Registration
- Main conference takes place from 21st to 23rd of May 2025
- Workshops are on 20th May - You will need to purchase additional tickets (to be made available as soon as we confirm the speakers)
- Early bird tickets are in limited capacity and are offered on a first come first serve basis [SOLD OUT]
- If you want to invite a guest at the Gala reception on Thursday 22nd, please purchase an optional Gala ticket
Schedule (to be announced)

Solomon Sonya 🗣
Abstract
Malware creation and proliferation is on the rise! Generative AI and large language models (LLMs) exacerbate this issue by assisting in malware code creation and automating malware binary development, accelerating the spread of malicious software. Traditional detection mechanisms, including antivirus software, fail to adequately detect novel and varied malware. While academia & industry have studied malware classification techniques for many decades, challenges such as malware dataset standardization, sample diversity, and dataset sample size have limited the generalizability and effectiveness of these classification techniques using updated, real-world datasets. This is a practical hands-on talk in Artificial Intelligence and Natural Language Processing (NLP) that teaches the audience exactly how to analyze malware using NLP and build AI classifiers for malware detection and malware family attribution. Participants will walk away with new state-of-the-art AI models to analyze malware using NLP, starting from a corpus of malicious binaries and ending with analysis from our AI models. More importantly, participants will learn how to convert these advanced frameworks into any domain in cybersecurity. Many people like to say they “use AI”, without truly knowing what is going on. This talk will actually teach and demonstrate how to code and train these AI models and apply these models to solve real world problems.


Muhammed Irfan V A 🗣 | Avinash Kumar 🗣 | Nirmal Singh
Abstract
The escalation of cyber threats in recent years has introduced malware with advanced capabilities. Among these, backdoor malware has evolved significantly and new families of backdoor malware have surfaced, showcasing capabilities that threaten organizations worldwide. This research paper provides an in-depth analysis of three campaigns delivering backdoor malware families using VenomLNK, a Malware-as-a-Service (MaaS) tool.
Our research delves deeply into the analysis of two newly discovered backdoor malware families, providing a comprehensive look at the attack chains they utilize and the ways in which they are delivered. We also investigate motives and the threat group behind these malicious campaigns. To conduct this analysis, we collected a vast array of samples from these campaigns. By examining these samples and campaigns, we uncovered information regarding motive and victimology.
This research also covers the core features of these backdoor malware, focusing on how they communicate over networks along with the commands they support. These commands include executing shell commands, Proxying traffic and many other intriguing commands. We also provide a detailed explanation of how each command works and its specific role within the malware.


Antonis Terefos 🗣 | Alexandr Shamshur
Abstract
In this presentation, we will discuss our recent discovery of a novel malware-loading technique that leverages the Godot Engine—a popular open-source game development platform—to execute malicious commands and deliver payloads through crafted GDScript code. This method, deployed via a loader dubbed GodLoader, has remained largely undetected by antivirus solutions on VirusTotal and has infected over 17,000 machines since June 29, 2024.
The threat actor behind GodLoader has been distributing the malware through the Stargazers Ghost Network, a Distribution-as-a-Service (DaaS) network that exploits GitHub’s community features to legitimize malicious repositories. This network utilized 200 repositories and over 225 Stargazer accounts throughout September and October to mask malware as legitimate software, targeting developers, gamers, and general users.
Godot Engine is designed for 2D and 3D game development, allowing developers to export games across multiple platforms, including Windows, macOS, Linux, Android, iOS, and HTML5. This cross-platform functionality, combined with the engine’s Python-like GDScript, can enable attackers to effectively deploy malware across diverse operating systems.


Shun Morishita 🗣 | Satoshi Kobayashi | Eisei Hombu
Abstract
In recent years, IoT malware frequently launches DDoS attacks, causing massive damage to ISPs. Since Mirai and its variants account for the vast majority of IoT malware, security researchers develop configuration extraction tools to understand its characteristics. However, since Mirai is built on diverse architectures (e.g., ARM, MIPS, and PowerPC), developing such tools is challenging. Indeed, existing tools only support one or two architectures.
In this study, we utilize the Ghidra decompiler and its intermediate representation P-Code to reduce architecture-dependent code, and develop a Mirai configuration extractor, “mirai-toushi”, that supports 8 architectures.
To evaluate mirai-toushi against real-world malware, we applied mirai-toushi to 2,426 samples collected by honeypots/IPS from March 2020 to March 2024. The existing tool extracted 673 tables containing data such as C2 server destinations and DoS parameters, while mirai-toushi extracted 1,743 tables. In addition, mirai-toushi extracted 1,641 password lists. The results show that mirai-toushi can extract Mirai configurations effectively. To be widely used by security researchers, we have made mirai-toushi publicly available on GitHub.


Masaki Kubo 🗣 | Yuki Umemura 🗣 | Yoshiki Mori | Hideyuki Furukawa | Kanta Okugawa
Abstract
Since December 2021, we have been investigating DVRs that have been exploited as DDoS launchpads, impacting ISP networks. Our initial discovery came from external information provided by an ISP, revealing that infected devices do not propagate scans like Mirai. As a result, infections spread covertly and remain undetected.
The attackers identify research target devices by using passive scan data such as Shodan/Censys, as well as internet scanning. After identifying the target, they launch attacks exclusively against these specific devices. This focused targeting makes it impossible to observe the campaign through general honeypots: to observe the actual attacks, the honeypot must return the actual response, and unless the actual target is known, it is difficult to emulate. Using information from external sources, we have identified the targeted devices/brands, purchased them, and initiated direct analysis. Over the past three years, each time a new device was identified as a target, we acquired the physical hardware for analysis. This approach allowed us to investigate the ecosystem of the IoT bot:
- the global distribution of targeted devices
- Chinese, Korean, and Taiwanese OEM vendors and their rebranded ODM products
- the zero-day vulnerabilities exploited by attackers
- attack tools (obtained from confiscated attack infrastructure)
- and malware characteristics.
In this presentation, we will share the findings and insights gained from our three-year investigation and analysis.


Kyle Cucci 🗣
Abstract
A new era of malware distribution is here, where “ghost”/bot accounts spread malicious links across multiple platforms. The Ghost Network is a sophisticated operation using fake and compromised accounts to act in a legitimate way while spreading and promoting malware. The first discovered Ghost Network operates on GitHub. The operator behind Stargazers Ghost Network controls over 30,000 GitHub accounts, driving rapid infections and generating significant profits in a remarkably short period. What makes this operation particularly dangerous is its ability to bypass platform defenses, minimizing the impact of any countermeasures imposed by GitHub. The continuous activity and low downtime of the distribution process allow the malware campaign to persist with little interruption. The success of the original GitHub-based Ghost Network has spurred its expansion to multiple other platforms, broadening the reach of this insidious malware distribution method and making it harder to contain.


Antonis Terefos 🗣
Abstract
A new era of malware distribution is here, where “ghost”/bot accounts spread malicious links across multiple platforms. The Ghost Network is a sophisticated operation using fake and compromised accounts to act in a legitimate way while spreading and promoting malware. The first discovered Ghost Network operates on GitHub. The operator behind Stargazers Ghost Network controls over 30,000 GitHub accounts, driving rapid infections and generating significant profits in a remarkably short period. What makes this operation particularly dangerous is its ability to bypass platform defenses, minimizing the impact of any countermeasures imposed by GitHub. The continuous activity and low downtime of the distribution process allow the malware campaign to persist with little interruption. The success of the original GitHub-based Ghost Network has spurred its expansion to multiple other platforms, broadening the reach of this insidious malware distribution method and making it harder to contain.


Chetan Raghuprasad 🗣
Abstract
In recent years, Vietnamese cybercrime groups have significantly advanced their capabilities, acquiring sophisticated tools and tactics that have enhanced their operational success. The pandemic era marked a turning point, as these groups expanded their credential theft operations to a global scale, discovering innovative methods to breach corporate firewalls worldwide, thereby facilitating further criminal activities such as ransomware and information-stealing attacks.
Since the close of 2023, our research has unveiled at least three hacking groups, originating from Vietnam, that are targeting a majority of Asian countries and select European nations. Driven by financial motivations, these groups are primarily focused on stealing credentials, financial data, and social media accounts, including those related to business and advertising. This presentation will expose the vast criminal enterprise these groups have constructed, detailing their comprehensive software stacks, networks, and their sophisticated techniques, tactics, and procedures (TTP). Through multiple case studies, we will illustrate the execution of information stealer attacks by Vietnamese cybercriminals, including the deployment of infostealers, the use of rare living-off-the-land binaries (LoLBins), data exfiltration strategies, and the exploitation of legitimate services for hosting command and control (C2) configuration files.
Additionally, we will reveal several newly discovered malware families, such as RotBot (a modified version of QuasarRAT), the XClient stealer, and the PXA_BOT stealer. The presentation will conclude with strategic approaches to mitigating info stealer attacks, equipping attendees with actionable insights to fortify defenses against these emerging threats. This compelling exploration not only highlights the evolving landscape of Vietnamese cyber threats but also underscores the critical need for proactive cybersecurity measures.


Pierre Marty 🗣 | Romain Guittienne 🗣 | Quentin Jacqmin | Jean-Yves Marion | Fabrice Sabatier
Abstract
We introduce GoaTracer, a hybrid dynamic binary analysis platform combining instrumentation and introspection to efficiently reconstruct Control Flow Graphs and Call Graphs of Windows Portable Executable files. GoaTracer minimizes execution slowdowns, tracks obfuscated and self-modifying code, and bypasses anti-analysis measures, offering a comprehensive view of malware behavior.


Daji Ren 🗣
Abstract
DDoS botnet attackers have consistently been in the spotlight of cyber threats, generating significant headlines over the past year. Telegram’s lenient content regulation has facilitated the growth of numerous related criminal groups. Meanwhile, the development of ChatGPT has demonstrated major advancements in natural language processing, with the potential to greatly enhance human productivity. So, what kind of sparks might fly when these three elements converge?
The theme of this presentation is to introduce how our team leverages the capabilities of ChatGPT to monitor botnet ecosystem activities, especially DDoS botnets and other illegal activities on Telegram. We will also outline our approach to building an automated monitoring system. We will showcase some high-value data we have collected and share observations on botnet ecosystem activities based on over 900 chats among 800+ botnets. During this process, you will learn how we promptly identified and linked two major botnets behind significant events.
For a long time, public understanding of the botnet-related ecosystem has been rather vague. Despite our extensive work and numerous blog publications, our analyses primarily focused on samples and vulnerability propagation. However, Telegram has provided an excellent platform that allows us to gain a deeper understanding of the DDoS-botnet ecosystem. Through this presentation, the audience will learn how to incorporate Telegram monitoring into their routine botnet tracking processes and build an automated system to monitor the illegal activities of numerous criminal groups on Telegram in real-time. By combining AI to analyze behavior and extract desired data, it is even possible to further analyze global trends and activities of attackers.


Sathwik Ram Prakki 🗣 | Kartik Jivani 🗣
Abstract
In the aftermath of the disclosure of vulnerabilities within WinRAR, a concerning trend has emerged wherein multiple advanced persistent threat (APT) groups and malicious actors have leveraged these weaknesses to launch targeted attacks on critical sectors spanning various nations. This presentation delves into the exploitation of a specific WinRAR vulnerability, CVE-2023-38831, offering insights into the vulnerability and the tactics employed by threat actors who disseminate malicious ZIP archives through phishing campaigns.
Focusing on a notable case study involving the SideCopy APT, this talk explores the intricacies of how WinRAR is weaponized to compromise the security of entities in India. The examination includes a deep dive into six different clusters of this APT and a detailed dissection of payloads strategically deployed in a sophisticated multi-platform attack campaign featuring diverse decoys and a consistent naming convention throughout 2024. Furthermore, this presentation sheds light on the discovery of the infrastructure utilized by SideCopy APT, revealing insights into the group’s modus operandi. It specifically focuses on compromised domains with shared IPs used across multiple campaigns throughout the year; the targeting of government, maritime and even education sectors; and the many correlations, such as shared code & infrastructure, with the parent APT group Transparent Tribe (APT36) and Operation RusticWeb.


Tristan Pourcelot 🗣 | Stéfan Le Berre 🗣
Abstract
As threat hunters, we are often faced with the problems of analyzing many malicious binaries, related or not. Some of the problems encountered range from classifying a sample to a known family, identifying common functions or used libraries, to finding a unique function across a large set of samples. Building on our experience with Machoc, a CFG matching algorithm published in 2016, our aim was to solve these problems while scaling our malware collection to tens of thousands of samples.
We will present the techniques we developed in order to scale Machoc comparison, and also an overview of a new algorithm we developed to identify common functions in a large dataset.


Dario Ferrero 🗣 | Maarten Weyns 🗣 | Harm Griffioen
Abstract
The past decade has seen the proliferation of Botnets that propagate by scanning the Internet for vulnerable devices. This diffusion has been fueled by the poor adoption of security practices in IoT devices, such as weak default passwords and sporadic software updates, as well as the popularization of tools for fast scanning of the entire IPv4 address space. The capabilities of this threat have been showcased multiple times, in particular through Distributed Denial of Service (DDoS) attacks aimed at major institutions like news outlets and DNS providers. With the public release of the Mirai source code in 2016, the popularity of botnets has reached a new peak, leading to the appearance of a vast number of more or less successful malware variants based on the original. In an Internet landscape still largely populated by vulnerable devices, it is therefore critical for security practitioners to keep up with the latest developments of Botnets together with the Tactics, Techniques and Procedures they might introduce.
With this presentation, we outline a months-long study of the Gorilla Botnet that combines the deployment of IoT Honeypots, monitoring of live samples from a sandboxed environment, and analysis of Internet scans collected in a large darknet. We show the targets of the attacks and the potential attack sizes, and investigate the behavior of targets under attack. The victimization of this botnet shows how a DDoS-as-a-Service is used and what common targets for such networks are. The sheer amount of DDoS attacks performed by this network is staggering, and we aim to investigate whether these attacks are successful.
During the presentation, we will outline the datasets that we are using to track the Gorilla Botnet operations and will share key insights learnt from the DDoS attacks performed by clients of the botnet. The presentation focuses on tracking the botnet, its attacks, and estimating the impact of the attacks.


Julien Dugay 🗣 | Félix Guyard 🗣
Abstract
In this presentation we will cover how we could retrieve the latest C2s published by the admins of the DDOSIA project as soon as a C2 is taken down. We will touch on the custom Docker-based sandbox we implemented for real-time target collection of DDOSIA’s victims, thanks to a collaboration with a fellow at the ForensicXlab, which we will compare to other methodologies from the literature.


Chris Formosa 🗣
Abstract
Proxy services have become a primary tool for many threat actors to obfuscate their tracks, due to their low prices and access to clean residential IPs in many locations. Although the “ngioweb” botnet has been around for seven years, it took until 2024 to uncover how it was powering one of the most notorious criminal proxy services in the world, known as “NSOCKS,” boasting a daily average of 35000 proxies in 180 countries. Join us as we discuss how we spent over a year researching this botnet and understanding how we could and did intervene to slow it down.
In this talk we will explore why malicious proxy services like NSOCKS are becoming more popular and show how dangerous they can truly be. First, we will show why many threat actors prefer using this proxy service, while describing how it was being abused by separate entities to launch DDoS attacks, create new proxy services, and obfuscate malware traffic. With this background in mind, we will explain the ngioweb botnet architecture which consists of three different command and control (C2) layers encompassing over 220 active C2s at its peak. We also show how the malware has been developed and changed over the years to become extremely resistant to takedown efforts.
We will bring this all together to then discuss how we worked with many different organizations to coordinate a severe disruption to this service and botnet, and what we learned along the way. We will focus on understanding how public and private sector entities can work together to disrupt botnets and malicious activity – not only in this case, but for many more like it even when a full-scale takedown is not an option.


Olivier Bilodeau 🗣 | Estelle Ruellan 🗣
Abstract
Modern information stealers have evolved far beyond simple credential harvesters into sophisticated tools that capture complete digital profiles of their victims. Our deep-dive dissects the anatomy of stealer malware, exploring infection methods, attack chains, and the vast criminal ecosystems enabling their proliferation.
Through analysis of real-world compromises, including timestamped desktop screenshots at infection, we demonstrate how threat actors exploit compromised ad networks and trojanized software for mass deployment. We present case studies of campaigns targeting unauthorized distributions of Microsoft Office and MidJourney, revealing how attackers manipulate trust and human behavior.
We examine the Operation Magnus takedown, a collaborative effort with ESET and law enforcement, which exposed the sophisticated infrastructure of modern criminal enterprises. Drawing from extensive stealer log analysis, we demonstrate how these threats bypass multi-factor authentication, compromise password managers, and extract cryptocurrency wallets. Additionally, we analyze Chrome’s application-bound encryption and explain why its circumvention paradoxically creates new detection opportunities.
Our investigation uncovers unique stealer logs from C2 operators who inadvertently infected themselves, providing unprecedented insight into the backstage operations of cybercrime ecosystems. We profile the “Malware Maestro,” an advanced threat actor orchestrating multiple malware families—Private Loader, Mystic, Asuka, and Raccoon Stealer—to build a resilient criminal infrastructure.
To empower security practitioners, we’re releasing two community resources: a curated dataset of stealer logs for research and a PowerShell framework for automated credential testing against Entra ID. This comprehensive analysis and toolset equip defenders with practical insights to detect, defend against, and disrupt one of today’s most consequential yet underexamined threats.


Alex Turing 🗣
Abstract
With the rapid proliferation of internet-connected devices, cybercrime groups have expanded their reach to increasingly diverse targets. While IoT-based botnets are common, large-scale infections involving set-top boxes (STBs) and TVs remain rare, especially at the scale of millions of devices. Enter Bigpanzi, a notable exception in this landscape. This group operates multiple million-scale botnets, including Pandoraspear and Pandorapcdn, and is closely linked to the recently uncovered v01d botnet, which has infected nearly 1.6 million devices across 220 countries worldwide. Their operations encompass traffic proxy services, DDoS attacks, and OTT content delivery, showcasing their persistence and profitability.
Bigpanzi stands apart for three key reasons:
1. Long-term activity: Evidence traces its operations back to 2015.
2. Massive scale: Sinkhole analysis reveals over one million daily active nodes.
3. Unique targets: Focused infections on Android-based TVs, eCos-based STBs and satellite receivers.


Alexey Bukhteyev 🗣
Abstract
Careful monitoring of malicious campaigns can sometimes uncover surprising discoveries. Our latest research revealed that even skilled cybercriminals, despite their meticulous efforts to stay in the shadows, can commit critical security blunders. This presentation unveils the discovery and analysis of Styx Stealer, a new malware variant derived from the infamous Phemedrone Stealer. Our investigation not only dissects the technical capabilities of Styx Stealer but also exposes significant missteps by its developer, leading to the unmasking of associated cybercriminals and their operations.
Styx Stealer emerged in early 2024 as a powerful malicious tool capable of exfiltrating sensitive information, including saved browser credentials, data from browser extensions, cryptocurrency wallet data, and sessions from messaging platforms like Telegram and Discord. Technically, Styx Stealer retains the core functions of its predecessor while incorporating new features such as a clipboard monitor, crypto-clipper, advanced sandbox evasion, and anti-analysis techniques. Despite its relatively recent appearance, we observed its deployment in spam campaigns targeting various sectors throughout 2024.
This investigation helps us better understand the inner workings of cybercriminal operations, both from the perspective of malware developers and distributors. It also serves as a warning to cybercriminals: they can never be certain where and what traces they leave behind, what mistakes they make, and that even over time, their actions and identities can be uncovered.


Fabian Marquardt 🗣 | Andreas Petker 🗣
Abstract
Our work focuses not on the malware itself, but on the infrastructure and methodology used to orchestrate the malware distribution and operation. We show through correlation of both TTPs and infrastructure that there exist strong ties between current activities involving Latrodectus malware and past campaigns spreading malware such as Bumblebee and IcedID, which were recently subject to a coordinated law enforcement operation named “Operation Endgame”. Our work suggests that key actors involved in dropper malware distribution, such as TA577, remain largely unaffected by these operations and continue to spread similar malware with only minor infrastructure and TTP changes.


Souhail Hammou 🗣
Abstract
Over the last few years, a significant part of our malware tracking efforts has focused on monitoring backconnect proxy malware families. What began in 2021 as an experiment with the SystemBC malware family has evolved into a project for monitoring multiple proxy botnets. Its primary aim has been to investigate proxied traffic with a particular focus on capturing spam campaigns. In 2024, we expanded our capabilities to monitor residential proxy providers suspected of facilitating spam.
This talk will share findings from our monitoring efforts and provide technical insights into impactful backconnect malware families and residential proxy providers.


Shohei Hiruta 🗣 | Yuki Umemura | Masaki Kubo | Nobuyuki Kanaya | Takahiro Kasama
Abstract
Malware sandboxes are essential tools for malware analysis, allowing researchers to execute malware in controlled environments to reveal its behavior, communication destinations, and configuration settings. Due to their convenience, a wide variety of both free and commercial sandboxes are available. However, existing sandboxes face three major challenges: limited execution time for malware, inflexible execution environments, and restricted logging capabilities. To address these limitations, we developed a highly functional sandbox that eliminates execution time restrictions, allows for flexible configuration of execution environments, and provides real-time comprehensive logging. This sandbox is currently in operation at over 50 Japanese companies.
We have been operating this sandbox with improvements, and now we need to evaluate whether these functions are effective. Therefore, we evaluated our sandbox from two perspectives:
- Can we observe the activity of the attacker behind malware?
- Is the observed activity unobservable by existing sandboxes?
A remote access trojan (RAT), which can control an attacker-infected machine, was appropriate for this evaluation.
We conducted an analysis using RATs collected over a six-month period in our sandbox. As a result, we were able to observe four types of attacker activity through the RATs. We also found that these activities occurred more than an hour after the RAT had connected to the command and control (C2) server. These activities are impossible to observe with existing sandboxes. Finally, we discussed how to improve and operate our sandbox based on these results in the future.


Kevin Ratto 🗣
Abstract
In late 2022, an unidentified AutoIt-based eCrime stealer was observed in the wild; it was named Doit. The malware was initially delivered via email spam campaigns targeting users from Chile, Mexico and Peru. In 2023, Doit shifted to exclusively target Mexico using phishing websites and search-engine optimization (SEO) poisoning. Doit aims to steal sensitive user data, install Chrome enrollment tokens, download additional components, and likely install actor-controlled browser extensions.
In the span of two years, Doit has been rewritten twice—from an AutoIt-based stealer (version 1.0) to a C++ rewrite (version 2.0)—to be now a convoluted modular C++ malware (version 3.0), which is more technically complex than its earlier versions. The malware now consists of more than 10 modules which are dependent on each other, as the result from the previous module is used to execute the following one. While the previous AutoIt and C++ versions are no longer active, the latest modular C++ version is still actively distributed as of this writing.
This presentation covers Doit’s evolution since it was first observed, including:
- A chronological view of the malware evolution from the first AutoIt version to the modular C++ version
- Detailed description of delivery methods to distribute the malware to Latin American (LATAM)-based users
- A deep dive into the convoluted execution process for the modular C++ version, describing several anti-analysis and evasion techniques
The audience will gain a better understanding of Doit’s technical development, uncommon techniques for LATAM-focused malware, and insights into how a threat actor targeting users in LATAM operates.


Kseniia Naumova 🗣
Abstract
Today most malware and botnets use network communication for tasks such as downloading malicious files, sending stolen data, receiving commands from the C2, etc. Researchers worldwide analyze millions of network traffic streams daily to search for potential anomalies (in other words, suspicious communications). Nevertheless, hackers have long used various techniques not only to obfuscate the malware itself to make reverse engineering more difficult but also to hide C2 communication. Backdoors, bankers, botnets, loaders, spyware, stealers, and RATs… it has become more difficult to detect them in the network: some use encryption, others – custom protocols, and others – different obfuscation techniques. However, the main advantage of the network is that despite the attackers’ attempts to hide in it, their presence does not disappear, which means it can be detected. The question is – how?
During this session, you will learn: why DNS tunneling gives itself away, why symmetric encryption is not a barrier to detection, how to deal with fragmentation using rules, the main disadvantages of steganography in network traffic, and why TLS encryption will no longer save cybercriminals.
I will talk about these and other techniques, the ones most frequently used in the current malware ecosystem and by known APT groups, during this presentation, and will also provide various detection methods that actually work – from using the possibilities of Suricata rules to fuzzy hashes and scripting modules – to detect them all!

Tuesday 20th May 2025 - Workshops

Kyle Cucci 🗣 | Randy Pargman 🗣
Abstract
Ready to dive into the world of malware evasion techniques? This hands-on workshop will give students the tools and skills to spot and defeat evasion tricks used by malicious code. Split into three “modules,” the workshop will take you through a journey of analyzing malware with free, open-source tools. You’ll tackle evasion techniques head-on, learning how to see through the malware’s tricks and gain a deeper understanding of its behavior.
Expect a mix of instructor-created malware (with code to analyze alongside the samples) and real-world malware found in the wild. By the end, you’ll walk away with a collection of malware samples, pages of code, and the expertise to continue your analysis at home. Plus, you’ll have the know-how to bypass common anti-analysis and evasion methods that malware uses to sneak past sandboxes and endpoint defenses. Are you ready to level up your malware analysis skills? Let’s dive in!
