MalDev Academy

@MalDevAcademy

Followers: 13,506
Following: 4
Media: 75
Statuses: 354

A comprehensive module-based malware development course providing fundamental to advanced level knowledge

Joined April 2023
Pinned Tweet
@MalDevAcademy
MalDev Academy
3 months
Update 12 has been released with the following modules and challenges:
Updated syllabus:
- Exploiting EDRs For Evasion - Finding Internal Exclusion List
- Introduction To Sleep Obfuscation
- Introduction to Ekko and Zilean Sleep Obfuscation
-
0
39
183
@MalDevAcademy
MalDev Academy
4 months
Dumping LSASS against CrowdStrike: We frequently receive feedback from our users highlighting their success in engagements and how Maldev Academy contributed. Today, we received a message detailing their effective use of New Modules 23, 25, and 38 to successfully bypass
16
106
600
@MalDevAcademy
MalDev Academy
1 year
September update is out. This one is heavy on AV & EDR evasion.
- Introduction to Havoc C&C
- Building an evasive DLL payload loader
- Introduction to DLL sideloading
- Practical DLL sideloading example
- DLL sideloading for EDR evasion
- Bring your own vulnerable driver (BYOVD)
5
98
521
@MalDevAcademy
MalDev Academy
1 year
Malware development challenges are now posted onto the website. It's also possible to contribute and submit a challenge.
3
73
469
@MalDevAcademy
MalDev Academy
1 year
Our EXE loader is now available to everyone on GitHub: We'll be uploading more repositories on our GitHub in the future.
1
127
454
@MalDevAcademy
MalDev Academy
1 year
Injecting Mimikatz into a remote process.
4
79
407
@MalDevAcademy
MalDev Academy
8 months
We’ve launched Maldev Academy Code Search! We’ve built two projects with the help of this service and posted the code and videos to the GitHub repository below:
9
110
419
@MalDevAcademy
MalDev Academy
5 months
Ghostly Hollowing + Tampered Syscalls Via Hardware Breakpoints: Utilizing hardware breakpoints to spoof syscall arguments while implementing the Ghostly Hollowing PE Injection technique. These two techniques were covered in the recent course updates.
5
83
401
@MalDevAcademy
MalDev Academy
9 months
Our DLL loader + sideloading modules have been successfully tested against CrowdStrike with no detections.
12
41
377
@MalDevAcademy
MalDev Academy
1 year
PeFluctuation is a technique designed to hide PE files in memory. The images show PeFluctuation in action, hiding Mimikatz in memory and evading both pe-sieve and moneta. The PeFluctuation module will be included in update 6.
4
83
364
@MalDevAcademy
MalDev Academy
3 months
Executing Mimikatz and bypassing memory scans from PE-sieve and Moneta using PeFluctuation from update 6.
2
59
369
@MalDevAcademy
MalDev Academy
1 year
Maldev Academy DLL Loader vs CrowdStrike: The DLL loader is for Maldev members. But we're also publishing an EXE version of the loader on our GitHub for anyone to use.
5
76
363
@MalDevAcademy
MalDev Academy
1 year
Process injecting the EDR process? Yes! Bring Your Own Vulnerable Driver (BYOVD) coming up soon.
4
48
349
@MalDevAcademy
MalDev Academy
8 months
Maldev Academy Code Search: We’re very happy to announce the creation of a new code search service that will ease the learning and maldev experience for users. The site currently has over 7000+ lines, 300+ snippets in total with new snippets being added every month. All
8
49
342
@MalDevAcademy
MalDev Academy
3 months
LSASS Dump BOF Challenge: Build a BOF for Havoc to dump LSASS by using existing handles to the lsass.exe process. The challenge and code solution will be available next week!
2
61
348
@MalDevAcademy
MalDev Academy
1 year
Injecting shellcode into Microsoft Defender from the kernel. Update 5 is looking 🔥🔥
4
50
333
@MalDevAcademy
MalDev Academy
8 months
Malware development is about to become more fun! This is a snippet of a longer video where we use the new Maldev Academy Code Search service to create a loader in less than 10 minutes. Service launch date: February 19th, 2024. We will be doing giveaways so keep an eye out for
7
42
332
@MalDevAcademy
MalDev Academy
8 months
The upcoming Maldev Academy update will showcase a module that explains the process of developing a 'Shellcode Reflective DLL' builder. This builder converts your DLL payload into position-independent shellcode, allowing you to load any DLL reflectively.
4
43
295
@MalDevAcademy
MalDev Academy
2 months
New Module 27 - Bring Your Own Vulnerable Driver (BYOVD): Learn to inject C2 shellcode into the Microsoft Defender process (MsMpEng.exe) by exploiting a vulnerable driver.
1
49
300
@MalDevAcademy
MalDev Academy
7 months
Update 9 has been finalized and QA’d. It will be pushed out tonight:
Modules:
[1] Ghost Process Injection
[2] Ghostly Hollowing
[3] Herpaderping Process Injection
[4] Herpaderply Hollowing
[5] Shellcode Reflective DLL Injection
Challenges:
[1] Remote Module Stomping
[2] Process
7
32
279
@MalDevAcademy
MalDev Academy
1 year
Update 6 has been posted. These are pretty large and complex modules.
- Local PE Execution
- Reflective DLL Injection
- PeFluctuation (in-memory encryption)
- Building a PE Packer
Update 7 tentatively for November is:
- DLL Proxying
- Utilizing Fibers For Payload Execution
-
6
51
275
@MalDevAcademy
MalDev Academy
1 year
We're proud to announce that @C5pider will be joining the Maldev Academy Team this month in developing practical challenges for our users that will aid their malware development journey and reinforce what they've learned throughout the course.
12
26
276
@MalDevAcademy
MalDev Academy
11 months
Update 7 - November
- Malware Directory Placement
- Utilizing Fibers For Payload Execution
- TLS Callbacks For Anti-Debugging
Update 8 - January
- Threadless Injection
- Module Stomping
- Module Overloading
- Process Hollowing
Update 9 - February
- Ghost Process Injection
-
4
27
280
@MalDevAcademy
MalDev Academy
2 months
New Module 46: Exploiting EDRs For Evasion - Preventing EDR From Taking Action. This module demonstrates a logic vulnerability in an EDR. Setting the "Read-Only" attribute on a malicious file prevents it from being quarantined or deleted. We exploit this vulnerability to
4
37
275
@MalDevAcademy
MalDev Academy
9 months
Update 8 published:
1. Threadless Injection
2. Module Stomping
3. Module Overloading
4. Process Hollowing
Additionally 3 new challenges were added with the code solution:
1. Generating Encryption Keys Without WinAPI Calls
2. SystemFunction040 Encryption/Decryption
3.
5
36
271
@MalDevAcademy
MalDev Academy
1 year
Update 4 Out Now:
1. AMSI Intro
2. AMSI Bypass Via Byte Patching
3. Patchless AMSI Bypass Via Hardware Breakpoints
4. Building a DRM-Equipped Malware
Update 5 - September (Tentatively):
1. Building An Evasive DLL Payload Loader
2. EDR Evasion Via DLL Sideloading
3. Bring Your
5
38
271
@MalDevAcademy
MalDev Academy
1 year
Update 3 out now:
- Event Tracing for Windows - Introduction
- Event Tracing For Windows - ETW Tools
- Event Tracing For Windows - ETW Bypass Via Byte Patching
- Event Tracing for Windows - Better Patching
- Event Tracing for Windows - Patchless ETW
1
53
262
@MalDevAcademy
MalDev Academy
7 months
Shellcode Reflective DLL Injection (sRDI) Module ✅
Herpaderply Hollowing Module ✅
Ghostly Hollowing Module ✅
0
39
259
@MalDevAcademy
MalDev Academy
3 months
Sleep obfuscation modules and code are ready. The modules will be reviewed and pushed some time next week.
1
20
255
@MalDevAcademy
MalDev Academy
6 months
Update 10 out now!
1. Patchless Threadless Injection Via Hardware Breakpoints
2. Tampered Syscalls
3. Exploiting EDRs for Evasion - Preventing EDR From Taking Action
4. Exploiting EDRs for Evasion - EDR LOLBINs
Update 11 next:
1. Introduction to BoF
2. Writing BoF Files
3. BoF
3
29
245
@MalDevAcademy
MalDev Academy
3 months
By the end of the "Shellcode Reflective DLL Injection" module, you'll be able to create a custom shellcode builder that converts your DLL payload into shellcode.
2
40
248
@MalDevAcademy
MalDev Academy
1 year
Testing the PE Packer against MDE. Packed Mimikatz running as expected. Update 6 will teach you to build your own PE packer.
1
28
236
@MalDevAcademy
MalDev Academy
7 months
Ghost Process Injection & Herpaderping Process Injection modules are ready ✅
7
32
232
@MalDevAcademy
MalDev Academy
2 months
Learn how to build a custom PE packer from scratch with the "Building A PE Packer" module. The generated packed payloads are capable of bypassing memory scanning tools such as Moneta and PeSieve.
1
34
227
@MalDevAcademy
MalDev Academy
1 year
Update 1 out now!
- More C fundamentals for beginners
- Binary Metadata Modification
- Thread Enumeration via NtQuerySystemInformation
- Custom WinAPI Functions
- Exploiting EDRs For Evasion
- Introduction To MASM Assembly
Updated Syllabus:
4
40
223
@MalDevAcademy
MalDev Academy
6 months
We've updated our code snippets database. This update includes Python Impacket & C/C++ snippets. Copy, paste and use. Some of the snippets include:
- Enumerate Remote Host
- SMB Pass-The-Hash
- Share Enumeration
- List SMB Files
- Download/Upload Via SMB
1
29
204
@MalDevAcademy
MalDev Academy
2 years
MaldevAcademy[.]com is now live!
16
48
205
@MalDevAcademy
MalDev Academy
1 year
Module 81: Bypass AVs. This module walks the user through building a payload loader with several techniques.
2
32
203
@MalDevAcademy
MalDev Academy
1 year
New shellcode development challenge up on the website
0
23
200
@MalDevAcademy
MalDev Academy
21 days
Our Malware Development Database will soon be updated to feature new C and Rust code snippets.
4
33
205
@MalDevAcademy
MalDev Academy
1 year
Custom implementations of Transacted Hollowing, Ghostly Hollowing, and Herpaderply Hollowing. Coming soon!
1
29
197
@MalDevAcademy
MalDev Academy
2 months
DRMBinViaOrdinalImports - Create Anti-Copy DRM Malware: Prevent a binary from successfully running on other machines by modifying the IAT and replacing the imported function names with their corresponding ordinals.
3
34
197
@MalDevAcademy
MalDev Academy
4 months
DLL sideloading has been covered in several modules. We recommend that users who have completed these modules try the DLL sideloading challenge.
1
23
193
@MalDevAcademy
MalDev Academy
7 months
In update 1 we released our first "Exploiting EDRs For Evasion" module. We're planning to showcase more weaknesses with the following modules:
1. Exploiting EDRs For Evasion - Preventing EDR From Taking Action
2. Exploiting EDRs For Evasion - Finding Internal Exclusions
3.
3
30
189
@MalDevAcademy
MalDev Academy
5 months
An interesting area of AV/EDR research is to test whether the name of a file can impact the behavior of the security solution. In our upcoming "Exploiting EDRs For Evasion" module, we demonstrate this concept against two EDR products.
3
12
190
@MalDevAcademy
MalDev Academy
1 year
The Maldev Academy Discord server is constantly releasing interesting information outside of the monthly module updates. Don't miss out!
2
10
182
@MalDevAcademy
MalDev Academy
8 months
The code search database is being updated in the upcoming week. Some of the new snippets include:
- Network Interaction Functions
- LSASS Dumping
- Lateral Movement
- Token Manipulation
- User Enumeration & Manipulation
- Anti-Analysis Techniques
All ready for use through
1
26
182
@MalDevAcademy
MalDev Academy
1 year
Process ghosting implementation in the works
0
19
184
@MalDevAcademy
MalDev Academy
8 months
The Code Search database has been updated with nearly 100 new snippets. Copy-paste-invoke compile. Some of the new snippets include:
- LSASS Dump Via Seclogon Race Condition
- LSASS Dump Via Duplication & Process Forking
- LSASS Dump Via
1
32
185
@MalDevAcademy
MalDev Academy
3 months
Check out our shellcoding challenges by @C5pider . These challenges involve writing custom shellcode, a reverse shell and more.
0
19
173
@MalDevAcademy
MalDev Academy
1 year
Lots of DLL side-loading action in the next update!
2
13
167
@MalDevAcademy
MalDev Academy
6 months
New Module 45 - Tampered Syscalls Via Hardware Breakpoints: This new module discusses an advanced technique to bypass userland hooks while simultaneously spoofing the invoked syscall's arguments.
0
20
166
@MalDevAcademy
MalDev Academy
2 months
New Module 5: Introduction to MASM Assembly. A large module that covers the foundational understanding of the assembly programming language. This knowledge becomes useful in later modules and challenges where we work with functional shellcodes.
1
19
166
@MalDevAcademy
MalDev Academy
7 months
We have another 5 tickets to give away for @HackSpaceCon. We believe this is an excellent learning opportunity for anyone in the cyber security industry. All you need to do to qualify is comment on this post. We will select 5 winners on Saturday.
149
33
161
@MalDevAcademy
MalDev Academy
4 months
Learn about Event Tracing for Windows (ETW) and the different bypass techniques.
2
15
163
@MalDevAcademy
MalDev Academy
2 months
Ekko Heap Obfuscation module coming this month courtesy of @C5pider
0
16
161
@MalDevAcademy
MalDev Academy
1 year
One of our more experienced users @inbits_sec released an obfuscation tool "CSSHide" inspired by the obfuscation modules in the course. It's always great to see students going above and beyond and building their own projects 💪
0
28
153
@MalDevAcademy
MalDev Academy
1 year
The upcoming hooking module is 🔥 The module teaches you to utilize hardware breakpoints to perform patchless hooks. It’s capable of copying installed hooks into new threads, as shown in the images.
5
23
155
@MalDevAcademy
MalDev Academy
4 months
Building on the latest BoF modules that were recently released: Threadless injection via hardware breakpoints BoF challenge coming soon by @C5pider
1
25
157
@MalDevAcademy
MalDev Academy
1 year
Coming soon!
5
13
146
@MalDevAcademy
MalDev Academy
5 months
Update 11 has been pushed along with the challenge solutions:
1. Process Hypnosis (Credits: @H0udini_13)
2. Introduction To Object Files
3. Writing Beacon Object Files
4. Object File Loading
5. Anti-Analysis: IP Whitelisting (Challenge)
6. Domain Registration Kill Switch
4
20
147
@MalDevAcademy
MalDev Academy
1 year
Local PE Injection for update 6 is in the works.
1
15
142
@MalDevAcademy
MalDev Academy
11 months
The upcoming update includes utilization of TLS callbacks for anti-analysis purposes. If the binary detects it's being debugged, it will overwrite its main function with 0xFF bytes.
Image 1 - Normal execution
Image 2 - Attempt to execute during debugging fails
0
18
138
@MalDevAcademy
MalDev Academy
3 months
We've uploaded the final batch of code snippets for this month's update to our Malware Dev Database:
- Hardware Breakpoint Threadless Injection (Existing Process)
- Hardware Breakpoint Threadless Injection (New Process)
- PeFluctuation
- Process Hypnosis
- Syscalls Tampering
-
1
18
134
@MalDevAcademy
MalDev Academy
1 month
On Friday we pushed our 13th update which included the following modules:
- Token Manipulation
- Library Proxy Loading
- Heap Encryption With Ekko Sleep Obfuscation
We will also add 12 new challenges in the following week along with new snippets to the code database.
1
9
134
@MalDevAcademy
MalDev Academy
1 year
@k3nundrum sharing his usage of our latest "Bring Your Own Vulnerable Driver" module and receiving a Havoc callback from Microsoft Defender's process (MsMpEng.exe) with no detection.
3
26
132
@MalDevAcademy
MalDev Academy
7 months
Some of the new snippets being added next month: SCCM NAA Credential Dump Wi-Fi Passwords Dump Module Overloading PE Injection ETW Provider Session Hijacking Copy-paste, invoke and compile.
0
15
128
@MalDevAcademy
MalDev Academy
1 year
Our latest module shows the implementation of Digital Rights Management (DRM) within the malware. Once executed on a machine, the malware will not execute on any other machine. This can potentially be effective against AV/EDR automatic sample submission.
0
21
123
@MalDevAcademy
MalDev Academy
9 months
We’re continuing to publish working code on our GitHub. We’ll be publishing a new repository next week. Follow us to stay tuned.
1
9
123
@MalDevAcademy
MalDev Academy
8 months
We’re excited to be giving away 5 tickets for @HackSpaceCon. All you need to do to qualify is comment on this post. We will select 5 winners on Friday.
114
10
119
@MalDevAcademy
MalDev Academy
3 months
Following last month's introduction to Beacon Object Files, these newly released challenges provide a great opportunity to test your knowledge:
- Threadless Shellcode Injection via Hardware Breakpoints BOF
- LSASS Dump BOF
Be sure to give them a try!
0
17
121
@MalDevAcademy
MalDev Academy
5 months
We've added 3 new challenges courtesy of @C5pider. Solutions will be posted this week.
- Anti-Analysis: IP Whitelisting
- Domain Registration Kill Switch (WannaCry Style)
- Malware Working Hours
3
10
116
@MalDevAcademy
MalDev Academy
5 months
Due to the success of our private red team channel, we launched a second round of submissions yesterday. Within the first hour, we received more than 100 submissions. We will be reviewing these submissions and approving qualified applicants over the coming days.
6
2
118
@MalDevAcademy
MalDev Academy
1 year
Custom reflective loader in the works for October’s update 🔥
1
11
112
@MalDevAcademy
MalDev Academy
6 months
Our next update will demonstrate how we can make EDRs behave unexpectedly against certain file names and attributes. The update will provide information that can allow further vulnerability research against security solutions.
0
8
115
@MalDevAcademy
MalDev Academy
7 months
We're creating an exclusive channel on our Discord server for red teamers. The admission form can be found in our Discord announcements channel. We will stop accepting responses at midnight (EDT). We currently have over 150 submissions from some very highly qualified
5
3
112
@MalDevAcademy
MalDev Academy
3 months
Yesterday marked the 12th update of our Malware Development Course. An update almost every month since the launch of Maldev Academy! We have a lot more updates coming. Stay tuned.
2
1
111
@MalDevAcademy
MalDev Academy
1 year
We've started issuing out certificates of completion to those who complete the course! 🔥
4
7
109
@MalDevAcademy
MalDev Academy
5 months
Our next update includes Process Hypnosis, an interesting process injection technique by @H0udini_13. Stay tuned!
1
7
107
@MalDevAcademy
MalDev Academy
1 year
Another amazing review from a Maldev Academy student that completed the course!
4
6
105
@MalDevAcademy
MalDev Academy
7 months
Our code snippets are working against AV/EDRs with minor changes.
@l1inear
L1inear
7 months
What happens when Gartner's 100% Detection/Prevent EDRs get put up against @MalDevAcademy 's code search? Had a blast getting one of the modules to dump lsass tonight 😅
4
11
66
0
17
94
@MalDevAcademy
MalDev Academy
8 months
Official @HackSpaceCon sponsor!
0
11
90
@MalDevAcademy
MalDev Academy
3 months
Close to 200 Nim snippets have been added to our code database. Database updates: Reminder to anyone that subscribed prior to this week that your subscription does not expire anymore.
0
9
86
@MalDevAcademy
MalDev Academy
1 year
Teaching evasion one module at a time 💪
2
4
85
@MalDevAcademy
MalDev Academy
1 year
Last week’s challenge was to implement a “kill date” for a malware. The solution has been posted now! As a reminder you can submit your challenge to be featured in the upcoming weeks.
1
4
84
@MalDevAcademy
MalDev Academy
10 months
3 New challenges uploaded:
- Fibers For Shellcode Execution
- Anti-Analysis: Domain-Joined Check
- Custom GetProcAddress: Compile-Time Hash Obfuscation
3
6
84
@MalDevAcademy
MalDev Academy
3 months
Have you had a chance to go through our latest modules on Sleep Obfuscation?
3
2
84
@MalDevAcademy
MalDev Academy
9 months
🔥🔥🔥
@k1u_l3ss
Kevin
9 months
Module stomping + shellcode encryption modules + Havoc shellcode = Win against defender. Awesome new modules @MalDevAcademy
1
3
56
0
11
79
@MalDevAcademy
MalDev Academy
3 months
Some changes made over the weekend to our Malware Development Database:
1. Single Sign On implementation on search[.]maldevacademy[.]com for better integration with the course material.
2. Pricing for search[.]maldevacademy[.]com has changed from a subscription payment to a
1
7
80
@MalDevAcademy
MalDev Academy
1 year
Upcoming DLL loader capabilities
0
7
81
@MalDevAcademy
MalDev Academy
1 month
New challenges uploaded:
- Ekko With Control Flow Guard (CFG) Enabled
- Ekko With Restored File Section Protections
- Ekko Using RtlEncryptMemory And RtlDecryptMemory
0
7
80
@MalDevAcademy
MalDev Academy
8 months
🔥🔥🔥
2
5
76
@MalDevAcademy
MalDev Academy
2 months
Perform limited directory encryption/decryption with the snippets found in our database. These snippets can be used for ransomware simulation to validate defense mechanisms against directory and file encryption.
0
6
75
@MalDevAcademy
MalDev Academy
1 year
Last week's challenge was to update the course's custom implementation of GetProcAddress to support forwarded functions. The solution was posted last night on our Discord channel. It will be posted on the website soon. Thanks to @C5pider for developing this challenge.
1
2
73
@MalDevAcademy
MalDev Academy
1 year
June - Update 2:
1. Utilizing Hardware Breakpoints for Hooking (1)
2. Utilizing Hardware Breakpoints for Hooking (2)
3. Utilizing Hardware Breakpoints Hooks For Credential Dumping
4. Base-N Encoding For Entropy Reduction
5. AV/EDR Evasion Using File Bloating
4
5
72
@MalDevAcademy
MalDev Academy
11 months
New challenge along with its code solution is dropping tonight. Creating a compile-time hashing function to easily hide strings inside your binary.
2
5
66
@MalDevAcademy
MalDev Academy
1 year
Make sure to give this week’s challenge by @C5pider a shot. The challenge is regarding PE image base relocation. A great start for people wanting to write their own loaders. The challenge can be found on our Discord server and the solution will be posted next week!
0
5
66
@MalDevAcademy
MalDev Academy
1 year
The newly released Introduction To Assembly module is over 1000 lines long and prepares you for the upcoming shellcode development modules!
2
3
65