Workflow · Production

Walmart Global Tech uses Claude.ai Sonnet 4.6 to reverse engineer backdoor malware DGA

The problem

A backdoor malware payload named 'tracker' was being actively delivered to several machines and contained a Domain Generation Algorithm that needed to be reverse engineered to understand its C2 infrastructure.

First attempt

The initial Python code generated by Claude to simulate the DGA contained bugs and did not produce the same domains as the malware.

Workflow diagram · grounded in source
1
DGA routine submitted to Claude
trigger
“My approach was to provide Claude with the main DGA routine of sub_140006F10 and then provide sub routines and supporting functions as the session went on”
2
Claude identifies DGA pattern
ai_action
“Right off the bat it was able to identify this was a routine that was generating strings based on a list of tokens, even determining this was probably a DGA”
3
Initial Python implementation generated
ai_action
“Once it had produced an initial implementation, I supplied known-good output samples, allowing it to identify and correct its own mistakes”
4
Researcher provides validation samples
human_review
“I provided the first three expected domains generated by the sample and informed the AI that its implementation contained a bug”
5
Claude corrects implementation bugs
ai_action
“Not only did it discover the bug to let it generate the domains correctly but it also discovered another bug that had to do with edge cases”
6
Correct Python code produced
output
“The final generated python code aligned correctly with the desired output”
Reported outcome

Claude, guided iteratively by the researcher, successfully reverse engineered the malware DGA, identified and corrected bugs including an edge-case issue, and produced Python code that correctly simulated its domain generation.

Reported metrics
DGA reverse engineering outcomeautomatically reverse engineer the DGA used in the backdoor malware and provide working python code to simulate it
Implementation accuracyaligned correctly with the desired output
Reported stack
Claude.ai Sonnet 4.6
Source
https://medium.com/walmartglobaltech/metastealer-traffic-new-dgas-and-analyzing-the-tracker-backdoor-dga-with-ai-96ea63dc7c01
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Claude, guided iteratively by the researcher, successfully reverse engineered the malware DGA, identified and corrected bugs including an edge-case issue, and produced Python code that correctly simulated its domain g…

What tools did this team use?

Claude.ai Sonnet 4.6.

What results were reported?

DGA reverse engineering outcome: automatically reverse engineer the DGA used in the backdoor malware and provide working python code to simulate it; Implementation accuracy: aligned correctly with the desired output (source-reported, not independently verified).

What failed first in this deployment?

The initial Python code generated by Claude to simulate the DGA contained bugs and did not produce the same domains as the malware.

How is this workflow AI workflow structured?

DGA routine submitted to Claude → Claude identifies DGA pattern → Initial Python implementation generated → Researcher provides validation samples → Claude corrects implementation bugs → Correct Python code produced.