BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.botconf.org//botconf-2026//talk//N88ZFD
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-botconf-2026-N88ZFD@cfp.botconf.org
DTSTART;TZID=CET:20260416T162600
DTEND;TZID=CET:20260416T162900
DESCRIPTION:A proxy botnet bills itself as a monetization SDK for Android a
 pps: consent API\, bandwidth caps\, the works. It also distributes binarie
 s via IPFS\, discovers C2 servers through encrypted Ethereum Name Service 
 records\, polls a blockchain for updates like `apt update`\, and ships a c
 ustom P2P mesh relay. The operator built three layers of decentralized res
 ilience on the assumption that compute is free when it belongs to someone 
 else.\n\nWhen a researcher published IOCs for that proxy botnet infrastruc
 ture in early April\, we began monitoring the download server where the AP
 K was being delivered to devices compromised through proxy-to-ADB exploita
 tion (the same initial access used by Kimwolf). Within weeks\, the SDK gai
 ned three DDoS flood modules and a template-push system for rotating HTTP 
 payloads. The proxy service had become a dual-purpose attack platform.\n\n
 This lightning talk traces the operator architecture from proxy to botnet:
  the ENS update manifest\, the IPFS distribution pipeline\, and the moment
  the operator decided bandwidth monetization wasn't enough.
DTSTAMP:20260429T221835Z
LOCATION:Amphitheater
SUMMARY:LT03-ENS\, IPFS\, and a custom mesh network walk into a botnet - J
 érôme Meyer
URL:https://cfp.botconf.org/botconf-2026/talk/N88ZFD/
END:VEVENT
END:VCALENDAR