Building a Professional KVM Malware Analysis Lab on Linux

Why Build Your Own Lab? When you start getting serious about malware analysis, your options are usually a cloud sandbox like Any.run or Cuckoo, or a locally spun-up VM with Windows Defender disabled. Both work for basic analysis, but neither gives you the level of control and visibility a dedicated lab provides. A proper lab lets you: See exactly what a sample does at the network level, including decrypted HTTPS traffic Correlate behavioral events across process, registry, file system, and network simultaneously Protect your real IP from appearing in malware C2 infrastructure logs Restore to a clean state in seconds and run the next sample Feed everything into a open-source SIEM for long-term pattern analysis This post walks through building exactly that, from bare metal to a fully operational lab with VPN routing, transparent TLS interception, and Wazuh monitoring across all VMs. ...

July 10, 2026 · Meistsec

How I Hunted the Atomic Arch AUR Stealer on My Own Box

TL;DR On 11 June 2026, attackers hijacked more than 400 Arch User Repository (AUR) packages and rewrote their build scripts to pull a malicious npm package that executed a Rust credential stealer — analyst-named deps — during the build. Sonatype calls the campaign Atomic Arch. Independent researcher Whanos reverse-engineered the payload, and that analysis is the source for most of the indicators here. I run Arch with a Wazuh agent, so I built a hunt around the IOCs and ran it against my own machine. The host came back clean. The interesting part isn’t the verdict — it’s that two checks looked like findings and weren’t: a PID-listing diff that screamed “hidden process,” and a loopback listener on a random high port that had exactly the shape of the malware’s local proxy. Both were artifacts of how the checks work, not evidence. This post is the hunt, why each check is trustworthy or not, the two head-fakes, and how to wire durable detections into Wazuh so the next variant trips an alert on its own. ...

June 15, 2026 · Meistsec

Approaching the Attack Chain

05/25/2023: Phishing, Domain Abuse/Typo-Squatting, Chat-Bots, and C2 Deployment… This proof of concept is for educational purposes only. All resources are my own, and no individuals or sock puppets were harmed during the testing process. From my initial review of Impostoor Technology Services https://impostoor.com the company offers various global data storage services for its customers. I pursued an approach of active and passive reconnaissance techniques to gather valuable information about the target network and its users. In addition, I delivered test emails to its corporate addresses to understand the look and feel of company formatting and header information. ...

May 25, 2023 · Meistsec

Practical Malware Analysis & Triage

09/01/2022: This is an analysis of a malware sample studied during TCM Security’s PMAT Course Practical Malware Analysis & Triage (PMAT) Malware Analysis Report unknown.exe Malware Aug 2022 | Meistsec | v1.0 Executive Summary SHA256 Hash: 3ACA2A08CF296F1845D6171958EF0FFD1C8BDFC3E48BDD34A605CB1F7468213E TCM Security offers HuskyHacks Practical Malware Analysis & Triage Course. The PMAT course has been one of my most enjoyable experiences in learning cybersecurity thus far. The course teaches the fundamentals of malware analysis, reverse engineering, report writing, and establishing rules to prevent malware infections in a network. A sandboxed environment utilizing FlareVM and REMnux Linux on a compartmentalized network was utilized to perform the detailed analysis. ...

September 1, 2022 · Meistsec