Field intel

Notes from
the operators.

Threat reports, hunt methodology, post-incident write-ups, and protocol research. Sanitized for public release; full versions available to subscribers under NDA.

Featured · Reverse Engineering

Lumma Stealer’s .reloc trick: 347 KB of payload hidden in plain sight, plus 70 MB of `0xCC` to defeat the YARA filesize gate.

A static reverse-engineering walkthrough of a real Lumma carrier recovered from a customer malvertising incident. Carrier anatomy, encrypted-blob coordinates, why the public YARA rule misses it, and the new structural rule that catches it.

2025.02.14 · Bruno Schmid · 28 min read · Read report →

More reports incoming.

We publish when there's something useful to say. Subscribe below to be notified when the next one ships.

▲ Subscribe

Operator-grade intel,
delivered weekly.

Threat briefings, named-actor updates, and detection content for security leaders. No marketing fluff, no vendor hot-takes.

Notes fromthe operators.

Lumma Stealer’s .reloc trick: 347 KB of payload hidden in plain sight, plus 70 MB of 0xCC to defeat the YARA filesize gate.

More reports incoming.

Operator-grade intel,delivered weekly.

Notes from
the operators.

Lumma Stealer’s .reloc trick: 347 KB of payload hidden in plain sight, plus 70 MB of `0xCC` to defeat the YARA filesize gate.

Operator-grade intel,
delivered weekly.