I’m Vitalii Zaiats — a security engineer based in Ukraine, working at the seam between network fingerprinting, malware analysis, and threat intelligence.
Most of what I do starts from the same instinct: the top layer of a system is the one an attacker controls, and it’s usually lying. The layers underneath — the TCP stack, the TLS handshake, the shape of a flow, the native code inside an app — tend to tell the truth. This blog is where I write those investigations up, including the parts where I was wrong.
What I work with
- Reverse engineering — Android APK triage, Go/native
.soanalysis, custom C2 protocol reconstruction, live protocol verification. - Network fingerprinting — TCP/IP, JA3/JA4, HTTP/2 & HTTP/3, STUN/WebRTC leak detection; distinguishing automation and proxies from real users.
- Detection & tooling — Suricata/Snort signatures, traffic-shape analysis, and small purpose-built tools (Python, Go, C, some ML with PyTorch).
Selected work
- Residential-proxy botnet — reverse-engineered and disclosed. Took an Android proxy-malware family and its C2 protocol apart from a single infected-device sample, mapped the infrastructure, and submitted a technical report (IOCs + detection rules) for the attention of Europol EC3, national CERTs, and hosting abuse teams. → Read the write-up
apkscan— static APK triage pipeline. Batch-analyses cracked APKs for bundled proxy/malware SDKs from the manifest, signing cert, and native code — without executing them. → code- Wire↔air correlation research. A bench study of whether a flow’s shape survives encryption onto WiFi — including the false positive my own null control caught. → Read the write-up
- More open source. layerid-fingerprint-c — a dependency-free C99 device-fingerprinting / anti-tamper SDK; layerid-id — a self-hosted OAuth2 / OIDC identity provider (FastAPI + Vue); fps — a multi-layer (TCP/TLS/HTTP2/HTTP3) network-fingerprinting service.
Get in touch
I’m open to security-engineering and threat-intelligence roles. The fastest way to reach me is email . My code is on GitHub (key repos also linked under Selected work above), and I’m on LinkedIn .