BSides Canberra 2025

Reverse Engineering Sherlock Holmes Style: Obfuscated APIs & The Art of Deduction.
2025-09-26, Main Track

API Obfuscation is a common technique employed by malware authors to conceal the capabilities and behaviour of their malware from reverse engineers. Usually, such obfuscation is overcome via decoding obfuscated API names during static analysis or observing the API calls during dynamic execution. But what can a reverse engineer do if even the obfuscated API names are removed from the binary? In this presentation we’ll discuss the analysis of “TCP Listener”, an implant encountered by the ACSC during incident response. In a novel approach this implant receives its obfuscated API references with its command and control payloads, which made analysis difficult – but not impossible. Gathering our clues (strings, constants, function prototypes, and call structure), and armed with our tools (IDA, Yara, and the MSDN documentation), we’ll go on a journey of deductive reasoning (along with a tiny bit of speculative imagination) to reverse engineer this implant and fully understand its functionality.

Katie Deakin-Sharpe is a malware analyst at the Australian Cyber Security Centre (ACSC), where she reverse engineers malware to help protect and defend Australian government and industry networks. Prior to joining the ACSC, she worked as a software developer at the consumer privacy start-up Anonyome Labs.