They mention that they do not have access to the threat actor's obfuscating compiler itself, but while reading the analysis it occurs to me that, given they have released a purpose-built deobfuscator, they could certainly *develop* a ScatterBrain-like compiler, and then I wonder if doing so might enable creation of useful heuristics that might reveal the quiet existence of the ScatterBrain compiler in some sample, archive, darknet tools repo, compromised host, torrent, etc.

Just as they have supplied IOCs, perhaps they could provide reasonable signatures or heuristic rules that scanners in various places might ingest and apply, which might allow for the discovery of some latent copy of the compiler itself. That could be useful in and of itself, as well as for all of the possible breadcrumbs and inferences that could be made based on where/when it was spotted, if it was.