The Malware Analysis Series (MAS) by Alexandre Borges is a step-by-step malware analysis and reverse engineering series covering topics from foundational lab setup and unpacking through .NET analysis, banking trojans, shellcode reversing, macOS/iOS threats, and Linux ELF malware. All articles are freely available as PDFs. MAS_10 is the final article in the series.
MAS_01 — Foundations of Malware Analysis — Launches the series with a complete lab setup (IDA Free/Pro, x64dbg, ScyllaHide, Labeless, REMnux) and introduces the core methodology — unpacking, API resolving, C2 extraction and emulation — through analysis of Hancitor. Establishes the baseline concepts and tooling used throughout the entire series. ↓ PDF (Dec 3, 2021)
MAS_02 — Qakbot — String Decryption & C2 Extraction — Deep-dives into Qakbot covering string decryption, dynamic API resolving, C++ internal structures, and C2 data extraction. Reviews the full Windows memory allocation call chain (VirtualAlloc → NtAllocateVirtualMemory) and critical unpacking breakpoints including VirtualProtect, WriteProcessMemory, and NtMapViewOfSection. ↓ PDF (Feb 3, 2022)
MAS_03 — Emotet — Epoch 5 Botnet Analysis — Analyzes an Emotet Epoch 5 sample using Malwoverview, VirusTotal, Triage, and Capa to build a threat profile before touching the binary. Covers Elliptic Curve Cryptography, RC4 encryption, process injection detection via EnumerateProcesses + WriteProcessMemory, and bulk C2 IP extraction. Demonstrates a structured triage-first workflow applicable to any unknown sample. ↓ PDF (May 5, 2022)
MAS_04 — .NET Malware Analysis — Managed Code Fundamentals — Introduces .NET malware analysis with dnSpyEx, ILSpy, and de4dot. Explains MSIL decompilation, custom obfuscation, multi-stage packing, and encrypted payloads in managed code. Covers IOC extraction strategies — persistence, C2 communication, plaintext URLs, and credentials — as they apply specifically to managed binaries. First of multiple .NET articles in the series. ↓ PDF (May 12, 2022)
MAS_05 — Advanced Malware Analysis Techniques — Continues the series after a break, applying the accumulated analysis methodology to new malware samples and reinforcing techniques established in earlier articles. Deepens practical experience across static and dynamic analysis, showing how skills transfer to progressively more complex samples and evasion strategies encountered in real-world threats. ↓ PDF (Sep 14, 2022)
MAS_06 — Evasion & Anti-Analysis Techniques — Extends the analytical framework with a focus on anti-analysis and evasion techniques found in real-world Windows malware. Covers detection and circumvention of anti-debugging, anti-disassembly, and virtual machine detection methods that adversaries use to hinder reverse engineering sessions. ↓ PDF (Nov 24, 2022)
MAS_07 — Dridex — Banking Trojan Deep Dive — Targets Dridex, a complex banking trojan active since 2014 with a multi-stage architecture: a loader that installs the payload and downloads optional VNC and SOCKS modules, plus a payload stage capable of fetching additional components. Covers keylogger behavior, encrypted C2 communication, and document-based delivery. Focuses on the hardest analytical aspects not addressed in standard public reports. ↓ PDF (Jan 5, 2023)
MAS_08 — macOS / iOS Malware Analysis — Introduction — Expands the series to Apple platforms, introducing the concepts and skills required for reversing Mach-O binaries on macOS and iOS. Covers platform-specific analysis differences, lab setup with macOS Sonoma + Xcode, IDA Pro/Home, and Radare2. Deeper macOS/iOS coverage continues in the author’s Exploiting Reversing (ER) series. 62 pages. ↓ PDF (Aug 7, 2024)
MAS_09 — Shellcode Analysis & Reverse Engineering — Dedicated entirely to shellcode — position-independent code used in exploits, loaders, and stagers that executes without a standard PE header. Covers identification, extraction, and step-by-step reverse engineering in a Windows context using IDA Pro and x64dbg. Addresses dynamic API resolution via PEB walking, hash-based function lookup, and decoder stubs commonly used to evade static detection. 38 pages. ↓ PDF (Jan 8, 2025)
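The hash-based function lookup mentioned for MAS_09 is the part of shellcode analysis that most often stalls a first reversing session: the stub walks the PEB's loaded-module list, hashes each export name, and compares it against a DWORD constant, so the disassembly shows `push 0x876F8B31; call ebp` and no API name at all. The resolver below is an added example written for this page, not code from the MAS articles or from exploitreversing.com. It assumes the Metasploit block_api variant of the hash (ROR 13 over the upper-cased UTF-16LE module name including its null terminator, plus ROR 13 over the ASCII function name including its null byte); the small export table is constructed inline so the script runs offline, and in practice it would be generated from the real DLL export tables.

```python
# Constructed export table: a few real kernel32.dll / ws2_32.dll export names,
# typed in by hand for this example rather than dumped from a live process.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "WinExec", "ExitProcess", "CreateProcessA", "ExitThread"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send"],
}


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`, as the x86 ROR instruction does."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def api_hash(module: str, function: str, bits: int = 13) -> int:
    """ROR13 API hash in the Metasploit block_api layout (assumed variant).

    The stub hashes the module name as upper-cased UTF-16LE over the
    UNICODE_STRING's MaximumLength, so the null terminator is included;
    the function name is hashed as ASCII up to and including its null byte.
    The two 32-bit sums are added modulo 2**32, matching `add edi, eax`.
    """
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, bits) + b) & 0xFFFFFFFF
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, bits) + b) & 0xFFFFFFFF
    return (h_mod + h_fn) & 0xFFFFFFFF


def build_lookup(exports=EXPORTS, bits: int = 13) -> dict:
    """Precompute hash -> (module, function) for every known export."""
    table = {}
    for module, names in exports.items():
        for name in names:
            table[api_hash(module, name, bits)] = (module, name)
    return table


def resolve_hashes(hashes, bits: int = 13) -> dict:
    """Map each constant lifted from the shellcode to its API, or None if unknown."""
    table = build_lookup(bits=bits)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed input: DWORD immediates as they would be read off the
    # disassembly of a block_api-style stager. 0xDEADBEEF is a deliberate miss.
    wanted = [0x876F8B31, 0x56A2B5F0, 0x0726774C, 0xDEADBEEF]
    for h, api in resolve_hashes(wanted).items():
        if api:
            print(f"0x{h:08X} -> {api[0]}!{api[1]}")
        else:
            print(f"0x{h:08X} -> unresolved (wrong hash variant or export not in table)")
```

An unresolved constant usually means the sample uses a different rotation count, a different case or terminator rule, or an XOR/addition with a per-sample key on top of the base hash; changing `bits` or the normalisation in `api_hash` to match the stub's loop is the first thing to try before assuming the export is simply missing from the table.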
MAS_10 — Linux ELF Malware Analysis — Final Article — Closes the MAS series with an introductory analysis of ELF (Executable and Linkable Format) malware on Linux. Covers the most relevant ELF format analysis points, sample retrieval from public sandboxes, and practical reversing with IDA Pro on Ubuntu 24.04. Intentionally kept approachable to build foundational Linux malware analysis skills. PDF only — no separate article page. ↓ PDF (Jan 15, 2025)
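The "ELF format analysis points" that MAS_10 covers are the fields an analyst reads before opening the sample in IDA: class and endianness, file type, target machine, entry point, and the program headers that describe how the loader maps the file. The parser below is an added example for this page, not code from the MAS series or from exploitreversing.com. It walks the ELF header and program headers of a 32- or 64-bit file in either byte order and flags the traits that typically mark a packed or hostile Linux binary: a writable-and-executable PT_LOAD segment, an executable stack, no PT_INTERP/PT_DYNAMIC (static linking, so no import table to lean on), missing section headers, and an entry point that lies outside every loadable segment. The sample file is constructed in `build_sample()` so the script runs offline; the triage rules and their wording are assumptions of this example, not a list taken from the article.

```python
import struct
import sys

# Constants from the ELF specification (the subset that matters for triage).
ELF_MAGIC = b"\x7fELF"
ET_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
EM_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def parse_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers; return facts plus triage notes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:
        ehdr_fmt, phdr_fmt = "16sHHIQQQIHHHHHH", "IIQQQQQQ"
    else:
        ehdr_fmt, phdr_fmt = "16sHHIIIIIHHHHHH", "IIIIIIII"
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(endian + ehdr_fmt, data, 0)

    segments = []
    for i in range(e_phnum):
        raw = struct.unpack_from(endian + phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:   # Elf64_Phdr puts p_flags right after p_type
            p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = raw
        else:      # Elf32_Phdr puts p_flags near the end
            p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = raw
        segments.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})

    notes = []
    ptypes = {s["type"] for s in segments}
    if PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes:
        notes.append("statically linked: no PT_INTERP/PT_DYNAMIC, so no import table to pivot on")
    for s in segments:
        if s["type"] == PT_LOAD and s["flags"] & PF_W and s["flags"] & PF_X:
            notes.append(f"RWX PT_LOAD at 0x{s['vaddr']:x}: self-modifying or in-place unpacking code likely")
        if s["type"] == PT_GNU_STACK and s["flags"] & PF_X:
            notes.append("executable stack requested via PT_GNU_STACK")
    if e_shnum == 0 or e_shoff == 0:
        notes.append("no section headers: stripped or packed (UPX-style)")
    if not any(s["type"] == PT_LOAD and s["vaddr"] <= e_entry < s["vaddr"] + s["memsz"]
               for s in segments):
        notes.append("entry point lies outside every PT_LOAD segment")

    return {
        "class": 64 if is64 else 32,
        "endian": "little" if endian == "<" else "big",
        "type": ET_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": EM_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "segments": segments,
        "notes": notes,
    }


def build_sample() -> bytes:
    """Constructed x86-64 ELF: one RWX PT_LOAD, executable stack, no interpreter,
    no section headers, and a two-byte `jmp $` body. Not a real malware sample."""
    ehdr_size, phdr_size = 64, 56
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7   # 64-bit, LE, v1, SysV ABI
    entry = 0x400000 + ehdr_size + 2 * phdr_size
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 62, 1, entry,
                       ehdr_size, 0, 0, ehdr_size, phdr_size, 2, 64, 0, 0)
    code = b"\xeb\xfe"
    total = ehdr_size + 2 * phdr_size + len(code)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_W | PF_X,
                       0, 0x400000, 0x400000, total, total, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack + code


if __name__ == "__main__":
    # Pass a file path to triage a real sample; with no argument the constructed one is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_elf(blob)
    print(f"{info['class']}-bit {info['endian']}-endian {info['type']} for {info['machine']}, "
          f"entry 0x{info['entry']:x}, {len(info['segments'])} program headers")
    for note in info["notes"]:
        print("  [!]", note)
```

Running it against a packed sample pulled from a public sandbox typically yields the same four notes the constructed file produces, which is exactly the signal to unpack before static analysis; a clean dynamically linked binary yields none, and its PT_INTERP and PT_DYNAMIC entries are where the next step (imports, DT_NEEDED libraries, init arrays) starts.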
All articles are authored by Alexandre Borges (Exploit Developer & Vulnerability Researcher) and published on exploitreversing.com. Content is provided for educational and research purposes only. Alexandre also maintains the Exploiting Reversing (ER) Series covering Windows/macOS internals, kernel drivers, hypervisors, and vulnerability research.