ScatterBrain: Unmasking the shadow of PoisonPlug's obfuscator (cloud.google.com)
ycombiredd 54 minutes ago [-]
They mention that they do not have access to the threat actor’s obfuscating compiler itself, but while reading the analysis it occurs to me that, given they have released a purpose-built deobfuscator, they could certainly develop a ScatterBrain-like compiler, and then I wonder if doing so might enable creation of useful heuristics that might reveal the quiet existence of the ScatterBrain compiler in some sample, archive, darknet tools repo, compromised host, torrent, etc.

Just as they have supplied IOCs, perhaps they could provide reasonable signatures or heuristic rules that scanners in various places might ingest and apply that might allow for the discovery of some latent copy of the compiler itself, which could be useful in and of itself, as well as for all of the possible breadcrumbs and inferences that could be made based on where/when it was spotted, if it was.

tux3 12 hours ago [-]
The source for the de-obfuscator: https://github.com/mandiant/poisonplug-scatterbrain
ur-whale 29 minutes ago [-]
I'd be curious to see how obfuscated code produced like this fares when analyzed with ghidra augmented with AI plugins.

Also, I'm surprised there seems to be no mention in the article of why standard decompilation techniques fail (I might have missed it).

ElectRabbit 13 hours ago [-]
This is the result when an elite attacker meets an elite analyst group.

That's some very heavy stuff.

gcorre01 12 hours ago [-]
This is very cool. Can someone help me understand the behind the scenes, what’s their strategy? Their motivations? Are they targeting specific industries or nations for a reason?
RachelF 10 hours ago [-]
Yes, this is an interesting question. Are they just trying to hide from anti-virus signatures, or are they hiding code they perceive as valuable?
bredren 11 hours ago [-]
Is it correct to presume that the obfuscated samples might be hard to come by for the average interested viewer?
bflesch 9 hours ago [-]
You can search open threat exchange for files tagged with "scatterbrain" and it will give you various hashes: https://otx.alienvault.com/browse/global/indicators?q=scatte...

You can then use the hashes with platforms like virustotal to download some samples.

zb3 11 hours ago [-]
Given that this was made by a nation-state attacker I'd expect something more sophisticated than the pairipcore VM.

So, still waiting for full pairipcore (the newer one) writeup.
