We are RatGuard

$ whoami // malware research lab

We reverse-engineer malware, investigate malicious infrastructure, and report threat actors to blocklists and competent authorities.

Anonymous. Focused. Persistent.

We operate anonymously as RatGuard. Our work revolves around static and dynamic analysis of malicious binaries - stealers, RATs, fake clients, and malware disguised as legitimate software. We document findings, trace infrastructure, and push malicious domains to global blocklists.

No corporate affiliation. Just an independent research initiative.

Tools & Skills

Static analysis, dynamic analysis, and threat infrastructure research.

Static Analysis
Disassembly and decompilation of PE binaries. Pattern recognition, string extraction, capability mapping.
IDA Pro, Detect It Easy, FLARE FLOSS, FLARE capa, dnSpy, GoReSym
Dynamic Analysis
Runtime behavior tracing inside isolated VMs. Network traffic interception and unpacking.
x64dbg, VMware, HTTP Debugger
Languages
Building tooling and understanding malware source patterns. Actively developing skills in systems languages.
Rust (active), Go (active), C++ (active)

Threat Reports

Documented investigations resulting in domain takedowns and blocklist submissions.

Phishing
dojiner.at
Spamhaus DBL FULLY BLOCKED

Steam phishing operation built around a fake Steam client executable. On launch, the binary displayed a fake error dialog and then opened a WebView pointing to a credential-harvesting page mimicking the Steam login interface. We investigated the infrastructure, documented the attack chain, and submitted the domain to Spamhaus DBL and Google Safe Browsing. The domain is now fully blocked.

Malware Distribution
cheater.to
Spamhaus DBL FULLY BLOCKED

Malware distribution platform operating under the guise of game cheats. Binaries distributed through the site contained malicious payloads. The domain was investigated, reported, and added to Spamhaus DBL. It currently returns 403 Forbidden: the host still answers, but the download pages are no longer served, and with the DBL listing in place the distribution channel is neutralized.

C# Binder
@crackcheats67
Spamhaus DBL ANALYZED

Telegram channel distributing a malicious binder. Static analysis in dnSpy showed a C# dropper that extracts two executables from its embedded resources and writes them to the %temp% folder. Stepping through the dropper in dnSpy's debugger then exposed the C2 domain, which was submitted to the Spamhaus DBL.

Go Dropper
@sherlockcheatss
ANALYZED

Telegram channel distributing a Go-based dropper. Dynamic analysis in x64dbg and static analysis in IDA Pro confirmed that on execution the binary unpacks its primary malicious payload and writes it to %temp%\lsass_helper.exe, a filename chosen to blend in with the legitimate Windows lsass.exe process.
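The C# binder and the Go dropper above share one layout: an outer executable that carries its real payload(s) as complete PE images and drops them into %temp% at runtime. The following is an added example, not RatGuard's own tooling, of the static-triage step that recovers such payloads without running the sample: scan the outer file for "MZ" candidates, validate each one by following e_lfanew to the "PE\0\0" signature and the COFF header, walk the section table to find where the embedded image ends, and carve it. The outer binary and its two payloads are constructed in-memory (minimal, non-executable PE headers) so the script runs offline; real resource blobs would be handled the same way. It only finds payloads stored as plain PE images; a payload that is compressed or encrypted until runtime, as a packed Go dropper's may be, still needs the debugger dump described above.

```python
"""Carve embedded PE images out of a dropper-style binary.

Added example, not RatGuard's own tooling. The sample outer binary and its
payloads are constructed below so that the script runs offline.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
# IMAGE_FILE_MACHINE_* values we accept; any other value means a false "MZ" hit.
MACHINES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def build_minimal_pe(machine=0x8664, section_data=b"payload"):
    """Construct a structurally valid (not executable) PE image for the demo:
    DOS header -> PE signature -> COFF header -> 24-byte optional header ->
    one section header -> raw section data, aligned to 16 bytes."""
    opt_size = 24
    hdr_end = 64 + 4 + 20 + opt_size + 40
    raw_ptr = (hdr_end + 15) & ~15
    dos = MZ + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)
    magic = 0x20B if machine in (0x8664, 0xAA64) else 0x10B  # PE32+ vs PE32
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr,
        0, 0, 0, 0, 0x60000020)
    img = dos + PE_SIG + coff + opt + sect
    return img + b"\0" * (raw_ptr - len(img)) + section_data


def parse_pe_at(blob, off):
    """Validate a candidate PE at `off`; return (off, machine, size) or None.
    `size` is the end of the last section's raw data, which tells the carver
    where the embedded file stops."""
    if off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x400 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != PE_SIG:
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if machine not in MACHINES or not 0 < nsect <= 96:
        return None
    sect_tbl = pe + 4 + 20 + opt_size
    end = sect_tbl + 40 * nsect - off                # header size, relative to image start
    for i in range(nsect):
        s = sect_tbl + 40 * i
        if s + 40 > len(blob):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", blob, s + 16)
        end = max(end, ptr_raw + size_raw)           # PointerToRawData is image-relative
    if off + end > len(blob):
        return None                                  # truncated image: not carvable
    return off, MACHINES[machine], end


def carve_embedded_pes(blob, min_offset=1):
    """Return [(offset, machine, size)] for every PE found at or after
    min_offset. The default of 1 skips the outer file's own header."""
    found = []
    pos = blob.find(MZ, min_offset)
    while pos != -1:
        hit = parse_pe_at(blob, pos)
        if hit:
            found.append(hit)
            pos = blob.find(MZ, pos + hit[2])        # resume after this image
        else:
            pos = blob.find(MZ, pos + 1)
    return found


def extract_payloads(blob):
    """Raw bytes of each embedded PE, ready to be written out (with a
    non-.exe extension) for further static analysis."""
    return [blob[off:off + size] for off, _, size in carve_embedded_pes(blob)]


def build_sample_dropper():
    """Constructed stand-in for the binder: a 32-bit outer stub followed by
    two payload PEs inside an opaque resource-like blob. Returns (blob, payloads)."""
    outer = build_minimal_pe(0x014C, b"dropper stub code")
    p1 = build_minimal_pe(0x8664, b"first payload " * 4)
    p2 = build_minimal_pe(0x014C, b"second payload")
    return outer + b"RSRC" + p1 + b"\0" * 7 + p2, [p1, p2]


if __name__ == "__main__":
    blob, _ = build_sample_dropper()
    for off, machine, size in carve_embedded_pes(blob):
        print(f"embedded PE at 0x{off:x}: {machine}, {size} bytes")
```

Validating through e_lfanew and the section table is what keeps false positives down: "MZ" occurs often in ordinary data, and a carver that trusts the signature alone will dump junk. The size check also rejects an image that is cut off at the end of the blob, which usually means the payload is actually stored compressed or encrypted and the carver has only found a stale header.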

RAT Distribution
@cheaternumberone
Spamhaus SBL ANALYZED

YouTube channel actively distributing the Overlord RAT. Dynamic analysis of the downloaded payload identified the command-and-control (C2) IP address. The infrastructure was reported and is currently listed on the Spamhaus SBL.

More investigations are being documented. This page will be updated as reports are published.

Get in touch

Threat reports, tips, collaboration inquiries.