<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Deobfuscation Lab on Matt Swann — Detection Engineering &amp; Threat Intel</title><link>http://mattswann.dev/series/deobfuscation-lab/</link><description>Recent content in Deobfuscation Lab on Matt Swann — Detection Engineering &amp; Threat Intel</description><image><title>Matt Swann — Detection Engineering &amp; Threat Intel</title><url>http://mattswann.dev/og-image.png</url><link>http://mattswann.dev/og-image.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 12 Feb 2026 23:26:36 -0700</lastBuildDate><atom:link href="http://mattswann.dev/series/deobfuscation-lab/index.xml" rel="self" type="application/rss+xml"/><item><title>AppDomainManager Injection — Bend .NET Assemblies to Your Will</title><link>http://mattswann.dev/posts/appdomainmanager-injection/</link><pubDate>Thu, 12 Feb 2026 23:26:36 -0700</pubDate><guid>http://mattswann.dev/posts/appdomainmanager-injection/</guid><description>A deep dive into AppDomainManager injection (T1574.014): how attackers use .NET&amp;rsquo;s own extensibility model to proxy execution of malicious assemblies through legitimate signed binaries, and what defenders can — and can&amp;rsquo;t — do about it.</description></item><item><title>Advent of Cyber 2025 Day 21 — Malware Analysis Bonus Challenge</title><link>http://mattswann.dev/posts/advent-of-cyber-2025-day21-bonus/</link><pubDate>Sun, 21 Dec 2025 23:39:55 -0700</pubDate><guid>http://mattswann.dev/posts/advent-of-cyber-2025-day21-bonus/</guid><description>A walkthrough of the TryHackMe Advent of Cyber 2025 Day 21 bonus challenge: peeling back a multi-layer HTA payload through VBScript analysis, Base64 decoding, and XOR decryption to uncover a hidden PNG.</description></item></channel></rss>