Malware Analyst.

A specialist who reverse-engineers malicious binaries — static and dynamic — to extract indicators, characterize capabilities, attribute to threat groups, and produce detection content for SIEM/EDR coverage. 它属于网络安全的 角色与职业 分类。

A specialist who reverse-engineers malicious binaries — static and dynamic — to extract indicators, characterize capabilities, attribute to threat groups, and produce detection content for SIEM/EDR coverage.

A malware analyst (also called reverse engineer or threat analyst, depending on the org) is the practitioner who takes a captured binary, document, or implant and tears it apart to answer: what does it do, who wrote it, how do we detect and stop it, and what does the broader campaign look like. Workflow typically begins with safe acquisition, then triage in a sandbox (ANY.RUN, Joe Sandbox, Cuckoo/Cape, MalwareBazaar) for behavioural signatures, followed by static analysis with IDA Pro, Ghidra, Binary Ninja, or Cutter for x86/ARM, jadx/dex2jar for Android, Hopper or Ghidra for macOS, dnSpy for .NET, and Hindsight/MSI tooling for installers. Dynamic analysis pairs a debugger (x64dbg, WinDbg, lldb, gdb) with sandboxed live execution. Outputs include YARA rules, Sigma rules, IOCs, attribution clues (PDB strings, language, code reuse), capability matrices, and written reports for CTI consumers. Many malware analysts also operate as 'threat intelligence' or 'threat research' staff, feeding the broader defender community through blog posts, conference talks, and vendor research feeds. Certifications often associated: GIAC GREM, SANS FOR-610, eLearnSecurity eCRE, plus Offensive Security and TCM Security RE courses.

针对 Malware Analyst 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: Reverse engineer, Threat research analyst。