Writing · Arkhatic

Deep-dives on the
technical decisions behind my work.

Engine systems, security pipelines, audio synthesis, game design reviews, incident investigations. Some technical posts are detailed enough that I could rebuild the project from them, and that's the point!

16 entries·RSS ↗
showing 7 of 16 · Securityclear ✕
Security
June 15, 2026
18 min read

Capabilities over signatures: the design behind a .blend inspector, and the provenance layer that sidesteps the fight

The technical companion to The weight of a hyphen. Two questions you can ask of a file that runs itself, what will it do and who made it, decompose into a detection problem you can only draw and a provenance problem you can win. The capability model that keeps a static inspector from drowning in false positives, the four-move evasion arms race and the four answers, and the signing math that makes a pirated copy fail by arithmetic. Architecture and decisions, not source.

Read →
Security
June 14, 2026
16 min read

The weight of a hyphen: a lookalike domain, a self-running file, and the inspector I built to catch it

A friend's Blender community was bleeding Discord accounts, and one of his domains had started serving malware. The domain was never his, the attack rode a single missing hyphen, and the real leak was a thousand endpoints. The investigation, the file format that runs itself, and the tool I built so Blender stops asking you to trust blind. Narrative and decisions, not a playbook.

Read →
Security
May 24, 2026
31 min read

Calibration as infrastructure: building a detonation lab

Six stages, four tensions, and the engineering decisions that determine whether a detonation lab earns its keep. How specimens enter, deploy, detonate, are observed, are analysed, and are archived, with notes on the tradeoffs that recur at every stage and the boring parts that compound over years. Architecture and decisions, not code. Engineering register, not academic.

Read →
Security
May 20, 2026
41 min read

Below the burn line: the architecture of operator infrastructure

Three tiers, four attribution surfaces, and the analyst posture they are all calibrated against. Why operator infrastructure decomposes into long-haul, redirector, and staging tiers, what discipline each tier requires across DNS, TLS, behavioural, and financial surfaces, and how the operator's own workstation becomes the single point of correlation that none of the tier discipline addresses. Architecture and decisions, not configuration. Methodology, not playbook.

Read →
Security
May 16, 2026
34 min read

Building the inverse: the design decisions behind a three-layer dropper

The same architecture from the other direction. Why a layered .NET dropper has three layers and not two or four, what each layer is solving for, and which defender assumptions the design quietly presupposes. A composite reference design drawn from the artefact dissected in Three layers deep and adjacent commodity infostealer campaigns through 2024 and 2025. Architecture and decisions, not source. Companion to the reverse-engineering writeup.

Read →
Security
May 13, 2026
21 min read

Three layers deep: reverse-engineering a .NET RAT dropper

Three layers down into a 1.1 MB junk-padded batch script: from cmd.exe macro obfuscation through a PowerShell shellcode loader to a Donut-packed implant living inside explorer.exe. The dropper hides its payload steganographically in 3,500 lines of comments, renames powershell.exe to evade name-based detection, and uses a 7-byte memory marker for cross-reboot idempotence. Companion to the incident writeup.

Read →
Security
May 12, 2026
14 min read

The cutest trap on the internet: weaponizing Google's child-safety system as a kill switch

A fake Minecraft launcher infected my friend α's machine on a Tuesday evening. By morning, an operator had used the stolen access to upload triggering content to α's Google account, log out, and let the platform's own automated child-safety detector erase the witness. The malware is the carrier; the kill switch is the story. The technical reverse-engineering lives in the companion post.

Read →