rfxn

Research

Threats move fast, so we build in the open. This is the engineering behind rfxn's detection updates: scan engine internals, signature design, and the analysis that drives them. When a new threat lands, the write-up ships with the code.

Threat Response | Ryan MacDonald

Axios npm Compromise: Lazarus Group Deploys Cross-Platform RAT

The axios npm package (50M+ weekly downloads) was compromised via maintainer account hijack. Malicious versions 1.14.1 and 0.30.4 inject a postinstall dropper that delivers a cross-platform RAT attributed to Lazarus Group (DPRK/APT38). We publish 33 maldet signatures covering the dropper, all platform payloads, and C2 infrastructure.

Tags: maldet, malware, supply-chain, npm, lazarus, apt38
Threat Response | Ryan MacDonald

WordPress Supply Chain Attacks: BuddyBoss, Gravity Forms, and the Trust Problem

Three premium plugin supply chain compromises in 12 months (BuddyBoss, Gravity Forms, and Groundhogg) show attackers systematically targeting vendor update infrastructure. We publish 10 new maldet signatures including generic detection rules that catch future supply chain backdoors in any WordPress plugin.

Tags: maldet, malware, wordpress, supply-chain, buddyboss, gravity-forms
Threat Response | Ryan MacDonald

Magento PolyShell: Detection, Mitigation, and maldet Signatures

A critical unauthenticated file upload vulnerability in Magento's REST API allows attackers to plant PHP webshells disguised as GIF images. We break down the attack and publish 7 ModSecurity rules, Apache hardening guidance, and 4 new maldet signatures.

Tags: maldet, malware, vulnerability, modsecurity, magento, webshell
Building in the Open | Ryan MacDonald

Compound Signatures: Building a Boolean Detection Language in Bash

ClamAV's signature format cannot express boolean logic. We built a compound signature engine that evaluates AND/OR/threshold rules using shell-native primitives (grep, awk, sort) with 22x less memory and 2.1x higher detection rates. No daemon, no dependencies.

Tags: maldet, malware, detection, bash
Building in the Open | Ryan MacDonald

43x Faster: Rewriting maldet's Scan Engine with Batch Parallel Processing

Linux Malware Detect v1.6.6 forked 500,000 subprocesses per scan. The v2.0 rewrite uses batch parallel workers, Aho-Corasick grep, and awk preloading to scan 10,000 files in 28 seconds, with zero external dependencies and a 44 MB memory footprint.

Tags: maldet, performance, bash