This talk will focus on the Pirpi (AKA: UPS, SHOTPUT, Backdoor.APT.CookieCutter) malware employed by APT3 over the last 10 years.During this talk, I will describe how their malware has changed over time, but also how it has stayed the same through code-reuse and other artifacts.While analyzing samples from various campaigns, I was able to identify several repeating functions and basic blocks that tie together a decade’s worth of malware.Since Pirpi’s code has been re-used over the years, I will show how that has direct links to other malware used in their intrusions.