Traces how a browser or plugin bug turned a page visit into code execution: the redirect chain, landing-page fingerprinting, the Flash and Java exploit-kit economy of 2010-2016, and the decline as browsers and Adobe killed the attack surface.
A primary-source history of the exploit-kit era: the fingerprint-then-exploit flow, the rental economy behind Angler, Nuclear, RIG and Magnitude, the 2016 Angler takedown, and the collapse that followed Flash's death.
How traffic distribution systems gate and route victims through the malvertising chain: Keitaro-style filtering, server- and client-side cloaking, malicious ad injection, and the fingerprinting that hides payloads from researchers.
A reference on how malware fingerprints its runtime to decide whether it's being analyzed: CPUID and RDTSC timing, VM artifacts, mouse geometry, uptime, and sandbox hostnames, and why it stays dormant when the signals line up.
How malware generates thousands of pseudo-random rendezvous domains from a shared seed, traced from Kraken and Conficker through Torpig and GameOver Zeus, and how defenders sinkhole and classify them.
How fast flux rotates A and NS records over a bot proxy layer to hide C2 and phishing infrastructure, the flux-score and TTL signals that detect it, and what the 2025 CISA advisory adds.
Traces the anti-analysis layer inside modern phishing kits: how IP, user-agent, and referrer checks serve a benign decoy to scanners while showing the credential form to victims, the anti-bot-as-a-service market, and how anti-phishing crawlers crawl back.
Traces the 2024-2025 ClickFix and fake-CAPTCHA wave: how attackers dress malware delivery in Cloudflare and reCAPTCHA UX, push commands through the clipboard, and gate payloads so automated analysis sees nothing.
A primary-source history of the botnet, from 1990s IRC bots and the EarthLink Spammer through Storm, Conficker, Zeus, Mirai's IoT swarm, and the residential-proxy networks that now launder scraping and fraud.