Course Abstract:
This three-day, hands-on course teaches defenders how to hunt, pivot, and track adversary infrastructure across phishing, malware, and post-exploitation operations, and how to correlate that infrastructure with malware analysis to build high-confidence detections and intelligence. Students will learn repeatable workflows to move from single indicators to campaign- and actor-level understanding while maintaining strong operational security. The course also introduces practical ways to use AI-assisted techniques to accelerate analysis and reporting without replacing analyst judgment or compromising sensitive data.
Course Description:
Modern threat actors treat infrastructure as a disposable, flexible resource, constantly rotating domains, hosting, and delivery mechanisms to evade traditional detection. As a result, defenders who rely only on malware samples or static IOCs often miss the broader campaign context and fail to disrupt attacker operations effectively. This course teaches a structured, defender-focused methodology for adversary infrastructure hunting and malware analysis, showing how to move from isolated technical artifacts to a coherent understanding of campaigns, tradecraft, and intent.
Over three days, students will learn how to discover, pivot, and track adversary infrastructure across phishing campaigns, loaders, and command-and-control frameworks, and how to safely analyze malware to extract configuration, behavior, and infrastructure relationships. Through real-world case studies and guided workflows, participants will practice correlating infrastructure and malware artifacts, identifying attacker mistakes, and translating technical findings into actionable detections and intelligence.
The course also introduces realistic, analyst-driven AI-assisted techniques to help accelerate reverse engineering, triage, clustering, and reporting workflows. Rather than focusing on automation or hype, the emphasis is on responsible augmentation using AI to improve efficiency and consistency while preserving human validation and operational security.
The course emphasizes operational safety, evidence quality, structured reasoning, and practical application for SOC, DFIR, CTI, and threat hunting teams.
By the end of this course, students will be able to:
- Systematically discover, pivot, and map adversary infrastructure starting from minimal technical indicators such as a single domain, IP, URL, or malware sample.
- Distinguish between meaningful infrastructure relationships and false correlations using DNS history, TLS metadata, hosting context, and behavioral patterns.
- Identify infrastructure tradecraft used by phishing operators, malware loaders, and post-exploitation frameworks, including rotation strategies, redirectors, and cloud abuse.
- Perform safe and structured malware triage, static analysis, behavioral analysis, and targeted reverse engineering to extract configuration, capabilities, and infrastructure artifacts.
- Correlate malware artifacts with infrastructure findings to move from sample-level analysis to campaign- and actor-level understanding.
- Recognize and interpret anti-analysis, evasion, and analyst deception techniques used by modern malware and infrastructure operators.
- Use AI-assisted techniques responsibly to accelerate reverse engineering, clustering, and reporting workflows while maintaining analyst validation and data security.
- Translate technical findings into actionable outputs, including high-signal detections, threat intelligence reports, and operational recommendations.
- Apply operational security best practices to avoid exposing themselves, their organizations, or their research activities during live adversary investigations.
- Integrate adversary infrastructure hunting, malware analysis, and AI-augmented workflows into existing SOC, DFIR, CTI, and threat hunting operations in a scalable and repeatable way.
Course Content
Day 1 Agenda: Adversary Infrastructure Hunting - From Fundamentals to Real-World Campaigns
Day Objective
By the end of Day 1, participants will be able to identify, pivot, and track adversary infrastructure across phishing campaigns, malware C2 frameworks, and threat actor operations using open-source and commercial intelligence, while maintaining strong operational security.
1. Opening & Training Orientation
- Training goals and expected outcomes
- Scope of infrastructure hunting vs traditional IOC-based detection
- Ethical boundaries, legal considerations, and safe research practices
- How this training fits into DFIR, SOC, CTI, and Red/Blue team workflows
2. Foundations of Adversary Infrastructure Hunting
- What is adversary infrastructure?
- Why infrastructure outlives malware samples
- Static vs dynamic infrastructure
- Criminal vs nation-state infrastructure characteristics
- Common attacker mistakes defenders can exploit
3. Core Terminology & Concepts
- Domains, IPs, ASN, hosting providers, CDNs
- Passive DNS, WHOIS, and DNS records
- Shared hosting vs dedicated infrastructure
- Redirectors, dead drops, staging servers
- Bulletproof hosting & resellers
- Fast-flux, domain shadowing, wildcard abuse
4. DNS & Internet Infrastructure Fundamentals (For Hunters)
- How DNS resolution actually works (attacker view)
- DNS records most useful for hunting (A, AAAA, NS, MX, TXT, CNAME)
- TTL manipulation and why it matters
- DNS patterns commonly seen in phishing and malware campaigns
- Abuse of DNS providers, dynamic DNS, and SaaS platforms
5. Tooling & Data Sources for Infrastructure Hunting
- Internet-wide scanners & search engines (concepts, not vendor-locked)
- Passive DNS platforms
- Certificate transparency & TLS metadata
- Hosting, ASN, and network intelligence
- Web metadata & HTTP fingerprinting
- Strengths, weaknesses, and bias of different data sources
6. Operational Security & Data Management
- Research OPSEC mistakes that expose hunters
- Account separation & attribution risks
- Safe interaction with live attacker infrastructure
- Structuring notes, pivots, and evidence
- Turning messy findings into usable intelligence
7. Infrastructure Pivoting Techniques
- Starting from a single domain, IP, or URL
- Pivoting via:
  - Passive DNS relationships
  - TLS certificates
  - HTTP headers and server behavior
  - Hosting & ASN overlaps
- Identifying shared infrastructure vs false correlations
8. Hunting Without a Known IOC
- Hypothesis-driven threat hunting
- Behavioral patterns instead of indicators
- Infrastructure reuse across campaigns
- Identifying attacker “tradecraft fingerprints”
- When infrastructure looks benign but isn’t
9. Phishing Infrastructure & Campaign Hunting
- Phishing infrastructure lifecycle
- Domain generation patterns in phishing campaigns
- Hosting choices for phishing vs malware
- Identifying phishing kits through infrastructure artifacts
- Tracking multi-stage phishing campaigns over time
10. Case Study: End-to-End Phishing Campaign Infrastructure
- Initial lure domain discovery
- Pivoting to related domains & IPs
- Identifying campaign scale
- Infrastructure reuse across brands
- Extracting detection logic from campaign analysis
11. Tracking Adversary Infrastructure at Scale
- Campaign-level vs actor-level tracking
- Mapping infrastructure evolution over weeks/months
- Identifying hand-offs between phishing, loaders, and C2
- Linking infrastructure clusters with confidence
12. Introduction to Post-Exploitation & C2 Infrastructure
- How modern C2 infrastructure is structured
- Redirectors vs team servers
- CDN & cloud abuse (Cloudflare, VPS, serverless platforms)
- What infrastructure hunters can learn without malware execution
13. Case Study: Hunting Post-Exploitation & C2 Framework Infrastructure
- Identifying C2 infrastructure through metadata
- Recognizing common redirector patterns
- Infrastructure mistakes made by advanced actors
- Translating findings into defensive detection
14. How Adversaries Evolve Infrastructure to Evade Detection
- Rotation strategies
- Disposable vs persistent infrastructure
- Domain aging and reputation abuse
- Lessons learned from real takedowns
15. Turning Hunting into Actionable Intelligence
- Writing infrastructure-focused intelligence reports
- Feeding detections to SOC and security tooling
- Prioritizing infrastructure risk
- Measuring hunting effectiveness
16. Case Study 3: Adversary Infrastructure Hunting Combined with OSINT
17. Wrap-Up & Transition to Day 2 (Malware Analysis)
- How infrastructure findings enrich malware analysis
- What to look for during malware reversing
- How Day 2 will build on Day 1 discoveries
Day 2 Agenda: Malware Analysis - From Triage to Threat Actor Tradecraft
Day Objective
By the end of Day 2, participants will be able to safely analyze malicious files using a repeatable workflow and extract high-confidence technical artifacts such as configuration, behavior, and intent. This will help them correlate malware findings with adversary infrastructure and translate reverse engineering insights into actionable detections and threat intelligence.
1. Opening & Training Orientation
- Recap of Day 1 infrastructure hunting takeaways
- How malware analysis and infrastructure hunting reinforce each other
- Expectations and scope for defender-focused malware analysis
- When malware analysis adds value vs when hunting alone is sufficient
- Safety, legality, and responsible handling of live malware
2. Malware Analysis Workflow & Analysis Tradecraft
- End-to-end malware analysis lifecycle
- Static vs. dynamic vs. behavioral vs. reverse engineering
- Triage-driven decision making
- When not to reverse malware
- Anti-analysis, anti-VM, and analyst deception
- Building a repeatable and scalable workflow
- Outcome: Participants will understand how to structure malware analysis efficiently without over-analyzing low-value samples.
3. Malware Triage & Initial Static Analysis
- File type identification and format validation
- Hashing strategies (cryptographic vs fuzzy)
- Malware family vs sample-level analysis
- Strings analysis:
  - Plaintext vs. encoded
  - Config and artifact discovery
- Import table analysis and capability inference
- Packers, obfuscators, and crypters
- Embedded resources and secondary payloads
- Tools:
  - PEStudio, Detect It Easy
  - Strings, FLOSS
  - CAPA
- Outcome: Participants will be able to extract meaningful intelligence without executing malware.
4. Behavioral & Dynamic Analysis (Safe Detonation)
- Designing safe malware detonation environments
- Observing execution flow and staging behavior
- Process injection and memory-only techniques
- File system, registry, and service persistence
- Network behavior:
  - DNS usage
  - HTTP/S, TLS, and beaconing patterns
- Evasion behaviors in sandboxes
- Tools & Concepts:
  - Procmon, Regshot
  - Wireshark
  - Sandbox demonstration (ANY.RUN / Triage-style)
- Outcome: Participants will be able to observe real-world malware behavior and understand attacker intent.
5. Intro to Reverse Engineering for Defenders
- Disassembly vs. decompilation concepts
- Understanding program structure and control flow
- Identifying:
  - C2 routines
  - Encryption and encoding logic
  - Persistence mechanisms
  - Anti-analysis checks
- Extracting embedded configuration data
- Practical reversing mindset for defenders (not exploit devs)
- Tools:
  - Ghidra or IDA Free
  - x64dbg
- Outcome: Participants will be able to explain what malware does and why, not just list indicators.
6. Malware Configuration & Capability Extraction
- Static vs. runtime config extraction
- Identifying hardcoded vs dynamically retrieved config
- Understanding malware capabilities through config fields
- Loader vs. payload roles
- Modular malware design and plugin architectures
7. Malware & Infrastructure Correlation
- Extracting infrastructure indicators from binaries
- Hardcoded IPs vs. domain-based C2
- TLS certificate usage and pinning
- Domain generation logic and fallback mechanisms
- How malware design influences infrastructure choices
- Feeding infrastructure findings back into Day 1 hunting workflows
8. Anti-Analysis, Evasion & Analyst Deception
- VM, debugger, and sandbox detection techniques
- Time-based and logic bomb execution
- API hashing and string encryption
- Environment fingerprinting
- How advanced malware hides true behavior
9. Malware Families, Loaders & Campaign Context
- Loader vs payload vs post-exploitation tooling
- Malware-as-a-service ecosystems
- Shared loaders across multiple threat actors
- Infrastructure reuse driven by malware kits
- Identifying malware lineage and code reuse
10. Case Study: End-to-End Malware Analysis
- Initial sample triage
- Static and behavioral analysis findings
- Reverse engineering key functionality
- Extracting infrastructure and campaign artifacts
- Mapping malware to infrastructure clusters from Day 1
11. Scaling Malware Analysis for SOC & CTI Teams
- Automation vs. deep analysis tradeoffs
- What to analyze manually vs. automatically
- Prioritizing malware samples
- Maintaining internal malware knowledge bases
- Avoiding analysis burnout
12. Turning Malware Analysis into Detection
- Writing high-signal detections from malware behavior
- Translating reverse engineering insights into:
  - Network detections
  - Host-based detections
  - Behavioral analytics
- Avoiding brittle, hash-only detections
13. Attribution Considerations from Malware Analysis
- Code similarities and shared libraries
- Infrastructure and malware co-evolution
- Confidence levels in attribution
- Common pitfalls and false attribution traps
14. Case Study: Malware Analysis + Infrastructure = Attribution
- Combining malware artifacts with infrastructure pivots
- Linking samples across campaigns
- Building a high-confidence actor profile
- Defending attribution decisions
15. Malware Analysis OPSEC & Analyst Safety
- Preventing analyst attribution
- Safe sample handling and storage
- Common mistakes that expose analysts or organizations
- Legal and ethical boundaries
16. Measuring Malware Analysis Effectiveness
- What “good” malware analysis looks like
- Metrics that matter (and those that don’t)
- Improving detection, response, and intelligence outcomes
17. Wrap-Up & Defender Integration
- How Day 1 and Day 2 connect in real-world operations
- Applying skills to SOC, DFIR, CTI, and Threat Hunting roles
- Building a personal malware analysis roadmap
- Q&A and closing discussion
Day 3 Agenda: AI-Assisted Malware Analysis & Intelligence Integration
Day Objective
By the end of Day 3, participants will be able to:
- Safely integrate AI into malware analysis workflows
- Use AI to accelerate (not replace) reverse engineering and triage
- Apply structured AI-assisted analysis without leaking sensitive data
- Transform technical findings into production-ready intelligence
- Deliver professional-grade reports and CTI outputs
- Integrate findings into SOC, DFIR, and threat hunting workflows
1. AI in Reverse Engineering
- Explaining decompiled code faster
- Identifying encryption routines
- Spotting C2 loops
- Recognizing config parsers
- Converting assembly to structured explanations
- Using AI to describe control flow
- Recognizing known crypto implementations
- Identifying reused code blocks
- When AI makes mistakes:
  - Subtle crypto misidentification
  - Mislabeling custom protocols
  - Overfitting to known families
Outcome: Faster understanding without blindly trusting output.
2. MCP Analysis Workflows
This module stays conceptual and practical rather than engineering-heavy.
- What is tool-augmented AI?
- AI connected to:
  - Static analysis tools
  - Sandbox outputs
  - Internal malware databases
  - Infrastructure datasets
- Example augmented workflow:
  - Sandbox detonation → structured JSON output
  - AI summarizes behavior
  - AI suggests:
    - Related malware families
    - Infrastructure pivot ideas
    - Detection opportunities
- Retrieval-augmented workflows:
  - Query internal CTI repository
  - Pull previous campaign notes
  - Compare config similarities
Outcome: Participants understand practical AI integration without needing to build full AI pipelines.
3. Case Study: AI-Augmented End-to-End Investigation
- Full integration exercise:
  - Initial IOC as the starting point
  - Pivoting to infrastructure and samples (stealer, payload, etc.)
  - Extracted loader sample
  - Static triage
  - Dynamic analysis
  - Reverse engineering key functions
  - AI-assisted summarization
  - Infrastructure clustering
  - Drafting executive & technical report
4. Writing Malware & Infrastructure Reports
- Types of reports:
  - Technical deep-dive
  - Executive intelligence summary
  - Detection advisory
  - Campaign tracking brief
- Structure of strong reports:
  - Executive summary
  - Campaign overview
  - Technical findings
  - Infrastructure analysis
  - Malware capabilities
  - Attribution assessment (confidence-based)
  - Detection & mitigation guidance
- Common reporting mistakes (and how to avoid them)
5. Turning Analysis into CTI & SOC Value
- Converting findings into:
  - Detection rules
  - Threat hunting hypotheses
  - Watchlists
  - Campaign tracking objects
- Feeding:
  - SIEM
  - EDR
  - TIP platforms
  - Case management systems
- Structured intelligence formats:
  - IOC feeds
  - Behavioral signatures
  - Infrastructure clusters
6. Conclusion & Q&A
Day 3 completes the full investigative lifecycle, from infrastructure hunting and malware analysis to AI-assisted acceleration and intelligence integration.
Participants now understand how to use AI to assist reverse engineering, streamline triage, and improve reporting, without replacing analyst judgment. Most importantly, they can transform technical findings into actionable CTI outputs and SOC-ready detections.
Q&A and open discussion to address real-world challenges, implementation questions, and next steps for applying these skills operationally.
Prerequisites
- A basic understanding of networking concepts (DNS, HTTP/S, IP addressing)
- Familiarity with common attacker tactics such as phishing, malware delivery, and C2 communication
- Comfort navigating Windows systems and using command-line tools
What Students Should Bring:
To get the most out of this workshop, attendees should bring:
- A laptop (Windows, macOS, or Linux) with at least 8GB of RAM and 50GB of free storage
- A virtualization platform (VMware Workstation/Player, VirtualBox, or Hyper-V)
- Admin/root access to install tools
- Pre-installed Python 3.x and Jupyter Notebook
What the Trainer Will Provide:
- Course material (pdf copy)
- Lab solution material
- Videos used in the workshop
- Malware samples used in the workshop/labs
- Memory Images used in the workshop/labs
- Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples
- Pivoting cheatsheet
Trainers
Senior Threat Researcher
Seqrite Labs, Quick Heal
Senior Threat Researcher
Acronis
Senior Threat Researcher
BforeAI