Building a Professional KVM Malware Analysis Lab on Linux

Why Build Your Own Lab? When you start getting serious about malware analysis, your options are usually a cloud sandbox like Any.run or Cuckoo, or a locally spun-up VM with Windows Defender disabled. Both work for basic analysis, but neither gives you the level of control and visibility a dedicated lab provides. A proper lab lets you: See exactly what a sample does at the network level, including decrypted HTTPS traffic Correlate behavioral events across process, registry, file system, and network simultaneously Protect your real IP from appearing in malware C2 infrastructure logs Restore to a clean state in seconds and run the next sample Feed everything into a open-source SIEM for long-term pattern analysis This post walks through building exactly that, from bare metal to a fully operational lab with VPN routing, transparent TLS interception, and Wazuh monitoring across all VMs. ...

July 10, 2026 · Meistsec

How I Hunted the Atomic Arch AUR Stealer on My Own Box

TL;DR On 11 June 2026, attackers hijacked more than 400 Arch User Repository (AUR) packages and rewrote their build scripts to pull a malicious npm package that executed a Rust credential stealer — analyst-named deps — during the build. Sonatype calls the campaign Atomic Arch. Independent researcher Whanos reverse-engineered the payload, and that analysis is the source for most of the indicators here. I run Arch with a Wazuh agent, so I built a hunt around the IOCs and ran it against my own machine. The host came back clean. The interesting part isn’t the verdict — it’s that two checks looked like findings and weren’t: a PID-listing diff that screamed “hidden process,” and a loopback listener on a random high port that had exactly the shape of the malware’s local proxy. Both were artifacts of how the checks work, not evidence. This post is the hunt, why each check is trustworthy or not, the two head-fakes, and how to wire durable detections into Wazuh so the next variant trips an alert on its own. ...

June 15, 2026 · Meistsec

How I Chased a BPFDoor Backdoor in My Robot Vacuum (And Found a Microsecond Timer)

5/18/2026 TL;DR UniFi IDS signature 2069175 (ET MALWARE BPFDoor ICMP Echo Request, X:[COMMAND]) fired on a Roborock Q10 robot vacuum on my IoT VLAN. After a week of “investigation” — packet captures, custom Scapy trigger scripts, isolated test VLANs, the works — the root cause turned out to be a Suricata false positive with an identifiable mathematical cause: the vacuum sends an ICMP heartbeat every 20 seconds whose payload includes a 32-bit microsecond timestamp counter, and that counter rolls through values containing 0x58 0x3a (“X:”) at the rule’s match offset approximately once every few thousand packets. ...

May 18, 2026 · Meistsec