{"id":35547,"date":"2014-05-21T12:31:03","date_gmt":"2014-05-21T19:31:03","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=35547"},"modified":"2025-06-02T01:34:45","modified_gmt":"2025-06-02T08:34:45","slug":"iranian-keylogger-marmoolak-enters-via-backdoor","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/","title":{"rendered":"Iranian Keylogger Marmoolak Enters via Backdoor"},"content":{"rendered":"<p>Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by Lockheed Martin:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\" rel=\"attachment wp-att-35562\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-35562\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\" alt=\"Marmoolak 1\" width=\"585\" height=\"123\" \/><\/a><\/p>\n<p>As part of the weaponizing phase, attackers often put a payload into a file that, once installed, will connect to the attacker in the C2 (command and control) phase. A keylogger is a very common payload in password-stealing malware. The purpose of keylogging is to capture the users\u2019 keystrokes, and gather credentials and links to internal and external resources. 
The stolen credentials can later be used to weaponize another file or serve as part of the actions phase of the APT kill chain.<\/p>\n<p>One example we recently ran into is the malware Marmoolak, an Iranian keylogger with the MD5 F09D2C65F0B6AD55593405A5FD3A7D91.<\/p>\n<p>We traced the first appearance of this keylogger to a Middle-East forum:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-2.png\" rel=\"attachment wp-att-35561\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-35561\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-2.png\" alt=\"Marmoolak 2\" width=\"577\" height=\"210\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-2.png 577w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-2-300x109.png 300w\" sizes=\"auto, (max-width: 577px) 100vw, 577px\" \/><\/a><\/p>\n<p>Although some keyloggers may capture keystrokes for legitimate purposes, this one misleads its victims by including a hidden payload. We believe that by placing this keylogger on this forum, the developer intended to attack other members of the forum, a popular tactic in that region.<\/p>\n<p>To prevent detection, malware authors often use cheap and easy packers, which modify the malware with a runtime compression or encryption program. In this case the files were hidden by a modified version of the well-known packer UPX.<\/p>\n<p>On execution, the file adds a copy of itself into the System32 folder as Mcsng.exe. 
The malware also launches a process that drops and writes the file 1stmp.sys in the %system32%\\config folder:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-3.png\" rel=\"attachment wp-att-35560\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-35560\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-3.png\" alt=\"Marmoolak 3\" width=\"411\" height=\"182\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-3.png 411w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-3-300x132.png 300w\" sizes=\"auto, (max-width: 411px) 100vw, 411px\" \/><\/a><\/p>\n<p>Although the file extension suggests it is a .sys (system) file, it is not. Its purpose is to function as a log file that contains the encrypted keystrokes of the user. Every time a key is pressed, the process records the keystroke, encrypts it and\u00a0appends it to 1stmp.sys. The next screen shows a section of encrypted strings:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-4.png\" rel=\"attachment wp-att-35559\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-35559\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-4.png\" alt=\"Marmoolak 4\" width=\"483\" height=\"237\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-4.png 483w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-4-300x147.png 300w\" sizes=\"auto, (max-width: 483px) 100vw, 483px\" \/><\/a><\/p>\n<p>Although the encryption algorithm is simple, it uses \u201cselective encryption,\u201d with two techniques: Each byte is encrypted by technique 1 if it is odd and technique 2 if it is even. 
Here is an example of a log after decryption:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-5.png\" rel=\"attachment wp-att-35558\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-35558\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-5.png\" alt=\"Marmoolak 5\" width=\"415\" height=\"63\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-5.png 415w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-5-300x45.png 300w\" sizes=\"auto, (max-width: 415px) 100vw, 415px\" \/><\/a><\/p>\n<p>After decrypting we can see not only keystrokes, but also the time stamps when they were logged. After the keystrokes are logged and encrypted, the malware mails its content to its author. The malware also sends computer name and user name data to its master.<\/p>\n<p>After cleaning up the standard Visual Basic obfuscation we can see the malware uses Sendmail:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-6.png\" rel=\"attachment wp-att-35557\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-35557\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-6.png\" alt=\"Marmoolak 6\" width=\"490\" height=\"37\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-6.png 490w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-6-300x22.png 300w\" sizes=\"auto, (max-width: 490px) 100vw, 490px\" \/><\/a><\/p>\n<p>In this case the encrypted log is sent to the email address Marmoolak@red-move.tk. This address is hosted on a domain that is very popular in Iran for hosting malware. 
The McAfee Labs reputation engine has flagged this domain as malicious: <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/threat-intelligence.domaintc.html?vid=red-move.tk\">https:\/\/www.mcafee.com\/enterprise\/en-us\/threat-intelligence.domaintc.html?vid=red-move.tk<\/a><\/p>\n<p>After deobfuscation,\u00a0we observed strings in Persian that contain the word <i>marmoolak,<\/i> a frequent derogatory term in Persian to describe their Arabic neighbors.<\/p>\n<h2>Final Reminders<\/h2>\n<p>McAfee detects this Trojan keylogger and its variants as Keylog-FAG! To avoid infection from this and other keyloggers, keep your antivirus system updated and do not download content from untrusted sources. Be especially careful of hacker forums. Some members pretend to be helpful and offer their tools. However, these tools are often backdoor malware and exist solely to access systems and abuse them for various malicious ends.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by&#8230;<\/p>\n","protected":false},"author":653,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1411,1814,3952,180],"coauthors":[3576],"class_list":["post-35547","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-advanced-persistent-threats","tag-computer-security","tag-internet-security","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Iranian Keylogger Marmoolak Enters via Backdoor | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Targeted attacks have several stages, sometimes called the APT kill chain. 
At McAfee Labs we prefer the model described by Lockheed Martin: As part of the\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Iranian Keylogger Marmoolak Enters via Backdoor | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by Lockheed Martin: As part of the\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2014-05-21T19:31:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-02T08:34:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"585\" \/>\n\t<meta property=\"og:image:height\" content=\"93\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ChristiaanBeek\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/\"},\"author\":{\"name\":\"Christiaan Beek\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79\"},\"headline\":\"Iranian Keylogger Marmoolak Enters via Backdoor\",\"datePublished\":\"2014-05-21T19:31:03+00:00\",\"dateModified\":\"2025-06-02T08:34:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/\"},\"wordCount\":571,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\",\"keywords\":[\"advanced persistent threats\",\"computer security\",\"internet security\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/\",\"name\":\"Iranian Keylogger Marmoolak Enters via Backdoor | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\",\"datePublished\":\"2014-05-21T19:31:03+00:00\",\"dateModified\":\"2025-06-02T08:34:45+00:00\",\"description\":\"Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by Lockheed Martin: As part of the\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Marmoolak-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/iranian-keylogger-marmoolak-enters-via-backdoor\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Iranian Keylogger Marmoolak Enters via Backdoor\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/b5594548f9e30297ea54990aff356e79\",\"name\":\"Christiaan 
Beek\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/09179574bcf76b6304ed08e621f59379\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-96x96.png\",\"caption\":\"Christiaan Beek\"},\"description\":\"Christiaan Beek is the Lead Scientist &amp; Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and collaborate to make the (cyber) world safer and a better place. In previous roles, Beek was Director of Threat Intelligence in McAfee Labs and Director of Incident Response and Forensics at Foundstone, McAfee\u2019s forensic services arm. At Foundstone, he led a team of forensic specialists in Europe, the Middle East, and Africa during major breaches. Beek develops threat intelligence strategy, designs and envision threat intelligence systems and new research techniques. Christiaan speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides contributed to the best-selling security book \\\"Hacking Exposed\\\", he wrote a comic book about Ransomware, is a contributor to the MITRE ATT&amp;CK framework and holds multiple patents.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/christiaanbeek\/\",\"https:\/\/x.com\/ChristiaanBeek\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/christiaan-beek\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->",
"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/35547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/653"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=35547"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/35547\/revisions"}],"predecessor-version":[{"id":214827,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/35547\/revisions\/214827"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=35547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=35547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=35547"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=35547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}