Behind the Binary by Google Cloud Security

"TTD is a paradigm shift in the way you interact with the target... Potentially, five years from now, when we talk about debugging, we will just by default go to TTD."In this episode, we are joined by Xusheng Li, a debugger architect and reverse engineering expert, to explore the evolution of Time Travel Debugging (TTD). While traditional debugging has remained largely stagnant for decades, TTD introduces a novel new way to debug by recording and replaying execution traces with total precision. Xusheng takes us behind the scenes of how this technology solves the "granularity problem" in malware analysis—moving from a high-level API overview down to instruction-level "ground truth" without ever needing to re-run the program.We break down the engineering required to record billions of instructions into a manageable trace, the power of querying execution data like a searchable database, and how a "sealed" execution history is changing the workflow for both software developers, malware analysts, and vulnerability researchers.THE SESSION:The Deterministic Leap: How TTD avoids the overhead of recording every single instruction by focusing only on non-deterministic events—like file reads, CPU ID calls, and system inputs—allowing billions of cycles to be reconstructed from a fraction of the data.The Death of "Step-Over": Why the future of debugging lies in querying an execution database rather than manually stepping through code, enabling researchers to instantly find every moment an API was called or a specific memory address was modified.Solving the Granularity Problem: How a single trace file provides a "safety net" for analysis, allowing researchers to start with a broad triage of behavior and then use a "microscope" to dig into specific crypto functions or obfuscated payloads later.Data Flow vs. Code Flow: A look at the shift toward "concrete data flow analysis," where researchers focus on the movement of sensitive buffers and keys rather than getting lost in the mental overhead of complex instruction sets and registers.The Mystery of the i9 Crash: A real-world troubleshooting case where TTD was used to identify a hardware-level microcode bug in a modern CPU that would have been nearly impossible to pinpoint with traditional tools.The AI Connection: Why the "fixed world" of a TTD trace is the ideal training ground for LLM-assisted analysis, providing a secure, deterministic environment for AI to solve intermediate-level reverse engineering challenges.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

"I thought that we would never hear about these people after they were named. But what was a surprise is that they actually hired a lawyer in New York... and they were like, 'Yeah, we're going to be taking part in this trial."In this episode, we are joined by Pierre-Marc Bureau from Google’s Threat Intelligence Group (GTIG) to unpack the unprecedented takedown of the Glupteba botnet. Active since 2011, Glupteba infected roughly 1 million Windows devices before Google launched a coordinated technical and legal strike. Pierre-Marc takes us behind the scenes of an investigation that evolved from reverse engineering binaries to a surreal showdown in a New York civil court.We break down how a single hardcoded string unraveled a massive criminal enterprise, the mechanics of using the Bitcoin blockchain for resilient command and control, and the bizarre moment when Russian cybercriminals actually hired a US lawyer to fight back.THE SESSION:The Blockchain Fallback: How Glupteba operators hid AES-encrypted blobs inside Bitcoin transactions, creating an un-takable backup C2 infrastructure if their primary domains went down.The Fatal OpSec Flaw: How one mistake—leaving the string get.voltronwork.com in a Go module—allowed Google to connect the botnet to Russian developer shops and Delaware shell companies.The Corporate Cyber-Cartel: Why the group operated like a legitimate tech startup, openly selling end-to-end "services" like proxy networks and compromised Google and Facebook accounts on the open web.The Extortion Twist: The surreal courtroom drama where the malware operators tried to extort Google for $1 million per defendant in exchange for private keys—a move that ended with the judge sanctioning their lawyer for $250,000.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we are joined by Robert Wallace, Joseph Dobson, and Blas Kajusner to dissect the new "Hybrid Heist." The panel argues that the era of isolated crypto-theft is over; sophisticated actors are now targeting the Web2 layer—the frontends, the developer workstations, and the cloud infrastructure—to bypass the immutability of the chain itself.We also break down "Ether Hiding," a technique where attackers store malware payloads directly on the blockchain to create an unstoppable Command & Control (C2) infrastructure that cannot be taken down by traditional authorities.THE SESSION:Immutable C2 (Ether Hiding): How threat actors are updating smart contract state variables to serve second-stage malware payloads, effectively turning the blockchain into a "dead drop resolver" that ignores domain blocks and takedown requests.The Hybrid Attack Surface: Why the massive Bybit heist wasn't a failure of cryptography, but a Web2 frontend attack on the "Safe Wallet" interface that tricked users into signing transactions they couldn't see.The "OpSec" Crisis: Why smart contract developers are the new "Domain Admins," and how simple phishing campaigns against personal devices are leading to nine-figure losses.The "Choke Point" Vulnerability: Why the decentralized ecosystem is still entirely dependent on centralized on-ramps and off-ramps, and how this dependency creates a "kill chain" that defenders can disrupt.Governance Attacks: The shift from exploiting code to exploiting consensus—how attackers are buying enough tokens to legally vote themselves the contents of a project's treasury.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

"Skilled adversaries have a 100% success rate against all of the defenses that we know about."In this episode, Kevin Harris defends that claim. We move past the standard "AI Safety" talking points to distinguish between the two attack vectors confusing the industry: Prompt Injection (an application-layer failure) vs. Jailbreaking ("gaslighting" the model via context shifting).Kevin argues that we haven't actually invented AI yet—we've just built a mirror that reflects our own intelligence (and psychosis) back at us. We also dissect the new model context protocol (MCP) and why giving "discretion" to agents that cannot think is potentially repeating the security mistakes of Web 2.0.THE SESSION:The "Pirate" Jailbreak: Why telling a model to be a pirate isn't just a party trick—it's a method of shifting the context window to bypass refusal patterns.The 100% Failure Rate: Why current defenses are only speed bumps for skilled adversaries, and why you are attacking the application, not the model."There Is No AI": Kevin’s theory on why LLMs are just "predictive text made 3 orders of magnitude better" and the danger of "AI-induced psychosis".The Agentic Threat (MCP): A deep dive into the model context protocol. Why client-side authorization is the new "Browser Security" battleground, and why we are handing "table saws" to users who don't know how to use them.The Fix: Why "Attention Functions" are the key to understanding (and securing) the future of these models.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, Dhillon Kannabhiran shares the gritty origin story of Hack in the Box (HITB), detailing how he dug a $20k financial hole to launch the first event in Malaysia before building it into a global brand.The conversation moves beyond conferences to explore the cutting edge of technology and creativity. Dhillon explains why "agentic" systems (like Xbow) signal the end of hand-built exploits and discusses the unique challenges of securing Web3 smart contracts. We also dive into the intersection of math and music, how AI tools like Suno are changing art, and why the "hacker ethos" applies to everything from bug bounties to content creation.Get the latest from FLARE's community efforts: Email [email protected] to join our mailing list for important announcements. Your information will not be shared and is used only for this purpose.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we get a unique look at the history of Windows through the eyes of one of its leading experts, Pavel Yosifovich. We delve into his fascinating origin story, including the "fluke" that led him to become the author of the legendary Windows Internals series, and why he describes himself as a developer who "hates security."The conversation explores the most significant foundational changes in Windows kernel design, specifically the architectural shift toward Virtualization-Based Security (VBS) and the long-term strategy behind the "Secure Kernel." We discuss the ever-evolving landscape of EDRs, the reality of kernel-level threats, and the impact AI and memory-safe languages like Rust will have on future development. This episode offers valuable insights for reverse engineers and developers interested in the big-picture trends that have shaped—and will continue to shape—the world of operating system design.Get the latest from FLARE's community efforts: Email [email protected] to join our mailing list for important announcements. Your information will not be shared and is used only for this purpose.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we’re joined by Nino Isakovic, a long-time low-level security expert, for a thought-provoking conversation that spans the foundational and the cutting-edge. Nino discusses the art of deconstructing problems—sharing insights on how to learn effectively, the building blocks of a robust RE toolkit, and the critical shift required in our analytical approach. We then transition into the front lines of threat intelligence, where Nino discusses the specific challenges of analyzing sophisticated adversary tools. This includes systems like ORB Networks and a detailed look at his discovery of the ScatterBrain obfuscating compiler. Tune in for a full-spectrum discussion on what it takes to thrive in reverse engineering.ScatterBrain blog post: https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator?e=48754805Get the latest from FLARE's community efforts: Email [email protected] to join our mailing list for important announcements. Your information will not be shared and is used only for this purpose.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we sit down with Nick Harbour, Blas Kojusner, Moritz Raabe, and Sam Kim — members of the FLARE Team and some of this year’s challenge authors — for a deep dive into the design and execution of FLARE-On 12. The team discusses the complexity and intent behind this year's challenges, including how Sam created his grueling final challenge, "10,000," which featured 10,000 individual DLLs to force competitors toward automation. Sam reveals that solving the final puzzle required deep knowledge of both reverse engineering and group theory concepts like topological sorting and modular exponentiation of a matrix. Blas Kojusner explains his approach to challenge design, detailing how he blended modern Web3 concepts into a classic reverse engineering scenario with his ransomware chat client challenge, while Moritz shares that his Challenge 7 used obfuscation based on an actual malware sample he analyzed earlier in the year.The conversation then turns to the competition's impact and future. The authors confirm the community's primary feedback was a clear call for more malware-focused challenges. The strong participation and the constant flow of feedback directly influences the next iteration of the event, giving the team the motivation and data needed to improve. The FLARE Team confirms they are planning for FLARE-On 13 in 2026, driven by the community's enthusiasm to tackle new technical hurdles like Rust binaries. Tune in to hear the creators discuss the effort that goes into writing puzzles that truly test the world's best reverse engineers.Get the latest from FLARE's community efforts. Email [email protected] to join our mailing list for important announcements. Your information will not be shared and is used only for this purpose.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we're asking the question: "What Lurks Beneath?" We're joined by Mark Overholser, a Technical Marketing Engineer at Corelight who's part of the team running the Black Hat Network Operations Center (NOC). We discuss the incident during Black Hat 2025 that introduced us and revealed the team's proactive approach to protecting every guest from the unseen threats hiding in the shadows. Mark gives us an insider’s look at the philosophy and challenges behind building a robust network for a security conference, which includes the complex infrastructure provided by partners like Arista, Cisco, Palo Alto Networks, and Lumen.We then dive into memorable network incidents and how they apply to any modern organization. Mark shares key insights on how to balance a permissive network with robust security, how they identify legit traffic from the digital monsters in training labs, and the crucial role of network alerts (IDS/IPS) in stopping attacks before they become full-blown nightmares. He'll also share some scary stories, including an infected presenter, a leaked company org chart, and people accessing their NASes in the clear. Get ready for a frightfully insightful discussion on network security.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode of Behind the Binary, we're joined by renowned security researcher Hahna Kane Latonick for a deep dive into the powerful world where reverse engineering meets data science. Hahna shares her expertise on how techniques like supervised and unsupervised learning can be used to classify and predict security threats, and she explains how deep learning and neural networks are being applied to identifying code sharing and solving other classification problems. We also discuss how Generative AI is transforming reverse engineering, from augmenting and assisting workflows to driving fully automated analysis.Resources mentioned during the episode:https://dronewolf.darkwolf.io/https://asrp.darkwolf.io/https://ringzer0.training/countermeasure25-machine-learning-for-reverse-engineers/Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we're "Getting Ready for FLARE-On 12" with an inside look at the world-renowned reverse engineering competition. We’re joined by long-time FLARE-On host and challenge author Nick Harbour and regular challenge author Blas Kojusner for an in-depth conversation.We'll take a brief tour of FLARE-On history and discuss how it has grown into a must-do event for malware analysts and reverse engineers. We’ll also break down how the competition works, from the evolution of the unique flag format to the mechanics of getting to the next challenge.Nick and Blas will then give us a sneak peek at FLARE-On 12, teasing details on the number of challenges, the technologies being covered, and what participants can expect from this year's installment. Plus, we'll share insights into the challenge's difficulty, from the blazing speed of the first finisher to the average completion time for a successful competitor.Whether you're a seasoned veteran or a curious newcomer, getting ready for FLARE-On 12 starts here!https://www.flare-on.comJoin the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

Web3 promised a new era of decentralized finance, but it has also created a new frontier for crime, with thefts and hacks far surpassing those in the traditional financial sector. In this episode, we sit down with experts Blas Kojusner, Robert Wallace, and Joseph Dobson to explore the Wild West of Web3 and decentralized finance (DeFi).But what is Web3? Our episode begins by taking a look at Web3 technologies like DeFi, blockchain, and smart contracts and explain how their very design makes them vulnerable. Our panel will then reveal how threat actors exploit these weaknesses, from crypto wallet key theft and EthHiding to intricate smart contract exploits and web frontend attacks. We'll also highlight some of the major players in the Web3 crime scene, including organized state-sponsored groups.We'll also discuss how organizations can fight back. Our guests will share critical defense strategies, offering actionable steps developers and users can take to protect themselves and their assets from this new breed of financial predator.Read the blog referenced in this episode: https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heistsJoin the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode of Behind the Binary, we sit down with Dr. Jared DeMott to pull back the curtain on the world of cybersecurity. Formerly with the Microsoft Security Response Center (MSRC), Jared shares invaluable wisdom on managing bug bounty programs at scale and what truly makes a good bug report. We then pivot to explore his fascinating career journey, from his start with the NSA to leading teams at Microsoft. If that wasn’t enough, we’ll also dive into the unique challenges of a cyber startup. Get a firsthand account of his entrepreneurial spirit as he discusses why he launched his own cybersecurity company, revealing both the surprising successes and the hurdles he had to overcome.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

Join us as we explore the world of reverse engineering with pioneer and CTO, Danny Quist. We'll examine the evolving landscape of binary analysis tools, the constant battle with malware obfuscation, and what it was like building one of the very first malware repositories for research. Plus, Danny shares unique insights on neuro-diversity and cognitive load – crucial topics that impact us all.That's just a glimpse of what's ahead. Danny Quist isn't just a leading mind in reverse engineering; he offers a rare look into the evolution of our field and some deeply personal reflections that I think will resonate with many of you. Let's jump right into my chat with Danny.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

Ever wonder who names the world's most notorious APTs? In this episode, we sit down with Greg Sinclair, a reverse engineer from the FLARE team at Google. Greg not only hunts down sophisticated malware but also shares the behind the scenes story of how he discovered and named the North Korean APT, the Lazarus Group. He also discusses his innovative methods for identifying malware families through binary similarities. Get ready for an inside look at the challenges, triumphs, and the sheer passion that defines a cutting-edge reverse engineer.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

What goes into creating effective software protections? This episode features a conversation with Tim Blazytko, Chief Scientist and Head of Engineering at Emproof, about the essential strategies for protecting software intellectual property. We cover the core concepts of code obfuscation and anti-reverse engineering and discuss practical, modern approaches to implementing these defenses effectively, while also shedding light on the significant challenges and trade-offs involved. Listeners will gain insight into the defender's mindset, the evolution of protection techniques, and the fundamental difficulties in truly hiding secrets within executable code.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we’re joined by Thomas Roccia, a security researcher at Microsoft. Thomas discusses the growth of the Unprotect Project, how AI is changing security research, and the impact of data visualizations for conveying technical information. Drawing on his experience, Thomas offers a unique perspective on the intersection of open-source collaboration, artificial intelligence, and effective communication in the cybersecurity field.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

This episode shines a light on abuse.ch, a vital non-profit project built by and for the global cybersecurity community. We chat with founder Roman Huessy about the collective effort behind tracking malware and botnets for over a decade. Discover the journey of maintaining a crucial shared resource—the technical challenges of hosting an open platform designed for community benefit, and how collaboration fuels the fight against threat actors. Roman shares insights into the future of community-driven threat intelligence and the constant vigilance required to provide this essential service that empowers defenders worldwide.Find more information at abuse.ch.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we have a fascinating conversation with Jordan Wiens, developer of the widely used Binary Ninja, and co-founder of Vector 35. Jordan brings his expertise as an avid CTF player to a discussion about the complexities of building a commercial reverse engineering platform, the importance of community growth, and the significant future role of AI. We also delve into the unique nature of having active adversaries inherent in cyber security work.Resources mentioned in this episode:Code visualization: https://github.com/voidALPHA/cgc_vizBinary Ninja features: https://binary.ninja/2024/11/20/4.2-frogstar.html#language-representationsReversible debugger: https://web.archive.org/web/20150915000000*/https://www.raytheon.com/news/technology_today/archive/2010_issue1.pdfJoin the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we're sitting down with Duncan Ogilvie, the creator of x64dbg! We'll dive deep into how one of the most popular Windows debuggers got its start, explore the real-world challenges of running a major open-source software project, and even get a glimpse into the future of this essential tool. You'll also learn how piano tuning almost stopped this project from existing!Resources mentioned in this episdoe:Discord community for x64dbg: discord.x64dbg.comJoin the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

Saumil Shah, a security researcher, discusses his journey into reverse engineering, starting with his early interest in patching games and analyzing viruses. He emphasizes the evolution of reverse engineering tools and techniques, from manual approaches to AI-driven automation, and shares his insights on the future of the field and the importance of continuous learning. We also discuss his journey from veteran Black Hat instructor to starting his own security conference.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode, we are joined by Stephen Eckels of the FLARE team at Google (Mandiant). Stephen discusses his journey into the field, starting with his early interest in video game modding and hacking. He shares his experience in discovering the Sunburst backdoor in the SolarWinds attack and emphasizes the importance of continuous learning, community engagement, and the evolving landscape of reverse engineering tools and techniques.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

Join us as I sit down with renowned threat hunter, Ryan Chapman. Ryan shares his incredible journey from a curious young hacker to a formidable force in cybersecurity. Discover how his early fascination with software cracking ignited a passion for reverse engineering, ultimately leading him to the front lines of cyber defense. In this conversation, Ryan delves into his early days learning reverse engineering and recounts some pivotal moments. He discusses the evolution of malware obfuscation and what makes the field so engaging. And finally, Ryan shares insights into learning and building community to help anyone's career grow. Whether you're a seasoned security professional or just starting your cybersecurity journey, this episode offers valuable insights and inspiration.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

In this episode we’re sitting down with Victor Manuel Alvarez, the creator of YARA. YARA is one of the most powerful tools in cybersecurity. We discuss his early career, what motivated him to create YARA, and the role the community has played in its development. Plus, Victor shares his thoughts on the future of YARA and YARA-X, which is a ground-up rewrite of this venerable tool.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube

Nick Harbour discusses his career journey from his early days in the Air Force to his work at Mandiant. He shares insights into the evolution of malware, his contributions to the field of malware analysis, and the development of the Flare-On contest, a reverse engineering challenge.Join the CommunityResearch Hub: Threat research, training events and news:https://cloud.google.com/security/flareThe FLARE Insider: Get community updates and announcements. To subscribe, email [email protected] THE SHOW:Subscribe: Apple Podcasts | Spotify | YouTube