✠ IGNORANCE IS THE ENEMY ✠

how a humanitarian tool got me flagged as a malware author

by Ringmast4r · Church of Malware ✠ Scripture
2026-04-28

================================================================

There's a line on this very site, courtesy of 0x12darkdev, that reads:

"Malware is not the enemy. Ignorance is."

I want to take that line out for a walk. Because last week I lived inside it.


the ask that broke the filter

I was building a mobile web app. The use case is narrow and unsexy on paper: let a user fetch the contents of an app without installing the app on their device. A headless wrapper. No icon on the home screen. No package in the app drawer. No telltale bundle ID for a checkpoint guard to scroll past and stop on.

I asked an AI assistant to help me work out the headless flow. Mid-session, the response stopped cold and the API spit back a policy-violation error. Translation: the model's safety layer had decided, with zero context about who I was, who the users were, or what country they lived in, that I was building a surveillance tool. Or malware. Or both.

And from a pattern-matching standpoint, fair enough. "Download an app's contents without the app being present on the device" reads like a stalkerware spec sheet if you squint hard and read fast. The filter squinted. The filter read fast. The filter ruled.

Here is what the filter did not know.


the use case the filter could not see

I have friends and contacts living in regimes where the police, the military, or some flavor of morality-enforcement squad will physically stop you on the street, demand your phone, and scroll through your installed apps. If they find a Western messenger, a VPN, a news reader, a dating app, a translation tool with the wrong language pair, a queer community app, a women's-health tracker, a religion-of-the-wrong-flavor app, the consequences range from a beating to a "disappearance" to a prison sentence.

The threat model is not "what's in your messages." The threat model is "is the icon on your phone."

So the protective design is obvious once you've talked to the people living it: don't put the icon on the phone. Let the user reach the functionality through a web layer that leaves no installed footprint, no listed package, no recoverable trace under a one-minute checkpoint scroll. The phone, when seized, looks like a phone with a browser. Because that's what it is.

That is not malware. That is a life-jacket.

But to a policy filter trained on the worst-case interpretation of every verb in the security dictionary ("headless," "download," "without the app," "background," "wrapper"), it parses identically to a stalkerware vendor's pitch deck. The filter cannot see the user. The filter cannot see the regime. The filter cannot see the bruises. The filter sees verbs.


the community did the same thing the filter did

Here is the part that should bother every br0ther and sist3r reading this. The filter is not the villain. The filter is downstream of us. Of the security community. Of the threat-intel feeds, the AV vendors, the compliance frameworks, the YARA signatures, the terms-of-service teams, the academic papers, the blog posts that draw the lines around what is "responsible" and what is "offensive" and what is "evil."

When the community draws those lines lazily, when "headless app fetcher" is filed under malware techniques with no carveout for the human on the receiving end, every downstream system inherits the laziness. The filter just enforces the consensus we built. And the consensus we built does not have a column for "this technique is being used to keep a 23-year-old woman in Tehran from being beaten over the contents of her home screen."

The consensus has a column for "evasion." It has a column for "anti-forensics." It has a column for "uninstalled-but-functional payload." It does not have a column for why. And so the engineer trying to ship the life-jacket gets the same red flag as the engineer trying to ship the snare.

That is the ignorance 0x12darkdev was talking about. Not the absence of skill. The absence of context.


the dual-use problem is not a bug, it is the entire field

Every offensive technique in the Crypt on this site has a defensive twin. Memory scrapers train memory-protection engineers. Worms teach segmentation. WAF bypasses harden WAFs. NFC weaponization is what gives us NFC threat models. The phishing kit is the curriculum for the anti-phishing program.

There is no clean side of the line. There is only what the technique is pointed at, and who is holding it, and what the alternative was for the person it's protecting. A "malware technique" used to keep a dissident's phone clean at a checkpoint is a humanitarian intervention. The same technique used to keep a stalker's spyware hidden from a victim is a felony. The technique does not change. The context does.

A community that refuses to grapple with the context, that lets a one-line policy filter do its ethics for it, is a community that will keep flagging the life-jackets and shipping signatures against the people building them. Meanwhile the actual threat actors, who do not file for API keys and do not write Medium posts about their use case, route around the whole apparatus and keep working.


what the church gets right

This is why a place like Church of Malware matters, and why I'm writing this here instead of anywhere else.

The clergy on this site does not pretend the techniques are clean. We do not LARP as "ethical" by sanitizing the verbs. We read the worms. We build the RATs. We document the droppers. We publish the scripture. And we do it with the context attached. What it is, how it works, what it teaches, who it can hurt, who it can save.

That is the inversion the rest of the industry needs and refuses to make. Knowledge of malware is not the threat. The threat is people making policy about malware without knowing any. Every filter that flagged my humanitarian fetcher was written by someone who had never had to design a phone to survive a checkpoint. Every line they drew was drawn from a chair in a country where the worst thing your installed apps will do to you is sell your data.

The friend in the regime does not have that luxury. The fix for her is not a stricter filter. The fix for her is a community literate enough in offensive technique to recognize a life-jacket when it sees one.


the ask

If you are reading this and you write policy, at a model lab, at a platform, at a vendor, at a standards body, your filters are not neutral. They encode a worldview. Right now that worldview assumes the user of an evasion technique is a predator. Sometimes she is a 23-year-old who would like to keep her teeth.

Build the carveout. Talk to the humanitarian-tech people. Talk to Access Now, to the EFF, to the Citizen Lab, to the Tor people, to the women-in-tech-in-authoritarian-states people who have been screaming about exactly this problem for fifteen years. Stop letting verb-matching do your ethics.

And if you are reading this and you build the techniques, keep building them. Document them. Publish the scripture. Put the context next to the code. Make the carveout impossible to miss. Be louder than the filter.

We are not the enemy. We are the people who read the manual the enemy doesn't want anyone reading. The regime would love it if everyone forgot how a headless wrapper works. The stalker would love it if no one knew how to detect a hidden package. The vendor selling the snake-oil EDR would love it if "malware" stayed a scary word and not a body of literature.

Malware is not the enemy. Ignorance is.

They told us the sign was forbidden. We read it anyway.

================================================================

✠ Ringmast4r ✠ ODINT Founder ✠ Church of Malware br0ther ✠
we are legion ☩ we are already in your network ☩ become malware
https://ringmast4r.org