

QSecure at BlackHat USA 2025: Introduced DeadMatter at Arsenal


Black Hat USA has long been the arena for security's most inventive minds to converge. This year, QSecure joined the global cybersecurity stage to introduce DeadMatter, our offset-independent credential extraction tool, live at Black Hat Arsenal.

From conversations on the show floor to live demos in the Arsenal space, Black Hat 2025 was an energising opportunity to share our work and learn from the world’s leading practitioners.

What is DeadMatter?

DeadMatter is a C# tool that recovers credentials (e.g., MSV/NTLM and DPAPI) directly from memory artifacts—without hard-coded, version-specific offsets or virtual addresses. Instead, it uses structure scanning and carving, which allow it to work across OS builds and imperfect dumps. It supports raw/full dumps, minidumps, decompressed hibernation files, VM memory files, or any other file format that does not encrypt or compress the dumped memory contents.

In environments where EDR/AV flag traditional LSASS dumping or exfiltrating large memory images isn’t feasible, DeadMatter processes artifacts in place and extracts only the essentials—shrinking your footprint, reducing alerting risk, and keeping ops quiet.
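Because any of the artifact types listed above can yield credentials once it is readable, defenders benefit from knowing where such files already sit on disk. The following is an added example, not part of DeadMatter or the original post: it inventories a directory tree for memory artifacts by header signature. The signature table, the file-name hints and the sample files built in demo() are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Signatures at offset 0 of common Windows memory artifacts (not exhaustive).
MAGIC = {b"MDMP": "minidump", b"PAGEDUMP": "crash dump (32-bit)",
         b"PAGEDU64": "crash dump (64-bit)"}
HIBERNATION = (b"HIBR", b"WAKE")  # appear in upper or lower case
# Headerless images can only be guessed from the name (assumed, site-specific list).
NAME_HINTS = {".vmem": "VM memory file", ".raw": "raw memory image"}


def classify(path):
    """Return the artifact kind for one file, or None if it does not look like one."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:4].upper() in HIBERNATION:
        return "hibernation file"
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return NAME_HINTS.get(Path(path).suffix.lower())


def inventory(root):
    """Walk root and return sorted (relative path, kind, size in bytes) tuples."""
    found = []
    for path in Path(root).rglob("*"):
        try:
            kind = classify(path) if path.is_file() else None
            if kind:
                found.append((path.relative_to(root).as_posix(), kind, path.stat().st_size))
        except OSError:
            continue  # locked or unreadable file (e.g. a live hiberfil.sys)
    return sorted(found)


def demo():
    """Run the inventory over constructed sample files (headers only, not real dumps)."""
    samples = {"lsass.dmp": b"MDMP" + b"\0" * 28, "MEMORY.DMP": b"PAGEDU64" + b"\0" * 24,
               "hiberfil.sys": b"hibr" + b"\0" * 28, "vm.vmem": b"\0" * 32,
               "notes.txt": b"not a memory artifact"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return inventory(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Files it reports are candidates for deletion, tighter ACLs or encrypted storage. Files it could not open are skipped silently and need a separate check.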

DeadMatter on GitHub

We’re excited to share that DeadMatter is now open source. The full codebase, docs, and issue tracker are live on GitHub under a permissive BSD-3-Clause license—use it, audit it, fork it, and help us harden it with real-world artifacts. 

QSecure's core contribution to this event was DeadMatter: an open-source tool built to enable credential extraction without reliance on memory address layouts.

DeadMatter on GitHub: https://github.com/qsecure-labs/DeadMatter

Install / build (from source)

    git clone https://github.com/qsecure-labs/DeadMatter.git
    cd DeadMatter
    :: Open the solution in Visual Studio (or build via CLI), targeting .NET Framework

Quick start:

    :: Extract credentials from a full memory dump file in raw format using both Mimikatz structure and carving techniques
    Deadmatter.exe -f memory_dump.raw

    :: Extract credentials from a full memory dump file in raw format using carving techniques only
    Deadmatter.exe -f memory_dump.raw -m carve

    :: Fingerprint OS (no extraction)
    Deadmatter.exe -f memory_dump.raw -m none -i

    :: Extract credentials from a minidump file using Windows 10 version 1507 Mimikatz structure technique with verbose output
    Deadmatter.exe -f lsass.dmp -m mimikatz -w WIN_10_1507 -v

What’s next for DeadMatter?

We plan to expand DeadMatter beyond MSV/DPAPI by adding the capabilities below:

  • SAM parsing
  • Kerberos tickets
  • WDigest & cached creds 
  • BitLocker-related keys
  • Security questions
  • STDIN pipeline support 

For those who couldn’t attend, you can:

