Pwning Malware with Ninjas and Unicorns
During a DFIR engagement, LevelBlue was asked to assist with reverse engineering a Linux malware sample detected in a client’s environment. After reverse engineering most of the sample, I wanted to create tooling to easily decrypt its command-and-control (C2) traffic. This post covers part of the methodology used for reversing the related routines, as well as the tool created to decrypt the C2 traffic.