amp;amp;CK Techniques&lt;/strong&gt;: T1059.003, T1056.001, T1113, T1125, T1105, T1071.001&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Defense and Mitigation
&lt;/h2&gt;

&lt;p&gt;Detecting Xtreme RAT relies on a combination of endpoint detection and response (EDR) to catch the keylogging and registry modifications, as well as network monitoring to detect the command and control (C2) communication. &lt;/p&gt;

&lt;p&gt;By understanding the techniques (such as &lt;code&gt;T1056.001&lt;/code&gt; for Keylogging and &lt;code&gt;T1059.003&lt;/code&gt; for Windows Command Shell), defenders can build robust detection rules to catch the behavior of XTRAT before data exfiltration occurs.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;This article is part of the &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/families/xtrat.html" rel="noopener noreferrer"&gt;Malware Families Catalog&lt;/a&gt;. Visit the original page for more details and interactive data!&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>malware</category>
      <category>security</category>
    </item>
    <item>
      <title>I got tired of Ctrl-F'ing PDFs for malware family names so I built a catalog</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Tue, 02 Jun 2026 17:06:16 +0000</pubDate>
      <link>https://dev.to/jordan1604/i-got-tired-of-ctrl-fing-pdfs-for-malware-family-names-so-i-built-a-catalog-1hn7</link>
      <guid>https://dev.to/jordan1604/i-got-tired-of-ctrl-fing-pdfs-for-malware-family-names-so-i-built-a-catalog-1hn7</guid>
      <description>&lt;p&gt;Quick backstory. I do MSP work and a chunk of my week is triage. Something pops on an endpoint, you get a family name back from whatever tool flagged it, and now you're trying to figure out if this thing is a banker, a loader, a wiper, ransomware, whatever. Half the time the top Google hit is a vendor blog from 2019 with a popup begging you to download a whitepaper. The other half is some forum thread where the actual useful comment got deleted.&lt;/p&gt;

&lt;p&gt;So I made a thing. It's just a static site with one page per malware family. 2,899 of them, pulled from the EMBER 2018 list (Endgame's dataset, the one a lot of ML-for-malware papers train against). Each family gets its own URL like /families/emotet.html, /families/trickbot.html and so on. Nothing fancy. No JS framework. Just HTML you can land on from a search result and read in two seconds.&lt;/p&gt;

&lt;p&gt;Live here if you want to poke at it: &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/" rel="noopener noreferrer"&gt;https://jordanricky1604-ship-it.github.io/malware-families-catalog/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Why bother. Honestly because I kept hitting the same wall. You're on a call, the SOC analyst on the other side says "we're seeing Qakbot", and you want a one-pager you can skim while they keep talking. Not a 40 page report. Not a paywall. Just "here's what this is, here's what it usually does, here's a couple of references." That's the whole pitch.&lt;/p&gt;

&lt;p&gt;The other annoying thing was discoverability. If I dump a CSV on HuggingFace nobody searching for a specific family name is going to find it. The CSV is one URL. But if every family is its own page with the name in the title tag and the H1, then someone Googling "what is njRAT" can actually land on it. That was the bet anyway. Still waiting to see how Google feels about it but Bing already indexed ~250 URLs which I'll take.&lt;/p&gt;

&lt;p&gt;I also mirrored the dataset to HuggingFace (&lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;https://huggingface.co/datasets/Jordan123234/malware-families-catalog&lt;/a&gt;) and Kaggle (&lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog&lt;/a&gt;) because that's where ML folks actually go looking. The GitHub Pages site is the canonical though, the other two are mirrors that point back.&lt;/p&gt;

&lt;p&gt;A few things I learned that might save someone else time:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Generating 2,899 HTML files from a template is fine. The slow part isn't the generation, it's getting Pages to actually finish building. I had to split things or it would time out.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Sitemaps matter way more than I expected. I had the pages live for like a week before I realised Search Console wasn't picking them up because my sitemap was only listing the index. Once I generated a proper sitemap with every family URL in it the crawl rate jumped immediately.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Don't name your files with weird characters. Some of the family names in EMBER have slashes, dots, parentheses. I lowercased and stripped everything down to [a-z0-9-] and kept a mapping file. Worth it.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;If you cross-link aggressively (A-Z index, related families, prev/next nav) crawlers will actually follow. If you just dump 2,899 orphan pages and pray, they sit there forever.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;It's Apache 2.0 so do whatever you want with it. PRs welcome if you want to add a reference or fix a family description, there's a decent chance I got something wrong on a less common one. The build pipeline is in the repo too if you want to fork it for a different taxonomy (CVEs, threat actors, whatever).&lt;/p&gt;

&lt;p&gt;That's it. Going back to my actual job now.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>showdev</category>
      <category>sideprojects</category>
      <category>tooling</category>
    </item>
    <item>
      <title>I open-sourced a Malware Families Catalog built on EMBER 2018</title>
      <dc:creator>jordanricky1604-ship-it</dc:creator>
      <pubDate>Fri, 29 May 2026 23:12:14 +0000</pubDate>
      <link>https://dev.to/jordan1604/i-open-sourced-a-malware-families-catalog-built-on-ember-2018-40ck</link>
      <guid>https://dev.to/jordan1604/i-open-sourced-a-malware-families-catalog-built-on-ember-2018-40ck</guid>
      <description>&lt;h2&gt;
  
  
  What it is
&lt;/h2&gt;

&lt;p&gt;I just released an open-source dataset that maps EMBER 2018 malware family labels to a unified, structured catalog. It's published identically on three platforms so you can pull it whichever way fits your workflow:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;GitHub Pages (canonical):&lt;/strong&gt; &lt;a href="https://jordanricky1604-ship-it.github.io/malware-families-catalog/" rel="noopener noreferrer"&gt;https://jordanricky1604-ship-it.github.io/malware-families-catalog/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;HuggingFace:&lt;/strong&gt; &lt;a href="https://huggingface.co/datasets/Jordan123234/malware-families-catalog" rel="noopener noreferrer"&gt;https://huggingface.co/datasets/Jordan123234/malware-families-catalog&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Kaggle:&lt;/strong&gt; &lt;a href="https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog" rel="noopener noreferrer"&gt;https://www.kaggle.com/datasets/rickyjordan/malware-families-catalog&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;License is Apache-2.0. The schema is identical across all three so you can swap loaders without touching the rest of your pipeline.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why I built it
&lt;/h2&gt;

&lt;p&gt;The EMBER 2018 benchmark from Elastic is one of the most widely used static-PE malware classification datasets — but the family label column is sparse and noisy, and there's no canonical companion that catalogs which families appear, how often, and what's known about them. Most projects either drop the family labels entirely (and just do benign/malicious classification) or hand-roll their own family lookup table.&lt;/p&gt;

&lt;p&gt;I wanted a clean, honest catalog you can join against EMBER without having to do that work yourself.&lt;/p&gt;

&lt;p&gt;A few constraints I held myself to while building it:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;No fabricated facts.&lt;/strong&gt; If a family is obscure or unattributed, the record says so. I'd rather have a &lt;code&gt;null&lt;/code&gt; than a confident-sounding hallucination.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No manual removal instructions.&lt;/strong&gt; This is a research dataset, not a how-to. Records describe what a family is and link out to authoritative sources where appropriate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;One schema everywhere.&lt;/strong&gt; Same columns, same types, same row counts on HF, Kaggle, and GitHub. The README on each platform points at the others.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How to load it
&lt;/h2&gt;

&lt;p&gt;From HuggingFace:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;datasets&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;load_dataset&lt;/span&gt;
&lt;span class="n"&gt;ds&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;load_dataset&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Jordan123234/malware-families-catalog&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;From Kaggle (via the Kaggle CLI):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kaggle datasets download &lt;span class="nt"&gt;-d&lt;/span&gt; rickyjordan/malware-families-catalog
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;From GitHub Pages (raw files):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-O&lt;/span&gt; https://jordanricky1604-ship-it.github.io/malware-families-catalog/data/families.csv
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  What's next
&lt;/h2&gt;

&lt;p&gt;I'd love feedback — especially from people who've worked with EMBER and have opinions about which family attributes are most useful for downstream classifiers. Open an issue on the GitHub repo if anything looks off.&lt;/p&gt;

&lt;p&gt;If you find it useful, a star on the repo helps surface it for the next person searching for the same thing.&lt;/p&gt;

&lt;p&gt;— Built and maintained as an open community resource.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>machinelearning</category>
      <category>opensource</category>
      <category>showdev</category>
    </item>
  </channel>
</rss>
