
Walmart Global Tech uses Claude.ai Sonnet 4.6 to reverse engineer backdoor malware DGA

A backdoor malware payload named 'tracker' was being actively delivered to several machines and contained a Domain Generation Algorithm (DGA) that had to be reverse engineered to understand its command-and-control (C2) infrastructure.

How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases and not tied to any one vendor's stack.
Stage 1 · DGA routine submitted to Claude
The researcher provides Claude with the main DGA routine and progressively adds supporting subroutines as the session continues.
Tools used
Claude.ai Sonnet 4.6
Outcome

Claude, guided iteratively by the researcher, successfully reverse engineered the malware DGA, identified and corrected bugs including an edge-case issue, and produced Python code that correctly simulated its domain generation.

What failed first

The initial Python code generated by Claude to simulate the DGA contained bugs and did not produce the same domains as the malware.

Results
Volume: aligned correctly with the desired output
Source

https://medium.com/walmartglobaltech/metastealer-traffic-new-dgas-and-analyzing-the-tracker-backdoor-dga-with-ai-96ea63dc7c01


Grounding & classification
Source type: technical build writeup
11 fields verified against source quotes.
Tags: code generation, failure mode described, human review described, source backed, tools described, workflow described, retail, accuracy improvement, technical build writeup, AI draft human approval