// static analysis · specimen triage
A staged implant was pulled from a compromised workstation. Each stage held its configuration behind a different obfuscation layer. Work through the specimens below: reverse each one, recover the embedded indicator it protects, determine the stage's intent, and log the indicator to the case.
Samples are behaviorally inert. Each only reads stdin and writes stdout — no network, filesystem, or persistence actions occur. Every embedded indicator (C2 host, mutex, campaign ID, Run key) is fictional and non-routable. Detonate inside an isolated VM regardless, per standard handling.
Recovered indicators take the form FLAG{…} and are submitted on the case system of record. The field on each specimen is a local self-check only — it confirms you pulled the right indicator before you report it.
ELF 64-bit, x86-64, dynamically linked. Analyze on an isolated Linux VM. Each sample only reads stdin and writes stdout — running them is safe.