MALWARE BOSS BESTIARY

KNOW YOUR ADVERSARY. STUDY THEIR MOVES. BUILD THE COUNTER.


╔═══════════════════════════════════════╗
║     SELECT YOUR OPPONENT              ║
║     Study their techniques            ║
║     Learn their weaknesses            ║
║     Build detections                  ║
║     Fight them in the ARENA           ║
╚═══════════════════════════════════════╝
  
COBALT STRIKE
Post-Exploitation Framework
<CS> /===\ |X|
EXTREME HP: 150
SPECIAL MOVES
  • Beacon C2 Communication (HTTPS/DNS/SMB)
  • Process Injection (Hollowing, Thread Hijack)
  • Lateral Movement via SMB Named Pipes
  • Mimikatz Credential Harvesting (LSASS dump)
  • Encoded PowerShell Stager Deployment
WEAKNESSES
  • JA3/JA3S fingerprinting catches default beacons
  • Default named pipe signatures (\\MSSE-* patterns)
  • LSASS access (Sysmon Event 10) with GrantedAccess 0x1010/0x1410
  • Process lineage anomalies (svchost injection)
  • Memory-resident detection (YARA scans)
ANALYST NOTES
  • JA3/JA3S fingerprinting is your best bet for catching default Cobalt Strike beacons.
  • Named pipe events (Sysmon 17/18) catch default CS pipes — hunt for \\MSSE-* patterns.
  • Memory analysis reveals injected beacon shellcode — focus on unsigned code in svchost.
MITRE ATT&CK
T1071.001 — Web Protocols
T1055 — Process Injection
T1021 — Remote Services
T1003.001 — LSASS Memory

EMOTET
Initial Access Broker / Loader
{E} /|||\ |+|
MEDIUM HP: 100
SPECIAL MOVES
  • Malicious Office Macros / XL4 Delivery
  • Email Thread Hijacking (reply-chain lures)
  • PowerShell spawned from WINWORD.EXE
  • Secondary Payload Drop via rundll32
  • Registry Run Key Persistence
WEAKNESSES
  • Process tree: WINWORD → powershell/cmd
  • Suspicious Office child processes (Sysmon Event 1)
  • Email attachment patterns (reply-chain anomalies)
  • rundll32 loading DLLs from temp paths
  • Registry run key persistence (Sysmon 13)
ANALYST NOTES
  • Emotet relies on Office macros — block macro execution via GPO as first defense.
  • Monitor Sysmon Event 1 for WINWORD.EXE spawning PowerShell or cmd.exe.
  • Email thread hijacking makes the phishing lure harder to spot — train users to recognise reply-chain anomalies.
MITRE ATT&CK
T1566.001 — Phishing: Spearphishing Attachment
T1204.002 — User Execution: Malicious File
T1547.001 — Registry Run Keys / Startup Folder

LOCKBIT
Ransomware / RaaS
=[LB]= |##| /|##|\
EXTREME HP: 200
SPECIAL MOVES
  • Rapid Multi-Threaded File Encryption
  • Volume Shadow Copy Deletion (vssadmin)
  • Group Policy Propagation (AD-wide)
  • Data Exfiltration (double extortion)
  • Self-Propagation via Active Directory
WEAKNESSES
  • vssadmin delete shadows — immediate red flag
  • Massive file I/O spike detection / canary files
  • Known extension renaming patterns
  • Pre-encryption recon (ADFind, BloodHound)
  • GPO event logs show propagation activity
ANALYST NOTES
  • Shadow copy deletion (vssadmin delete shadows) is an immediate red flag — alert on it the moment it appears.
  • File integrity monitoring or canary files catch encryption fast.
  • Network segmentation and host isolation are your #1 priority once encryption starts.
MITRE ATT&CK
T1486 — Data Encrypted for Impact
T1490 — Inhibit System Recovery
T1048 — Exfiltration Over Alternative Protocol

BLACKCAT / ALPHV
Ransomware / RaaS (Rust-based)
/ALPHV\ |=XX=| \####/
EXTREME HP: 220
SPECIAL MOVES
  • Cross-Platform Rust-Based Encryption
  • ADFind Domain Reconnaissance
  • UAC Bypass via fodhelper.exe
  • Backup Deletion (bcdedit, wmic)
  • Triple Extortion (encrypt + leak + DDoS)
WEAKNESSES
  • Pre-encryption ADFind/BloodHound recon activity
  • fodhelper.exe UAC bypass artifacts (Sysmon Event 1)
  • Rust binary characteristics (uncommon in enterprise)
  • bcdedit / vssadmin / wmic deletion commands
  • Large outbound data transfers before encryption
ANALYST NOTES
  • ADFind.exe is a massive red flag — baseline legitimate use and alert everything else.
  • fodhelper.exe UAC bypass: Sysmon Event 1 with fodhelper as parent is high-fidelity.
  • Double extortion means data exfil happens BEFORE encryption — catch outbound movement early.
MITRE ATT&CK
T1486 — Data Encrypted for Impact
T1490 — Inhibit System Recovery
T1548.002 — Bypass User Account Control

SLIVER
Open-Source C2 Framework
[SL] <||||> |/\|
EXTREME HP: 160
SPECIAL MOVES
  • Mutual TLS / HTTP(S) / DNS C2 Channels
  • In-Memory .NET Assembly Execution
  • Pivot Listener for Internal Movement
  • Shellcode Injection into explorer.exe
  • Token Impersonation & Privilege Escalation
WEAKNESSES
  • Unique per-implant TLS certificates (JA3/JA3S)
  • CLR loading events and ETW traces
  • Go binary characteristics (large file size, strings)
  • Unusual listening ports from pivot listeners
  • Token impersonation: Event 4624 LogonType 9 + 4672
ANALYST NOTES
  • Sliver uses mTLS with self-signed certs — JA3 fingerprinting catches the default config.
  • In-memory .NET execution leaves ETW breadcrumbs — enable CLR logging.
  • Pivot listeners create unexpected listening ports — Sysmon Event 3 on unusual ports is key.
MITRE ATT&CK
T1573.002 — Asymmetric Cryptography
T1055 — Process Injection
T1071.001 — Web Protocols

ICEDID
Banking Trojan / Loader
{ID} /|--|\ |==|
HARD HP: 110
SPECIAL MOVES
  • ISO/LNK File Delivery (MOTW bypass)
  • DLL Execution via rundll32 from Temp
  • Process Injection into msiexec.exe
  • Proxy-Aware C2 Communication
  • Cobalt Strike Secondary Payload Loading
WEAKNESSES
  • ISO mount followed by LNK/DLL execution
  • rundll32.exe loading DLLs from temp paths
  • msiexec.exe injection (Sysmon 10 targeting msiexec)
  • Encoded C2 traffic with known structure
  • Named pipe creation from secondary CS payload
ANALYST NOTES
  • ISO files bypass Mark-of-the-Web — treat mounted ISO images with suspicion.
  • IcedID frequently chains into Cobalt Strike — finding IcedID means hunting for CS beacons next.
  • Proxy-aware C2 means your web proxy logs are a primary detection source.
MITRE ATT&CK
T1218.011 — Rundll32
T1553.005 — Mark-of-the-Web Bypass
T1055 — Process Injection

TRICKBOT
Banking Trojan / Reconnaissance
[TB] -||- /\
HARD HP: 120
SPECIAL MOVES
  • Web Injection (browser manipulation)
  • Network Reconnaissance (nltest, net commands)
  • Credential Theft (Mimikatz module)
  • Lateral Movement (EternalBlue)
  • Module-Based Architecture
WEAKNESSES
  • Scheduled task creation patterns
  • Reconnaissance command clusters (nltest, dsquery)
  • Network discovery command bursts
  • Known C2 infrastructure patterns
  • Module download behavior from C2
ANALYST NOTES
  • TrickBot's recon phase is noisy — look for clusters of nltest, net group, and dsquery commands in rapid succession.
  • Module-based architecture means new capabilities can appear post-infection — monitor for DLL drops.
  • Often deployed ahead of Ryuk/Conti ransomware — treat any TrickBot infection as a ransomware precursor.
MITRE ATT&CK
T1087 — Account Discovery
T1018 — Remote System Discovery
T1053.005 — Scheduled Task

QAKBOT
Loader / Initial Access
[QB] -||- /|\
MEDIUM HP: 80
SPECIAL MOVES
  • HTML Smuggling Delivery
  • DLL Loading via regsvr32.exe
  • Process Injection (Explorer.exe)
  • Email Harvesting for Propagation
  • Scheduled Task Persistence
WEAKNESSES
  • Regsvr32 execution from temp directories
  • DLL loading from unusual paths
  • Process injection into explorer.exe (Sysmon 10)
  • Scheduled task naming conventions
  • HTML smuggling artifacts in proxy logs
ANALYST NOTES
  • HTML smuggling bypasses email gateways — monitor for .iso/.img file creation after browser activity.
  • regsvr32.exe loading DLLs from temp directories is a high-fidelity indicator.
  • Explorer.exe injection — look for Sysmon 10 where TargetImage is explorer.exe.
MITRE ATT&CK
T1218.010 — Regsvr32
T1055 — Process Injection
T1053.005 — Scheduled Task

ASYNCRAT
Remote Access Trojan (RAT)
(AR) || <-->
EASY HP: 75
SPECIAL MOVES
  • Keylogging & Screen Capture
  • Remote Shell Access (reverse shell)
  • Browser Credential Exfiltration
  • Startup Folder Persistence
  • Plugin-Based Architecture / Anti-VM
WEAKNESSES
  • .NET assembly execution patterns (CLR events)
  • Mutex creation (often hardcoded names)
  • Startup folder persistence (Sysmon Event 11)
  • Predictable C2 certificate patterns
  • Reverse shell on high/unusual ports
ANALYST NOTES
  • AsyncRAT is .NET-based — CLR loading events and .NET assembly loads are high-value indicators.
  • Startup folder persistence is noisy — Sysmon Event 11 on the Startup path catches this reliably.
  • Browser credential theft targets known paths — monitor file access to Login Data and cookies.
MITRE ATT&CK
T1059.001 — PowerShell
T1056.001 — Keylogging
T1547.001 — Registry Run Keys / Startup Folder

REDLINE STEALER
Info Stealer
{RL} /||\ ==
MEDIUM HP: 70
SPECIAL MOVES
  • Browser Credential Theft
  • Crypto Wallet Extraction
  • System Information Gathering
  • Screenshot Capture
  • FTP/VPN Credential Harvesting
WEAKNESSES
  • Access to browser credential stores (Login Data files)
  • Rapid data collection + exfiltration pattern
  • Known C2 communication patterns
  • File access to wallet directories
  • .NET-based binary characteristics
ANALYST NOTES
  • RedLine's smash-and-grab pattern is distinctive — rapid sequential access to credential stores, wallets, then exfil.
  • Monitor file reads on browser credential paths (e.g. %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Login Data).
  • Often delivered via cracked software downloads — user education on piracy risks helps prevent initial access.
MITRE ATT&CK
T1555.003 — Credentials from Web Browsers
T1005 — Data from Local System
T1113 — Screen Capture

ADVERSARY ARCADE — Boss Bestiary

fungiknight © 2026