A detailed technical analysis of Netfilter.sys, a malicious kernel driver that was legitimately signed by Microsoft through attestation signing. This post explores how the rootkit harnesses the Windows Filtering Platform for stealthy IP redirection, the C2 communication mechanisms, and how Microsoft strengthened driver signing processes afterwards.

A deep dive into the RESURGE malware’s persistence mechanisms targeting Ivanti Connect Secure (ICS) appliances. This article details how RESURGE hijacks the firmware upgrade process, using SED scripts to modify critical components like /etc/ld.so.preload, CGI backdoors, integrity scanners, and even the coreboot.img for extreme persistence.