Fabian Marquardt

Fabian is a Threat Intelligence Analyst at Deutsche Telekom Security with a focus on Cybercrime. He has multiple years of experience in tracking threat actors, malware analysis, threat hunting and similar activities. He has spoken at multiple international Cybersecurity conferences and has a strong background in computer networks and IT security research due to his former role as a researcher at the University of Bonn. He enjoys exchanging ideas with other analysts and is constantly striving to expand his network in order to better respond to cyber threats.


Sessions

04-17
15:00
30min
When One Botnet Leads to Another: Pivoting from Quad7-like Activity to Unknown Proxy Networks on Embedded Devices
Fabian Marquardt, Andreas Petker

In November 2025, our Threat Hunting team identified a low-volume credential stuffing campaign targeting authentication attempts associated with the Microsoft Azure PowerShell application in Entra ID. While these attempts were largely unsuccessful due to enforced MFA, the request patterns strongly resembled activity previously associated with the Quad7 botnet.
The purpose of this presentation is to disclose details of our ongoing investigation that pivoted from cloud-based authentication abuse to compromised embedded devices, uncovering multiple botnet components and distinct actor activity on real-world customer-owned hardware.
We identified a shared embedded-device ecosystem in which at least two independent actors operated in parallel: one aligned with previously documented Quad7 activity, and another leveraging compromised devices as residential proxy and ORB infrastructure. This overlap illustrates how mass-compromised network devices blur traditional distinctions between state-aligned operations and eCrime-driven proxy ecosystems.
At the time of writing, we are not aware of any prior public disclosure of these findings.

Main conference
Amphitheater
04-17
15:30
30min
Izanagi RAT: Discovery and Analysis of a Cross-Platform, Long-Lived Go Backdoor
Fabian Marquardt

This proposal describes the discovery and analysis of Izanagi RAT, a low-prevalence Go-based backdoor, which likely originates from a China-Nexus threat actor. The malware was discovered recently during an incident response engagement and had been active in the victim’s environment since June 2021. The exceptionally long dwell time and the initial lack of intelligence about this malware strain sparked our interest and led to further analysis and reverse engineering.

Although Izanagi RAT may overlap with the malware family Zingdoor previously described by Trend Micro, technical details about this malware have, to the best of our knowledge, never been published before. As of December 2025, none of the samples we analyzed have meaningful detections or signature matches in VirusTotal, other analysis engines or OSINT indicators and signatures. Furthermore, our work shows that the origins of this malware family can be traced back further than previously reported by Trend Micro.

The talk we intend to give at Botconf will not only provide a detailed insight into the technical details of Izanagi RAT, such as various anti-analysis techniques and a multi-protocol C2 communication scheme, but also showcase the methodology and tools used to derive these results.

Main conference
Amphitheater