Botconf 2023 – List of workshops and talks

Additional talks will be added as soon as they are confirmed. This is the current list as of February 7th 2023.

Workshops (11th April)

Specific tickets should be purchased in addition to the main conference tickets to attend one of the following workshops:

  • Workshop 1 (5 hours): “One SMALI step for man, one giant step for researchers”, Gabriel Cirlig
    This will be a simple and short introduction into Android reverse engineering, taking the student from zero to hero. No previous reversing knowledge is required and all of the tools will be provided in the form of a VM packed with goodies. The course will cover the basics of Android, APK structure, DEX file internals and how this can be exploited in order to decompile and deobfuscate malware. In addition, hands on exercises will be provided with fresh malware samples where the knowledge can be put to good use in extracting C2s and other interesting information.
    The course aims to introduce people into the world of Android reversing. It will be a mostly hands on experience with just enough theory to provide the student a solid base upon to build their reversing skills. The course covers spotting suspicious samples, C2 deobfuscation, secondary payload extraction through both static and dynamic analysis.
  • Workshop 2 (5 hours): “Malware forensics from a distance”, Vitaly Kamluk and Nicolas Collery
    This workshop aims to share knowledge of live triage and analysis of remote compromised systems to assist incident response, digital forensics, or malware discovery and in-place analysis. There are many other applications of the techniques and tools that the participants are encouraged to explore on their own. Although the knowledge shared during the workshop can be applied independently of the tools proposed, it starts with the attendees building their own toolkit for remote threat reconnaissance. It features Bitscout, a project based on a collection of free open-source software for Linux, that is extendable with any set of tools the analyst wants to embed before or in the middle of the operation. Incident response to live cyberattacks requires silent navigation through compromised assets, sometimes in large distributed networks. The popular approach relies on EDR or other live agent-based solutions. However, the activation of security agents and obvious activities on live compromised systems may trigger alerts of advanced threat actors. Once alerted, a clean-up operation and destruction of evidence can happen. Moreover, offline system analysis may not be easy due to the physical distance to the compromised system or scale of the network. This is where remote stealthy threat discovery with “scoutware”, software for threat hunting and instant system analysis, becomes incredibly useful. Bitscout, used for the workshop, is just one such toolkit. In addition to working with local virtual machines during the workshop, the attendees will be provided with access to 60+ live servers to be analyzed simultaneously to simulate large-scale compromise – online access will therefore be required.
  • Workshop 3 (3 hours): “Using systematic code reuse analysis to create robust YARA rules”, Jonas Wagner and Endre Bangerter
    YARA is a commonly used tool to detect and identify malware. There are roughly two types of YARA rules used on binary files: 1) based on metadata and strings and 2) based on code. There are certain benefits by basing YARA rules on code. Since code reuse is frequent amongst binaries of a malware family, it offers plenty of options to base a YARA rule on. If the chosen code is heavily reused amongst the binaries, then it can result in very robust rules. This approach comes with certain challenges. A key aspect is being able to find heavily reused code amongst many binaries of a malware family. Unless some sort of automation is at play, this quickly becomes difficult and time-consuming. Once suitable reused code is identified, it needs to be turned into a YARA rule, so that it works even when compiler differences, optimizations or instruction set changes are involved. In this workshop we will create robust YARA rules for a handful of malware families based on automatically identifying shared code between many binaries of a family.

Main Conference (12th April – 14th April)


  • ” Security Implications of QUIC”, Paul Vixie and Ben April


  • “MCRIT: The MinHash-based Code Relationship & Investigation Toolkit”, Daniel Plohmann, Manuel Blatt and Daniel Enders
  • “RAT as a Ransomware – An Hybrid Approach”, Dr. Nirmal Singh, Avinash Kumar and Niraj Shivtarkar
  • “You OTA Know: Combating Malicious Android System Updaters”, Alec Guertin and Łukasz Siewierski
  • “Life on a Crooked RedLine: Analyzing the Infamous InfoStealer’s Backend”, Alexandre Côté Cyr and Mathieu Lavoie
  • “Syslogk Linux Kernel Rootkit – Executing Bots via “Magic Packets””, David Álvarez Pérez
  • “Yara Studies: A Deep Dive into Scanning Performance”, Dominika Regéciová
  • “When a botnet cries: detecting botnets infection chains”, Erwan Chevalier and Guillaume Couchard
  • “Operation drIBAN: insight from modern banking frauds behind Ramnit”, Federico Valentini and Alessandro Strino
  • “Bohemian IcedID”, Josh Hopkins and Thibault Seret
  • “Digital threats against civil society in the rest of the world”, Martijn Grooten
  • “Asylum Ambuscade: Crimeware or cyberespionage?”, Matthieu Faou
  • “Boss, our data is in Russia – a case-based study of employee criminal liability for cyberattacks”, Olivier Beaudet-Labrecque, Luca Brunoni and Renaud Zbinden
  • “Perfect Smoke and Mirrors of Enemy: Following Lazarus group by tracking DeathNote campaign”, Seongsu Park
  • “From GhostNet to PseudoManuscrypt – The evolution of Gh0st RAT”, Souhail Hammou and Jorge Rodriguez
  • “Iron Tiger Enhances its TTPs and Targets Linux and MacOS Users”, Daniel Lunghi
  • “Read The Manual Locker: A Private RaaS Provider”, Max ‘Libra’ Kersten
  • “Tracking residential proxies (for fun and profit)”, Michał Praszmo and Paweł Srokosz
  • “Catching the Big Phish: Earth Preta Targets Government, Educational, and Research Institutes Around the World”, Nick Dai, Vickie Su and Sunny Lu

Short presentations

  • “Ransom Cartel trying not to “REvil” its identity”, Jérémie Destuynder, Alexandre Matousek
  • “A dissection of the KmsdBot”, Larry W. Cashdollar and Allen West
  • “Cyber Swachhta Bharat- India’s answer to botnet and malware ecosystems?”, Pratiksha Ashok
  • “Key results and limitations in applying Natural Language Processing and Association Rules to Tactical Cyber Threat Intelligence”, Ronan Mouchoux and François Moerman
  • “Tracking Bumblebee’s Development”, Suweera De Souza
  • “The Case For Real Time Detection of Data Exchange Over the DNS Protocol”, Yarin Ozery
  • “The Plague of Advanced Bad Bots : Deconstructing the Malicious Bot Problem”, Yohann Sillam
  • “The Fodcha Botnets We Watched”, Lingming Tu and Wenji Qu

Lightning talks

All participants to the conference are invited to propose a 3 minutes talk on any topic relevant to the conference audience. The session will start with a short invited talk.

  • Introductory talk: “A student’s guide to free and open-source enterprise level malware analysis tooling”, Max ‘Libra’ Kersten

Additional papers

The programme committee has accepted additional papers to be published in the conference proceedings, but that will not be presented in the official programme.

  • “Conti ПАО: Uncovering Conti’s internal organization with machine learning”, Estelle Ruellan, Masarah Paquet-Clouston and Sebastian Garcia
  • “Incremental clustering of malware packers using features based on transformed CFG”, Ludovic Robin, Corentin Jannier and Jean-Yves Marion

Print Friendly, PDF & Email