From APT28 to RePythonNET: automating .NET malware analysis
ID: 49850a22-6472-5aa2-beff-eabf0fc7bbdb
STIX ID: report--49850a22-6472-5aa2-beff-eabf0fc7bbdb
Feed Name: Sekoia.io Blog
This blog post from Sekoia.io's Threat Detection & Research (TDR) team describes techniques for reverse engineering .NET malware, with a case study on APT28's use of the Covenant .NET C2 framework. It covers manual and automated approaches to identifying decryption routines, extracting C2 configuration and patching binaries, and to scaling decompilation with pythonnet, dnlib, ILSpy and an MCP service (RePythonNET). It also highlights APT28's operational tactics and the infection chains observed in 2024–2025.
