Thank you for joining us at this year’s IT Security Conference!

Your insights and participation made this event a success.
We look forward to seeing you again next year as we continue shaping the future of cybersecurity!

BLUE TALKS

Aurelio Picon Lopez – At Home with the Enemy

How APTs Weaponize IoT Devices as Residential Proxies

This presentation explores how Advanced Persistent Threat (APT) actors are compromising consumer IoT devices…

—such as routers, smart cameras, and other connected hardware—to build residential proxy botnets that provide stealth, persistence, and geolocation camouflage. Drawing from unique telemetry across over 3 billion IoT devices in North America and Europe, the session presents fresh behavioral data and threat statistics observed in 2025. We’ll examine how APT groups use multi-hop relay chains, proxy-as-a-service abuse, and co-opted infrastructure to evade detection and attribution.

The talk will also provide actionable strategies for detecting and disrupting these covert proxy networks—highlighting why securing consumer IoT is now a critical piece of national and enterprise defense.

Vikas Khanna – Unlocking the Gates

Understanding Authentication Bypass Vulnerabilities

Chen Shiri – How I took over two platforms of Google including Google Cloud, Google Collaboratory and Used It on Gemini AI

This presentation explores the world of remote code executions (RCEs) and container escapes that pose significant threats to web applications running on containers..

Revealing research on 3 different platforms of Google, that involves exploits through container attacks- Google Collaboratory- a platform for running data science and experiments, Google Cloud and Gemini AI.
We will focus on the new dangers posed by container escapes and Remote Code Executions (RCEs), we will dive into real-world examples, exploits, and practical research involving Google’s platforms. It also examines the architectural change brought about by containerization, which creates new problems and weak spots in the cyber resilience of web applications and how to utilize them to attack web applications and Microservices environments.

Dániel HegeDűs – Anti-Bot Measures Gone Wild

The Rise of Legitimate Malware

Vincenzo Santucci – Revamping Reflection

Enhancing the Timeless Concept of Reflective Loading

Dr. Matthias Kesenheimer – Your SoC implements a glitch detector?

Hold my beer!

Giorgio Perticone – Crafting effective Security Operations tactics

Deep Dive Forensics VS Rapid Response

In the evolving landscape of Security Operations, organizations face a critical choice: invest in deep-dive forensic capabilities or prioritize rapid response mechanisms...

This talk explores the strategic implications of both approaches, providing insights into their respective advantages and challenges. Deep-dive forensics offers thorough, detailed analysis crucial for understanding complex threats and mitigating long-term risks. However, it often requires significant resources and time. On the other hand, rapid response tools enable organizations to quickly detect and neutralize threats, minimizing immediate damage but potentially overlooking deeper systemic issues. By comparing these methodologies, attendees will gain a clearer understanding of how to balance depth and speed in their security strategies, ensuring robust protection against an ever-expanding array of digital threats.

Ananda Krishna – Ghost Math: Syscall-Only Injection, Deterministic Shellcode & QUIC C2

A Full Kill-Chain that Slipped Past CrowdStrike Falcon

Can an attacker still remain invisible in a network blanketed by next-gen EDR? …

During a 2025 red-team engagement we proved it, chaining three ideas that rarely show up together:

Thread-less, syscall-only injection. A signed-MSI sideload landed us in explorer.exe; a reflective loader rebuilt raw syscall stubs from a clean ntdll mapping, queued a user-mode APC into an existing thread, and flipped pages RW→RX with NtProtectVirtualMemory, evading the classic “handle + RW + thread + DLL” heuristic.

Gabor Fuchs – Targeted Attacks on the TLSH Similarity Digest Scheme

Similarity digest schemes proved to be quite promising tools in many IT security applications...

Such schemes consist of two algorithms: The first algorithm maps an arbitrary input to a small, usually fixed size digest, and the second one compares two of such digests and outputs a score regarding how similar or dissimilar it believes the original inputs were. The advantage of using a pair of algorithms like this is that it only requires the digests of two files to evaluate their similarity, and the computational complexity of the comparison does not depend on the lengths of the original inputs either.
TLSH is a widely used similarity digest scheme in the scope of comparing software binaries, especially malware samples. TLSH proved to be quite robust against natural and random-like modifications like software updates and attacks aiming to mislead the scheme by applying lots of random little changes. However, we show that it is quite easy to mislead the scheme by targeted attacks with specially crafted modifications. We show both an attack that makes a file be considered dissimilar to what it was and should still be considered similar to, and an attack that makes the file be considered similar to another arbitrary given by making it have almost or exactly the same TLSH digest. We present the results of these attacks evaluated on a large set of malware samples.

Shubham Kumar, Sagar Tiwari – Dark Ships & Transparent Seas

Tracking Vessels with Open-Source Intelligence

Maritime OSINT is often overlooked in favor of shinier targets, but the world’s waterways hold a goldmine of intelligence...

This talk dives deep into the art of tracking ships, sniffing signals, and connecting port calls to geopolitics. From decoding NAVTEX alerts to listening for AIS beacons on WebSDR and analyzing satellite images of ship formations, we’ll navigate the oceans of open data to understand real-world implications in law enforcement, geopolitics, smuggling, and maritime security.

Balázs Gerlei – Don’t let attackers exploit your Android app via Intents

Intents are the starting points for every Android application...

The platform is very much built on Activities, potentially from different apps interacting with each other to complete some tasks. This open nature can be an avenue for exploitation.

You have to consider Intents what they are: inputs. And inputs must be sanitized. With this mentality, you can protect against many attacks, but some can only be avoided with the right architecture and platform support. Google finally made strides in this area with Android 15’s safer Intents. At the same time, you need to understand the attack surface to defend your apps.

We will describe and demonstrate such issues:

Privilege escalation via Intent redirection
Denial-of-service via malformed Intents
Leaking data via Intent parameter injection
App impersonation via Task hijacking (StrandHogg)

At the end of the talk, you will have an understanding of mitigating and remediating many Intent-based Android vulnerabilities.

BLUE TALKS

Santi Abastante – Practical AWS Antiforensics

Roland NagY – How to find rootkits in the Linux kernel

Malware is an age-old problem of IT systems, and apart from a few notable examples, they don’t want to be found…

Many samples use cheap tricks, like renaming their processes, packing or injecting code into other processes. Rootkits, however, take this to a whole new level, and can achieve total invisibility, by tampering with the deep layers of the operating system to hide processes, files or whatever resources an attacker wants to hide. On Linux, they are typically implemented in Loadable Kernel Modules, like drivers, and they often hide these modules as well.
Throughout the years, many techniques were developed to detect traces of rootkit infection, but typically this is all they do: detect the fact that an infection happened. In this talk, I present a tool, that I developed, that not only detects rootkit infections but finds their hidden modules and enable deeper investigation of them as well.

Bianka Bálint – Demystifying Internal Threat Intelligence

Presenting the advantages and pitfalls of different CTI integration approaches through practical examples collected during the rollout and initial phases of CTI programs…

Showing the importance of internal threat intelligence, and collaboration opportunities with other teams like the SOC.

Konrad Jędrzejczyk & Marek Zmyslowski – AI in Adversarial Hands

Masterminds and Machines

Artificial Intelligence (AI) is a powerful technology, yet in the wrong hands it becomes a formidable weapon…

This presentation examines how malicious actors leverage AI to orchestrate cyberattacks, manipulate opinions, and spread misinformation. Drawing on real-world cases and technical insights, we’ll explore how AI systems can be co-opted for hacking and other nefarious activities.

Throughout the discussion, we’ll address the complex interplay between AI’s benefits and its risks, highlighting the psychological and social implications of AI-driven manipulation. We will also touch on vulnerabilities within AI systems and the critical need to distinguish between theoretical threats and realistic, imminent dangers. Attendees will leave with a deeper understanding of the offensive applications of AI and the urgent necessity of bolstering defenses in a rapidly evolving technological landscape.

Tobias Schrödel – Real RansomChats

This session was LIVE ONLY.

After a ransomware attack, victims have to deal with cybercriminals…

Talks are normally done via a secured chat system. In this talk Tobias will share real chats of some famous ransomware gangs with their victims. He shows, how negotiations went and that – sometimes – talks went really crazy with relentless gangs. Be curious, these conversations don’t take place at the kitchen table.

Szilárd Pfeiffer – TOTP is not a silver bullet

Sean Hopkins – Full Stack Red Team

From Code to Hardware

This session was LIVE ONLY.

Modern red team operations require a comprehensive approach that spans the entire attack surface – from supply chain compromise to physical access…

This presentation demonstrates advanced multi-vector techniques that combine software exploitation, infrastructure targeting, and operational security to achieve persistent access in enterprise environments.
We’ll explore practical methods for compromising development workflows through GitHub Actions poisoning and repository enumeration, deploying covert physical devices with sophisticated network evasion techniques, and harvesting high-value credentials from memory. Additionally, we’ll cover essential OPSEC practices including containerized proxying to protect red team infrastructure during operations.
Attendees will learn how to chain these techniques together for maximum impact while maintaining operational security throughout the engagement lifecycle.

JÓzsef Ottucsak– The Big Software Supply Chain Security Problem

Securing the software supply chain sounds straightforward—until you try to do it...

Between SBOMs, signed artifacts, third-party risks, and ever-growing customer demands, even well-resourced teams struggle to keep up. This talk explores the messy, expensive reality of securing the supply chain in the context of today’s secure software development lifecycle (SSDLC).

Through a fictional case study, we’ll follow one company’s attempt to build a solid supply chain security strategy—and all the ways it goes sideways. You’ll walk away with a clearer view of the standards, the gaps, and the trade-offs, plus some practical takeaways you can apply without a massive budget or a 30-person AppSec team.

Dániel Markovics, János Kovács, Maksa Dominik – Where the treasure is

Security Scanning the DICOM stack of Medical IT environments

The DICOM standard is used for implementing the communication and management of medical imaging information…

— the data that is the basis for diagnosing patients and determining their treatment. The DICOM stack is known to be subject to a number of vulnerabilities. Those could permit harm to all security aspects of the patient data. This presentation gives a quick dive in the DICOM standard, then enumerates some of the most prevalent known vulnerabilities related to it. Finally, it demonstrates a security scanning strategy that enables the timely discovery of insecure configurations of DICOM servers that would open up the gates to adversaries and allow then to harm patients.

Shahmeer Amir – Hack the Sky

Exploring Satellite Vulnerabilities and Cyber Threats

In an age where satellites orbiting Earth play an indispensable role in our daily lives, they have become prime targets for cyber threats…

This presentation, titled “Hack the Sky,” delves into the captivating and concerning world of satellite hacking, shedding light on the vulnerabilities and cyber threats that loom above us in the boundless expanse of space.

As we increasingly rely on satellites for communications, navigation, weather forecasting, and global connectivity, their security is paramount. This presentation unravels the complex landscape of satellite vulnerabilities, discussing the potential consequences of unauthorized access, manipulation, or disruption of satellite systems.

We will explore the tactics, techniques, and procedures employed by both malicious actors and ethical hackers in probing and safeguarding these high-tech spaceborne assets. From unauthorized data interception and GPS signal manipulation to satellite hijacking and cyber espionage, “Hack the Sky” will provide a comprehensive understanding of the risks posed to our satellite infrastructure.

To defend against these threats, we will also delve into the emerging technologies and strategies employed to safeguard satellites from cyberattacks. This session aims to empower attendees with the knowledge to appreciate the scope and intricacies of satellite security, contributing to a more secure and resilient satellite ecosystem.

Marta Janus – AI Security Landscape

Tales and Techniques from the Frontlines

The once theoretical AI bogeyman has arrived—and it brought friends…

Over the past 12 months, adversaries have shifted from exploratory probing to weaponized exploitation across the entire AI stack, requiring a fundamental reassessment of defense postures. This presentation dissects the evolution of AI-specific TTPs, including advancements in model backdooring, LLM jailbreaking techniques, and the abuse of insecure agentic AI systems.

Gábor Arányi – Challenges while developing a ransomware-proof backup solution

This session is LIVE ONLY and will not be recorded or accessible afterward.

Since the focus of protection against ransomware viruses is usually shifting towards antivirus solutions.

DLP systems and complex cloud services, there are only a few systems that can effectively resist such an attack while running directly on the file server in an on-prem configuration. In fact, in case of using centralized data storage, this is the most appropriate place to acquire aggregated file operation sequences, track metrics and monitor relevant network traffic. In this talk, I will briefly demonstrate how we built a lab environment running real-world ransomware viruses, how we extracted the right data sequences to train AI, how we implement and monitor honeypots, and how we validate our read-only snapshot-based backups. Of course some hardening tricks will be also mentioned and you will be invited to a bug bounty challenge.