GitHub - packmad/fprem-anti-emulation Contribute to packmad/fprem-anti-emulation development by creating an account on GitHub.

I was watching a presentation [1] on @REverseConf 2026 and I learned an anti-emulation trick that uses x87 FPU quirks. It is used by an anti-cheat engine (as part of an MBA).

Here you go, it detects Unicorn: github.com/packmad/fpre...

[1] www.youtube.com/watch?v=3Ltw...

Trust Under Siege: Label Spoofing Attacks Against Machine Learning for Android Malware Detection Machine Learning (ML) malware detectors rely heavily on crowd-sourced AntiVirus (AV) labels, with platforms like VirusTotal serving as trusted sources of malware annotations. But what if attackers cou...

[4/4] Authors:
Tianwei Lan, @zangobot.bsky.social , Farid Nait-Abdesselam , Yufei Han, @saonzo.bsky.social

Links:
ieeexplore.ieee.org/document/114...
s3.eurecom.fr/docs/tifs26_...

Trust Under Siege: Label Spoofing Attacks Against Machine Learning for Android Malware Detection Machine Learning (ML) malware detectors rely heavily on crowd-sourced AntiVirus (AV) labels, with platforms like VirusTotal serving as trusted sources of malware annotations. But what if attackers…

[3/4] This attack works because many pipelines blindly trust AV labels as ground truth.

Impact:
⚠️ 1% poisoned samples → performance drops by up to ~15%
🎯 0.015% → targeted false positives

Smallest payloads we used: 22 and 55 bytes.
Yes, you can poison with something smaller than this sentence.

[2/4] We actually modified benign Android apps and uploaded them to VirusTotal.
Result: AV engines flagged them as malware.

How?

1️⃣ Take a benign APK
2️⃣ Inject a tiny malware signature
3️⃣ AV engines detect it
4️⃣ Dataset builders collect it as malware
5️⃣ Future ML detectors train on poisoned data

[1/4] 🚨 "Trust Under Siege: Label Spoofing Attacks Against ML for Android Malware Detection" has been accepted at IEEE TIFS.

We implemented the first practical label spoofing attack targeting the AntiVirus (AV) labeling pipeline used to train Machine Learning (ML) malware detectors.

Breaking news from NDSS26: it seems that we have won a Distinguished Paper Award for "Decompiling the Synergy: An Empirical Study of Human-LLM Teaming in Software Reverse Engineering"

A giant thank you to my amazing co-authors and everyone who participated in the experiment!

[1] www.ndss-symposium.org/ndss-paper/u...

[2] www.ndss-symposium.org/ndss-paper/d...

I'm in San Diego for NDSS26. We got these two papers accepted:

[1] "Unveiling BYOVD Threats: Malware's Use and Abuse of Kernel Drivers"
[2] "Decompiling the Synergy: An Empirical Study of Human-LLM Teaming in Software Reverse Engineering"

Come by and say hello, let's have a drink 🍻

DNS requests on my home network over the last 24 hours (no one was using the network).
The red spikes at regular intervals are blocked DNS requests (global[.]telemetry[.]insights[.]video[.]a2z[.]com) of the Amazon Fire Stick.
Heartfelt thanks to the pi-hole.net team❤️

Wolfenstein 3D (1992) by id Software didn’t need DRM. It had threats.
Even if the "aggressive" protection mechanism was a joke… it definitely made you think twice. 😅

[2/3] You can find all relevant links in our blog post:
www.s3.eurecom.fr/post/2025/10...

🚨 New research from EURECOM & Univ. of Milan!
[1/3] “Unveiling BYOVD Threats: Malware’s Use and Abuse of Kernel Drivers” (to appear at NDSS’26) reveals how malware exploits signed drivers to gain kernel privileges. This work led to the discovery of 7 unknown weaponized drivers 💣

[1] www.washingtonpost.com/technology/2...

[2] arxiv.org/abs/2401.05566

The Washington Post/CrowdStrike [1] reports DeepSeek gives weaker or refused code to disfavored groups. It’s not a "sleeper agent" in the Hubinger et al. [2] sense, but the resemblance is striking: context-dependent behavior that undermines some users while appearing safe to others.

VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages 523 malicious SVG phishing files since Aug 2025 bypassed antivirus, evolving tactics expose macOS to AMOS.

Did you know that you can execute JavaScript code via SVG images (i.e., XML)?
And guess which app opens SVG images by default on Windows?
Your default browser! 😱

PoC: gist.github.com/packmad/ab1e...

thehackernews.com/2025/09/viru...

No scientific value, but I timed how long it took me to reverse M$'s classic Minesweeper game AFTER the decompiled code had been renamed by GPT (MCP w/ IDA): 19m22s. Then I started xdbg and went straight to the memory where the bombs were. Damn, I was reading the source code 😳

Neuromuscular Aim Assist Giving a PC program control of my muscles to become the fastest in the world. Sponsored by Micro Center! Build, Upgrade, and Save All Month Long at Micro Center:…

Although the author of the video repeatedly claims that he is not cheating, he is. But at the "bioengineering" level. I suppose it triggers some recognizable patterns that could be used for detection. However, it's the future. Hats off!

www.youtube.com/watch?v=9alJ...

wiki.python.org/moin/UsingSl...

docs.python.org/3/library/fu...

Two little-known #Python features that I often use:

__slots__ explicitly state the attributes of your instances (=> faster attribute access and memory space savings).

@lru_cache the function returns the cached result when the same inputs occur again (AKA memoization).

Does anyone have an idea why the Android "Emualtor" 😆 is capped at 6 cores (X86_64 and I386 versions)?

android.googlesource.com/platform/ext...

The 4th edition of WoRMA is officially scheduled for June 30th, co-located with IEEE EuroS&P in magnificent Venice in Italy!

Website and CfP: worma.gitlab.io/2025/

Deadline: February 20th, 2025

Spread the word!