DotNETBinaryFormatter Format Package

We are happy to announce support for the .NET BinaryFormatter serialization format. The new DotNET BinaryFormatter Format package replaces the old decoder with a full parser, providing reliable parsing and embedded object detection for malware analysis and forensic investigations.

BinaryFormatter (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter) is a .NET binary serialization mechanism that has been widely used since the early days of .NET. It is also notoriously insecure: deserialization of untrusted data can lead to arbitrary code execution, which has made it a favored vector for .NET exploitation payloads. Malware authors frequently embed executables, shellcode, and configuration data inside BinaryFormatter byte arrays. Having native support in Cerbero Suite means analysts can safely inspect these payloads, navigate the serialized object graph, and extract embedded objects without risking code execution.
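The sketch below is an added example, not Cerbero Suite's parser or code from the original post. It shows static triage of a BinaryFormatter stream without deserializing it: it checks the stream header, heuristically locates byte-array records, and labels their contents by magic bytes. Record layouts follow the MS-NRBF specification; the function names and the sample stream are constructed for illustration, and the scan is a heuristic, not a full record parser.

```python
import struct

# Layouts from MS-NRBF (the BinaryFormatter wire format), little-endian.
HEADER = struct.Struct("<Biiii")    # RecordType, RootId, HeaderId, Major, Minor
ARRAY_HDR = struct.Struct("<BiiB")  # RecordType, ObjectId, Length, PrimitiveType
REC_HEADER, REC_ARRAY_SINGLE_PRIMITIVE, REC_MESSAGE_END = 0x00, 0x0F, 0x0B
PRIM_BYTE = 0x02

def is_binaryformatter(data):
    """True if data starts with a SerializedStreamHeader record (version 1.0)."""
    if len(data) < HEADER.size:
        return False
    rec, _root, _hdr, major, minor = HEADER.unpack_from(data, 0)
    return rec == REC_HEADER and major == 1 and minor == 0

def classify(payload):
    """Label a byte array by magic; 'pe' needs MZ plus e_lfanew at a PE signature."""
    if payload[:2] == b"MZ" and len(payload) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", payload, 0x3C)
        return "pe" if payload[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "mz-only"
    return "data"

def find_byte_arrays(data, min_len=16):
    """Heuristic scan for byte[] records; returns (offset, object_id, length, kind)."""
    hits, pos = [], HEADER.size
    while pos + ARRAY_HDR.size <= len(data):
        rec, obj_id, length, prim = ARRAY_HDR.unpack_from(data, pos)
        start = pos + ARRAY_HDR.size
        if (rec == REC_ARRAY_SINGLE_PRIMITIVE and prim == PRIM_BYTE and obj_id > 0
                and min_len <= length <= len(data) - start):
            hits.append((start, obj_id, length, classify(data[start:start + length])))
            pos = start + length      # skip the payload, it is never interpreted
        else:
            pos += 1                  # not a plausible record start, slide forward
    return hits

def build_sample():
    """Constructed sample: header, one byte[] holding a fake PE stub, MessageEnd."""
    fake_pe = bytearray(0x48)
    fake_pe[0:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)
    fake_pe[0x40:0x44] = b"PE\0\0"
    return (HEADER.pack(REC_HEADER, 1, -1, 1, 0)
            + ARRAY_HDR.pack(REC_ARRAY_SINGLE_PRIMITIVE, 1, len(fake_pe), PRIM_BYTE)
            + bytes(fake_pe) + bytes([REC_MESSAGE_END]))

if __name__ == "__main__":
    sample = build_sample()
    print(is_binaryformatter(sample), find_byte_arrays(sample))
```

Because the scan slides byte by byte, it can report false positives inside unrelated data; each hit is a candidate offset to carve and inspect, not a parsed object.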
