Maldev Academy Review
2 years after starting, some false starts, and some requisite learning completed, I finally wrapped up Maldev Academy.
This past week I finally wrapped up something I started 2 years ago: Maldev Academy's Malware Development course! Long-time readers know that I first dipped my toes in malware development shortly after finishing Zero Point Security's CRTO certification, through the SEKTOR7 Institute's Maldev Essentials course (if you want to read more about my experience with it, you can do so here). I felt like I had learned a lot in that course, but what I actually learned was that I was at the initial peak of the Dunning-Kruger hill. I just didn't know it at the time.
Ethics Disclaimer
Like any review I post, I want to level set and provide you with some context. I purchased this course in October 2023. At the time, Maldev Academy offered 3 tiers of course access: a 90-day plan for $250, a 180-day plan for $350, or a lifetime plan for $500. I paid for the lifetime plan out of pocket after trying to petition my (at the time) employer to take it as workplace-sponsored training before my proposal was tabled indefinitely. Fast forward to 2025, and I started working at SpecterOps in April. My manager and I placed completing the course as a development goal for this year.
What is Maldev Academy anyways?
Maldev Academy is a modular, text-based course that steps you through the process of creating a Windows payload loader, while highlighting problems malware developers run into and showing you multiple ways these problems can be solved. There are 91 modules in the course, and they are of roughly similar length, with some exceptions. This is also a Windows-focused class. Sorry, Linux folks, you'll have to sit this one out. The course is primarily taught with C and the Win32 API; however, it does have code you can download in both C and Rust. I didn't touch any of the Rust content in the Academy. The course starts with a high-level "What is malware?", before going over the following in roughly this order:
- A primer on Windows internals
- Basic loader architecture
- Payload encryption and obfuscation
- AV Detection methods
- Many, many payload execution methods
- IoC spoofing
- Import Address Table Obfuscation
- WinAPI Hooking
- Syscalls (direct and indirect)
- Anti-analysis techniques
- WinAPI unhooking
The complete list is available in their syllabus. The wild part to me is that's just the initial content. As of publication, there have been 20 content updates since the course was released 2 years ago. Maldev Academy calls these "New Modules". There are 82 new modules so far, and they focus on a specific topic such as dumping LSASS, keylogging, ETW, dumping SAM, and more. There are a few which also add loader content, but the majority introduce new concepts. This review only consists of my thoughts on the original 91 modules, as I have not worked on the 82 new modules yet. Another thing to keep in mind is that when I purchased this course in 2023, if you did not have the $500 lifetime plan, the new content was not available. Nowadays, in 2025, there are only 2 plans: a $500 lifetime option and a $700 course plus malware database option. You can also add the malware database afterwards for an additional $250, so purchasing the bundle saves you $50.
False Starts
I intended to finish Maldev Academy a long time ago, but for a variety of reasons professional development was weird for a few years. There were also a few instances where I bit off more than I could chew, and this was one of them. I started working on Maldev Academy armed only with the knowledge of C I got from "Learn C the Hard Way" by Zed Shaw, and SEKTOR7's Maldev Essentials course. Both times the wheels fell off the cart pretty early on, around 10 modules in. This was fairly disheartening, as I didn't have a great idea of what I needed to learn to bridge the gaps. This is why Maldev Academy was left on the back burner for so long. Now that I'd make use of its content, and because I had a goal to achieve, it was time to really sink my teeth into things and get it done.
Setting Up the Pieces
Things changed in April 2025 when I started working for SpecterOps. The reason I mention this again is because when we have new consultants come in, we have required and recommended training for them to take. I came in at the Associate level, so I have quite the laundry list to cover. This is great! While working on this list, there were a series of courses that I took that gave me the tools I needed to start successfully working on Maldev Academy again. Those courses were the Windows Internals classes from Pavel Yosifovich. I took them on Pluralsight; however, they are also available on his own training website, Trainsec. I am not aware of any significant differences between the content; however, Pluralsight is cheaper, especially if you do the month-to-month subscription and grind the courses quickly. The reason I didn't post a review on the Windows Internals courses comes mostly down to other demands on my time and the lack of competition. There really aren't many other ways to learn this stuff other than buying the Windows Internals book, which Pavel also helped write, but it reads like a textbook. Pavel has insights that just aren't anywhere else.
The reason I harped on the Windows Internals courses this long is simple. I think taking them should be considered mandatory learning to understand what's going on in Maldev Academy. Maldev Academy covers some aspects of Windows Internals, but frankly it wasn't enough for me to go and work on it directly. Taking these classes from Pavel provided me the tools I needed to understand what the Academy was teaching me.
It Finally Clicked
Armed with my newfound understanding of what makes Windows tick, I started work on Maldev Academy again in late summer, shortly before PancakesCon 6. I lost a few weeks of work time due to preparing for my PancakesCon talk and writing the accompanying blog posts, but once those were completed I was back in the groove and working on Maldev Academy again. I was initially working on a few modules a week and completing every learning goal as I went. The fall tends to be my busiest time of year, so once I got past all that, I was keeping a pace of about 1-2 modules a day, while completing all the learning goals in each module. This would not have been sustainable for very long, and therefore I want to caution against going at that pace. I had a deadline to hit, and I was going to hit it.
Most of the content showcased both documented and undocumented Windows APIs and how you can abuse them to do something nefarious. A good example here is payload execution. There are 15 modules that, in some way or another, showcase different payload execution methods, including local (same process), remote (different process, same computer), various injection methods such as APC Injection, Mapping Injection, Thread Hijacking, Function Stomping, and so much more. All of these utilize legitimate Windows features in malicious ways.
Another course highlight is how it tackles endpoint security evasion. Maldev Academy considers evasion and OPSEC throughout many of the modules; however, there are 2 big pushes alongside a bunch of smaller tidbits sprinkled throughout the course. The first big evasion push comes right after finishing up the modules on payload encryption and obfuscation. It seems like the course authors wanted a Defender bypass pretty early so students wouldn't have to worry about having their samples caught and deleted all the time. Early modules show how the basic msfvenom payloads created up until that point can be encrypted or obfuscated to evade Defender, then showcase how it's done by making you implement them manually before providing some tooling to make it easier to do.
The second major evasion push comes around Module 58, when the course introduces Windows API Hooking. API Hooking is a major source of telemetry for EDRs, so Maldev Academy shows a few ways hooking can be performed before going on a long series of modules showcasing ways to avoid hooks. I appreciate how they go about it too, because they highlight the cat-and-mouse game that's been taking place over the years. They showcase a hook evasion method, then explain new detections that EDR vendors came up with to catch the evasive payloads, before showcasing the next evolution in tradecraft to get around the new detections. I love this approach. It shows not just the concept, but why it was done, how it was defeated, and how the new implementation is better. I'm huge on providing context when I am teaching and mentoring, so I love that this was a focus for the course.
There are so many other little gems that I enjoyed. They showcase re-implementations of certain Windows API features in native C code, which leads to some interesting reductions of IoCs that I wouldn't have thought of, let alone implemented on my own. The Academy also showcases tons of community resources, so once you finish it, you have other places you can jump off to research and continue learning. I plan to take some of the lessons learned in the anti-analysis modules in particular and apply them to some stuff I have planned for CCDC; the same goes for the IAT-hiding modules. I can also see where the course content can quickly become applicable in my day job, which is always a bonus.
Overall, the course is excellent. The private Discord server you can access for taking the course is also excellent. I would highly recommend Maldev Academy to a budding red teamer like myself, provided you've done your homework on C and have a good understanding of Windows Internals. I feel like this class is an incredible foundation for me to push myself to a higher level of operational effectiveness. If you're a developer already, or have a developer background, this should be a very easy jump for you comparatively. There could be some red team terminology that you might need help with, but it's fairly minimal. This course is definitely designed around taking red teamers and turning them into developers rather than the other way around. For me, this was exactly what I needed. It allows me to better understand what the tools I'm running are actually doing under the hood and enables me to make better risk calculations when trying to remain undetected in an assessment. I am a huge fan, and I'm strongly considering getting the phishing course next. Well done, Maldev Academy Team!