BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.botconf.org//botconf-2026//talk//PAF7CV
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-botconf-2026-PAF7CV@cfp.botconf.org
DTSTART;TZID=CET:20260416T163200
DTEND;TZID=CET:20260416T163500
DESCRIPTION:Early February\, we identified 2 DLL samples impersonating legi
 timate products and tools uploaded from Kazakhstan to a popular online fil
 e analysis platform. These DLLs notably provide an operator with command e
 xecution and file download capabilities\, and rely on Telegram for C2 comm
 unication.\n\nWe were able to retrieve the operators' activity log from th
 e Telegram channels\, as well as some of the intended next stages. These l
 ogs gave us some insights into the compromised organizations and the likel
 y targeting. It also revealed the struggle the operators went through to a
 ttempt to run their downloaded next stages\, ultimately failing to do so.\
 n\nIn this lightning talk\, we will present the operators' activity journa
 l associated with 2 different machines\, highlighting the failed attempts 
 to run the next stages\, their troubleshooting attempts and the culminatio
 n of their frustration resulting in very noisy activity.
DTSTAMP:20260429T221828Z
LOCATION:Amphitheater
SUMMARY:LT05-One day in the life of a threat actor targeting Kazakhstani di
 plomatic entities - Pierre Lorinquer
URL:https://cfp.botconf.org/botconf-2026/talk/PAF7CV/
END:VEVENT
END:VCALENDAR