{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:17:48Z","timestamp":1766441868518,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":117,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3744860","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"1364-1378","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Enhanced Web Application Security Through Proactive Dead Drop Resolver Remediation"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-8626-1325","authenticated-orcid":false,"given":"Jonathan","family":"Fuller","sequence":"first","affiliation":[{"name":"United States Military Academy, West Point, NY, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0225-5141","authenticated-orcid":false,"given":"Mingxuan","family":"Yao","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-8917-6465","authenticated-orcid":false,"given":"Saumya","family":"Agarwal","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-6933-9882","authenticated-orcid":false,"given":"Srimanta","family":"Barua","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, 
USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-7782-6529","authenticated-orcid":false,"given":"Taleb","family":"Hirani","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0207-7154","authenticated-orcid":false,"given":"Amit Kumar","family":"Sikder","sequence":"additional","affiliation":[{"name":"Iowa State University, Ames, IA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5859-6925","authenticated-orcid":false,"given":"Brendan","family":"Saltaformaggio","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"volume-title":"Retrieved","year":"2023","key":"e_1_3_2_2_1_1","unstructured":"Abuse.ch. 2023. URLHaus. (2023). Retrieved March 12, 2023 from https:\/\/urlhaus.abuse.ch\/."},{"key":"e_1_3_2_2_2_1","volume-title":"Proc. 30th USENIX Security. (Aug.","author":"Alrawi Omar","year":"2021","unstructured":"Omar Alrawi, Moses Ike, Matthew Pruett, Ranjita Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, and Brendan Saltaformaggio. 2021. Forecasting Malware Capabilities From Cyber Attack Memory Images. In Proc. 30th USENIX Security. (Aug. 2021)."},{"key":"e_1_3_2_2_3_1","volume-title":"Proc. 23rd USENIX Security. (Aug.","author":"Alrwais Sumayah","year":"2014","unstructured":"Sumayah Alrwais, Kan Yuan, Eihal Alowaisheq, Zhou Li, and XiaoFengWang. 2014. Understanding the dark side of domain parking. In Proc. 23rd USENIX Security. (Aug. 2014)."},{"key":"e_1_3_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.5555\/2028067.2028094"},{"key":"e_1_3_2_2_5_1","volume-title":"Proc. 21st USENIX Security. 
(Aug.","author":"Antonakakis Manos","year":"2012","unstructured":"Manos Antonakakis, Roberto Perdisci, Yacin Nadji, Nikolaos Vasiloglou, Saeed Abu-Nimeh,Wenke Lee, and David Dagon. 2012. From Throw-away Traffic to Bots: Detecting the Rise of DGA-based Malware. In Proc. 21st USENIX Security. (Aug. 2012)."},{"key":"e_1_3_2_2_6_1","volume-title":"Retrieved","author":"Arntz Pieter","year":"2017","unstructured":"Pieter Arntz. 2017. Analyzing malware by API calls. (Oct. 2017). Retrieved March 06, 2024 from https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/analyzing-malware-by-api-calls\/."},{"key":"e_1_3_2_2_7_1","volume-title":"Retrieved","author":"MITRE","year":"2021","unstructured":"MITRE | ATT&CK. 2021. Attack Matrix for Enterprise. (Nov. 2021). Retrieved November 06, 2021 from https:\/\/attack.mitre.org\/."},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS.2014.6838310"},{"key":"e_1_3_2_2_9_1","volume-title":"Proc. 23rd USENIX Security. (Aug.","author":"Bao Tiffany","year":"2014","unstructured":"Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, and David Brumley. 2014. BYTEWEIGHT: Learning to Recognize Functions in Binary Code. In Proc. 23rd USENIX Security. (Aug. 2014)."},{"key":"e_1_3_2_2_10_1","volume-title":"Retrieved","author":"Bermejo Lenart","year":"2018","unstructured":"Lenart Bermejo and Joelson Soares. 2018. Lazarus Targets Latin American Financial Companies. (Nov. 2018). Retrieved November 15, 2024 from https:\/\/www.trendmicro.com\/en_us\/research\/18\/k\/lazarus- continues-heistsmounts-attacks-on-financial-organizations-in-latin-america.html."},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420969"},{"key":"e_1_3_2_2_12_1","volume-title":"Proc. 26th USENIX Security. (Aug.","author":"Blazytko Tim","year":"2017","unstructured":"Tim Blazytko, Moritz Contag, Cornelius Aschermann, and Thorsten Holz. 2017. Syntia: synthesizing the semantics of obfuscated code. In Proc. 
26th USENIX Security. (Aug. 2017)."},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"crossref","unstructured":"Robert S Boyer Bernard Elspas and Karl N Levitt. 1975. SELECT \u2014 A Formal System for Testing and Debugging Programs by Symbolic Execution. In ACM.","DOI":"10.1145\/800027.808445"},{"key":"e_1_3_2_2_14_1","volume-title":"Proc. 17th NDSS. (Feb.","author":"Caballero Juan","year":"2010","unstructured":"Juan Caballero, Noah M Johnson, Stephen McCamant, Dawn Song, and UC Berkeley. 2010. Binary Code Extraction and Interface Identification for Security Applications. In Proc. 17th NDSS. (Feb. 2010)."},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/11537328_2"},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382217"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.31"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950350"},{"key":"e_1_3_2_2_19_1","volume-title":"Retrieved","author":"Chen Joseph C","year":"2021","unstructured":"Joseph C Chen, Kenney Lu, Jaromir Horejsi, and Gloria Chen. 2021. Biopass RAT: New Malware Sniffs Victims via Live Streaming. (July 2021). Retrieved November 06, 2024 from https:\/\/www.trendmicro.com\/en_us\/research\/21\/g\/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html."},{"key":"e_1_3_2_2_20_1","volume-title":"Retrieved","author":"Cherepanov Anton","year":"2017","unstructured":"Anton Cherepanov. 2017. Analysis of TeleBots' cunning backdoor. (July 2017). Retrieved November 15, 2022 from https:\/\/www.welivesecurity.com\/2017\/07\/04\/analysis-of-telebots-cunning-backdoor\/."},{"key":"e_1_3_2_2_21_1","volume-title":"Proc. 5th Workshop on Hot Topics in System Dependability (HotDep). (June","author":"Chipounov Vitaly","year":"2009","unstructured":"Vitaly Chipounov, Vlad Georgescu, Cristian Zamfir, and George Candea. 2009. Selective Symbolic Execution. In Proc. 
5th Workshop on Hot Topics in System Dependability (HotDep). (June 2009)."},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"crossref","unstructured":"Vitaly Chipounov Volodymyr Kuznetsov and George Candea. 2011. S2E: A Platform for In-vivo Multi-path Analysis of Software Systems. ACM SigPlan Notices.","DOI":"10.1145\/1950365.1950396"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1976.233817"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273463.1273490"},{"key":"e_1_3_2_2_25_1","volume-title":"Retrieved","author":"CYFIRMA.","year":"2022","unstructured":"CYFIRMA. 2022. Cyber Research on the Malicious Use of Discord. (Sept. 2022). Retrieved March 12, 2024 from https:\/\/www.cyfirma.com\/research\/cyberresearch-on-the-malicious-use-of-discord."},{"key":"e_1_3_2_2_26_1","volume-title":"Statistical Similarity of Binaries (June","author":"David Yaniv","year":"2016","unstructured":"Yaniv David, Nimrod Partush, and Eran Yahav. 2016. Statistical Similarity of Binaries (June 2016)."},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23055"},{"key":"e_1_3_2_2_28_1","volume-title":"Proc. 23rd USENIX Security. (Aug.","author":"Egele Manuel","year":"2014","unstructured":"Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. 2014. Blanket execution: dynamic similarity testing for program binaries and components. In Proc. 23rd USENIX Security. (Aug. 2014)."},{"key":"e_1_3_2_2_29_1","volume-title":"Retrieved","author":"ESET.","year":"2019","unstructured":"ESET. 2019. Operation Ghost. The Dukes aren't back \u2014 they never left. (Oct. 2019). Retrieved February 26, 2022 from https:\/\/www.welivesecurity.com\/wpcontent\/uploads\/2019\/10\/ESET_Operation_Ghost_Dukes.pdf."},{"volume-title":"Retrieved Feburary 21","year":"2019","key":"e_1_3_2_2_30_1","unstructured":"FireEye. 2019. APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic. (Feb. 2019). 
Retrieved February 21, 2021 from https:\/\/www.fireeye.com\/current-threats\/apt-groups\/rpt-apt17.html."},{"volume-title":"Retrieved","year":"2019","key":"e_1_3_2_2_31_1","unstructured":"FireEye. 2019. Double Dragon - APT41, a Dual Espionage and Cyber Crime Operation. (Aug. 2019). Retrieved March 06, 2022 from https:\/\/content.fireeye.com\/apt-41\/rpt-apt41."},{"volume-title":"Multigrain - Point of Sale Attackers Make an Unhealthy Addition to the Pantry. (Apr","year":"2016","key":"e_1_3_2_2_32_1","unstructured":"FireEye. 2016. Multigrain - Point of Sale Attackers Make an Unhealthy Addition to the Pantry. (Apr. 2016). Retrieved November 6, 2021 from https:\/\/www.fireeye.com\/blog\/threat-research\/2016\/04\/multigrain_pointo.html."},{"key":"e_1_3_2_2_33_1","volume-title":"Retrieved","author":"FIRST.","year":"2015","unstructured":"FIRST. 2015. FIRST is the global Forum of Incident Response and Security Teams. (Oct. 2015). Retrieved December 31, 2024 from https:\/\/www.first.org."},{"key":"e_1_3_2_2_34_1","volume-title":"Malpedia: Free and Open Malware Reverse Engineering Resource offered by Fraunhofer FKIE. (Nov.","author":"Fraunhofer","year":"2021","unstructured":"Fraunhofer FKIE. 2021. Malpedia: Free and Open Malware Reverse Engineering Resource offered by Fraunhofer FKIE. (Nov. 2021). Retrieved November 6, 2021 from https:\/\/malpedia.caad.fkie.fraunhofer.de."},{"volume-title":"Monsoon -- Analysis of an APT Campaign. (Mar","year":"2022","key":"e_1_3_2_2_35_1","unstructured":"Forcepoint. 2022. Monsoon -- Analysis of an APT Campaign. (Mar. 2022). Retrieved March 6, 2022 from https:\/\/www.forcepoint.com\/sites\/default\/files\/resources\/files\/forcepoint-security-labs-monsoon-analysis-report.pdf."},{"volume-title":"Retrieved","year":"2019","key":"e_1_3_2_2_36_1","unstructured":"Fortinet. 2019. The Malicious Use of Pastebin. (2019). 
Retrieved March 12, 2022 from https:\/\/www.fortinet.com\/blog\/threat-research\/malicious-use-ofpastebin."},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484537"},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"crossref","unstructured":"Nicola Galloro Mario Polino Michele Carminati Andrea Continella and Stefano Zanero. 2022. A Systematical and Longitudinal Study of Evasive Behaviors in Windows Malware. COSE.","DOI":"10.1016\/j.cose.2021.102550"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2846740"},{"key":"e_1_3_2_2_40_1","volume-title":"Jose Maria de Fuentes, and Lorena Gonzalez-Manzano","author":"Gimenez-Aguilar Mar","year":"2023","unstructured":"Mar Gimenez-Aguilar, Jose Maria de Fuentes, and Lorena Gonzalez-Manzano. 2023. Malicious uses of Blockchains by Malware: From the Analysis to Smart-Zephyrus. International Journal of Information Security, 1--36."},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560587"},{"key":"e_1_3_2_2_42_1","volume-title":"Proc. 16th USENIX Security. (Aug.","author":"Gu Guofei","year":"2007","unstructured":"Guofei Gu, Phillip A Porras, Vinod Yegneswaran, Martin W Fong, and Wenke Lee. 2007. Bothunter: detecting malware infection through ids-driven dialog correlation. In Proc. 16th USENIX Security. (Aug. 2007)."},{"key":"e_1_3_2_2_43_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium, NDSS 2008","author":"Gu Guofei","year":"2008","unstructured":"Guofei Gu, Junjie Zhang, and Wenke Lee. 2008. Botsniffer: detecting botnet command and control channels in network traffic. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2008, San Diego, California, USA, 10th February - 13th February 2008. (Feb. 2008)."},{"key":"e_1_3_2_2_44_1","volume-title":"Retrieved","author":"Hromcov\u00e1 Zuzana","year":"2020","unstructured":"Zuzana Hromcov\u00e1 and Anton Cherepanov. 2020. 
Invisimole: The Hidden Part of the Story Unearthing Invisimole's Espionage Toolset and Strategic Cooperations. (June 2020). Retrieved November 15, 2024 from https:\/\/www. welivesecurity.com\/wp-content\/uploads\/2020\/06\/ESET_InvisiMole.pdf."},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-44081-7_4"},{"key":"e_1_3_2_2_46_1","volume-title":"The Feds Are Coming For ''Extremist'' Gamers. (Mar","author":"Intercept The","year":"2024","unstructured":"The Intercept. 2024. The Feds Are Coming For ''Extremist'' Gamers. (Mar. 2024). Retrieved June 9, 2024 from https:\/\/theintercept.com\/2024\/03\/09\/fbidhs- gamers-extremism-violence\/."},{"key":"e_1_3_2_2_47_1","volume-title":"Proc. 20th USENIX Security. (Aug.","author":"Jacob Gregoire","year":"2011","unstructured":"Gregoire Jacob, Ralf Hund, Christopher Kruegel, and Thorsten Holz. 2011. Jackstraws: Picking Command and Control Connections from Bot Traffic. In Proc. 20th USENIX Security. (Aug. 2011)."},{"key":"e_1_3_2_2_48_1","volume-title":"Proc. 18th NDSS. (Feb.","author":"Kang Min Gyung","year":"2011","unstructured":"Min Gyung Kang, Stephen McCamant, Pongsin Poosankam, and Dawn Song. 2011. Dta: Dynamic Taint Analysis With Targeted Control-Flow Propagation. In Proc. 18th NDSS. (Feb. 2011)."},{"key":"e_1_3_2_2_49_1","volume-title":"Proc. 27th USENIX Security. (Aug.","author":"Kim Doowon","year":"2018","unstructured":"Doowon Kim, Bum Jun Kwon, Kristi\u00e1n Koz\u00e1k, Christopher Gates, and Tudor Dumitras, . 2018. The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI. In Proc. 27th USENIX Security. (Aug. 2018)."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052674"},{"volume-title":"Symbolic Execution and Program Testing. In number 7","author":"King James C","key":"e_1_3_2_2_51_1","unstructured":"James C King. 1976. Symbolic Execution and Program Testing. In number 7. Vol. 19. 
ACM, 385--394."},{"key":"e_1_3_2_2_52_1","volume-title":"Proc. 26th ACM CCS. (Nov.","author":"Kleber Stephan","year":"2011","unstructured":"Stephan Kleber and Frank Kargl. 2011. Poster: network message field type recognition. In Proc. 26th ACM CCS. (Nov. 2011)."},{"key":"e_1_3_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.10"},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241152"},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24475"},{"key":"e_1_3_2_2_56_1","volume-title":"Retrieved","author":"Lab FI","year":"2025","unstructured":"CyFI Lab. 2025. Baseline Comparison For De-Manipulation Algorithm C\/C Source Code Via Moss. (Apr. 2025). Retrieved April 09, 2025 from https : \/\/github.com\/CyFI-Lab-Public\/VADER\/blob\/main\/appendix\/moss.pdf."},{"key":"e_1_3_2_2_57_1","volume-title":"Retrieved","author":"Lab FI","year":"2025","unstructured":"CyFI Lab. 2025. Baseline Comparison For Decoding Algorithm Similarity Via Symbolic Expressions. (Apr. 2025). Retrieved April 09, 2025 from https: \/\/github.com\/CyFI- Lab- Public\/VADER\/blob\/main\/appendix\/baseline_ comparison.pdf."},{"key":"e_1_3_2_2_58_1","volume-title":"Retrieved","author":"Lab FI","year":"2025","unstructured":"CyFI Lab. 2025. Defensive Evasion APIs. (Apr. 2025). Retrieved April 09, 2025 from https:\/\/github.com\/CyFI-Lab- Public\/VADER\/blob\/main\/appendix\/ defensive_evasion_apis.pdf."},{"key":"e_1_3_2_2_59_1","volume-title":"Retrieved","author":"Lab FI","year":"2025","unstructured":"CyFI Lab. 2025. Identified Dead Drops. (Apr. 2025). Retrieved April 09, 2025 from https:\/\/github.com\/CyFI-Lab- Public\/VADER\/blob\/main\/appendix\/ identified_accounts.pdf."},{"key":"e_1_3_2_2_60_1","volume-title":"Retrieved","author":"Labs Malwarebytes","year":"2017","unstructured":"Malwarebytes Labs. 2017. Explained: Spora ransomware. (Mar. 2017). 
Retrieved November 15, 2022 from https:\/\/www.malwarebytes.com\/blog\/news\/2017\/03\/spora-ransomware."},{"key":"e_1_3_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24161"},{"key":"e_1_3_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714639"},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.59"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243783"},{"key":"e_1_3_2_2_66_1","volume-title":"Proc. 23rd ACM CCS. (Oct.","author":"Liao Xiaojing","year":"2016","unstructured":"Xiaojing Liao, Sumayah A. Alrwais, Kan Yuan, Luyi Xing, XiaoFeng Wang, Shuang Hao, and Raheem A. Beyah. 2016. Lurking malice in the cloud: understanding and detecting cloud repository as a malicious service. In Proc. 23rd ACM CCS. (Oct. 2016)."},{"key":"e_1_3_2_2_67_1","volume-title":"Proc. 15th ACM Symposium on Information, Computer and Communications Security (ASIACCS). (Oct.","author":"Lingam Greeshma","year":"2020","unstructured":"Greeshma Lingam, Rashmi Ranjan Rout, Durvasula V. L. N. Somayajulu, and Sajal K. Das. 2020. Social Botnet Community Detection: A Novel Approach based on Behavioral Similarity in Twitter Network using Deep Learning. In Proc. 15th ACM Symposium on Information, Computer and Communications Security (ASIACCS). (Oct. 2020)."},{"key":"e_1_3_2_2_68_1","volume-title":"Proc. 27th USENIX Security. (Aug.","author":"Liu Zhiheng","year":"2018","unstructured":"Zhiheng Liu, Zhen Zhang, Yinzhi Cao, Zhaohan Xi, Shihao Jing, and Humberto La Roche. 2018. Towards a secure zero-rating framework with three parties. In Proc. 27th USENIX Security. (Aug. 
2018)."},{"key":"e_1_3_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-69155-8_4"},{"key":"e_1_3_2_2_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635900"},{"key":"e_1_3_2_2_71_1","unstructured":"Lorenzo Maffia Dario Nisi Platon Kotzias Giovanni Lagorio Simone Aonzo and Davide Balzarotti. 2021. Longitudinal Study of the Prevalence of Malware Evasive Techniques. arXiv preprint arXiv:2112.11289."},{"key":"e_1_3_2_2_72_1","volume-title":"Proc. 30th USENIX Security. (Aug.","author":"Meijer Carlo","year":"2021","unstructured":"Carlo Meijer, Veelasha Moonsamy, and Jos Wetzels. 2021. Where's Crypto?: Automated Identification and Classification of Proprietary Cryptographic Primitives in Binary Code. In Proc. 30th USENIX Security. (Aug. 2021)."},{"key":"e_1_3_2_2_73_1","volume-title":"Retrieved","author":"Menn Joseph","year":"2020","unstructured":"Joseph Menn. 2020. Court orders seizure of ransomware botnet controls as U.S. election nears. (Sept. 2020). Retrieved July 18, 2022 from https:\/\/www.reuters.com\/article\/us-uselection-cyber-botnet\/court-orders-seizure-of-ransomware-botnet-controls-as-u-s-election-nears-idUSKBN26X1G2."},{"key":"e_1_3_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00011"},{"key":"e_1_3_2_2_75_1","volume-title":"Malware Campaign Targets South Korean Banks. (Nov","author":"Micro Trend","year":"2021","unstructured":"Trend Micro. 2021. Malware Campaign Targets South Korean Banks. (Nov. 2021). Retrieved November 6, 2021 from https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/malware-campaign-targets-south-koreanbanks-uses-pinterest-as-cc-channel\/."},{"key":"e_1_3_2_2_76_1","volume-title":"Retrieved","author":"Micro Trend","year":"2022","unstructured":"Trend Micro. 2022. Operation Endtrade: Tick's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. (Nov. 2022). 
Retrieved November 15, 2022 from https:\/\/documents.trendmicro.com\/assets\/pdf \/Operation- ENDTRADETICK-s-Multi-Stage- Backdoors- for- Attacking- Industries-and- Stealing-Classified-Data.pdf."},{"key":"e_1_3_2_2_77_1","volume-title":"Retrieved","author":"Micro Trend","year":"2024","unstructured":"Trend Micro. 2024. Trend Micro Collaborated with Interpol in Cracking Down Grandoreiro Banking Trojan. (July 2024). Retrieved July 13, 2024 from https:\/\/www.trendmicro.com\/en_fi\/research\/24\/d\/trend- micro- collaborated with-interpol-in-cracking-down-grandore.html."},{"key":"e_1_3_2_2_78_1","volume-title":"Understanding the Patchwork Cyberespionage Group. (Mar","author":"Micro Trend","year":"2022","unstructured":"Trend Micro. 2022. Understanding the Patchwork Cyberespionage Group. (Mar. 2022). Retrieved March 6, 2022 from https:\/\/documents.trendmicro.com\/assets\/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf."},{"key":"e_1_3_2_2_79_1","unstructured":"Jiang Ming Dongpeng Xu Yufei Jiang and Dinghao Wu. [n.d.] BinSim: Trace-based Semantic Binary Diffing via System Call Sliced Segment Equivalence Checking. In."},{"key":"e_1_3_2_2_80_1","volume-title":"Proc. 26th ACM CCS. (Nov.","author":"Naderi-Afooshteh Abbas","year":"2011","unstructured":"Abbas Naderi-Afooshteh, Yonghwi Kwon, Anh Nguyen-Tuong, Ali Razmjoo-Qalaei, Mohammad-Reza Zamiri-Gourabi, and Jack W Davidson. 2011. MalMax: Multi-Aspect Execution for Automated Dynamic Web Server Malware Analysis. In Proc. 26th ACM CCS. (Nov. 2011)."},{"key":"e_1_3_2_2_81_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23218"},{"key":"e_1_3_2_2_82_1","volume-title":"Proc. 21st USENIX Security. (Aug.","author":"Nelms Terry","year":"2012","unstructured":"Terry Nelms, Roberto Perdisci, and Mustaque Ahamad. 2012. ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates. In Proc. 21st USENIX Security. (Aug. 
2012)."},{"volume-title":"Retrieved","year":"2023","key":"e_1_3_2_2_83_1","unstructured":"Netresec. 2023. Publicly Available PCAP Files. (2023). Retrieved March 12, 2023 from https:\/\/www.netresec.com\/?page=PcapFiles."},{"key":"e_1_3_2_2_84_1","volume-title":"Proc. 12th NDSS. (Feb.","author":"Newsome James","year":"2005","unstructured":"James Newsome and Dawn Xiaodong Song. 2005. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proc. 12th NDSS. (Feb. 2005)."},{"key":"e_1_3_2_2_85_1","volume-title":"Retrieved","author":"Page Carly","year":"2022","unstructured":"Carly Page. 2022. Rsocks, A popular proxy service, was just seized by the DOJ. (June 2022). Retrieved July 18, 2022 from https:\/\/techcrunch.com\/2022\/06\/17\/rsocks-proxy-seized-justice-department\/."},{"key":"e_1_3_2_2_86_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818047"},{"key":"e_1_3_2_2_87_1","volume-title":"Proc. 23rd USENIX Security. (Aug.","author":"Peng Fei","year":"2014","unstructured":"Fei Peng, Zhui Deng, Xiangyu Zhang, Dongyan Xu, Zhiqiang Lin, and Zhendong Su. 2014. X-force: Force-executing Binary Programs for Security Applications. In Proc. 23rd USENIX Security. (Aug. 2014)."},{"key":"e_1_3_2_2_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.49"},{"key":"e_1_3_2_2_89_1","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2018.8433199"},{"key":"e_1_3_2_2_90_1","unstructured":"Checkpoint Research. 2019. Pony's C&C Servers Hidden Inside the Bitcoin Blockchain. (Dec. 2019). Retrieved March 6 2022 from https : \/ \/ research . checkpoint . com \/ 2019 \/ ponys - cc - servers - hidden - inside - the - bitcoin - blockchain\/."},{"key":"e_1_3_2_2_91_1","volume-title":"Retrieved","author":"Research ESET","year":"2019","unstructured":"ESET Research. 2019. Casbaneiro: Dangerous Cooking with a Secret Ingredient. (Oct. 2019). 
Retrieved March 06, 2024 from https:\/\/www.welivesecurity.com\/2019\/10\/03\/casbaneiro-trojan-dangerous-cooking\/."},{"key":"e_1_3_2_2_92_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"volume-title":"The Dropping Elephant - Aggressive Cyber-Espionage in the Asian Region. (Mar","year":"2022","key":"e_1_3_2_2_93_1","unstructured":"Securelist. 2022. The Dropping Elephant - Aggressive Cyber-Espionage in the Asian Region. (Mar. 2022). Retrieved March 6, 2022 from https:\/\/securelist.com\/the-dropping-elephant-actor\/75328\/."},{"key":"e_1_3_2_2_94_1","volume-title":"Retrieved","author":"Shamah David","year":"2014","unstructured":"David Shamah. 2014. How malware writers' laziness is helping one startup predict attacks before they even happen. (Oct. 2014). Retrieved March 16, 2024 from https:\/\/www.zdnet.com\/article\/how- malware- writers- laziness- ishelping- one-startup-predict-attacks-before-they-even-happen\/."},{"key":"e_1_3_2_2_95_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_14"},{"volume-title":"Retrieved February 26","year":"2022","key":"e_1_3_2_2_96_1","unstructured":"Stanford.Edu. 2022. A System for Detecting Software Similarity. (Nov. 2022). Retrieved February 26, 2024 from https:\/\/theory.stanford.edu\/~aiken\/moss\/."},{"key":"e_1_3_2_2_97_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3437520"},{"key":"e_1_3_2_2_98_1","volume-title":"Retrieved","author":"Team ASERT","year":"2018","unstructured":"ASERT Team. 2018. Donot Team Leverages New Framework. (Mar. 2018). Retrieved March 09, 2023 from https:\/\/www.netscout.com\/blog\/asert\/donotteam-leverages-new-modular-malware-framework-south-asia."},{"key":"e_1_3_2_2_99_1","volume-title":"Retrieved","author":"Unit Research Team Counter Threat","year":"2017","unstructured":"Counter Threat Unit Research Team. 2017. Bronze Butler Targets Japanese Enterprises. (Oct. 2017). 
Retrieved March 06, 2024 from https:\/\/www.secureworks.com\/research\/bronze-butler-targets-japanese-businesses."},{"key":"e_1_3_2_2_100_1","doi-asserted-by":"publisher","DOI":"10.1145\/2413176.2413217"},{"key":"e_1_3_2_2_101_1","volume-title":"Retrieved","author":"Todorovic Nikola","year":"2023","unstructured":"Nikola Todorovic and Abhi Chaudhuri. 2023. Using AI to help organizations detect and report child sexual abuse material online. (2023). Retrieved March 12, 2023 from https:\/\/blog.google\/around-the-globe\/google-europe\/using-aihelp-organizations-detect-and-report-child-sexual-abuse-material-online\/."},{"key":"e_1_3_2_2_102_1","doi-asserted-by":"crossref","unstructured":"Milad Torkashvan and Hassan Haghighi. 2015. CB2C: A Cloud-Based Botnet Command and Control. Indian Journal of Science and Technology.","DOI":"10.17485\/ijst\/2015\/v8i22\/59773"},{"key":"e_1_3_2_2_103_1","volume-title":"Retrieved","author":"Ventura Vitor","year":"2019","unstructured":"Vitor Ventura. 2019. Gustuff Banking Botnet Targets Australia. (Apr. 2019). Retrieved March 06, 2024 from https:\/\/blog.talosintelligence.com\/2019\/04\/gustuff-targets-australia.html."},{"volume-title":"Retrieved","year":"2004","key":"e_1_3_2_2_104_1","unstructured":"VirusTotal. 2004. VirusTotal. (June 2004). Retrieved January 05, 2024 from https:\/\/www.virustotal.com\/."},{"key":"e_1_3_2_2_105_1","volume-title":"Proc. 14th NDSS. (Feb.","author":"Vogt Ryan","year":"2007","unstructured":"Ryan Vogt, John Aycock, and Michael J Jacobson Jr. 2007. Army of botnets. In Proc. 14th NDSS. (Feb. 2007)."},{"key":"e_1_3_2_2_106_1","doi-asserted-by":"publisher","DOI":"10.5555\/3155562.3155606"},{"volume-title":"Retrieved","year":"2024","key":"e_1_3_2_2_107_1","unstructured":"WordPress. 2024. WordPress.com: Build a Site, Sell Your Stuff, Start a Blog & More. (2024). 
Retrieved December 13, 2024 from https:\/\/wordpress.com\/."},{"key":"e_1_3_2_2_108_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.56"},{"key":"e_1_3_2_2_109_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.56"},{"key":"e_1_3_2_2_110_1","volume-title":"Proc. 33rd USENIX Security. (Aug.","author":"Xu Haichuan","year":"2024","unstructured":"Haichuan Xu, Mingxuan Yao, Runze Zhang, Mohamed Moustafa Dawoud, Jeman Park, and Brendan Saltaformaggio. 2024. Dva: extracting victims and abuse vectors from android accessibility malware. In Proc. 33rd USENIX Security. (Aug. 2024)."},{"key":"e_1_3_2_2_111_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660352"},{"key":"e_1_3_2_2_112_1","volume-title":"Proc. 32nd USENIX Security. (Aug.","author":"Yao Mingxuan","year":"2023","unstructured":"Mingxuan Yao, Jonathan Fuller, Rajita Pai Sridhar, Saumya Agarwal, Amit K. Sikder, and Brendan Saltaformaggio. 2023. Hiding in Plain Sight: An Empirical Study of Web Application Abuse in Malware. In Proc. 32nd USENIX Security. (Aug. 
2023)."},{"key":"e_1_3_2_2_113_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00228"},{"key":"e_1_3_2_2_114_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00111"},{"key":"e_1_3_2_2_115_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.241353"},{"key":"e_1_3_2_2_116_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420968"},{"key":"e_1_3_2_2_117_1","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489345"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744860","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:16:04Z","timestamp":1766441764000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3744860"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":117,"alternative-id":["10.1145\/3719027.3744860","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3744860","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}