A privacy-first take on local malware analysis
https://www.helpnetsecurity.com/2026/06/26/burnyard-local-malware-analysis/
Publish Date: 2026-06-26 02:00:00
Source Domain: www.helpnetsecurity.com
Submitting a suspicious file to VirusTotal or MalwareBazaar places a copy of that file on a platform other people can search. Analysts across the industry rely on these services to get a quick verdict on whether a binary is dangerous. The convenience carries a condition many overlook. Once a sample reaches a public repository, the person who wrote it can locate it there. Skilled operators watch these platforms for the hashes of their own tools, and a match tells them their campaign has been detected. Files tied to a targeted intrusion can also carry sensitive material from the victim, which then sits on a third-party system.
Burnyard, a research project from The Ohio State University, takes aim at this condition. It runs suspicious binaries on the analyst’s own hardware and keeps each sample local for the duration of the analysis.
Burnyard end-to-end analysis workflow
Running the binary in user-space emulation
Burnyard performs dynamic analysis through user-space emulation. The system executes a sample one instruction at a time and intercepts every system call and Windows API call the program issues. A custom hook framework records each event with its decoded parameters and return value, producing a chronological trace in CSV form. That trace becomes the input to a classifier, which assigns the sample a label of benign or one of 43 known malware families. A transformer-based language model adds a plain-language description of the observed behavior.
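As an added illustration of the trace-to-classifier step described above (example code written for this article, not Burnyard's own tooling), the snippet below parses a chronological API-call trace in CSV form and turns it into the kind of fixed-length feature vector a family classifier consumes. The column layout, API names and return values are constructed assumptions, not the project's format.

```python
import csv
import io
from collections import Counter

# Constructed sample trace. The columns (seq, api, args, retval) are an
# assumption for this example, not Burnyard's own CSV layout.
SAMPLE_TRACE = """seq,api,args,retval
1,CreateFileW,"C:\\Users\\victim\\doc.txt|GENERIC_READ",0x1a4
2,ReadFile,"0x1a4|4096",1
3,CryptEncrypt,"0x2c|0x0",1
4,WriteFile,"0x1a4|4096",1
5,CloseHandle,0x1a4,1
6,InternetOpenA,"Mozilla/4.0",0x3e8
7,InternetConnectA,"0x3e8|example.invalid|443",0x0
"""


def parse_trace(text):
    """Return the trace as a list of dicts, ordered by sequence number."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: int(r["seq"]))
    return rows


def api_ngrams(rows, n=2):
    """Count sliding-window n-grams of API names; order captures behaviour
    (e.g. ReadFile -> CryptEncrypt -> WriteFile is a ransomware-like pattern)."""
    names = [r["api"] for r in rows]
    return Counter(tuple(names[i:i + n]) for i in range(len(names) - n + 1))


def failed_calls(rows):
    """APIs whose decoded return value signals failure (0 / NULL handle).
    Failed network calls are expected on an air-gapped emulator and are a
    useful feature in their own right."""
    return [r["api"] for r in rows if int(r["retval"], 0) == 0]


def feature_vector(rows, vocab):
    """Fixed-length vector of bigram counts over a chosen vocabulary, the
    shape a classifier expects regardless of trace length."""
    grams = api_ngrams(rows)
    return [grams.get(g, 0) for g in vocab]


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(api_ngrams(trace).most_common(3))
    print("failed:", failed_calls(trace))
```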
The emulation layer operates at the instruction level and avoids the hypervisor stack that a sandbox depends on. Burnyard supports Windows, Linux, and Mach-O binaries across several CPU architectures. A supplied root filesystem provides the libraries, directories, and registry stubs a binary expects at runtime, which removes the need for a host operating system. The design allows deployment on commodity hardware with no network connection. The team ran its evaluation on a Dell Optiplex Micro 3050 with a…