DISCARDED: Tales From the Threat Research Trenches
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Magic Packets & Stealth Backdoors: The Art of Detection Engineering
Hello to all our Cyber Daffodils! Host Selena Larson and guest host Tim Kromphardt sit down with Stuart Del Caliz, Senior Threat Detection Engineer at Proofpoint, to unpack the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.
From magic packets and port knocking to sophisticated backdoors like BPFdoor, Stuart shares how attackers design covert communication methods—and how defenders work to uncover them without overwhelming security teams with noise. The conversation blends deep technical insight with real-world analogies (think speakeasy knocks and undercover “internet cops”) to make complex detection strategies easier to understand.
You’ll also hear:
- How detection engineers balance accuracy and performance when writing IDS/IPS signatures
- Why some advanced malware can remain undetected for years—and whether we’re simply not seeing it
- How historic leaks like Shadow Brokers still influence modern attack techniques
- The role of “pattern matching” in identifying evolving malware behaviors
- How file metadata and revoked certificates can reveal threats hiding in plain sight
- Why community collaboration and feedback loops are critical to stronger detections
Whether you’re a security practitioner or deep in the trenches, this episode offers a closer look at the craft of detection engineering—and the constant challenge of writing high-fidelity detections against increasingly evasive threat techniques.
Resources Mentioned:
https://community.emergingthreats.net/
https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
https://www.wired.com/story/nsa-hacking-tools-stolen-hackers/
You're listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint for security practitioners. Each episode you'll hear from security researchers, malware analysts, threat hunters, and more as we dive into what's going on in the world of cyber attacks and how defenders safeguard us from threats. Let's get into the show. Hello to all our cyber daffodils. It is springtime here in the world where I live, and I hope everyone is enjoying warmer weather or cooler weather, depending on where you are tuning into the podcast from. I am your host, Selena Larson. You are listening to Discarded: Tales from the Trenches, a podcast by Proofpoint. I am here today with my co-host Tim Kromphardt and his two dogs.
SPEAKER_02: Always. I'm here with senior threat detection engineer Stuart. Welcome, Stuart. Glad to have you.
SPEAKER_00: Hello.
SPEAKER_02: Thanks for watching.
SPEAKER_00: I am so delighted. Welcome to the podcast. You are new on our podcast. And so why don't you share with our listeners who you are? What do you do?
SPEAKER_01: Well, as you mentioned, I'm senior threat detection engineer over on the uh Emerging Threats team. I uh joined Proofpoint just a little over a year ago, been enjoying writing sigs for both the ET community and for our customers.
SPEAKER_00: So well, welcome, welcome. I have to say, one of the highlights that I have with you, Stuart, is that we were wearing matching corduroy when we hung out for the first time. Yeah.
unknown: Yeah.
SPEAKER_01: Yeah, I had my uh uh overalls on. It was great. It was my fancy farmer style I got.
SPEAKER_00: It's great. I love it. I feel like we have a few fancy farmers here at Proofpoint. You and Sarah definitely vibe in that way. And I somehow matched with like four different team members at our on-site on different days. I don't know, I don't know what it is. I'm a chameleon, clearly.
SPEAKER_01: Uh the one thing I didn't prepare for this podcast was I did not get my nails done. I feel really I wanted to match your energy going in.
SPEAKER_00: So well, yes, there's always time for Pokemon nails. I'm just saying, you know, uh next time, next time you gotta bring it.
SPEAKER_02: Yeah, next time we all need to dress as fancy farmers because that would be fantastic.
SPEAKER_00: So, all right, let's dive into some stuff. So, one of the really cool things that you do here at Proofpoint is you are taking a look at exploits and backdoors. And recently there have been some spyware leaks that have kind of come out, um, like source code that's been leaked or tooling that's been leaked. And you really dive into that type of malware quite a bit. And I know that you have done some research on historic backdoors as well. So I'm kind of curious, like, what are you currently working on? Like, what do you find really interesting about some of the more sort of sophisticated backdoors that we see in like spyware espionage?
SPEAKER_01: Yeah, so one of the things I really like is magic bytes, magic magic packets, and uh port knocking that backdoors will implement. There's a few that do really well. There's a few that are pretty prolific. Some even aren't in use anymore, but you find out later down the road they've been in use for over a decade, and it's just now being, you know, talked about. For example, BPFdoor. Actually, just last week, Rapid7 put out an article of a bunch of variants that they had been observing, and it's been really interesting. There's a lot of different ways that they've been changing up their tactics, but for the most part, it still is the same method. They'll they'll use BPF, which is Berkeley Packet Filter.
SPEAKER_02: We can't just pass up magic packets and port knocking. What are those? Those sound magical.
SPEAKER_01: Yeah, magic bytes, magic packets are a sequence of hex bytes usually, or or a secret order that the backdoor is expecting to find. So from the client side or from the threat actor side, they will organize a packet in a way that the backdoor is going to filter and activate upon receiving. So, like this method is kind of derived from Wake-on-LAN, which was pretty big in the 90s to remotely, you know, access computers and and wake them up. The concept of magic packet triggers inspired covert activation mechanisms. While that stuff is not directly related to like malware, it definitely inspired a lot of a lot of like techniques. And then port knocking is similar in the sense that it's expecting a series of ports and a sequence that it connects to before it can finally make an established connection between the client, the threat actor, and the backdoor, which is the server in this case.
SPEAKER_02: So it's like a secret knock at like a speakeasy or something, right? Like "shave and a haircut, two bits." It's like, that's it. You get in, you're you're good.
SPEAKER_00: You are allowed. So is this method um of the set that you're looking at? It seems like this is typically in more sophisticated malware samples, right? That have a little bit more ability to fly under the radar. They're trying to be a little bit more secretive, likely more espionage focused. Is that what you're that that's what you're looking at?
SPEAKER_01: Yeah, and targets usually are usually like routers, things that are exposed to internet, less likely web applications or devices uh hosting web apps and stuff like that.
SPEAKER_02: So Internet of Things. Yes. Yes. We've talked a lot about those.
SPEAKER_00: So you had mentioned the Rapid7 report on BPFdoor, which was kind of updated research from previously published information about that malware. Can you talk about why you thought that research was so interesting? And then in your role on Emerging Threats, which of course is creating network detections, IDS/IPS signatures based off of open source intelligence, essentially, how did you incorporate some of that research into writing detections for our platform?
SPEAKER_01: So, what I find so interesting about it is that it's challenging. It's challenging in the fact that you have to both marry performance and accuracy, and stuff like this is is is really hard to thread the needle on. And so, because what you're working with is so small, and for example, when I write a rule for Suricata or Snort, if I have content matches that are really short, that can impact performance pretty heavily. And so magic bytes, magic packets, they're really small. They're they're a small sequence of hex. And so trying to coordinate the the matching of that with packets that are more suspicious, they don't match normal traffic, is the best way we can match or uh uh create a rule that is both performant and accurate. So I find it challenging in the sense that it's it it can may not be perfect for every everybody's environment, but what we do is we try to put out rules that will work in in a lot of environments. Some environments utilize our rule sets through the sandbox, some do a little bit more work and they do like TLS inspection. So they decrypt everything and then re-encrypt it before sending it to where it needs to. So all that matters, but the magic packets they're they're they're a little bit more difficult to work with, but that's what's what's so interesting.
SPEAKER_00: So based off of Tim's metaphor, you basically have to puzzle out what the secret knock is and then be able to copy that and incorporate it into rules so they effectively fire and can detect the secret knock.
SPEAKER_01: Exactly.
SPEAKER_02: And not be too noisy that you're going to annoy analysts that are looking at these and go, okay, I'm getting a lot of these.
SPEAKER_00: Yeah, if you knock too much, if you knock too much on the speakeasy door, they won't let you in. That's the point of a speakeasy. Exactly. You have to be quiet.
SPEAKER_01: Yeah, as a former SOC analyst, I I tried to envision myself in that role again. And when I write these rules, I do not want to make their life harder. I want to make it easier. And yeah, this is it's something that I, you know, carry with me is SOC life, SOC in the trenches.
SPEAKER_02: That's great. That's great. Because we need people to think about those things. Uh you know, as a former SOC analyst myself, like you gotta have folks that understand what that job is like, because it's it's it's quite overwhelming at uh at times, right?
SPEAKER_00: So it's really important that you have to get these signatures right because one of the things about BPFdoor, um, according to Rapid7, they call it, quote, sleeper cells in the backbone. So it's very important, it's targeting telecom networks. They are very strategic espionage targets, and telecommunications infrastructure is a very hot target right now. And we've seen a lot of samples recently, and certainly from China targeting this um sort of strategic area for them. And so, of course, when you're writing these very complicated rules, you have to make sure that they are tuned and very, very effective and don't, you know, false positive uh blow up the SOC because it is a very serious malware. And you know, if you're targeted by this, you want to make sure that it's 100% correct because of um the capabilities and the targeting and um the association with espionage.
unknown: Yeah.
SPEAKER_02: What kind of hurdles did you have to overcome with that?
SPEAKER_01: Well, in older variants, like the 2023 samples, there was a specific TCP sequence and acknowledgement numbers in the TCP header. And that in and of itself is very unique, but at the same time not impossible to to match on uh to to replicate. So finding finding a way that both says, hey, this is going to match on this particular sequence and acknowledgement, but what all what else within that packet would make it look like it's not normal TCP traffic in that sense?
SPEAKER_02: Right, because you need the context, right? You can't just say, hey, here's the the pattern, because you need the context to go with that in order to uh make that work.
SPEAKER_01: Yeah, there's a 2025 variant where they started at the beginning of uh the payload, it would start with an X, and then it would be followed by the IP delimited by a colon and then the port, which would be the call back. But what helped in this case was it was sent over port 53, which then kind of begs the difference. What why are you having uh potential DNS traffic coming inbound to your environment and then validating that it doesn't have the same structure as a DNS packet would have?
SPEAKER_02: Yes, because you wouldn't typically expect a DNS packet to be inbound on a regular network.
SPEAKER_01: And I think for classic BPFdoor, there were a byte sequence, there were a few byte sequences, one for TCP and a separate one for UDP and ICMP. But uh the the interesting part, or at least the the the part that kind of like makes it stand out a bit, is that this uh payload was sent in a uh TCP SYN uh packet. So no established connection was made yet. And normally SYN packets don't usually have a payload. So that uh kind of made it a little bit more, you know, stand out.
SPEAKER_02: So it's like a secret handshake too. So yeah.
SPEAKER_01: Yeah.
SPEAKER_02: Nice, nice. So we got secret knocks, secret handshakes. That's fantastic.
SPEAKER_00: We need a secret third thing.
SPEAKER_02: Yes, sinister third thing.
SPEAKER_00: So it's really interesting how you talk about all the different things that are required to go into detections because it is a little bit like a fingerprint, right? So you're you're creating something that you'd be able to match in much the same way as like detectives look at the fingerprint on a door in a burglary, because you're like, okay, I have to match it exactly with this person or this malware, as the case may be. And so you're kind of writing that from scratch, basically trying to figure that out. And it's also interesting too how the fingerprints change with the malware. So, unlike some more basic commodity types of malware, stuff that's, you know, easily accessible on GitHub, things like, you know, information stealers like Agent Tesla have been around forever. Those are fairly easy to sig on, they're fairly static. You get a little bit more sophisticated information stealers that use different types of crypt, like crypting or um cryptors and different ways of trying to like encode various different data. So kind of like the it the challenges increase as the malware gets better. But what is pretty notable is there's always sort of this like set or type of malware that is going to be really challenging to sig on that has these um like magical little characteristics. And you were talking before we started the podcast on you're even looking at historic data too. Like, so you're like like investigating how has malware previously used some of these techniques? What can we learn from that? So, can you talk a little bit about it? I think you mentioned Shadow Brokers as an example.
SPEAKER_01: I sure did. I find it really interesting. And uh, you know, it is available on GitHub. And it was nice to pull down and take a look at how it tries to do the same thing with a magic packet. Same with BPFdoor, where you're getting a SYN packet with a payload size stands out. But what they did was really interesting as they implemented a custom BPF virtual machine, which was used to validate the packet before it decrypted the the payload that it came with. So this to the start, it sends a a packet, a really small packet. Uh it's like 136 bytes. The structure of it was there was a trigger value followed by the encrypted payload, followed by the size, followed by a reserved bytes, and then followed by a checksum. And so what was what was interesting about how they they set up the sequence is you had a static value, you would uh XOR against the checksum. You would take another static value, XOR that against the size, and then the checksum value would uh equal the trigger value, and then the size value was checked to see what the size of the the total payload would be. It was really cool. The one part I did miss was uh before they XORed those values, they would switch the endianness of the the bytes, and so normally the endianness, network endian would be big, and then they would swap it. So as you see this the hex sequence of two bytes, you might have like BE EF come over the wire, but they would swap it and it would be EF BE, and then they would XOR that, and then that value would be checked against another val the the final value. So with those two in mind, that was the that was the first stage before decrypting the encrypted payload, and then they would call back to their to the client that was reaching out. So that was really cool. The structure of it, you would take this payload and all you had all you had to do was uh do a little bit of complex, you know, byte swapping and and XORing. I found it really cool.
It was really like everything is kind of located in this packet just to check, and all you had to do was do the check yourself. Unfortunately, I got part way through creating a nice Suricata rule uh for IDS to match on it, but because of limitations within the engine, couldn't complete that that process. But that that kind of started a nice little like, hey, OISF, let's like, let's let's expand some of the features of Suricata so that we can do some more complex math or complex comparisons when we see stuff like this.
SPEAKER_00: Mm-hmm. So I'm curious. So you're talking about the Shadow Brokers uh stuff that's on GitHub and on the backdoor that they were using, but it's been around since what, like 2016? And so it's like 10 years old, but you're you don't really see this much with malware. And I'm curious if you had, I mean, well, first of all, this is this might be a little bit of a spicy question because you're looking at the detections. You're the you're the data, you're the data guy, but I'm curious, like, is it that we're just not seeing the malware because we're not catching it? Or do you think that it's just like so technically difficult to implement this type of um malware capability that there's just not a lot of people that would bother doing it that way?
SPEAKER_01: I would say my money is on that we're not seeing it. I mean, who's thinking of that, of that, that sequence? I mean, you you could probably think of a really cool sequence to check something, a a certain type of knock, you know. Tim thinks of a different knock. I think of a different knock. And I doubt we'll all have the same knock. And to expect one of us to know without without understanding or having heard it once before, would we be able to guess it on the first try? So, but it does it, you know, like going through these situations and it like, you know, experimenting and and testing out and seeing how it's done, it gives us like that one extra step to knowing maybe we can catch up catch something like this in the future. Maybe we can, you know, surprisingly, someone people love to reuse code, you know, and re-implement things. And it's easy, but also, you know, if we can, we can catch it, that's awesome. And if we just learn a little bit more, that's awesome too.
SPEAKER_02: From listening to you talk, it kind of sounds like these uh these malware developers are they kind of have a similar job to you, right? They have to listen for these connections, and then you also have to to look for the same kind of things to kind of filter out the noise. So like you kind of have a similar job there, but you know, not all these are uh so quite so dynamic, right? We have some that are more on the static side. Uh, how do you approach making IDS sigs for those? Do you get inspiration from like other signatures? Do you have like a like a mood board or maybe like a Pinterest kind of thing you set up for for IDS? What do you do? What's your process?
SPEAKER_01: Yeah, yeah. I I I do have a mood board. I do have a vision board, and it is based on YARA rules and host-based detections, uh, SIEM rules, things like that, because I I come from, you know, thus I I I I did a lot of SOC work where you are looking at SIEMs, you are looking at all types of logs and doing some research into malware and what you know, what it's what it's gonna do, what is the components that make up that malware. I have this vision that most YARA rules that are written for detecting binaries statically, like rather than in memory, because this wouldn't work in the same sense, we could almost implement the same technique in IDS. There are some limitations, there's size limitations, there's only so much that we can inspect at a given time. A stream can only be so long that we can we can inspect, but there are certain ways around it. I do look towards YARA rules for inspiration, for guidance. There's a lot of great uh researchers out there that put out a lot of really good content, and um I like to, you know, utilize that and implement them um when I can um and give shout outs, especially when the when they do such great work. And recently, I've been using, I've been creating file detections around things like LOLBins, so living-off-the-land binaries. Kind of stemmed from seeing a lot of attack chains where threat actors would utilize bring your own vulnerable driver to bypass security features or elevate privileges. And while host-based detections exist and perform well in those cases, before they're brought to your device, they do travel over the internet. So I thought, why can't we do the same thing? And so this is where uh looking into specifically for for drivers and executables, most any legitimate binary will have a file version info. And that file version info data structure that provides the detailed version info and like company and description, product versions, stuff like that.
So you'll so what you find, you find that at the at the pretty much at the end of an executable in the version info block, like I said, they would have a file version or a product version, product name, company name, some version of a description or even legal uh copyright. It doesn't have to have all, but it might have some of those things. And so what I do is I write a rule that looks for some of those values, some of those unique values. And more specifically, if you have like a version that is known to be vulnerable, uh known to be used in these scenarios, then I match that with product names or or other unique values and create a rule based on that.
SPEAKER_00: So you can kind of take these characteristics that would apply to a lot of different types of executables, but not necessarily just the single sample or the single type of malware that you're looking at. You can use these shared characteristics to catch more fish, I guess. Like cast a wider net to kind of take up some of that stuff. So it doesn't necessarily like for example, so for example, I'm curious, like this technique by leveraging file info characteristics to try and detect known bad things on specific executables. Have you ever noticed that that will catch things that aren't necessarily detected as malicious otherwise?
SPEAKER_01: Yes. Yes. Because actually, this is this is actually one of those things where I did a little bit of work into uh it was talked about a bit before, but it's not a new new or novel practice, but uh revoked code signing certificates. You know, we we saw those with ScreenConnect, we've seen those with other RMMs. That comes across as valid to some EDRs. They'll check just if the binary is signed, but not whether it's been revoked. And so we will uh and I've written a couple signatures around that, which match on the signer and the serial number because both of them are not encrypted. They're they're plain text and working within the confines of Suricata and what it can inspect, it's possible to notify when you're downloading something that potentially has a revoked signing certificate.
SPEAKER_02: Like a cop pulling you over and checking your ID and saying it's expired, but it's okay. Go ahead.
SPEAKER_00: Tim, I am loving all of your analogies on this podcast. It's really like putting into context some of the work that Stuart does, which I think is often thought to be very technical, but there are some real world um analogies that we can that we can use to explain these. I like your cop pulling you over, checking your ID, and letting you go, even if it's expired.
SPEAKER_02: It comes from years of talking to people that have no idea what you're talking about. When you work in a SOC job, you want to talk to friends and family about what you do, and they're like, you stare at you dead blankly, like, yeah, you gotta find out analogies. I'm sure Stuart does that all the time. Talking about your work at home.
SPEAKER_00: My nephew called me an internet cop when I tried to explain, tried to explain my job.
SPEAKER_02: That's hilarious. That's what my kids called what my job is all the time. They're like, What are you doing? I'll tell them what I do. They're like, Oh, it's an internet cop. Like, uh, I mean, I can't arrest anybody, so I'm not really a cop. Yes, that's a very common analogy as well.
SPEAKER_00: Uh no, that's super funny. So that's so that's really interesting. So are you able to like, are there any sort of common executable types or um different malware that is um frequently using the same, either, you know, the the file information, the certs, or things like that. That is there like a family that tends to use it more or a type of malware that you're having a lot of luck with this detection method?
SPEAKER_01: I've not been able to attribute to any particular malware or threat actors. I rely heavily on the other members of the Proofpoint threat research team who do a phenomenal job at tracking and campaigning and doing a lot of legwork just so that I can write the rules that I do write.
SPEAKER_00: So actually, you explained your job so funny before we actually started recording this podcast. And I think you should share that with the audience because it's a great way of, you know, we we we've had a wide variety of people on the podcast. And, you know, one of the people that we've had before multiple times is Greg Lesnewich, of course, who's a you know an espionage threat researcher, tracker guy. And I know that you guys were kind of he's he's kind of a big deal, yeah. And I know that you were you were talking back and forth and trying like you know, boiling down to the basics, like what yeah, he he he called himself a professional data miner.
SPEAKER_01: And I was like, that's great. Uh it's great to meet you. I'm a professional, a pattern matcher. And uh I feel like that that really speaks to me on a lot of levels. I I I honestly I I find it so interesting to find patterns. It's uh like being a detective, and like you said about fingerprints, and it's just you know, every day it's one of those things where you're like, all right, what's the mystery of today? What what do I get to find? What do I get to use to to to unlock the secrets of you know malware or what this weird, suspicious thing is doing, and how can I match on it? How can I, how can I be its pattern matcher?
SPEAKER_00: Well, and I think it's really interesting too to think about the different roles when we're talking about cyber threat intelligence and threat research, because to your point, you're not looking at the attribution, you're looking at literally the bytes in the code. You're looking at PCAP. And like you're looking at traffic. And um, from our perspective, and well, and Tim is an even different researcher than I am. Like we all have kind of our own sort of specialty skills. And but yeah, I I would also consider myself kind of like a data miner, but I also like doing sort of like over-time strategic analysis. So like looking for patterns and data that are like more in terms of like campaigns and malwares and attribution and like looking at at patterns and data of that type of thing and and taking like an over-time strategic analysis look at things while we have, you know, folks like Greg who are like mining just like big type, like a lot of different types of data, finding new malware, finding new exploits, kind of you know, doing a little bit doing that type of thing, which then of course goes to you. But then I use your signatures to unearth more data that then I can collect and look at patterns in malware and attribution. So it's kind of like this like it's a beautiful cycle, it's like the cycle of CTI.
SPEAKER_01: Um I think I've seen the diagram somewhere.
SPEAKER_00: Well, I didn't do a very good job of explaining it. There's more too. And speaking of the CTI life cycle, there is one critical piece of the CTI life cycle which never ever, ever, ever gets fulfilled, and that's the feedback portion of the cycle. So we do here within our own organization, but like I feel like oftentimes you don't. We're we're very lucky here at Proofpoint because we do have like a great, you know, feedback loop and a really good like overall intelligence cycle.
SPEAKER_01: Speaking of feedback, I will plug for ET: if you go to community.emergingthreats.net, you can give the Emerging Threats team feedback on all these amazing rules that you may be implementing in your environment. And we love feedback because we want to make it, we want to make them better. We want to make them accurate, we want to make them perform well, we want to geek out on network traffic. Send us your PCAPs and let's talk.
SPEAKER_00: Yeah, you guys really do. It's great. I love the Emerging Threats community. I love how collaborative it is. We have tons and tons of of external researchers giving you stuff. I think we've even had incidents where um uh someone is like, oh, I found this, you know, this new thing. It's not public, but I'd like to make sure that we have Emerging Threats signatures for it before it's released, like out in the world, which is which is also awesome. So please, by all means, um send us, send us your PCAP, send us your data. Not us as in me.
SPEAKER_01: I won't be looking at that, but I mean they could send it to you, but then you can send it to us. Yes, yes.
SPEAKER_00: I'll be um uh the middleman. I will I'll be uh uh I will happily be the peak the PCAP mule.
SPEAKER_02: PCAP mule. Perfect. And we also like feedback on this podcast. So if you'd like to comment, go uh go find us on uh iTunes or or on our website, whatever. Give us some feedback. We'd love it.
SPEAKER_00: We actually have, we've recently added a text us module. So if you look at the description on wherever you're listening to your podcast, you can text us your feedback and we will happily incorporate it into future podcasts. Um, this was super interesting. Thank you so much, Stuart. Um, we will definitely have to have you back because we had a list of things to talk to you about, and there was um a whole section that we didn't even get to, which was um new techniques in um different SVG smuggling and um SMTP detections, which is also super interesting. So we will definitely have to have you back. For any of our listeners who are interested in learning more about Emerging Threats, learning more about how to write your own signatures, definitely check out um community.emergingthreats.net. There are tutorials, tips, tricks. You know, you can message the team directly on um on various platforms. So definitely reach out. And one of the greatest parts of the Emerging Threats team is it is education for the community. So so Stuart, thank you so much for joining us today. This was a really fun conversation. It was super interesting. I learn a lot every time we have uh an IDS network sig writer come on the podcast. So it's very exciting. And I will send you things if I see commonalities in file infos um for different executables. That's yeah, that sounds like a really cool little detection trick. So good to learn. Tim, as always, thank you so much for uh being the co-host today and bringing the good vibes and metaphors, analogies, and uh speakeasy.
SPEAKER_02: That's what I'm here for. Speakeasy vibes.
SPEAKER_00: Yes, yes, amazing. Um, and to all our listeners, as always, thank you so much for tuning in. And until next time, happy hunting. You've been listening to Discarded: Tales from the Threat Research Trenches, a podcast by Proofpoint. Never miss an episode by subscribing to the show in your favorite podcast player. Happy hunting.