2026-04-16 –, Amphitheater
Malware configuration data often holds the key to understanding a threat actor’s intent, infrastructure, and operational scope. Yet, as adversaries evolve their tooling, extracting this configuration information has become a progressively cumbersome challenge for analysts. This talk provides a hands-on exploration of how malware stores, hides, and protects its configuration, moving from easily accessible static artifacts to deeply obfuscated and encrypted structures.
Starting with fundamental patterns and low-hanging fruit, we’ll walk through practical examples of locating embedded configuration data in binaries and analyzing common encoding routines. The session then escalates to advanced cases where adversaries deploy custom encryption layers, smart contracts, or dynamically generated configuration schemas, illustrated through live demonstrations of real-world samples.
To ground these techniques in recent reality, the talk highlights several emerging malware families observed in the wild throughout recent years. Each case study outlines how the configuration is structured and stored, and demonstrates the methods and the logic used to extract and decode it, offering actionable know-how directly transferable to day-to-day reverse engineering.
Attendees will gain not only conceptual insights into malware configuration structures across different malware families but also actionable findings for configuration extraction workflows. By the end of the talk, participants will be able to tackle both the straightforward and the sophisticated: turning malware configuration data into actionable threat intelligence.
Albert is a senior malware researcher at VMRay. Initially, Albert honed his skills as an IDS/IPS analyst, meticulously analysing security events, before transitioning to the role of incident responder for a Fortune 50 company. He then embarked on his next challenge: malware analysis and threat research at a respected AV/EDR company. He discovered that detection engineering and signature development came to him like a second language, so he continued investing in this area. He is also a former conference speaker at AVAR, BSidesBUD, BSidesVienna, DisobeyFi, Hacktivity, SEC-T and Virus Bulletin.