Hello and welcome to the Monday, December 15th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in applied cyber security.

Well, this Monday, we have a number of diaries to talk about. The first one comes from Xavier,

and as typical for Xavier is of interest to anybody reverse analyzing Malver.

Xavier is taking a closer look at DLLs.

Now DLs, libraries, of course, in Windows are loaded by software in order to provide additional

functionality.

As any kind of library, of course, there are certain features that are being exposed by the

library, but one thing that's often overlooked here is the entry point. And what's happening here

is that a developer can define an entry point that's being executed as the library is being

loaded. There are a couple different options, how it can be executed,

and XIV is explaining this.

The reason is important for Malar Analysis

is that you may see a library being loaded,

a DLL being loaded,

but then actually no function in that DL is being ever executed.

Well, then you have to take a look at the entry

point to see if it contains any code of interest because that was executed just as DL was

loaded without any specific function actually being called.

And the next diary comes from Brad.

Brad wrote about, well, two particular examples of a recent

...