12:00
90min
Registration and lunch
Welcome area day 1
13:00
300min
Advanced Android Malware Analysis: Defeating Obfuscation in the Real World
Alessandro Strino, Michele Roviello, Federico Valentini

Android malware analysis can be intimidating, especially when samples employ aggressive obfuscation, layered encryption, anti-analysis techniques, and native code to conceal their behavior. This workshop is designed to guide analysts beyond these barriers and into a disciplined, scientific approach to understanding what modern Android malware actually does. Rather than treating obfuscation as a blocker, the workshop focuses on identifying it, understanding its purpose, and actively defeating it. Participants will learn how to recognize common and advanced obfuscation patterns, isolate relevant logic, and reconstruct the overall malware execution flow. The methodology presented combines static reverse engineering with dynamic analysis and runtime instrumentation, reflecting real-world workflows used by professional malware analysts.

A core theme of the workshop is analyst efficiency and automation. Attendees will explore techniques to dynamically resolve encrypted code paths, automatically identify and neutralize encryption routines, and interact with malware at runtime. This includes injecting into the execution flow, patching binaries or memory on the fly, and forcing the execution of specific instructions to extract hidden behavior.

The workshop begins with a custom-built Android application and progressively introduces techniques commonly found in modern Android malware. These techniques are applicable across malware families, including banking trojans, spyware, and more advanced threats, and are not tied to a single campaign or actor. To make the overall learning experience effective, the workshop includes a custom Capture the Flag (CTF) designed specifically for attendees. The challenges mirror real-world analysis scenarios, allowing participants to apply the techniques covered during the sessions immediately.

Workshops
Room 1
13:00
300min
Inside Apple Silicon: Practical Live Forensics on Modern Macs
Vitaly Kamluk, Nicolas Collery

Apple Silicon Macs introduce a radically different platform for digital investigations. Strong security controls, a closed boot chain, and limited support for external operating systems make traditional forensic workflows impractical. This workshop is designed for practitioners who need working techniques, not just theory, to analyze modern macOS systems in the field.

We start by reviewing core live forensics principles, including software write-blocking, and compare traditional dead-box acquisition with live approaches. Realistic investigation scenarios are discussed, from local device access to remote and cloud-based systems, highlighting when live analysis is the only viable option.

The workshop then focuses on booting strategies. After a brief comparison with PCs and servers, we dive into Apple Silicon-specific boot mechanics: standard boot, recovery mode, and failsafe recovery mode. Participants will learn how Apple’s boot design restricts custom OS loading and how these restrictions impact forensic workflows.

A key part of the workshop explores what methods exist to access Apple Silicon hardware. We explain the chainloading model, installation steps, and practical challenges such as hardware device trees and external boot constraints.

Finally, we demonstrate how to boot and use a live USB-based forensic operating system on Apple Silicon Macs. To our knowledge, external USB boot is still a problem for Apple Silicon Macs, which has not been solved in any existing Linux distribution. However, we found a workaround which helps to solve this problem. We hope we will have a chance to present it publicly for the first time during Botconf 2026. The workshop concludes with a practical overview of building a custom live forensic OS, enabling investigators to tailor their tooling for modern macOS targets both locally and remotely.

Requirements:
1. Apple Silicon MacBook (M1 or M2)
2. USB-C flash drive (at least 64GB)
3. USB-C cable and a secondary laptop

Workshops
Room 4
13:30
240min
Malware symbol recovery with Ghidra using Golang examples
Max 'Libra' Kersten

Every time you open a malware sample in your favourite analysis tool and you are greeted with hundreds or thousands of functions with unknown names, you know it is time to find shortcuts and automate renaming steps whenever possible. This workshop dives into the recovery of function symbols. The examples in this workshop are all Golang-related, as the static compilation of Golang binaries serves as an excellent example.

During this four-hour workshop, you will dive into two different malware families which were used in the wild by threat actors, and find out how function symbol recovery works and how to apply the theory in practice. You will also learn how to create your own symbol databases, allowing you to use your privately analysed malware as the starting point for further research into the development of those malware families. Additionally, you will better understand how source code and compiled code relate, especially with regards to Golang files.

Note that the taught techniques are applicable for any binary supported by Ghidra. You can reuse the techniques in other tools, albeit with (minor) changes depending on the specifics.

Workshops
Room 2
13:30
240min
Threat detection engineering with Suricata
Éric Leblond, Peter Manev

This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. Building upon core Suricata capabilities, this session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context.

Participants will learn practical methods for achieving fast Indicator of Compromise (IOC) matching and strategies for managing multiple Suricata versions within diverse environments.

The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode.

This session is designed for cybersecurity professionals seeking to enhance their Suricata expertise and implement cutting-edge threat detection strategies. Attendees will leave equipped with actionable techniques and practical examples to improve their organization's security posture.

Workshops
Room 3
15:00
30min
Coffee break
Welcome area day 1
10:00
60min
Registration
Networking & breaks
Reception area
11:00
10min
Opening speech
Animation
Amphitheater
11:10
30min
Broken by Design: Defeating APK Malformation at Scale in the MaaS Era
Alessandro Strino, Michele Roviello, Federico Valentini

APK malformation has ceased to be a niche evasion tactic; it is now the de facto standard for anti-analysis in the modern Android threat landscape. Implemented by default in the vast majority of Malware-as-a-Service (MaaS) builders and crypters, this technique allows families like TeaBot, TrickMo, and SpyNote to exploit Android's installation leniency while crippling traditional static analysis tools. By intentionally corrupting the APK structure, Threat Actors cause standard parsers (e.g., JADX) to crash or yield incomplete data, effectively blinding analysts and breaking automated triage pipelines.

In this session, we will present a comprehensive dissection of these techniques, categorized into three pillars:
- ZIP Structure Manipulation: Exploiting parser discrepancies via Unsupported Compression Methods and deliberate Local File Header/Central Directory mismatches.
- AXML Obfuscation: Corrupting the AndroidManifest binary XML through Attribute Size Violations and String Pool manipulation to exploit parser rigidity.
- Asset Directory Abuse: Leveraging non-ASCII characters to induce path traversal errors.

Critically, the defensive landscape lacks consolidated tools to reliably handle these malformations. To bridge this gap, we introduce Malfixer, a specialized utility that has been developed and refined over the past two years within our threat intelligence operations. We will demonstrate how Malfixer detects and surgically repairs structural corruptions, restoring file integrity without altering the payload, to unblock large-scale triage and classification pipelines.

Finally, Malfixer will be officially released as open-source during this talk. This contribution aims to provide analysts with a standard for APK repair and to foster a collaborative framework, enabling the community to extend capabilities against future, yet unknown, malformation techniques.

Main conference
Amphitheater
11:40
30min
No Honor Among Pirates: Investigating Malware in Pirated Media
Murtuza Ali

The media piracy ecosystem represents a significant attack surface that remains critically understudied. With over 100 billion visits recorded to piracy sites, it is a lucrative target for attackers to distribute malware disguised as popular content. This is a recurring method in other pirated content such as software or games. These have been studied before, but despite similar effects and a much higher potential audience, malicious media is largely ignored. As the number of visits, especially to media piracy sites, is anticipated to increase over time with rising platform costs and the spread of popular media over several streaming sites, this is a target that is becoming increasingly lucrative over time.

In order to understand these attacks, we create our own measurement pipeline to understand the nature of the attacks from end to end: starting from scraping popular torrent aggregation sites, downloading the malicious files, and tracking the hosts that were involved in seeding and leeching these files, giving us an idea of the infrastructure involved in spreading this malware and also the spread of victims. We find certain methods that attackers use to boost their reach and also other practices around these torrents that inadvertently boost these malicious files.

We also use data from sources such as MagnetDB and work with Iknowwhatyoudownload to get a longitudinal and comprehensive view of malware in media torrents, uncovering campaigns that span years. We also analyze over 500 malicious files that we capture and identify the end goals of the malicious parties.

Main conference
Amphitheater
12:10
45min
Reserved for "Sprint CFP talk"
Amphitheater
12:55
65min
Lunch
Networking & breaks
Reception area
14:00
30min
From Mods to Malware: Dissecting Minecraft Stealer Campaigns
Jaromir Horejsi

Minecraft is a popular video game with a massive global player base. With over 200 million monthly active players, it is one of the best-selling video games ever. Minecraft supports mods (user-created modifications), which enrich the user experience by improving gameplay, fixing bugs, enhancing graphics, and adding new content.

This popularity got noticed by cybercriminals, who create stealers in the form of game mods and disguise them as game cheats, cracks, or macros. These stealers are then uploaded to file sharing platforms and links to them are distributed via various distribution platforms (instant messengers, social media, video sharing). When installed and executed by unsuspecting victims, these stealers collect a wide range of data from infected devices, causing loss of (not only) game accounts and their associated assets.

In this presentation, we examine the current landscape of Minecraft stealers and analyze the most common techniques employed by cybercriminals to deceive users. We will focus on a few prolific stealer families, dissecting their entire infection chains from initial engagement to the final payload delivery. Examples of YouTube videos advertising game cheats with misleading descriptions, repositories controlled by the Stargazers GitHub Network, mod sharing websites, and similar will be presented. We will demonstrate our approach to analyzing (both statically and dynamically) these often multi-layered, obfuscated packages and extracting critical artifacts, such as campaign IDs and command-and-control (C&C) servers, from the samples.

Additionally, we will analyze several notable malware families observed in the wild, including:
a) Baikal Stealer - multi-stage stealer with anti-analysis capabilities.
b) Maks RAT - multi-stage stealer, with builder, loader, Discord spamming module, and main stealing module. Very popular among ratters (cybercriminals distributing malware), often rebranded, with regularly appearing new building servers.

Main conference
Amphitheater
14:30
45min
For Educational Purposes Mostly: Tracking the Stealerium and PhantomStealer Ecosystem
Kyle Cucci

Information stealers have become a core component of modern cybercrime, driven by their availability, ease of use, rapid evolution, and direct path to monetization. This talk examines Stealerium and PhantomStealer, two closely related infostealer families that demonstrate how open-source and so-called (and sometimes, falsely-claimed) “ethical hacking” tools are routinely repurposed for real-world attacks.

The session begins with background on Stealerium’s origins, overlap with other families, and distribution models, including how multiple threat actors leverage and modify the malware. We will explore the technical relationship between Stealerium and PhantomStealer, highlighting areas of code reuse and key differences in functionality. From there, we’ll dive into technical analysis of the malware, covering what data these stealers target, ranging from browser credentials and Wi-Fi information to cryptocurrency wallets, clipboard data, and content flagged as “Not Safe for Work,” which may be used to support sextortion activity.

The presentation also breaks down Stealerium’s unique exfiltration methods, including the use of uncommon services such as GoFile and ZulipChat, along with its anti-analysis and anti-sandbox techniques. Finally, we’ll examine notable campaigns, attack chains, and practical methods for tracking, detecting, and mitigating Stealerium using configuration extraction and behavioral indicators.

Main conference
Amphitheater
15:15
45min
Coffee break
Networking & breaks
Reception area
16:00
45min
Exploring the AitM Phishing Ecosystem: From Kit Hunting to Operator Profiling
Quentin Bourgue, Grégoire Clermont

Over the past few years, the Adversary-in-the-Middle (AitM) phishing threat has evolved into a highly professionalised market featuring numerous Phishing-as-a-Service (PhaaS) platforms. For a subscription costing a few hundred dollars, these platforms offer fully-featured phishing kits with regular updates and professional support. In this presentation, we will demonstrate how this professionalised ecosystem empowers low-skilled threat actors to conduct phishing campaigns, and how to investigate them.

First, we will analyse the PhaaS market, where Telegram serves as the central hub for sales and support. To present an overview of the threat landscape, we will provide a timeline, statistics, and context for major PhaaS platforms, including Tycoon 2FA, Storm-1167, NakedPages, Sneaky 2FA, and Mamba 2FA, supported by our telemetry data. We will also examine the evolution of delivery techniques, from QR codes in 2023 to SVG files in 2025.

Next, we will detail our research methodology for unveiling emerging AitM phishing kits through proactive threat hunting using common TTPs. We will present Sneaky 2FA as a case study, providing context on code reuse and its evolution into two previously undocumented variants: Kratos (a decentralised kit) and Smile Cookies (featuring centralised infrastructure). We will share actionable tracking methods including infrastructure fingerprinting, and detection opportunities from authentication log anomalies.

Finally, we will present an attribution case study of the threat actor “Dr. James Wilson”, who operated four PhaaS platforms and whose operational security failures led to exposure via infostealer logs. Our analysis of browsing data revealed two digital identities - one for AitM phishing operations and another for personal activities. By profiling the attacker, we will share valuable insights into the ecosystem and services facilitating AitM phishing, from domain registration to cryptocurrency platforms.

Main conference
Amphitheater
16:45
30min
Tomb Raider - In Search of the Lost Signatures
Stephan Berger

We explored a decade of open-source offensive tools used in operations worldwide. After analysing hundreds of APT reports and threat-intelligence publications, we compiled a collection of tunnelling tools, reverse shells, loaders, RATs, and living-off-the-land components that threat actors have repeatedly repurposed.

This presentation examines if these legacy tools still “work,” how reliably they operate today, and, most critically, whether modern AV and EDR solutions still detect them. We evaluated whether security products have deprioritized or even dropped signatures for aging tools, inadvertently creating blind spots that sophisticated threat actors continue to exploit.

Main conference
Amphitheater
17:15
45min
Meet GopherWhisper: Uncovering an APT’s secrets through its own words
Eric Howard

In 2025, we observed a new backdoor, LaxGopher, being deployed within a government institution of Mongolia by a previously unknown China-aligned group that we named GopherWhisper. Following this discovery, we uncovered additional backdoors that use various legitimate cloud-based services as C&C infrastructure. By analyzing the C&C traffic using API tokens stashed in the various backdoors, for Slack, Discord, and Microsoft Graph, we obtained insights into the group’s internal operations and post-compromise activities.

From the analysis of all C&C traffic, we recovered over 5,000 messages, revealing that the group’s earliest activity began in 2023-11. These messages were pivotal to our research, as they helped in identifying when threat actors were most active, commands issued on targets, and tools deployed. Notably, it was through these messages that we were able to extract previously unknown tools such as CompactGopher and other information stealers. The dataset further exposed testing artifacts, including enumerations from the testing machines and snippets of backdoor code uploaded by testers.

Our research and analysis of GopherWhisper resulted in identifying a variety of custom tools that include the Go-based backdoors LaxGopher, RatGopher, and BoxofFriends, an injector named JabGopher, a loader called FriendDelivery, an exfiltration tool, CompactGopher, and a C++ backdoor, SSLORDoor. From what we see in messages and telemetry, these tools were often deployed resulting in data exfiltration through either the C&C server or the simple file sharing service file.io.

In this session, we will dissect the most interesting tools in GopherWhisper’s arsenal and will share how analyzing C&C traffic and code snippets from the attackers’ cloud accounts helped us gain critical insights into their activities. Finally, we will provide tips for fellow defenders to uncover and remediate a GopherWhisper compromise.

Main conference
Amphitheater
18:00
90min
Pizza party
Networking & breaks
Reception area
08:30
30min
Registration
Networking & breaks
Reception area
09:00
30min
The Dangers of Calendar Subscriptions: A New Ecosystem Unveiled
Pedro Falé, Ana Rita Castanheira

Once a subscription is established, a calendar server can deliver any number of events into your schedule, some of which may contain harmful content, turning a helpful tool into an unexpected attack vector. The lack of awareness surrounding calendars creates a dangerous blind spot in both personal and corporate security ecosystems.

In this investigation we unveil a growing ecosystem: vast dedicated networks that deceive users at scale into subscriptions, from compromising websites to redirecting victims and tricking them into subscriptions via fake captchas. This subscription “space”, which allows actors to create any number of events in your calendars, is then either used by the actors themselves or sold to third parties as-a-service. By pivoting, we sinkholed part of 2 networks conducting this operation; in return, we received daily requests from millions of iOS devices.

Here we uncover the tactics and techniques utilized by this dedicated infrastructure, but also the risks a subscribed user/organization might incur (phishing, malware, etc.), culminating with the economic motivation behind the services currently selling this “space”.

Lastly, we conclude with some exploratory work on possible correlations between proxy botnets/services that might be utilizing this illegitimate infrastructure to “acquire” new proxy nodes. The intent is to share this ecosystem with the community so further correlations can be explored. We terminate with some open discussion / early thoughts on the challenges of mapping, and the potential use of this new ecosystem to track active campaigns.

Main conference
Amphitheater
09:30
30min
Defeating Node.js Malware through API Tracing
Sven Rath

Node.js has become a staple in the malware development toolkit of crimeware authors: It is easy to develop, trivial to obfuscate and difficult to analyze, with a rich ecosystem of open-source tools such as packers and obfuscators available to threat actors.

This talk introduces a purpose-built, open-source Node.js Tracer designed to cut through the noise by instrumenting the runtime rather than having to deal with tedious manual source code deobfuscation, ultimately saving precious time for analysts and incident responders. After an overview of the different forms of Node.js malware observable in the wild, the talk reconstructs the malware research that sparked the tool's development, outlines the mechanics of tracing as a dynamic reverse-engineering method, and demonstrates how runtime hooking exposes the malware's real behavior.

Attendees will see, using several real-world case studies, how the utility neutralizes anti-analysis checks, bypasses obfuscation and speeds up the analysis process - the result is a practical workflow for reverse engineers, malware analysts and incident response teams facing increasingly obfuscated JavaScript-based malware families.

Main conference
Amphitheater
10:00
30min
Thinking Outside the Package: Hunting Supply Chain Behavior from the Endpoint Perspective
Bar Matalon, Noa Dekel

For years, software supply chain security in ecosystems like npm and PyPI was treated as a "developer problem", an issue delegated to posture management tools and policy enforcement. However, the threat landscape has fundamentally changed. Since 2025, we are no longer facing just simple credential stealers; we are witnessing massive, sophisticated campaigns involving destructive malware and self-replicating worms.

This shift is exacerbated by the explosion of "vibe coding" and AI-assisted development. As the definition of "developer" expands, more users are implementing code they do not fully understand, while attackers leverage AI to compromise packages or hallucinate new ones at scale.

In this session, we start by analyzing the anatomy of these modern compromises: how they happen and what they typically execute. Then, we strip away the abstraction. When a developer runs npm install or pip install, they aren't just downloading code; they are executing a process tree with the full privileges of that user.

We will demonstrate that visibility into the endpoint is the missing link in supply chain defense. By the time a malicious package is reported and removed from the public registry, it is often too late: the code has already run. We will expose the attacker’s playbook, dissecting notable campaigns to reveal their tradecraft. We will break down every step of the kill chain, mapping the attacks from the initial install command to the malicious child processes and network beacons.

Attendees will leave with more than just theory. The session concludes with practical hunting tips and specific query logic, empowering defenders to detect these anomalies in their own environments and spot the signs of a compromised supply chain before it spreads.

Main conference
Amphitheater
10:30
30min
Coffee break
Networking & breaks
Reception area
11:00
45min
Chasing XLoader: Tracking a Notoriously Complex Malware Family at Scale
Souhail Hammou, Alexey Bukhteyev

XLoader is an actively developed rebrand of the well known Formbook information stealer. First appearing in 2020, XLoader builds on the strengths of its predecessor with a particular focus on improving the build engine to complicate analysis and large-scale IOC extraction. Addressing this challenge is crucial for organizations aiming to track XLoader at scale.

This talk brings together presenters from Check Point and Intel 471, each using distinct methodologies and tooling to build reliable tracking for XLoader. Intel 471’s approach is primarily based on manual reverse engineering, while Check Point’s approach combines generative AI with targeted manual analysis to accelerate this process.

The talk is intended to serve as a reference for reverse engineers seeking a practical entry point into automating XLoader tracking, with a focus on configuration extraction and C2 communications.

Main conference
Amphitheater
11:45
45min
Reserved for "Sprint CFP talk"
Amphitheater
12:30
65min
Lunch
Networking & breaks
Reception area
14:00
30min
Decoding the Core: Inside Stories of Malware Configuration Extraction
Albert Zsigovits

Malware configuration data often holds the key to understanding a threat actor’s intent, infrastructure, and operational scope. Yet, as adversaries evolve their tooling, extracting this configuration information has become a progressively cumbersome challenge for analysts. This talk provides a hands-on exploration of how malware stores, hides, and protects its configuration; moving from easily accessible static artifacts to deeply obfuscated and encrypted structures.

Starting with fundamental patterns and low-hanging fruit, we’ll walk through practical examples of locating embedded configuration data in binaries and analyzing common encoding routines. The session then escalates to advanced cases where adversaries deploy custom encryption layers, smart contracts, or dynamically generated configuration schemas - illustrated through live demonstrations of real-world samples.

To ground these techniques in recent reality, the talk highlights several emerging malware families observed in the wild throughout recent years. Each case-study outlines how the configuration is structured and stored, and demonstrates the methods and the logic used to extract and decode it - offering actionable know-how directly transferable to day-to-day reverse engineering.

Attendees will gain not only conceptual insights into malware configuration structures across different malware families but also actionable findings for configuration extraction workflows. By the end of the talk, participants will be able to tackle both the straightforward and the sophisticated: turning malware configuration data into actionable threat intelligence.

Main conference
Amphitheater
14:30
30min
iMac-ulate Conception: The Birth of the macOS Stealer Ecosystem
Maddie Stewart, Charlie Cullen

Prior to 2023, commodity information stealers targeting macOS remained a niche activity rarely found advertised in cybercrime communities. The March 2023 release of COOKIE SPIDER’s Atomic macOS Stealer (aka AMOS) sparked rapid adoption among Russian-speaking “traffer” groups and, subsequently, the rise of many competitor stealer projects that continue to proliferate to this day.

This talk will trace the origins of AMOS and its main operator, COOKIE SPIDER, as well as profile its major competitors, touching on similarities and differences between each malware family, their customers, and novel distribution methods and trends. We will also showcase the use of crypto analysis to map relationships between stealer vendors, their customers, and their infrastructure.

The presentation will also highlight the ecosystem in which macOS malware vendors and users exist including the monetization of their infections via cryptocurrency theft, sale of logs, and the emergence of some of the first Pay-Per-Install (PPI) services leveraging macOS infections. We will also conclude our talk with a look at recent and future trends in commodity macOS malware development.

Main conference
Amphitheater
15:00
45min
Coffee break
Networking & breaks
Reception area
15:45
45min
Following RondoDox's Breadcrumbs
João Godinho

Exploitation of internet-exposed devices is not new, yet we keep seeing threat actors abusing this vector to create botnets. In 2025 a new botnet named RondoDox started making some waves due to its aggressive scanning and exploitation approach, making use of dozens of vulnerabilities in internet-exposed devices.

In this talk we'll do a deep technical dive into this fairly new botnet, focusing on the activity observed between its emergence in May 2025 and the end of the year. We'll go over its infection chain, starting with the wide variety of exploits used, and we'll then look into the infrastructure supporting the scanning and exploitation, and the dropper and implants used. From there we'll dive into the technical details of the malware, focusing on details that enable researchers to quickly identify it, how its network protocol communicates with the C2, and highlighting the diverse DoS capabilities at different network levels built into the malware.

We'll also explore the evolution of the threat with observed changes in both the infrastructure and malware, that highlight the active development of this threat, as well as some operational details regarding patterns in the activity and telemetry information.

By the end of the session the audience will have a comprehensive understanding of this recent threat. The audience will also be able to identify, monitor, and track RondoDox activity within their own environments.

Main conference
Amphitheater
16:30
30min
Flexing Your Botnet: Investigating Power Proofs in the DDoS-for-Hire Market
Maarten Weyns

Distributed Denial of Service (DDoS) attacks continue to pose a significant threat to online services. The raw bandwidth and packet rate of DDoS attacks keep increasing, and attack methods keep adapting to new mitigation techniques. This results in a never-ending cat-and-mouse game between defenders and attackers.

In addition, the vast DDoS-for-Hire market makes it increasingly easy for new adversaries to enter the DDoS space. With just a few dollars and a few clicks, users can get hold of DDoS tools powerful enough to take down any target they like. Having multiple providers implies competition, each fighting to have the most attack power and get the most paying users. In order to measure the strength of their networks, DDoS-for-Hire providers abuse legitimate services as "trusted third parties" to get accurate measurements on performed DDoS attacks, called "Power Proofs". This raises the question: what is the impact of Power Proofs on the DDoS-for-Hire market?

In this talk, we present our findings concerning these DDoS Power Proofs. We show which services are abused by the community to create power proofs and how they use the results to build leaderboards. We investigate whether advertisements and claims are accurate, and analyze whether power proofs have an impact on the usage of DDoS networks. Our goal: investigating the impact of Power Proofs on the DDoS-for-Hire market.

During the presentation, we will show the data we collect concerning DDoS power proofs. We leverage self-reported statistics of DDoS-for-Hire providers, Telegram messages and DDoS test attack logs to get a "big picture" overview of the inner workings of the DDoS-for-Hire market. We also share a live dashboard showing live observations of DDoS test attacks.

Main conference
Amphitheater
17:00
17:00
60min
Lightning talks
Animation
Amphitheater
19:30
19:30
200min
Gala reception
Networking & breaks
Reception area
09:00
09:00
30min
Registration
Networking & breaks
Reception area
09:30
09:30
30min
Finding Meaning in /dev/null
Paul Jung

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative dedicated to collecting, analyzing, and responding to computer security threats and incidents. As part of its mission, CIRCL operates an IPv4 /18 network telescope (black-hole address space) observing unsolicited Internet traffic.

This presentation introduces the foundations of network telescopes and their value for observing Internet background noise, scanning activity, botnet behavior, malicious probing, and misconfigurations. Since no legitimate services are hosted, all captured traffic provides an unbiased view of Internet-wide malicious activity.

The talk then presents the data processing pipeline deployed at CIRCL, from ingestion and normalization to long-term storage in a queryable data lake, enabling large-scale and longitudinal analysis.

Several concrete use cases are discussed, including scanner and bot detection through activity correlation and PTR analysis, identification of SNMP scanning campaigns, detection of emerging CVE trends by port and scanner type, Mirai botnet fingerprinting using TCP SYN window sizes, and DDoS victim identification via backscatter traffic.

Operationally, these observations are used to generate warning lists and early alerts for CIRCL constituents. Relevant events and indicators are shared through MISP or Warning lists, enabling collaborative detection and response.

Overall, the talk shows how actionable security intelligence can be extracted from unused address space, turning “the void” into a powerful Internet-scale security observatory.

Main conference
Amphitheater
10:00
10:00
30min
Tracking the Next Botnets after the RapperBot’s PowerOFF
Hideyuki Furukawa

The U.S. Department of Justice reported that RapperBot's Command and Control (C2) servers were successfully seized by the Defense Criminal Investigative Service (DCIS) on August 6, 2025 in conjunction with Operation PowerOFF. Two months before that, we took over one of the 8 C2 domains of RapperBot, and about 60,000 infected devices were observed as of June 2025. But that sinkhole C2 domain is no longer valid for the latest RapperBot, which removed the sinkhole domains.

These victim devices should still be vulnerable even after the C2 servers were powered off. Though our honeypots had been optimized for Digital Video Recorders to obtain RapperBot, we sometimes receive other exploitation attempts from different botnets. Because RapperBot has no killer function for competitors, exploitation by another botnet means the bot is replaced. Our passive darknet monitoring system is already observing non-RapperBot scan packets from former RapperBots.

From March to October 2025, exploitation attempts installing new Mirai-based malware were observed on our honeypots. The most notable point we found is that this malware family hides its own process by mounting "/proc/1" onto "/proc/self". Because we couldn't find any existing report about this malware, we began to call it MountBot. We found that some DDoS attacks by MountBot are exactly linked to AISURU botnet's attacks. Another botnet is MooBot. We found log data on its exposed download server, which indicates that some former RapperBots were replaced with MooBot. We will present the detailed analysis results and the activities of the possible next botnets which would take over the victim devices from RapperBot.

We will also show the detailed analysis results of the Mirai-based proxy peers including RapperBot and AISURU botnet.

Main conference
Amphitheater
10:30
10:30
30min
The Howl of Kimwolf Resonates Across 1.8 Million Android Devices Worldwide
Alex Turing, Acey9, Wang Hao

Kimwolf is a massive botnet first disclosed by QI-ANXIN XLab in December 2025, primarily targeting Android devices—especially TV boxes—with an estimated 1.8+ million active infected devices across 222 countries and regions worldwide. The botnet is highly versatile, featuring DDoS attacks, traffic proxying, reverse shells, and file management capabilities. In one recorded instance, it issued a staggering 1.7 billion DDoS commands over just a few days, with a potential peak attack capacity approaching 30 Tbps. The moment Kimwolf shot to fame came in October 2025, when one of its C2 domains briefly outranked tech behemoths like Google and Apple, claiming the number one spot on Cloudflare's global popularity chart.

Kimwolf conceals its C2 domain resolution using DNS over TLS (DoT) and employs elliptic curve digital signatures (ECDSA) for robust C2 server authentication, ensuring bots only accept commands from legitimate sources. After repeated infrastructure takedowns by security researchers and third parties, its operators adopted the EtherHiding technique, leveraging blockchain-based domains such as Ethereum Name Service (ENS) to significantly boost C2 resilience against disruption. Additionally, technical analysis reveals extensive code and infrastructure overlap between Kimwolf and the notorious Aisuru botnet — holder of the world record for largest DDoS attack — strongly indicating that both are controlled by the same threat actor group.

This presentation details the full story of the analysis and ongoing battle against the Kimwolf botnet. We will dive into the technical specifics, share behind-the-scenes insights and provide the first detailed public breakdown of its infection and propagation chain.

Main conference
Amphitheater
11:00
11:00
30min
Coffee break
Networking & breaks
Reception area
11:30
11:30
30min
Dissecting Evil Twin RATs: Tracking the Long-Term Use of TA410's FlowCloud Toolset
Hiroshi Takeuchi

TA410 is a cyber-espionage umbrella group consisting of three subgroups: FlowingFrog, LookingFrog, and JollyFrog. TA410 activity has been observed since 2018, targeting a diverse range of sectors.

FlowCloud is a toolset exclusively used by FlowingFrog. One interesting point is that a HUMINT-driven technique was used for initial access: using a USB device to deliver and install FlowCloud.

The name “FlowCloud” has often been used to refer to the RAT because the string “FlowCloud” appears in its configuration data and PDB strings. However, based on our analysis of samples and PDB strings, we believe FlowCloud is actually the name of a finely crafted attack framework, specifically an MSVC solution containing multiple projects beyond the RAT itself, including a loader, a rootkit driver, an installer, and an uninstaller.

The FlowCloud solution consists of two primary RAT components: fcClient and hcClient. These RATs are sophisticated C++/C applications and share common application designs: encryption algorithms, extensive use of Google Protocol Buffers for C2 communication data formats and configuration, and communication with two external servers (exchange_server and file_server). fcClient has a more structured C++-based design, whereas hcClient is a C-based application.
Previously, fcClient and hcClient were categorized under the FlowCloud RAT. However, our analysis reveals that they are distinct, yet related RATs with separate development paths. We have continued tracking the FlowCloud toolset and identified two new FlowCloud RATs, which are updated versions of hcClient: FlowCross (v5.0.5dz) and FlowThrough (v7.0.0).

In this presentation we will provide in-depth details on the long-used twin RATs (fcClient and hcClient). In particular, we will deep dive into:
- New FlowCloud tools, which have not been publicly documented
- Parsing and extracting Protocol Buffers messages from fcClient and hcClient
- Deobfuscation of hcClient payload, including a live demo

Main conference
Amphitheater
12:00
12:00
30min
FrostyNeighbor’s playbook: How phishing and malware drive long-term espionage in Europe
Damien Schaeffer

Over the past years, we closely monitored and tracked the evolution of FrostyNeighbor, also known as UNC1151. Aligned with the interests of an Eastern European country, this APT group has demonstrated since 2016 technical sophistication and strategic intent, mixing cyberespionage with political influence operations, highlighting how this group evolved from targeting military and governmental entities to interfering in democratic processes.
Initially focused on intelligence collection against Ukrainian defense and governmental organizations, the group expanded its scope to other countries, aligning its operations with geopolitical interests, like the Polish parliamentary elections in 2023 and presidential election in 2025. The group uses spearphishing and credential theft alongside narratives to shake up public opinion on sensitive political issues.
FrostyNeighbor has continually refined its methods to thwart defenders. Over time, it went from relatively simple lure documents to complex compromise chains, using custom malware implemented in multiple programming languages. Its modular toolset enabled FrostyNeighbor to deliver payloads only to selected targets, hidden inside seemingly benign files such as images or style sheets. The group also ran many phishing campaigns, using spoofed login pages to target victims and exploiting vulnerabilities in widely used webmail platforms, notably Roundcube.
This dual approach, espionage for strategic advantage and political disruption to sow discord, highlights the growing complexity of modern cyberconflict. FrostyNeighbor’s operations illustrate how state-linked threat actors exploit digital ecosystems not only to steal secrets but also to shape narratives and erode trust in democratic institutions. In this presentation, we describe the most interesting tools in FrostyNeighbor’s arsenal, including advanced compromise chains and multistage malware. Finally, we highlight the group’s victimology and post-compromise activities.

Main conference
Amphitheater
12:30
12:30
30min
When Your CTV Box Goes Rogue: How Millions Were Tricked Into Aiding a Global Cybercrime Operation
Lindsay Kaye, Vikas Parthasarathy, Joao Santos

Sometimes, you disrupt a massive fraud operation only for it to return bigger and stronger two years later.

That's what HUMAN Security found with the successor to the original BADBOX campaign. BADBOX 2.0 targets millions of victims with more backdoor variants, more fraud schemes, and more sophistication than ever before. The China-based threat actors created an entire fraud ecosystem, infecting over 1 million consumer devices with a backdoor in over 200 countries and territories. BADBOX 2.0 is the largest botnet of infected connected TV devices ever uncovered and represents a significant evolution in cybercrime in which multiple types of fraud co-occur.

This talk will dive into all of the details of BADBOX 2.0, including its interconnected nature, how threat actors target the entire customer journey, and how it can be impossible to thwart crimes like this without proper protection. HUMAN’s Satori Research team will present the technical intricacies, including the backdoor techniques, infection vectors, monetization strategies, and the infrastructure that enabled threat actors to hijack millions of devices worldwide, in addition to BADBOX’s implications for the Internet and how the company worked to stop it. We will also provide an update about what happened after the report was released, including how the takedown has progressed.

Main conference
Amphitheater
13:00
13:00
60min
Lunch
Networking & breaks
Reception area
14:00
14:00
30min
Masks, Monsters, and Drivers: Unpacking the Deception of Chaos, Kraken, and DeadLock
Chetan Raghuprasad

The modern Ransomware-as-a-Service (RaaS) ecosystem has evolved beyond simple file encryption into a complex landscape of psychological operations, identity deception, and aggressive defense evasion. This presentation provides a comparative technical analysis of three emerging threats—Chaos, Kraken, and DeadLock—to demonstrate how threat actors are prioritizing misattribution and anti-forensics to outmaneuver defenders.
First, I will talk about the "Identity Deception" trend and examine the new Chaos ransomware, which deliberately adopts the name of an older, unrelated malware builder to confuse attribution efforts, masking its true links to the BlackSuit (Royal) cartel. Parallel to this, I will demonstrate the Kraken RaaS analysis and TTPs, a group that has risen from the ashes of the HelloKitty cartel, leveraging its predecessor's brand while introducing unique cross-platform capabilities and performance benchmarking.
Second, I will pivot to the "Defense Evasion" trend, utilizing exclusive insights into the DeadLock ransomware. Unlike groups focusing solely on branding, DeadLock illustrates the resurgence of "Bring Your Own Vulnerable Driver" (BYOVD) attacks. I will detail how the DeadLock operators use a loader named "EDRGay" to exploit a specific vulnerability (CVE-2024-51324) in the Baidu Antivirus driver, disguised with the file name DriverGay.sys, to terminate EDR and antivirus processes at the kernel level, clearing the path for a custom stream cipher encryption that utilizes time-based keys.
In this presentation, I will also discuss the attacker’s commands at each stage of the attack chains that enable them to achieve their objectives in the Chaos, Kraken, and DeadLock attacks. Finally, I will conclude the talk with a recommendation for defenders to focus on robust intelligence and strengthening endpoint security.

Main conference
Amphitheater
14:30
14:30
30min
Malicious Blind Pack: Uncovering all RAT Tools in Silver Fox campaign
Rachael Liao, Yi Ping (Cara) Lin

Silver Fox, first observed in 2024, has quickly grown into a major cyber threat, initially targeting Chinese-speaking users. The group employs a wide range of techniques, including targeted phishing, SEO poisoning, and the distribution of trojanized software. Unlike actors focused solely on RAT deployment, Silver Fox operates as a hybrid threat, combining cyber espionage with criminal objectives such as deploying custom malware, stealing credentials, and installing tools for persistent remote access. Our investigation in early 2025 uncovered attacks using the Winos malware against users in Taiwan. Further analysis revealed these incidents were part of a larger, coordinated campaign affecting multiple Asian regions.
Notably, Silver Fox demonstrates versatility in its tool selection. In addition to custom malware like Winos and HoldingHands, the group has started abusing legitimate Remote Monitoring and Management (RMM) software to carry out data theft. These signed RMM tools, normally used for IT administration, give attackers a layer of credibility that helps them avoid detection. By blending malicious activity with trusted applications, Silver Fox can bypass standard security controls and operate under the radar.
This presentation offers a comprehensive technical investigation into the Silver Fox campaign, dissecting their attack chains, analyzing the behavior of RAT tools, and detailing the execution patterns of commercially available RMM software. By correlating infrastructure across related clusters, we reveal valuable insights for defenders, including key indicators and patterns to facilitate early detection. This presentation concludes with a discussion of persistent patterns in Silver Fox’s infrastructure and tool selection, aiding in accurate attribution and proactive threat hunting initiatives.

Main conference
Amphitheater
15:00
15:00
30min
When One Botnet Leads to Another: Pivoting from Quad7-like Activity to Unknown Proxy Networks on Embedded Devices
Andreas Petker, Fabian Marquardt

In November 2025, our Threat Hunting team identified a low-volume credential stuffing campaign targeting authentication attempts associated with the Microsoft Azure PowerShell application in Entra ID. While these attempts were largely unsuccessful due to enforced MFA, the request patterns strongly resembled activity previously associated with the Quad7 botnet.
The purpose of this presentation is to disclose details of our ongoing investigation that pivoted from cloud-based authentication abuse to compromised embedded devices, uncovering multiple botnet components and distinct actor activity on real-world customer-owned hardware.
We identified a shared embedded-device ecosystem in which at least two independent actors operated in parallel: one aligned with previously documented Quad7 activity, and another leveraging compromised devices as residential proxy and ORB infrastructure. This overlap illustrates how mass-compromised network devices blur traditional distinctions between state-aligned operations and eCrime-driven proxy ecosystems.
At the time of writing, we are not aware of any prior public disclosure of these findings.

Main conference
Amphitheater
15:30
15:30
30min
Izanagi RAT: Discovery and Analysis of a Cross-Platform, Long-Lived Go Backdoor
Fabian Marquardt

This proposal describes the discovery and analysis of Izanagi RAT, a low-prevalence Go-based backdoor, which likely originates from a China-Nexus threat actor. The malware was discovered recently during an incident response engagement and was active in the victim’s environment since June 2021. Exceptionally long dwell time and initial lack of intelligence about this malware strain sparked our interest and led to further analysis and reverse engineering.

Although Izanagi RAT may overlap with the malware family Zingdoor previously described by Trend Micro, technical details about this malware have, to the best of our knowledge, never been published before. As of December 2025, none of the samples we analyzed have meaningful detections or signature matches in VirusTotal, other analysis engines or OSINT indicators and signatures. Furthermore, our work shows that the origins of this malware family can be traced back further than previously reported by Trend Micro.

The talk we intend to give at Botconf will not only provide a detailed insight into the technical details of Izanagi RAT, such as for example various anti-analysis techniques and a multi-protocol C2 communication scheme, but also showcase the methodology and tools used to derive these results.

Main conference
Amphitheater
16:00
16:00
15min
Closing speech
Animation
Amphitheater