Deep-dives on the technical decisions behind my work.
Engine systems, security pipelines, audio synthesis, game design reviews, incident investigations. Some technical posts are detailed enough that I could rebuild the project from them, and that's the point!
Calibration as infrastructure: building a detonation lab
Six stages, four tensions, and the engineering decisions that determine whether a detonation lab earns its keep. How specimens enter, deploy, detonate, are observed, are analysed, and are archived, with notes on the tradeoffs that recur at every stage and the boring parts that compound over years. Architecture and decisions, not code. Engineering register, not academic.
Below the burn line: the architecture of operator infrastructure
Three tiers, four attribution surfaces, and the analyst posture they are all calibrated against. Why operator infrastructure decomposes into long-haul, redirector, and staging tiers, what discipline each tier requires across DNS, TLS, behavioural, and financial surfaces, and how the operator's own workstation becomes the single point of correlation that none of the tier discipline addresses. Architecture and decisions, not configuration. Methodology, not playbook.
Building the inverse: the design decisions behind a three-layer dropper
The same architecture from the other direction. Why a layered .NET dropper has three layers and not two or four, what each layer is solving for, and which defender assumptions the design quietly presupposes. A composite reference design drawn from the artefact dissected in Three layers deep and adjacent commodity infostealer campaigns through 2024 and 2025. Architecture and decisions, not source. Companion to the reverse-engineering writeup.
Three layers deep: reverse-engineering a .NET RAT dropper
Three layers down into a 1.1 MB junk-padded batch script: from cmd.exe macro obfuscation through a PowerShell shellcode loader to a Donut-packed implant living inside explorer.exe. The dropper hides its payload steganographically in 3,500 lines of comments, renames powershell.exe to evade name-based detection, and uses a 7-byte memory marker for cross-reboot idempotence. Companion to the incident writeup.
The cutest trap on the internet: weaponizing Google's child-safety system as a kill switch
A fake Minecraft launcher infected my friend α's machine on a Tuesday evening. By morning, an operator had used the stolen access to upload triggering content to α's Google account, log out, and let the platform's own automated child-safety detector erase the witness. The malware is the carrier; the kill switch is the story. The technical reverse-engineering lives in the companion post.