Related groups of threat actors often reuse bits and pieces of code across separate pieces of malware, and this reuse can serve as an attribution method. If a function, class, method, constant, or any similar piece of data that is novel to one malware family is discovered in a new sample, there is a high likelihood that the disparate samples are related in one way or another. Perhaps the two strains were authored by the same person, or perhaps the authors are colleagues.
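One way to triage a new sample for this kind of overlap, as an added example that is not code from the original post: it uses printable strings as a stand-in for the functions and constants mentioned above, and keeps only those that are novel to the family by subtracting a baseline of unrelated binaries. The function names and all sample byte strings are constructed for illustration.

```python
import re

def extract_strings(blob: bytes, min_len: int = 6) -> set:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob))

def novel_features(family_samples, baseline_samples) -> set:
    """Strings found in every known family sample and in no baseline sample.

    Subtracting the baseline matters: imports, runtime strings and library
    code are shared by unrelated binaries and say nothing about authorship.
    family_samples must be non-empty.
    """
    shared = set.intersection(*(extract_strings(s) for s in family_samples))
    common = set()
    for s in baseline_samples:
        common |= extract_strings(s)
    return shared - common

def reuse_hits(unknown: bytes, family_samples, baseline_samples) -> set:
    """Family-novel strings that also appear in the unknown sample."""
    return novel_features(family_samples, baseline_samples) & extract_strings(unknown)

# Constructed sample data: two binaries from a known family, one benign
# baseline binary, one new sample that reuses the family's marker, and one
# new sample that does not.
FAMILY_A = [
    b"\x00\x01GetProcAddress\x00xq_beacon_v2_key\x00\x90\x90kernel32.dll\x00",
    b"\xffkernel32.dll\x00\x00xq_beacon_v2_key\x00LoadLibraryA\x00GetProcAddress\x00",
]
BASELINE = [b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"]
UNKNOWN = b"MZ\x00\x00kernel32.dll\x00xq_beacon_v2_key\x00ExitProcess\x00"
UNRELATED = b"MZ\x00kernel32.dll\x00ExitProcess\x00"

if __name__ == "__main__":
    print("unknown  :", reuse_hits(UNKNOWN, FAMILY_A, BASELINE))
    print("unrelated:", reuse_hits(UNRELATED, FAMILY_A, BASELINE))
```

A hit is a lead for an analyst to confirm, not proof of common authorship: the smaller and less representative the baseline, the more shared library code will pass as family-novel.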
code reuse as attribution
0001-01-01