From Malpedia to Metalcore: Daniel Plohmann Talks Malware Research and Music

Published on Aug 27, 2025

Interview with Daniel Plohmann: Malpedia, Malware Analysis, and Research Insights

Malware research is a mix of curiosity, patience, and a knack for digging into the messiest corners of the internet. For Daniel, that curiosity kicked in well before his first professional role. It started with early programming experiments and a fascination for how things work behind the scenes. That spark eventually grew into a career spent picking apart malicious code, building tools and resources for the security community, and going after the odd, rare, and downright strange in the malware world.

In this chat, Daniel talks about his approach to malware analysis, why collaboration matters, and how people can find their way into this field from all sorts of starting points.

Hunt: Can you walk us through your journey into cybersecurity and malware analysis? Was there a specific moment when you realized this was the field you wanted to pursue?

Daniel: My origin story is a bit like a boomerang. I think I always had a feverish interest and curiosity in technology.

One of my earlier memories apart from - quite naturally - using computers extensively for gaming is the following. In the mid-90s, I taught myself basic knowledge of the programming language Pascal using a book and wrote a command line tool to solve simple systems of equations with two or three variables to speed up my homework tasks, well, sure, to have more time for gaming?!

Despite the simple use case, this may have been an early eye-opening experience that planted a seed of the idea of how powerful programming or actually operating computers potentially was.

In the following years, I was definitely always fascinated by "hacking", or rather the romanticized idea of it. In retrospect, I never progressed past the script kiddie stage at that time, with a highlight probably breaking out of kiosk mode in the school's library computers.

When studying computer science at university in the early 2000s, information security was not my scope at all, likely also because it wasn't really covered by lectures yet.

After getting my diploma with a thesis on the simulation of wireless networks, I joined the department and was offered the chance to focus on security-related topics, which brought me back to my early interest. My former colleagues Tillmann and Felix, who were veteran botnet fighters at that time already, definitely bootstrapped my start into malware analysis.

The kick of successfully reverse engineering the first malware samples definitely ignited a flame that hasn't vanished ever since, and set the course.

Funny enough, one of the first malware families I had a deep look at was one of the initial bitcoin mining botnets back in 2012, which was written in Delphi (a dialect of Pascal), so I got to look at the machine-level code of the first programming language I learned.

Hunt: Your work combines academic diligence with hands-on threat intelligence. How has your academic background shaped your approach to practical malware research?

Daniel: I think the academic path helped me the most with developing a good sense for abstraction and structural analysis.

Given that security and threat intelligence are very fast-paced, we often tend to hop from putting out one fire to jumping to the next. The ability to retract one's attention every now and then, connecting dots, and identifying recurring themes/problems is certainly a benefit, especially when aiming for helpful analysis automations.

Oh, and well, having dug through countless pages of scientific papers and textbooks has probably helped to develop a certain immunity to exposing myself extensively to disassembled binary code and dry technical documentation, which is, however, really helpful when wanting to reverse engineer effectively.


Hunt: What's one major shift you've seen in the threat research field since you started?

Daniel: I would say that starting out in IT security has become much easier nowadays compared to back when I entered the field. While there is so much more going on with the rapid growth of its relevance, learning the ropes has become so much easier, with plenty of books and affordable courses widely available.

Regarding the malware ecosystem itself, it was very interesting and scary to be a first-hand witness to the prevalence shift from financial fraud using banking trojans, which mostly targeted users, to the very destructive and impactful extortion attacks, mostly targeting organizations.

Hunt: What inspired you to create Malpedia back in 2017? Was there a particular pain point or gap in the community that you felt needed to be filled?

Daniel: There were several factors that led to the core idea of Malpedia. At that time, the analysis community seemed more disconnected than it is today, particularly regarding the identification and publication of malware families and essentially nonexistent naming conventions for various reasons.

Personally, I was also dissatisfied with my own collection of malware samples, which had become what felt like a disorganized pile over the years. It was basically just a set of folders tagged with timestamps and, at best, some keywords about origin or a family name, then usually some analysis notes and binary artefacts that resulted from my analysis efforts. I wanted to reorganize this information and thought it would be beneficial to share it with the community, as I recognized this appeared to be a common challenge.

This led to the incorporation of references for different families and the inclusion of reference samples that could serve as binary data anchors. Ultimately, my goal was to build a kind of "Rosetta Stone" for malware.

Hunt: Malpedia is open to curated contributions. How do you strike the right balance between openness and maintaining high data quality?

Daniel: To this day, all content being added is peer-reviewed by a few volunteers and me, which ensures that at least another pair of eyes confirms the accuracy of metadata and family associations. All binary content, i.e. malware samples, is still reviewed by me to ensure consistency. This is certainly significant effort and using some automation helps with the process, but I think it's ultimately worth it.

Hunt: Are there particular malware trends or families you've found yourself repeatedly drawn to over the years?

Daniel: Having started roughly 15 years ago, I must highlight win.zeus as a family that has incurred so much family offspring that it certainly crossed my desk time and time again. In this case, it was particularly interesting to see how other authors adapted parts of the leaked code and molded it to cater to their needs.

Otherwise, I have a big heart for everything curious. Malware written in rare and odd languages, weird and unusual ways to make certain things happen, e.g., creative abuse of protocols to achieve Command and Control, those things brighten up my day.

Hunt: If a young analyst wanted to contribute to Malpedia or follow in your research footsteps, what advice would you give them?

Daniel: Malpedia is always open for contributions, and everyone is invited to propose additions. I am actually aware of several younger analysts and freshly started bloggers who received increasing attention and were able to establish a portfolio, at least partially due to having their research highlighted on the library and family pages.

Generally, I would recommend just keeping going with perseverance. Especially when starting with binary analysis, there is a lot of potential for frustration, and one can feel lost easily. But once the initial hill is captured, there is also a lot of fun in it, as long as one remains curious and enjoys learning things.

Hunt: As part of your PhD thesis, you developed MCRIT, which builds on concepts like Position Independent Code (PIC) hashing and MinHashing. Could you break down why these two approaches were the backbone of your framework?

Daniel: The idea of PIC hashing is based on observations from Cohen and Havrilla, published in 2009. The goal is to derive a fingerprint on a function level that is quasi-exact and only accounts for memory relocations. Since we frequently encounter statically-linked code, especially from standard libraries such as the Microsoft Visual C runtime or GCC, these can be very well addressed with such a type of fingerprint.

Without fuzziness, matching also means we only look for identical fingerprints, which can be done very efficiently in databases. In their original research, they showed that using such fingerprints can reduce large quantities of functions down 40-fold to unique representations.

MinHashing, on the other hand, is a locality-sensitive hashing scheme that allows accounting for similarity to a certain degree, often used as an efficient storage and lookup technique in the search for similarity and clustering. For using it in the code similarity context, I have adopted well-known features from the academic literature for the function representation used in MCRIT. Both complement each other well when looking at it in a two-stage process.

Hunt: A key differentiator of MCRIT is that it enables the derivation of occurrence frequencies for code indexed with it. Which use cases does this help with in a real-world investigation?

Daniel: Firstly, this allows us to guide analyst attention towards code that is more likely intrinsic for the malware family under investigation, i.e., the parts of the code that bear its characteristics and capabilities. In consequence, we also built a feature in MCRIT that further builds on this insight and allows the automated generation of identification rules, targeting code specifically that is observed across multiple samples/versions of the malware family but not found anywhere else.

Secondly, when focusing beyond unique code, this also allows for highlighting rare code, and thus pointing a spotlight on code overlaps between a few, possibly related malware families, providing leads for authorship attribution. Thirdly, and inverting the first aspect, it also allows us to show which code is commonly found across the whole data set, meaning that MCRIT can outline areas of potential library code, simply by inference from its popularity.

Hunt: You shared that MCRIT is built to work seamlessly with Malpedia. What advantages does this integration provide, especially in terms of actionable results?

Daniel: Yes, indeed, several features, and especially the frequency-based analysis, have been heavily inspired by first having an extensive, accurately labeled malware corpus available. For us, MCRIT helps with the curation of data, as it supports the rapid analysis and sorting into families. I expect that other users may be using MCRIT similarly with Malpedia as a baseline data set to aid their malware investigations.

The rule generation approaches outlined before, in turn, benefit Malpedia because they allow us to provide automatically generated high-fidelity rules for the malware families. It can be seen as a technical symbiosis.


Hunt: Can you walk us through how Hunt.io fits into your workflow as a threat researcher?

Daniel: As I am mostly focusing on binary analysis in my daily work, the AttackCapture tool, which covers recordings of malware spotted in open directories, has great value for me.

I was able to discover and extract several offensive tools regularly observed in the wild and other interesting malware samples from the data gathered by Hunt.io.

Hunt: Are there particular types of hunting tasks where Hunt.io really shines?

Daniel: I also really like the C2 Infrastructure UI as it helps to get an idea of currently active adversarial infrastructure. This helps me stay informed about the popularity and frequency of use for malware and attack tools, which indirectly serves as an estimate for where to put a focus in my own work.

Hunt: Have you discovered anything surprising or unexpected through Hunt.io: a hunch that turned into a major lead, perhaps?

Daniel: There was a post last year on the Hunt.io blog, which featured the discovery of a PlugX builder in an open directory. As one of my current pet projects is to dig through the history of PlugX, this came in very handy, as I was able to dig up multiple other builders based on the insights from this initial file.

Hunt: We know you play the guitar. What kind of music do you gravitate toward when you're decompressing from a long day of threat research?

Daniel: There's actually a wide spectrum of music that I would generally consider in that scenario. It vastly depends on the mood of the day. Lately, it would either be some (progressive) metalcore like ERRA, Invent Animate, and Currents, but anything electronic is also always welcome, some Drum and Bass, or possibly an energetic live set from Boiler Room or Cercle.

Hunt: Have you ever worked on a project that merged your love for music and tech, even in a fun or experimental way?

Daniel: I have experimented a bit with synthesizers when dabbling with electronic music, as well as playing with programmatic generation of MIDI tracks. For my band, I've also done recording of demo tracks and some engineering. I'd definitely like to expand on these things!


Hunt: What's next for you? Any upcoming research areas or side projects you're particularly excited about?

Daniel: One of my major research scopes is still set on code similarity. While there is a lot of great work done already on techniques that do the actual comparison between pieces of code, I think there is still significant room for improvement in using these technical results to provide an actual benefit when performing analysis, e.g., highlighting the most expressive and insightful code overlaps.

Apart from that, I've started playing with natural language processing and exploring additional ways in which the information gathered with Malpedia can be leveraged in further ways to aid us as a community.
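As an added illustration of the two-stage matching and frequency-based triage Daniel describes in the MCRIT answers above, here is a constructed Python toy. It is not MCRIT's code and not part of the interview: it masks address-like operands in assembly text to obtain a PIC-style quasi-exact fingerprint, MinHashes mnemonic bigrams for fuzzy similarity, and counts per-family occurrences to separate library-like code from family-unique code. The corpus (families A, B, C, a shared memcpy, a decode loop that B forked from A), the regex-based address masking and the bigram features are all assumptions made for the example; real PIC hashing normalizes function bytes using relocation and disassembly data.

```python
"""Two-stage code similarity toy: PIC-style exact hashing, MinHash fuzzy matching and
frequency triage over a labelled corpus. Constructed example, not MCRIT's code: masking
addresses in assembly text stands in for real PIC hashing over bytes and relocation data."""
import hashlib
import random
import re
from collections import defaultdict
from itertools import combinations

# Assumption: 5+ hex digits is an address; shorter immediates (offsets, keys, bounds) stay.
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{5,}")


def pic_hash(insns):
    """Quasi-exact fingerprint: equal hashes mean identical code modulo relocation."""
    normalized = "\n".join(ADDR_RE.sub("ADDR", i) for i in insns)
    return hashlib.sha256(normalized.encode()).hexdigest()


def mnemonic_bigrams(insns):
    """Fuzzy feature set: mnemonic bigrams, insensitive to operands and constants."""
    m = [i.split()[0] for i in insns]
    return {f"{m[k]} {m[k + 1]}" for k in range(len(m) - 1)}


class MinHash:
    """Locality-sensitive sketch: the fraction of agreeing slots estimates Jaccard."""
    PRIME = (1 << 61) - 1

    def __init__(self, num_perm=128, seed=7):
        rng = random.Random(seed)
        self.perms = [(rng.randrange(1, self.PRIME), rng.randrange(self.PRIME)) for _ in range(num_perm)]

    def sketch(self, features):
        # 56-bit feature hashes stay below PRIME, so (a*h + b) % PRIME permutes them.
        hs = [int.from_bytes(hashlib.blake2b(f.encode(), digest_size=7).digest(), "big") for f in features]
        return tuple(min((a * h + b) % self.PRIME for h in hs) for a, b in self.perms)

    @staticmethod
    def similarity(s1, s2):
        return sum(x == y for x, y in zip(s1, s2)) / len(s1)


def decode_fn(table, loop, callee, key, count, guard=None):
    """Constructed XOR-decode loop; `guard` adds a null check, modelling a forked variant."""
    body = ["push esi", f"mov esi, [{table}]"]
    if guard:
        body += ["test esi, esi", f"jz {guard}"]
    body += ["xor ecx, ecx", "mov al, [esi+ecx]", f"xor al, {key}", "mov [esi+ecx], al",
             "inc ecx", f"cmp ecx, {count}", f"jl {loop}", f"call {callee}", "pop esi", "ret"]
    return body


# Constructed corpus: family -> sample -> function name -> instructions.
CRT_MEMCPY = ["push ebp", "mov ebp, esp", "mov ecx, [ebp+0x10]", "mov esi, [ebp+0xc]",
              "mov edi, [ebp+0x8]", "rep movsb", "pop ebp", "ret"]
A_DECODE_V1 = decode_fn("0x403010", "0x401210", "0x401500", "0x5a", "0x40")
A_DECODE_V2 = decode_fn("0x403050", "0x401250", "0x401540", "0x5a", "0x40")  # relocated only
B_DECODE = decode_fn("0x405010", "0x401320", "0x401600", "0x7e", "0x80", guard="0x401300")
C_INIT = ["push ebp", "mov ebp, esp", "sub esp, 0x20", "lea eax, [ebp-0x20]", "push eax",
          "call 0x402000", "add esp, 0x4", "leave", "ret"]
CORPUS = {
    "A": {"v1": {"decode": A_DECODE_V1, "memcpy": CRT_MEMCPY},
          "v2": {"decode": A_DECODE_V2, "memcpy": CRT_MEMCPY}},
    "B": {"b1": {"decode": B_DECODE, "memcpy": CRT_MEMCPY}},
    "C": {"c1": {"init": C_INIT, "memcpy": CRT_MEMCPY}},
}


def triage(corpus):
    """Stage one: label each PIC hash by how widely it occurs across the labelled corpus."""
    idx = defaultdict(set)  # PIC hash -> {(family, sample)}
    for fam, samples in corpus.items():
        for smp, funcs in samples.items():
            for insns in funcs.values():
                idx[pic_hash(insns)].add((fam, smp))
    labels, nfam = {}, len(corpus)
    for h, occ in idx.items():
        fams = {f for f, _ in occ}
        if len(fams) == nfam:
            labels[h] = "library-like"    # in every family: probably statically linked runtime
        elif len(fams) > 1:
            labels[h] = "rare-shared"     # a few families share it: authorship lead
        elif len(occ) >= 2:
            labels[h] = "family-unique"   # recurs in one family only: identification-rule material
        else:
            labels[h] = "singleton"       # one sample: not enough evidence either way
    return labels


def cross_family_near_matches(corpus, threshold=0.5):
    """Stage two: different PIC hash but MinHash similarity >= threshold across families."""
    mh = MinHash()
    items = [(fam, smp, name, ins) for fam, s in corpus.items() for smp, f in s.items() for name, ins in f.items()]
    sketches = {it[:3]: mh.sketch(mnemonic_bigrams(it[3])) for it in items}
    pairs = set()
    for x, y in combinations(items, 2):
        if x[0] == y[0] or pic_hash(x[3]) == pic_hash(y[3]):
            continue  # same family, or an exact match that stage one already found
        if MinHash.similarity(sketches[x[:3]], sketches[y[:3]]) >= threshold:
            pairs.add(tuple(sorted((x[0], y[0]))))
    return pairs
```

Running `triage(CORPUS)` labels the shared memcpy "library-like" because it occurs in every family, and A's decode loop "family-unique" because it recurs across A's two relocated samples and nowhere else, which is exactly the kind of code an identification rule should target. `cross_family_near_matches(CORPUS)` then surfaces the A/B link that stage one misses: B's forked decode loop has a different PIC hash (extra guard, different key and bound) but roughly 75% of its mnemonic bigrams in common with A's, the "rare overlap" that hints at shared authorship.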