Use this skill when analyzing stripped, packed, or statically linked Go malware or suspicious Go binaries and the goal is to recover build metadata, separate user logic from runtime noise, map packages and goroutine behavior, extract high-signal evidence, and produce defensible capability and next-step assessments. Use when the workflow should combine fast CLI triage (file, sha256, binwalk, strings, go version -m) with concrete `ida-pro-mcp` steps (`decompile`, `xrefs_to`, `find_regex`, `export_funcs`) or AI-assisted structured survey before deep reversing. Trigger on Go malware behavior reconstruction, goroutine-heavy samples, dispatcher or C2 handler hunting, or when symbol recovery is already done and analyst focus shifts to capabilities.
2026-04-10
reverse-golang-symbol-recovery
Use this skill when stripped, packed, or poorly labeled Go binaries need function names, package paths, build metadata, source layout clues, types, or interfaces recovered from build info, pclntab, moduledata, typelinks, or tool-specific metadata before deeper malware analysis. Use when triaging with binwalk/strings/go version -m/GoReSym/redress, when IDA or Ghidra shows too few strings versus strings(1), or when preparing concrete `ida-pro-mcp` rename and xref workflows for pclntab-anchored recovery.
2026-04-10
Use this skill whenever an `ida-pro-mcp` server is connected and you need to drive IDA Pro efficiently for reverse engineering — structured "survey this binary" first passes, progressive deepening from big-picture to dispatcher-level detail, ready-to-paste `py_eval` helpers for `.rodata` string recovery, panic-path extraction, and pclntab discovery, and disciplined rules for when to `decompile`, `xrefs_to`, `find_regex`, `rename`, and `set_type`. Trigger on any task involving IDA MCP, IDA Pro workflows, stripped binary analysis when the disassembler is connected, or when an analyst asks Claude to "look at this IDB", "survey this binary", "find the dispatcher", or "recover symbols" with an IDA backend available. Complements `reverse-malware-triage`, `reverse-rust-malware`, `reverse-golang-symbol-recovery`, and `reverse-golang-malware`.
2026-04-10
reverse-botnet-dismantling
Use this skill when reverse-engineering, sandbox, or threat-intel work has already reconstructed a malware or botnet control plane and the goal is to turn that evidence into ranked disruption, containment, sinkhole, monitoring, and coordination options without overstating what is actually feasible.
2026-04-09
reverse-operator-attribution
Use this skill when reverse-engineering, sandbox, or threat-intel evidence exposes build paths, usernames, typo fingerprints, version windows, cloud relays, wallets, contracts, peer infrastructure, or other operator traces and the goal is to pivot from malware artifacts to a defensible developer or operator attribution model with prioritized investigative actions.
2026-04-09