2026-04-16, Amphitheater
What happens when a MaaS (Malware-as-a-Service) operator deploys a commercial packer like Virbox Protector to shield their Android banking trojan, but forgets to secure the rest of their operation? In this lightning talk, we walk through a real-world case where advanced anti-analysis protections initially broke our internal pipelines, only for a simple pivoting technique to reveal a debug build of the same malware, completely unprotected. From there, we fully reversed the core malware logic, uncovered an unauthenticated API endpoint leaking live botnet data, and mapped detailed infection statistics across targeted countries. The key takeaway: commercial packers can harden the payload, but they cannot patch a poorly managed botnet infrastructure. Sometimes, all it takes is thinking outside the box.
Federico is passionate about technology in general, with a deep interest in cybersecurity, particularly Penetration Testing, Malware Analysis, and Social Engineering. He currently leads the Threat Intelligence and Incident Response teams at Cleafy, where he oversees all activities related to monitoring and uncovering new threats and attack patterns used by malicious actors. He has spoken at HackInBO 2022, Botconf 2023, Cert-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, Botconf 2025, DEFCON33 and other private events managed by CertFIN in Italy.