Walmart Global Tech uses Claude.ai Sonnet 4.6 to reverse engineer backdoor malware DGA
A backdoor malware payload named 'tracker' was being actively delivered to several machines and contained a Domain Generation Algorithm (DGA) that needed to be reverse engineered to understand its C2 infrastructure.
How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases and not tied to any one vendor's stack. Specific products that implement these stages appear under "Tools used" below.
Stage 1 · DGA routine submitted to Claude
The researcher provides Claude with the main DGA routine and progressively adds supporting subroutines as the session continues.
Tools used
Claude.ai Sonnet 4.6
Outcome
Claude, guided iteratively by the researcher, successfully reverse engineered the malware DGA, identified and corrected bugs including an edge-case issue, and produced Python code that correctly simulated its domain generation.
What failed first
The initial Python code generated by Claude to simulate the DGA contained bugs and did not produce the same domains as the malware.
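The check that Stage 1 and "What failed first" describe, a Python re-implementation validated against the malware's real output, as an added example that is not code from the writeup and not the 'tracker' sample's algorithm. The DGA below is a constructed toy (a signed 32-bit LCG seeded from the date); the "observed" domains are produced by the faithful emulation in this file rather than captured from traffic; and the edge case it demonstrates, C's truncated `%` on negative int32 values versus Python's floored `%`, is an assumed bug class chosen for illustration, not the one the writeup reports. All names and constants are hypothetical.

```python
"""Differential check of a Python DGA re-implementation against observed domains.

Constructed example: toy DGA, constructed constants, constructed observations.
"""
import datetime

INT32_MIN = -(1 << 31)
MASK32 = (1 << 32) - 1
LCG_A, LCG_C = 0x41C64E6D, 0x3039            # constructed LCG constants
TLDS = ("com", "net", "org")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
EXAMPLE_DAY = datetime.date(2025, 1, 1)      # constructed seed date


def to_i32(x: int) -> int:
    """Wrap an unbounded Python int to a two's-complement signed 32-bit value."""
    return ((x - INT32_MIN) & MASK32) + INT32_MIN


def c_mod(a: int, n: int) -> int:
    """C semantics for a % n: the result takes the sign of the dividend."""
    r = abs(a) % n
    return -r if a < 0 else r


def step_i32(state: int) -> int:
    """One LCG step with native int32 overflow behaviour."""
    return to_i32(state * LCG_A + LCG_C)


def seed_for(day: datetime.date) -> int:
    """Date-derived seed, YYYYMMDD as an integer (fits in int32)."""
    return day.year * 10000 + day.month * 100 + day.day


def generate(day: datetime.date, count: int, mod) -> list:
    """Run the toy DGA; `mod` is whichever modulo operator the port chose."""
    state = seed_for(day)
    domains = []
    for _ in range(count):
        state = step_i32(state)
        length = 10 + abs(mod(state, 5))         # 10..14 characters
        name = []
        for _ in range(length):
            state = step_i32(state)
            name.append(ALPHABET[abs(mod(state, 26))])
        state = step_i32(state)
        domains.append("".join(name) + "." + TLDS[abs(mod(state, 3))])
    return domains


def reference_domains(day: datetime.date, count: int) -> list:
    """Faithful emulation of the (constructed) native code: C-style modulo."""
    return generate(day, count, c_mod)


def buggy_port(day: datetime.date, count: int) -> list:
    """First-draft port that used Python's %, so it diverges once a state goes negative."""
    return generate(day, count, lambda a, n: a % n)


def find_mismatches(observed: list, simulated: list) -> list:
    """Index-aligned diff: (position, observed, simulated) for every disagreement."""
    out = [(i, o, s) for i, (o, s) in enumerate(zip(observed, simulated)) if o != s]
    if len(observed) != len(simulated):
        out.append((min(len(observed), len(simulated)), "<length>", "<length>"))
    return out


def first_divergent_day(start: datetime.date, days: int, count: int = 5):
    """Sweep seeds: the bug only shows on days whose states go negative."""
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        if find_mismatches(reference_domains(day, count), buggy_port(day, count)):
            return day
    return None


if __name__ == "__main__":
    observed = reference_domains(EXAMPLE_DAY, 3)   # stands in for sandbox DNS captures
    for m in find_mismatches(observed, buggy_port(EXAMPLE_DAY, 3)):
        print("mismatch", m)
    print("first divergent day:", first_divergent_day(EXAMPLE_DAY, 366))
```

The point of the sweep is that a port can agree with the sample for the seed you happened to test and still be wrong: check the simulator across a range of seeds (dates, counters) and against every domain captured from the sandbox, not just the first few, before trusting it to predict C2 infrastructure.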
Results
Volume: aligned correctly with the desired output
Grounding & classification
Source type: technical build writeup
11 fields verified against source quotes.
Tags: code generation, failure mode described, human review described, source backed, tools described, workflow described, retail, accuracy improvement, technical build writeup, ai draft human approval