One of the most challenging aspects of adversary emulation is replicating the custom implants used by threat actors. To accurately assess security measures, emulated implants must not only mimic the functionality and quirks of the original malware but also reproduce its obfuscation techniques. This talk presents our re-implementation of APT41’s _Scatterbrain_ obfuscator, including instruction dispatchers that disrupt control flow and import protection mechanisms leveraging Linear Congruential Generator (LCG)-based encryption. To validate our approach, we tested our sample against Mandiant’s deobfuscation tool for the original _Scatterbrain_. The results demonstrated that our re-implementation could be correctly deobfuscated, confirming its accuracy. However, we took this a step further: by slightly modifying the obfuscation, we successfully broke the deobfuscator’s heuristics, creating a variant that required new tools to analyze while still maintaining strong structural similarity to the original.