Schedule
<Talks_That_Break_Boundaries/>
08:30
–
08:45
Lilla Szervátiusz – Opening Ceremony
08:45
–
09:25
Ignat Korchagin – What is Linux kernel keystore and why you should use it in your next application
Did you know that Linux has a full-featured keystore ready to be used by any application or service it runs? …
Applications can securely store and share credentials, secrets and cryptographic keys, sign and encrypt data, negotiate a common encryption key – all this by never touching a single byte of the underlying cryptographic material.
This is especially useful in the post-heartbleed and cloud-native environments, where services authenticate and securely talk to each other using some kind of credentials. But if a network-facing service also has some secret in its process address space, it sets itself up for a security failure as any potential out-of-bounds memory access vulnerability may allow the secret to be leaked. Imagine a world where you don’t have to run an SSH agent just to protect your SSH keys.
On top of keeping your secrets secret Linux keystore nicely integrates with specialized security hardware, like TPMs and HSMs and may provide a single entry point on the system for applications to obtain their secrets. Thus Linux keystore is a very useful building block for a corporate key management system.
09:30
–
10:10
Roland NagY – How to find rootkits in the Linux kernel
Malware is an age-old problem of IT systems, and apart from a few notable examples, they don’t want to be found…
Many samples use cheap tricks, like renaming their processes, packing or injecting code into other processes. Rootkits, however, take this to a whole new level, and can achieve total invisibility, by tampering with the deep layers of the operating system to hide processes, files or whatever resources an attacker wants to hide. On Linux, they are typically implemented in Loadable Kernel Modules, like drivers, and they often hide these modules as well.
Throughout the years, many techniques were developed to detect traces of rootkit infection, but typically this is all they do: detect the fact that an infection happened. In this talk, I present a tool, that I developed, that not only detects rootkit infections but finds their hidden modules and enable deeper investigation of them as well.
10:10
–
10:20
Cofee Break
10:20
–
11:00
Bianka Bálint – Demystifying Internal Threat Intelligence
Presenting the advantages and pitfalls of different CTI integration approaches through practical examples collected during the rollout and initial phases of CTI programs…
Showing the importance of internal threat intelligence, and collaboration opportunities with other teams like the SOC.
11:05
–
11:45
Konrad Jędrzejczyk & Marek Zmyslowski – AI in Adversarial Hands
Masterminds and Machines
Artificial Intelligence (AI) is a powerful technology, yet in the wrong hands it becomes a formidable weapon…
This presentation examines how malicious actors leverage AI to orchestrate cyberattacks, manipulate opinions, and spread misinformation. Drawing on real-world cases and technical insights, we’ll explore how AI systems can be co-opted for hacking and other nefarious activities.
Throughout the discussion, we’ll address the complex interplay between AI’s benefits and its risks, highlighting the psychological and social implications of AI-driven manipulation. We will also touch on vulnerabilities within AI systems and the critical need to distinguish between theoretical threats and realistic, imminent dangers. Attendees will leave with a deeper understanding of the offensive applications of AI and the urgent necessity of bolstering defenses in a rapidly evolving technological landscape.
11:50
–
12:30
Tobias Schrödel – Real RansomChats
This session is LIVE ONLY and will not be recorded or accessible afterward.
After a ransomware attack, victims have to deal with cybercriminals…
Talks are normally done via a secured chat system. In this talk Tobias will share real chats of some famous ransomware gangs with their victims. He shows, how negotiations went and that – sometimes – talks went really crazy with relentless gangs. Be curious, these conversations don’t take place at the kitchen table.
12:30
–
13:30
Lunch Break
13:35
–
13:55
Szilárd Pfeiffer – TOTP is not a silver bullet
14:00
–
14:40
Sean Hopkins – Full Stack Red Team
From Code to Hardware
This session is LIVE ONLY and will not be recorded or accessible afterward.
Modern red team operations require a comprehensive approach that spans the entire attack surface – from supply chain compromise to physical access…
This presentation demonstrates advanced multi-vector techniques that combine software exploitation, infrastructure targeting, and operational security to achieve persistent access in enterprise environments.
We’ll explore practical methods for compromising development workflows through GitHub Actions poisoning and repository enumeration, deploying covert physical devices with sophisticated network evasion techniques, and harvesting high-value credentials from memory. Additionally, we’ll cover essential OPSEC practices including containerized proxying to protect red team infrastructure during operations.
Attendees will learn how to chain these techniques together for maximum impact while maintaining operational security throughout the engagement lifecycle.
14:40
–
14:50
Reboot
14:50
–
15:30
Vikas Khanna – Unlocking the Gates
Understanding Authentication Bypass Vulnerabilities
15:35
–
16:15
Dániel Markovics, János Kovács, Maksa Dominik – Where the treasure is
Security Scanning the DICOM stack of Medical IT environments
The DICOM standard is used for implementing the communication and management of medical imaging information…
— the data that is the basis for diagnosing patients and determining their treatment. The DICOM stack is known to be subject to a number of vulnerabilities. Those could permit harm to all security aspects of the patient data. This presentation gives a quick dive in the DICOM standard, then enumerates some of the most prevalent known vulnerabilities related to it. Finally, it demonstrates a security scanning strategy that enables the timely discovery of insecure configurations of DICOM servers that would open up the gates to adversaries and allow then to harm patients.
16:20
–
17:00
Shahmeer Amir – Hack the Sky
Exploring Satellite Vulnerabilities and Cyber Threats
In an age where satellites orbiting Earth play an indispensable role in our daily lives, they have become prime targets for cyber threats…
This presentation, titled “Hack the Sky,” delves into the captivating and concerning world of satellite hacking, shedding light on the vulnerabilities and cyber threats that loom above us in the boundless expanse of space.
As we increasingly rely on satellites for communications, navigation, weather forecasting, and global connectivity, their security is paramount. This presentation unravels the complex landscape of satellite vulnerabilities, discussing the potential consequences of unauthorized access, manipulation, or disruption of satellite systems.
We will explore the tactics, techniques, and procedures employed by both malicious actors and ethical hackers in probing and safeguarding these high-tech spaceborne assets. From unauthorized data interception and GPS signal manipulation to satellite hijacking and cyber espionage, “Hack the Sky” will provide a comprehensive understanding of the risks posed to our satellite infrastructure.
To defend against these threats, we will also delve into the emerging technologies and strategies employed to safeguard satellites from cyberattacks. This session aims to empower attendees with the knowledge to appreciate the scope and intricacies of satellite security, contributing to a more secure and resilient satellite ecosystem.
17:05
–
17:45
Marta Janus – AI Security Landscape
Tales and Techniques from the Frontlines
The once theoretical AI bogeyman has arrived—and it brought friends…
Over the past 12 months, adversaries have shifted from exploratory probing to weaponized exploitation across the entire AI stack, requiring a fundamental reassessment of defense postures. This presentation dissects the evolution of AI-specific TTPs, including advancements in model backdooring, LLM jailbreaking techniques, and the abuse of insecure agentic AI systems.
17:50
–
18:10
Gábor Arányi – Challenges while developing a ransomware-proof backup solution
Securing the software supply chain sounds straightforward—until you try to do it…
Between SBOMs, signed artifacts, third-party risks, and ever-growing customer demands, even well-resourced teams struggle to keep up. This talk explores the messy, expensive reality of securing the supply chain in the context of today’s secure software development lifecycle (SSDLC).
Through a fictional case study, we’ll follow one company’s attempt to build a solid supply chain security strategy—and all the ways it goes sideways. You’ll walk away with a clearer view of the standards, the gaps, and the trade-offs, plus some practical takeaways you can apply without a massive budget or a 30-person AppSec team.
18:15
–
18:20
Attila Marosi-Bauer – Closing notes
08:45
–
09:25
Aurelio Picon Lopez – At Home with the Enemy
How APTs Weaponize IoT Devices as Residential Proxies
This presentation explores how Advanced Persistent Threat (APT) actors are compromising consumer IoT devices…
—such as routers, smart cameras, and other connected hardware—to build residential proxy botnets that provide stealth, persistence, and geolocation camouflage. Drawing from unique telemetry across over 3 billion IoT devices in North America and Europe, the session presents fresh behavioral data and threat statistics observed in 2025. We’ll examine how APT groups use multi-hop relay chains, proxy-as-a-service abuse, and co-opted infrastructure to evade detection and attribution.
The talk will also provide actionable strategies for detecting and disrupting these covert proxy networks—highlighting why securing consumer IoT is now a critical piece of national and enterprise defense.
09:30
–
10:10
JÓzsef Ottucsak– The Big Software Supply Chain Security Problem
Securing the software supply chain sounds straightforward—until you try to do it...
Between SBOMs, signed artifacts, third-party risks, and ever-growing customer demands, even well-resourced teams struggle to keep up. This talk explores the messy, expensive reality of securing the supply chain in the context of today’s secure software development lifecycle (SSDLC).
Through a fictional case study, we’ll follow one company’s attempt to build a solid supply chain security strategy—and all the ways it goes sideways. You’ll walk away with a clearer view of the standards, the gaps, and the trade-offs, plus some practical takeaways you can apply without a massive budget or a 30-person AppSec team.
10:10
–
10:20
Cofee Break
10:20
–
11:00
Chen Shiri – How I took over two platforms of Google including Google Cloud, Google Collaboratory and Used It on Gemini AI
This presentation explores the world of remote code executions (RCEs) and container escapes that pose significant threats to web applications running on containers..
Revealing research on 3 different platforms of Google, that involves exploits through container attacks- Google Collaboratory- a platform for running data science and experiments, Google Cloud and Gemini AI.
We will focus on the new dangers posed by container escapes and Remote Code Executions (RCEs), we will dive into real-world examples, exploits, and practical research involving Google’s platforms. It also examines the architectural change brought about by containerization, which creates new problems and weak spots in the cyber resilience of web applications and how to utilize them to attack web applications and Microservices environments.
11:05
–
11:45
DÁniel HegeDűs – Anti-Bot Measures Gone Wild
The Rise of Legitimate Malware
11:50
–
12:30
Vincenzo Santucci – Revamping Reflection
Enhancing the Timeless Concept of Reflective Loading
12:30
–
13:30
Lunch Break
13:35
–
13:55
Dr. Matthias Keisenheimer – Your SoC implements a glitch detector?
Hold my beer!
14:00
–
14:40
Giorgio Perticone – Crafting effective Security Operations tactics
Deep Dive Forensics VS Rapid Response
In the evolving landscape of Security Operations, organizations face a critical choice: invest in deep-dive forensic capabilities or prioritize rapid response mechanisms...
This talk explores the strategic implications of both approaches, providing insights into their respective advantages and challenges. Deep-dive forensics offers thorough, detailed analysis crucial for understanding complex threats and mitigating long-term risks. However, it often requires significant resources and time. On the other hand, rapid response tools enable organizations to quickly detect and neutralize threats, minimizing immediate damage but potentially overlooking deeper systemic issues. By comparing these methodologies, attendees will gain a clearer understanding of how to balance depth and speed in their security strategies, ensuring robust protection against an ever-expanding array of digital threats.
14:40
–
14:50
Reboot
14:50
–
15:30
Ananda Krishna, Anand Sreekumar – Ghost Math: Syscall-Only Injection, Deterministic Shellcode & QUIC C2
A Full Kill-Chain that Slipped Past CrowdStrike Falcon
Can an attacker still remain invisible in a network blanketed by next-gen EDR? …
During a 2025 red-team engagement we proved it, chaining three ideas that rarely show up together:
Thread-less, syscall-only injection. A signed-MSI sideload landed us in explorer.exe; a reflective loader rebuilt raw syscall stubs from a clean ntdll mapping, queued a user-mode APC into an existing thread, and flipped pages RW→RX with NtProtectVirtualMemory, evading the classic “handle + RW + thread + DLL” heuristic.
15:35
–
16:15
Gabor Fuchs – Targeted Attacks on the TLSH Similarity Digest Scheme
Similarity digest schemes proved to be quite promising tools in many IT security applications...
Such schemes consist of two algorithms: The first algorithm maps an arbitrary input to a small, usually fixed size digest, and the second one compares two of such digests and outputs a score regarding how similar or dissimilar it believes the original inputs were. The advantage of using a pair of algorithms like this is that it only requires the digests of two files to evaluate their similarity, and the computational complexity of the comparison does not depend on the lengths of the original inputs either.
TLSH is a widely used similarity digest scheme in the scope of comparing software binaries, especially malware samples. TLSH proved to be quite robust against natural and random-like modifications like software updates and attacks aiming to mislead the scheme by applying lots of random little changes. However, we show that it is quite easy to mislead the scheme by targeted attacks with specially crafted modifications. We show both an attack that makes a file be considered dissimilar to what it was and should still be considered similar to, and an attack that makes the file be considered similar to another arbitrary given by making it have almost or exactly the same TLSH digest. We present the results of these attacks evaluated on a large set of malware samples.
16:20
–
17:00
Shubham Kumar, Sagar Tiwari – Dark Ships & Transparent Seas
Tracking Vessels with Open-Source Intelligence
Maritime OSINT is often overlooked in favor of shinier targets, but the world’s waterways hold a goldmine of intelligence...
This talk dives deep into the art of tracking ships, sniffing signals, and connecting port calls to geopolitics. From decoding NAVTEX alerts to listening for AIS beacons on WebSDR and analyzing satellite images of ship formations, we’ll navigate the oceans of open data to understand real-world implications in law enforcement, geopolitics, smuggling, and maritime security.
17:05
–
17:45
Balázs Gerlei – Don’t let attackers exploit your Android app via Intents
Intents are the starting points for every Android application...
The platform is very much built on Activities, potentially from different apps interacting with each other to complete some tasks. This open nature can be an avenue for exploitation.
You have to consider Intents what they are: inputs. And inputs must be sanitized. With this mentality, you can protect against many attacks, but some can only be avoided with the right architecture and platform support. Google finally made strides in this area with Android 15’s safer Intents. At the same time, you need to understand the attack surface to defend your apps.
We will describe and demonstrate such issues:
- Privilege escalation via Intent redirection
- Denial-of-service via malformed Intents
- Leaking data via Intent parameter injection
- App impersonation via Task hijacking (StrandHogg)
At the end of the talk, you will have an understanding of mitigating and remediating many Intent-based Android vulnerabilities.
room Nr. 4
09:00
–
11:00
Santi Abastante – Attacking AWS
From initial access to hardcore persistance
11:15
–
13:15
William Robinet – In bed with Qubes OS
tips & tricks exchange party
13:30
–
15:30
Thomas Fischer – Masterclass connecting your car
With AI we have a new player. Still real Software in modern cars started with the CAN-Bus and this is the connecting link between the most important components.
I hope you were lucky and got one of the few spaces of my Workshop in 2024. Now I am back.
If not don’t be scared we got you covered.
I will give you an introduction in a lot of different ways to connect to modern cars. We will simulate the internals of the different car components. We will start with microcomputers up to special developed embedded systems to get your hands dirty (at least virtual). We will have our “classroom” with our own can-bus on specially prepared touchscreen devices and will play and learn how a real car interacts.
room Nr. 1
09:00
–
11:00
Fs00ciety – Spoofed Skies and Signal Lies
Tracking Aircraft and Unmasking Deception in the Age of GPS War
11:15
–
13:15
Kirils Solovjovs – So you’re interested in social engineering?
The very first steps
13:30
–
15:30
Craig Balding – Pair Programming with Aider to Create High-Performance Web Security Tools
room Nr. 8
09:00
–
17:45
Hackathon
room Nr. 7
09:00
–
17:45