Aleksandr Matrosov


Security Intelligence Team Lead


Education: Master of Information Security (2007), National Nuclear Research University "MEPHI"; Bachelor of Electronics (2001), Moscow College of Management and New Technologies

Highlights of your career? I have more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. Worked as a security researcher since 2003 for major Russian IT companies. Frequently invited to speak at major security conferences with hardcore technical stuff.

Position and history at ESET? I joined the company in October 2009 as a Senior Malware Researcher and am currently working as Security Intelligence Team Lead. My team researches the most complex threats.

What malware do you hate the most? Stuxnet and Flame families for tons of C++ code.

Favorite activities? Reverse engineering, automation of RE processes and research in modern exploitation techniques.

What is your golden rule for cyberspace? Don't trust anybody, because you don't know who is really sitting on the other side of the communication channel, and bad guys can play with your trust.

When did you get your first computer and what kind was it? My first experience with personal computers was with a ZX Spectrum in 1992. My first PC with i486DX4 on the board was purchased in 1995.

Favorite computer game/activity? I like cyberpunk computer game series such as System Shock and Deus Ex. But lately my favorite computer game has been the IDA Pro disassembler ;)


26 articles by Aleksandr Matrosov

ESET research

The Powerloader 64-bit update based on leaked exploits

A few months ago on this blog I described PowerLoader functionality - including an interesting way for privilege escalation into the explorer.exe system process. The leaked PowerLoader code is also used in other malware families.

Aleksandr Matrosov, 27 Aug 2013, 6 min. read


ESET research

Avatar rootkit: the continuing saga

In this blog post we confirm that the Avatar rootkit continues to thrive in the wild, and disclose some new information about its kernel-mode self-defense tricks. We continue our research into this malware family.

Aleksandr Matrosov and Anton Cherepanov, 21 Aug 2013, 6 min. read


The rise of TOR-based botnets

Aleksandr Matrosov, 24 Jul 2013, 6 min. read


ESET research

Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication

The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and a SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.

Aleksandr Matrosov and Anton Cherepanov, 01 May 2013, 9 min. read


ESET research

Is Gapz the most complex bootkit yet?

Introducing a detailed analysis of Win32/Gapz malware in a new white paper titled: Mind the Gapz: The most complex bootkit ever analyzed?

Aleksandr Matrosov, 08 Apr 2013, 3 min. read


ESET research

Carberp: the never ending story

Aleksandr Matrosov reveals changes in banking Trojan Carberp relating to Java/Spy.Banker (AgentX.jar) and gaining remote access using legitimate software as backdoor components.

Aleksandr Matrosov, 25 Mar 2013, 4 min. read


ESET research

Gapz and Redyms droppers based on Power Loader code

Technical analysis of Power Loader, a special bot builder for making downloaders for other malware families and yet another example of specialization and modularity in malware production.

Aleksandr Matrosov, 19 Mar 2013, 2 min. read


ESET research

How Theola malware uses a Chrome plugin for banking fraud

A deep dive into Win32/Theola, one of the most malicious components of the notorious bootkit family, Win32/Mebroot.FX. Theola uses malicious Chrome browser plugins to steal money.

Aleksandr Matrosov, 13 Mar 2013, 3 min. read


ESET research

Caphaw attacking major European banks using webinject plugin

Analysis of malicious code dubbed Win32/Caphaw (a.k.a. Shylock) attacking major European banks, with the ability to automatically steal money while the user is actively accessing their banking account.

Aleksandr Matrosov, 25 Feb 2013, 6 min. read