{
	"id": "51a3bd68-2954-4175-9db1-e95b28ce1f4c",
	"created_at": "2026-04-06T00:07:46.63428Z",
	"updated_at": "2026-04-10T03:21:33.452711Z",
	"deleted_at": null,
	"sha1_hash": "94866fb2c91f45b48bf1a2f7ea538056fd7d4227",
	"title": "Deceiving the Deceivers: A Review of Deception Pro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2796366,
	"plain_text": "Deceiving the Deceivers: A Review of Deception Pro\r\nPublished: 2026-01-13 · Archived: 2026-04-05 18:10:22 UTC\r\nTL;DR: This is my personal experience and a quick review of the Deception Pro sandbox. Deception Pro is a\r\nspecialized sandbox for long-duration analysis of malware and threat actor behavior. Overall, it is a promising\r\nproduct and fills a niche gap in the malware sandbox market.\r\nOne challenge facing malware analysts, reverse engineers, and threat intelligence analysts is understanding how\r\nmalware behaves over a longer period of time. Capturing behaviour in a traditional sandbox for 3, 5, or even 20\r\nminutes is possible, and analysts can also run samples in custom virtual machines or a baremetal analysis system\r\nto watch what they do. But there are still key challenges, such as:\r\nIt’s difficult to make the environment realistic enough to “convince” malware to continue execution, and\r\neven more difficult to capture follow-on actions such as commands issued to a bot or hands-on-keyboard\r\nevents. Advanced malware and actors are looking for Active Directory environments or corporate networks,\r\nfor example, and this can be difficult to simulate or maintain.\r\nEven if an analyst can create a realistic enough environment to capture meaningful actor activity, it’s\r\ndifficult to randomize the environment enough to not be fingerprinted. If an actor sees the same hostname,\r\nIP, or environment configurations over and over again, the analysis machine can easily be tracked and/or\r\nblocklisted.\r\nScalability, especially in baremetal setups, is always an issue. 
In my baremetal analysis workstation, I can’t\r\ndetonate multiple malware samples at a time (while preventing cross-contamination), for example, and I\r\ncan’t easily add snapshots for reverting after detonation.\r\nIntroducing Deception Pro\r\nI was introduced to Deception Pro by a colleague who spoke highly of Paul Burbage’s team and the work they’ve\r\ndone on other products (like Malbeacon). After reaching out to Paul, he was kind enough to offer me a demo\r\naccount to help me understand the product and how it could fit into my threat research workflow. So without\r\nfurther ado, here’s my disclaimer:\r\nDisclaimer: Paul and the Deception Pro team provided me with a free demo license to evaluate the product and\r\nsee if it meets my needs. I’m not being paid for this review, and Paul and the team did not ask me to write one.\r\nThis review is entirely my own doing.\r\nIn this post, I’ll be covering what Deception Pro is, how it can fit into a malware analysis and reverse engineering\r\nworkflow, and some of its features.\r\nOverview\r\nDeception Pro is what I’d call a “long-term observability sandbox.” Essentially, it’s a malware sandbox designed\r\nto run malware for extended periods – several hours or even days – while also fooling the malware into thinking\r\nhttps://securityliterate.com/deceiving-the-deceivers-a-review-of-deception-pro/\r\nPage 1 of 6\n\nit’s running in a legitimate corporate environment. Long-term observation can be beneficial for a couple reasons,\r\nmost notably:\r\nAdvanced malware often “sleeps” for long periods, waiting for an elapsed period of time before continuing\r\nexecution or downloading additional payloads. \r\nWhen the analyst wants to observe additional payload drops (for example, in a loader scenario) or hopes to\r\ncatch hands-on-keyboard actions or follow-up objectives the attackers are trying to execute.\r\nPretend for a moment I’m a malware analyst (which I am, so there’s not much stretch of the imagination here). 
I\r\ndetonated an unknown malware sample in my own virtual machines as well as several commercial sandboxes.\r\nUsing publicly available commercial and free sandboxes, I determined that the malware belongs to a popular\r\nloader family. (Loaders are a class of malware that download additional payloads. They typically perform\r\nsandbox detection and other evasion techniques to ensure the target system is “clean” before executing the\r\npayload.)\r\nI know this malware is a loader, but I want to understand what payload it ultimately drops. This behavior isn’t\r\nobservable in the other sandboxes I’ve tried. I suspect that’s because the malware only communicates with its C2\r\nand deploys its payload after a long period of time. I then submit the malware sample to Deception Pro.\r\nWhen starting a new Deception Pro session, you’re greeted by an “Initiate Deception Operation” menu, which is a\r\ncool, spy-like way of saying, “start a new sandbox run.” James Bond would approve.\r\nIn this menu, we can choose from one of three randomly generated profiles, or “replicas,” for the user account in\r\nyour sandbox – essentially, your “target.” This person works for one of the randomly generated company names\r\nand is even assigned a fancy title. Deception Pro then generates fake data to populate the sandbox environment,\r\nand this replica acts as a starting point or seed. I chose Mr. Markus Watts, a Supply Chain Data Scientist at the\r\ncompany Pixel Growth. Looks legit to me.\r\nIn the next menu, we’re prompted to upload our malware sample and choose additional details about the runtime\r\nenvironment. The two primary options are “Detonate Payload” and “Stage Environment Only.” Detonate\r\nPayload does what you’d expect and immediately detonates the payload once the environment spins up. Stage\r\nEnvironment Only allows the operator (you) to manually interact with the analysis environment. 
I haven’t\r\nexperimented with this option. The final menu before the sandbox starts is the Settings menu. Here, we can select\r\nthe detonation runtime (days, hours, minutes), the egress VPN country, some additional settings, and most\r\nimportantly, the desktop wallpaper of the user environment. I’ll choose a relaxing beach wallpaper for Mr. Watts.\r\nHe probably needs a nice beach vacation after all the work he does at Pixel Growth.\r\nAs Deception Pro is designed for long-term observation, it’s best to set a longer duration for the run. Typically, I\r\nset it to 5–8 hours, depending on my goals, and I’ve had good results with this.\r\nAfter clicking the Submit button, the analysis environment is set up and populated with random dummy data,\r\nsuch as fake files, documents, and other artifacts, as well as an entire fake domain network. This creates a realistic\r\nand believable environment for the malware to detonate in.\r\nBehavioral and Network Analysis\r\nFast-forward eight hours, and our analysis is complete. I’m excited to see what behaviors were captured. We’ll\r\nstart with the Reports → Detections menu.\r\nThe Detections menu shows key events that occurred during malware detonation. There are a few interesting\r\nentries here, including suspicious usage of Invoke-WebRequest and other PowerShell activity. 
Clicking on these\r\nevents provides additional details:\r\nIn the Network tab, we can view network connections such as HTTP and DNS traffic, along with related alerts:\r\nIn the screenshot above, you may notice several web requests as well as a network traffic alert for a “FormBook\r\nC2 Check-in.” This run was indeed a FormBook sample, and I was able to capture eight hours of FormBook\r\ntraffic during this specific run.\r\nI was also able to capture payload downloads in another run:\r\nIn this run (which was a loader), a 336 KB payload was delivered roughly five hours into execution. This\r\nhighlights the fact that some loaders delay payload delivery for long periods of time.\r\nThe Artifacts menu allows analysts to download artifacts from the analysis, such as PCAPs, dropped files, and\r\nadditional downloaded payloads:\r\nRegarding PCAPs, there is currently no TLS decryption available, which is a drawback, so let’s touch on this now.\r\nConclusions\r\nIt’s important to remember that Deception Pro is a specialized sandbox. I don’t believe it needs to have all the\r\nfeatures of a traditional malware sandbox, as that could cause it to become too generalized and lose its primary\r\nstrength: creating believable target users and lightweight environments while enabling long-term observation of\r\nmalware and follow-on actions. Here are some of the benefits I noticed when using Deception Pro, and some\r\npotential room for improvement:\r\nBenefits\r\nGenerates operating environments that simulate very realistic enterprise networks. 
This can expose\r\nadditional malware and threat actor activities that other sandboxes may miss, like pivoting or network\r\nreconnaissance.\r\nAllows users to specify long detonation runtimes (hours to days) for observance of full attack chains (from\r\ninitial infection to command and control, data exfiltration, and additional module and payload drops).\r\nCaptures key events, behaviors, and network traffic of interest for investigators and researchers\r\nAllows interaction with the running sample and environment\r\nRoom for Improvement\r\nPCAP decryption is currently missing (though this is reportedly coming)\r\nBehavioural output is somewhat limited in its current state. This wasn’t too detrimental for my use case, as\r\nI primarily used Deception Pro as a long-term detonation environment rather than a full-fledged analysis\r\nsandbox. I rely on other tools and sandboxes for deeper analysis.\r\nCurrently no memory dump capabilities or configuration extraction\r\nAlso, note that the operating system environment is randomly generated, which limits customization (such as\r\nusernames, company names, etc.). This will rarely be an issue, but could matter when attempting to detonate\r\nhighly targeted malware.\r\nOverall though, I think the team behind Deception Pro is well on its way to creating a solid specialty sandbox, and\r\nI’m excited to see where it goes. Big thanks to Paul and the team for letting me spam their servers with malware.\r\nSource: https://securityliterate.com/deceiving-the-deceivers-a-review-of-deception-pro/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityliterate.com/deceiving-the-deceivers-a-review-of-deception-pro/"
	],
	"report_names": [
		"deceiving-the-deceivers-a-review-of-deception-pro"
	],
	"threat_actors": [],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94866fb2c91f45b48bf1a2f7ea538056fd7d4227.pdf",
		"text": "https://archive.orkl.eu/94866fb2c91f45b48bf1a2f7ea538056fd7d4227.txt",
		"img": "https://archive.orkl.eu/94866fb2c91f45b48bf1a2f7ea538056fd7d4227.jpg"
	}
}