As part of the National Cyber Strategy (NCS) of the NCSC, sectors are encouraged to organise themselves into Information Sharing and Analysis Centers (ISACs - also named in the NCS "CSC" - Cyber Security Centers) to strengthen cooperation between institutions and authorities in the fight against cyber threats and to increase a sector's resiliency. In this context, the Swiss Federal Railways (SBB / CFF) is establishing such an ISAC for the railway sector in close collaboration with the railways and the Federal Office of Transport (FOT). This talk will take the audience through the journey of the creation of the Rail ISAC from the initial idea to its full operationalization, which took place on May 1st, 2025. We will also share details about some operational services we specialize in, including: - How we monitor, detect, analyze, and elaborate recommendations about current and upcoming cyber threats. - How we analyse en masse malware and generate actionable threat intelligence out of it. - Details how the generated information is shared, with a focus on adapted outputs for the various stakeholders of the sector but also with the community of Critical infrastructures in Switzerland. Rail ISAC dedicates significant resources to covering and better understanding Operational Technology (OT) environments, which are critical in the railways sector. This strong focus yields additional intelligence and enables us to track specific threats and their threat actors, enhancing proactive security. We will show our first steps in understanding the threat landscape in the OT sector and what our current perception is.

Alexandre Herzog

Alexandre currently works at Swiss Federal Railways, where he is a part of a team building up an Information Sharing and Analysis Center (ISAC) for the railway sector. Previously, he worked for the Swiss Government at the Governmental Computer Emergency Response Team (GovCERT) of the National Cyber Security Centre (NCSC) .

Reto Inversini

Reto Inversini holds degrees in Geography/Climatology from the University of Bern and Information Technology from the University of Applied Sciences in Bern. He currently works at Swiss Federal Railways, where he is a part of a team building up an Information Sharing and Analysis Center (ISAC) for the railway sector. Previously, he worked as a threat analyst for the Swiss Government at the Governmental Computer Emergency Response Team (GovCERT) of the National Cyber Security Centre (NCSC) . Reto is also a part-time lecturer at the University of Applied Sciences in Bern, teaching and researching in the fields of network forensics and threat analysis. His main focus is on network intrusion detection, malware analysis, and identifying threats to operational technology systems.

Third-party libraries dominate the modern landscape of software development: nearly every project benefits from available code that solves existing tasks. At the same time, a few errors in any of these libraries generate a cascade effect for millions of projects. Consequently, identifying vulnerabilities in third-party libraries is key to safeguarding final users. To cope with this problem, fuzzing can effectively discover vulnerabilities. Unfortunately, applying this technique to libraries requires non-trivial domain knowledge and manual effort. Specifically, developers need to write dedicated fuzz drivers encoding correct library interactions. Given these barriers, many libraries remain under-tested, even in large-scale efforts like OSS Fuzz. This talk introduces libErator: our tool for discovering errors in third-party libraries automatically. Our tool infers libraries’ usage through static analysis and then synthesizes fuzz drivers. Crucially, libErator requires minimal domain knowledge while maximizing library interaction, thus discovering flaws in otherwise overlooked code segments. We deployed libErator on 15 widely used open source C libraries and discovered 24 confirmed bugs, including one assigned a CVE. Our approach achieves coverage on par with manually written drivers and doubles the true positive rate of prior automated tools. Some of the bugs found were in code already fuzzed for years. This talk will be of interest to security professionals, fuzzing practitioners, and developers who care about scaling vulnerability discovery to complex software components that lack obvious entry points.

Flavio Toffalini

Nicolas Badoux

We all love our SIEMs. They collect logs, trigger alerts, and give us that comforting feeling that somehow we are in control, like a responsible security bestie. But here's the twist: attackers love them too. Not in a "wow, great correlation rules" type of way, but more like "this thing knows everything, let’s break into it." Your SIEM sees it all. When configured properly, it touches nearly every corner of your environment. It's like the over sharing friend at brunch, the one who knows every secret and sometimes spills too much. Only in this case, the oversharing can help an attacker move faster, stay longer, and remain undetected. And let's be honest: sometimes, we make it a little too easy. Bad baselines, noisy rules, ignored alerts, misconfigured sources, we inadvertently give attackers plenty of help. They can flood your SIEM with noise, tamper with log sources, or even manipulate alerts to hide in plain sight. So how do we keep our SIEM from becoming an attacker's best sidekick? And how do we stop ourselves from sabotaging the very tool that's supposed to have our back? Join me as we dive into the messy world of SIEM abuse, attacker tactics, and the security oopsies that make it all possible!

Melina Phillips

Offensive Security Engineer III
GCI

Melina Phillips is an Offensive Security Engineer with a background in Security Operations and Incident Detection. She has over ten years of IT experience and six years working directly in cybersecurity, blending hands on blue team work with her current focus on adversary simulation and endpoint compromise. Her recent talks have been featured at Bsides Cambridge, Security Fest, BruCon and LeHack. She's known for making complex technical concepts accessible without watering them down, and for delivering practical insights grounded in real world attack and defense experience. She strongly believes that Linux security doesn’t have to be presented in a boring way, and that technical depth and creativity can (and should) coexist. Outside of breaking into infrastructure and chasing down Linux threats, she's usually at CrossFit or playing with makeup, ideally not at the same time.

HTTP/3 is it a thing? Yes, no hallucinations involved ;) HTTP3 (the third major version of the Hypertext Transfer Protocol) is one of the new protocols in town. Does anyone use it? Well, more than 35% of all internet-facing websites do! (crazy right!?) In this session, we will share our journey into researching HTTP3 and its internals. During our research we discovered a lack of user-friendly tools for HTTP3 security testing, fuzzing, and particularly race conditions testing, which led us to develop our own open-source tool. HTTP3 over QUIC (originally developed by google) has taken security seriously, this is reflected in the RFC. One of HTTP3's most promising features is its ability to solve Head-of-Line (HOL) blocking, ensuring each request has its own stream (to minimize bottlenecks between requests). In the session we will cover our journey to overcome these limitations and "Make Fuzzing and Race Conditions Work on HTTP/3" leading to the development of our open-source tool QuicDraw. In the last part we will demonstrate using QuicDraw and exploiting a 1-day race-condition on a well-known identity provider hosted on a well-known cloud-provider (over HTTP/3 :)) Attendees will be armed with the theory and tools required for their own HTTP/3 research.

Maor Abutbul

Senior Security Researcher
CyberArk

Maor Abutbul is a Senior Security Researcher at CyberArk Labs with about 20 years of experience in the Network & Security fields. Prior to joining CyberArk, Maor performed various security roles form Engineering thru R&D and Research. Loves constantly evolving and implementing learned methods in his research. In addition, Maor possesses an Engineering and a master's degree in communication systems engineering from BGU You can reach him on LinkedIn

In mid-February, Orange Cyberdefense’s CSIRT was tasked with investigating a server that had been hosting a now-unavailable website. The site had been built using CraftCMS running version 4.12.8. The forensic investigation and post-analysis with the Ethical Hacking team led to the discovery of two CVEs: CVE-2024-58136 and CVE-2025-32432, one of which is in the parent framework, Yii. The aim of this presentation is to retrace the history of these CVEs. It starts with a forensic analysis, during which it was revealed an attacker gained remote access to a system, uploading a PHP file manager through unknown means. At first, their automatic exploit failed, and they had to fix their code - live. It continues with a detailed analysis, during which it was made clear there were two vulnerabilities. One in Yii was actually the regression of a known bug it its component system, allowing for arbitrary class instantiation in specific cases. The second one in CraftCMS is based on this behavior, and works by accessing an unrestricted administration page to trigger the class instantiation. The executed code is previously saved in the PHP session file through the authentication system which saves the "return URL". It will touch on building a python exploit, and porting it to nuclei. Finally, it will mention the large scan of vulnerable instances that was conducted with Onyphe, and the CVEs exploitation by the Mimo group (crypto miner, residential proxy).

Nicolas Bourras

Nicolas Bourras is a junior pentester at Orange Cyberdefense, having recently obtained the OSEP certification. His current research focus is on purple-team techniques. Outside of work, he's preparing his BSCP certification, while also doing CTFs and solving labs.

Modern x86_64 processors still expose subtle speculative-execution pathways that can be weaponized even in the presence of today’s strongest branch-predictor barriers. New families of post-IBPB attacks was analyzed by ETHZ. PB-RRSBA breaks Intel Golden-/Raptor-Cove cores by exploiting the fallback Restricted Return Stack Buffer Alternate (RRSBA): when the architectural RSB underflows, RRSBA continues to predict returns from historical instruction-pointer patterns that an attacker can poison, steering speculation into attackerchosen gadgets. PB-Inception shows that on AMD Zen 1/2, the return predictor retains speculative state across context switches despite an IBPB, enabling unprivileged code to mistrain the kernel’s return path. We further show an ASLR bypass concept by ETHZ via BTB aliasing, recovering the lower 32 bits of victim return addresses and paving the way for reliable exploitation. We place these techniques in the context of Confidential Computing. Although AMD SEV-SNP encrypts and authenticates VM memory, decrypted instructions and data are still processed speculatively inside the core. By crafting RRSBA poison payloads, we induce the secure guest to speculatively execute attacker-controlled gadgets, exfiltrating plaintext secrets to an unencrypted buffer and breaching VM isolation. A proof-of-concept (PoC) RSB-poisoning attack leaks kernel-resident data from a protected guest. This PoC is effective only on Linux kernels < 4.15 where RSB flushing at context switch is not mitigated. Second, we contribute a PB‑RRSBA proof‑of‑concept that targets the fallback Restricted Return Stack Buffer Alternate; unless a system both advertises RRSBA_CTRL and the kernel (>= 6.9) sets the new IA32_SPEC_CTRL.RRSBA_DIS_U,S bits, this predictor remains trainable across context switches, allowing speculative user‑to‑user and user‑to‑kernel data leakage despite IBPB and RSB‑stuffing defenses. The findings reveal that existing IBPB-based mitigations do not provide complete return-prediction isolation. We outline immediate software countermeasures, such as aggressive RSB stuffing and fine-grained speculation barriers and call for architectural fixes that hard-partition or flush all return predictors on domain transitions.

Kaya Ercihan

Security Engineer
Switch

I served as a Security Engineer at Switch in Zürich, where I make advanced malware analysis across macOS, Linux, Android and iOS, run the organisation’s MISP threat‑sharing platforms, and analyze phishing kits to exfiltrate compromised customer data for affected clients. Their remit also extends to proactive OT‑security threat mitigation for critical energy, logistics and manufacturing environments. Previously, I was a Cyber Security Advisor to the Swiss Armed Forces in Frauenfeld. In that role, I provided technical assessments of IT‑security architectures, implemented zero‑trust frameworks, and acted as the security responsible in projects. My hands‑on work included system hardening for Windows and Linux systems, firmware analysis, threat‑modelling and comprehensive vulnerability assessments. Previously I developed C++, Java, Python and PHP and was a system specialist.

What happens when Kubernetes clusters and their secrets are a little too accessible? The answer is both alarming and eye-opening. In this talk, we will explore real-world exposures starting with credentials for accessing container image registries, long-lived JWTs, and TLS certificates. Just this year, we detected several dozens such valid credentials exposed in public GitHub repositories. What makes this particularly concerning is that all of them could be used to easily compromise publicly accessible clusters. The potential for lateral movement and privilege escalation in these scenarios is significant. This isn’t a theoretical threat; leaks are already happening, and attackers are already paying attention. Building on these findings, we will then look at publicly exposed etcd instances identified in hosts searchh engines, such as Shodan. Surprisingly, some are accessible without any authentication and allow attackers to retrieve stored secrets and compromise clusters by manipulating raw objects stored in etcd (distributed key-value store). Finally, we will present mitigation strategies and best practices that could help protect your clusters from such leaks. As a bonus, we'll also be presenting the inconclusive results of scanning Helm Charts and the associated repositories. This research highlights additional areas requiring security attention.

Guillaume Valadon

Staff Cybersecurity Researcher
GitGuardian

Guillaume is a Cybersecurity Researcher at GitGuardian. He holds a PhD in networking. He likes looking at data and crafting packets. He co-maintains Scapy. And he still remembers what AT+MS=V34 means!

Security teams no longer need to manually configure and perform purple team exercises. It is possible to automate and orchestrate all this flow with a combination of automation and artificial intelligence. Powered by n8n, Elastic, Caldera, TheHive, and LLMs, this orchestration requires zero manual effort after launch. It continuously fetches and updates APT profiles, executes attack techniques, and analyzes detection logs in the alerting system. If a technique is not detected the system checks SIEM logs, if the activity is logged, it suggests a Sigma use case. If both detection and logging are absent, the system recommends configuration adjustments to ensure future visibility. In addition, security teams no longer need to manually perform Threat profiling to select the correct adversary TTPs. The system analyzes the target organization’s landscape and intelligently suggests the most relevant APT attack scenarios, or allows users to select one. The final output is a comprehensive report detailing the detection rate, logging rate, technique descriptions, and recommendations to enhance visibility by suggesting new Sigma rules and refining logging configurations. This is not just another attack simulation tool, it’s a scalable and flexible AI-driven automation workflow that can be adapted depending on the technologies in your environment while continuously optimizing detection, helping defenders stay ahead of evolving threats.

Ralph El Khoury

I am a Senior Offensive Security Engineer at Hacknowledge with extensive experience in red teaming, web application hacking, and Active Directory exploitation. When not hacking, you’ll find me automating offensive security workflows and refining detection evasion techniques.

Patrick Mkhael

Currently leading the Offensive Security R&D at Hacknowledge SA and a member of the offensive security team. Coming from a blue team background, I transitioned to the red side, focusing on offensive tool development, cloud penetration testing, and purple teaming. With expertise in both attack and defense, I work on advancing adversary emulation, bypassing detection techniques, and automated security assessments.

Checking into a hotel should mean a good night’s sleep, not handing your room key to a stranger. But what if we told you that unlocking some hotel doors only takes a bit of social engineering, a laptop, and the kind of information your luggage tag practically advertises? During a pentest engagement in Switzerland, we stayed at a cutting-edge “smart” hotel featuring mobile check-in and digital room keys. With few vulnerabilities found in the API’s environment, we turned our attention to the hotel’s own systems. What we uncovered was surprising: some simple metadata were enough to bypass access controls and unlock rooms not through brute force, but via social engineering, a laptop, and a basic script. We’ll walk through the technical flow behind these systems, show how flawed assumptions about guest privacy can be weaponized, and demonstrate how prioritizing simplicity in the user experience can lead to critical security oversights. While we’ll provide mitigation tips for hoteliers, this talk is ultimately aimed at travelers: those who trust digital keys without questioning the infrastructure behind them. Because sometimes, convenience comes at the cost of control and that’s a trade-off guests deserve to understand.

Fabrice Caralinda

Fabrice Caralinda is an IT security professional with over 10 years of experience in the field. He joined SCRT (now Orange Cyberdefense Switzerland) in 2016 and currently serves as a Team Leader within the Offensive Security team. Specialized in mobile application penetration testing, he actively shares his expertise through hands-on workshops delivered at prominent security conferences such as Insomni’hack. His sessions often cover advanced topics like mobile exploitation techniques. He plays an influential role in Switzerland’s cybersecurity community not only as a speaker and trainer, but also as a key contributor to the organizing team behind the Insomni’hack CTF competition events. In addition, he is involved in conference program committees, helping shape the content and direction of notable events like BlackAlps.

From the research whitepaper: This whitepaper accompanies the original talk and presentation delivered at the conference. It delves into the critical cybersecurity flaws discovered in ABB’s building automation systems, specifically focusing on two widely deployed controllers: the ABB Cylon Aspect and ABB Cylon FLXeon Series (also known as BACnet Building Control). Since April 2024, I have identified over 800 zero-day vulnerabilities in these Building Management Systems (BMS) and Building Automation Systems (BAS). The scale of impact is staggering, affecting high-profile infrastructures such as skyscrapers, stadiums, hospitals, airports, museums, industrial control systems, educational institutions, and other critical facilities worldwide. The handling of these vulnerabilities by ABB, the vendor, has demonstrated a margin of improvement required to have a more secure ecosystem. Silent patching practices emerged throughout 2024 with the release of version 3.08.01 of Aspect system, leaving numerous flaws unaddressed. Among the issues discovered are backdoors, unauthenticated remote root exploits, and a lack of transparency in vulnerability disclosure. The vendor’s failure to release timely advisories, misassignment and incorrect scoring of CVEs, and overall neglect of cybersecurity best practices have amplified the risks. In one of the devices the root cause of these vulnerabilities lies in the 18-year-old codebase and firmware, which has passed through multiple acquisitions without significant security updates.

Gjoko Krstic

F/ISE
Zero Science Lab

Gjoko Krstic is a security engineer and vulnerability researcher, with a bachelor's degree in Computer Science, and various certifications specializing in cyber security. He has over 18 years of experience in security architecture, exploit development, reverse engineering, red teaming and penetration testing for various corporate and government organizations. Gjoko is the founder of Zero Science Lab, a Macedonian information security research and development laboratory, discovering and responsibly disclosing a wide range of vulnerabilities in commercial products. He's also an author of security research papers related to WAFs and BMS including embedded systems and a speaker at various conferences.

This talk explores the exploitation of CVE-2025-29824, an use-after-free vulnerability due to a race condition in the Windows CLFS (Common Log File System) driver disclosed in April 2025. Unlike previous CLFS-related vulnerabilities, the adopted exploitation approach requires no manipulation of log file structures or tampering with CLFS containers. The presentation will walk through the vulnerability's root cause, discuss reliable triggering mechanisms in user space, and demonstrate how controlled object reuse leads to kernel-level privilege escalation. The talk concludes with guidance on detection strategies and discussion about potential forensic artifacts to monitor in real-world environments.

Marco Ortisi

Marco has been working in IT security professionally since 1999. After several roles in Italy and abroad—as a penetration tester, vulnerability researcher, team leader, and eventually red team manager—he went through a midlife crisis that led him to return to vulnerability research and analysis (especially 0days). He rediscovered the joy of reporting to no one but himself. Marco is a former speaker and trainer at Black Hat, BruCON, HackInBo, TyphoonCon, and many other conferences.

Security teams spend countless hours protecting infrastructure, web applications, and networks, but often overlook one critical area: developer environments. If an attacker can compromise a single developer’s IDE, they can inject malicious code directly into source control, compromising applications before they're even deployed. IDE plugins for tools like VSCode and Visual Studio can enhance productivity, but due to minimal security oversight (and I really mean minimal) in their marketplaces, they've become prime targets for attackers. Developers often inherently trust these plugins, creating an opportunity for easy and widespread exploitation. In this talk, I'll explore: Inside the Plugin Ecosystem: Understand why IDE plugins are uniquely vulnerable, and how their openness makes it easy for attackers to exploit the developer's trust. Real-World Attacks: Through practical examples, I'll show how malicious plugins can achieve command execution, credential theft, persistent backdoors, and stealthy data exfiltration. These examples will be supported by clear screenshots of crafted malicious plugins in real marketplaces, illustrating exactly how attackers could execute these threats. Marketplace Manipulation Techniques: We'll examine tactics like typosquatting, starjacking, and social engineering to persuade developers to install malicious software. Real-Life Incidents: Highlighting actual cases involving malicious IDE plugins, reinforcing that these attacks are actively occurring, not just some theoretical threats. Simple Defenses for Developers: Practical advice for recognizing and mitigating these threats without sacrificing productivity, including verifying authorship, validating plugin authenticity, and adopting manageable security checks within developer workflows. While malicious plugins themselves aren't entirely novel, this talk explores under-discussed attacker tactics within IDE plugin ecosystems, specifically focusing on subtle but powerful manipulation techniques in VSCode extensions. I'll demonstrate how attackers creatively abuse the plugin manifest, for example, leveraging extensionPack and extensionDependencies features to obscure malicious plugins within seemingly legitimate ones. These nuanced techniques introduce novel detection and remediation challenges, which have received minimal public attention to date, as there are few talks touching on these specific topics (apart from just SCS in general).

Raphael Silva

Security Researcher
Checkmarx

Raphael Silva is a Security Researcher at Checkmarx, specializing in security research, SAST methodologies, and Supply Chain Security. Over the course of his career, he has presented and done workshops at various conferences, such as OWASP Global AppSec, RootedCon and DEFCON. In addition, he is experienced in vulnerability analysis, research, and disclosure, having reported multiple bugs to companies and open-source projects.

This work presents a comprehensive exploration of techniques for obtaining unrestricted access devices manufactured by Dahua, a video surveillance equipment manufacturer, through hardware analysis and reverse engineering. Following an initial examination of the device components, encrypted flash memory was identified, leading to a detailed statistical analysis of the memory dump to evaluate the underlying cipher. An unencrypted bootloader partition, responsible for loading and deciphering the kernel, was subsequently discovered and analyzed. Tools and plugins were developed to simplify the reverse engineering process by assisting in cryptographic primitive identification, peripheral memory mapping, and source code integration into the workflow. Through this process, hidden functionalities were revealed, including a device-specific password-protected lockout mechanism. By developing a tailored key generator to bypass this protection, complete device access was successfully achieved. During the conclusions, we will cover some ideas on how to keep focused on a very open exercise such as during the reverse engineering of a big binary to maximize our chances of success; how understanding the principles of basic techniques may unlock steps on both simple and complex exercises when tools fail to shed meaningful results, and will highlight interesting details on the findings to open a debate on where the security problems arise and why the hidden functionality was left in place.

Antonio Vázquez Blanco

Industrial Engineer turned Security Researcher, now part of the Innovation Department at Tarlogic. Passionate about electronics, reverse engineering—especially bare-metal—, radio frequency, and everything low-level. Author and contributor to projects like BlueTrust, BSAM, UsbBluetooth and Ghidra Findcrypt, Ghidra SVD, Ghidra DTB...

In November of 1998, David Mordinson wrote the Headend Report on exploiting an ST16CF54 television smart card from Nagra and Dish Network. Years later, this brilliant and secret report was made public through a lawsuit. In this talk, I'll explain how how to modernize this report's exploit for USB smart card readers, and how the exploit abuses mirrored (ghosted) memory ranges to smash the call stack by writing past the end of SRAM. My first draft of an exploit was hand-written 6805 machine code in NASM, with DB directives and comments but no 6805 language support. I later wrote my own 6805 assembler, with source code building a Golang byte array with comments of the original assembly language instructions and their comments. Exploitation tricks include using an undocumented mirroring behavior of memory to clobber the return stack after the end of SRAM, calling back into ROM to reduce the shellcode size, and the lazy continuation trick of letting the card crash and reboot between packets. The application works on Windows and Linux to dump the EEPROM of any vulnerable card. While these cards no longer have any commercial importance, they are an excellent case study for students to learn smart card hacking and for exploit writers to learn the history of their craft.

Travis Goodspeed

Travis Goodspeed is a reverse engineer from East Tennessee, which you oughtn't confuse with West Tennessee or Middle Tennessee. (There is no such place as Central Tennessee.) He drives a 1946 Studebaker, takes his pictures in infrared on film, and enjoys conversations with cats, dogs and the occasional horse. He has never conversed with an LLM, a djinn or a parrot.

Building Automation (BA) systems control critical infrastructure in modern buildings,including HVAC, lighting, and access control, yet are often overlooked from a security perspective. At the heart of many BA networks lies BACnet, a communication protocol developed decades ago to facilitate interoperability between devices from different manufacturers. However, BACnet was not designed with security in mind and lacks core protections such as authentication and encryption. Nevertheless, it remains widely deployed in both commercial and industrial environments. This talk explores the design and security shortcomings of BACnet. It delve in the inherent security weaknesses of BACnet, emphasizing the protocol’s outdated design and the alarming number of devices that are publicly exposed to the internet. In addition, the talk will demonstrate concrete, real-world consequences of what can happen if a malicious actor gains access to a vulnerable BACnet network. Finally It critically evaluates the industry's proposed successor, BACnet Secure Connect (BACnet/SC). The second half presents BACteria a custom-built penetration testing tool designed to target BACnet environments. Featuring scanning reconnaissance, command injection, proxying, capabilities. The tool also offer an advance protocole-aware fuzzing module, enabling the discovery of novel vulnerabilities in embedded BA devices. This session aims to raise awareness about the real-world risks of insecure BA deployments and provide practical insights for researchers and defenders.

AdriNels

Every aspiring penetration tester has encountered this moment: you download a tool from GitHub, execute it, and within seconds, it’s flagged, quarantined, or outright blocked by an Endpoint Detection and Response (EDR) solution. This talk explores what separates a typical script user from a skilled adversary: the ability to adapt, build, and iterate. Our goal is to demystify the entry point into malware development by walking through a real-world learning process focused on evading modern EDR technologies. We’ll start by demonstrating the limitations of well-known tools like Mimikatz and Cobalt Strike when used in default configurations. From there, we’ll explore the impact of simple obfuscation techniques using frameworks like Avet, and explain why these approaches often fail against modern EDRs that recognize and signature the obfuscators themselves. The heart of the talk centers on building a custom shellcode loader and modifying it through trial and error to eliminate detectable Indicators of Compromise (IoCs). Through live examples and a structured methodology, attendees will learn how to identify detection points, debug EDR responses, and refine tooling to slip past defenses. By the end, participants will walk away with a solid foundation in malware development and a roadmap to begin crafting their own evasion tools.

Baptiste Copros

Baptiste Copros is a master's student in Cybersecurity at EPFL, passionate about offensive security. They are currently working on their master's thesis in collaboration with Wavestone's cybersecurity auditing team, focusing on EDR evasion techniques for penetration testing and red team tools.

Windows shortcut (.LNK) files have remained a consistent attack vector for over several decades, yet their underlying format is still largely archaic and remains the "gift that keeps on giving" by presenting new opportunities for abuse, even in 2025. This talk provides, after showing an overview of the LNK file structure that outlines its quirks and legacy design choices that contribute to persistent security weaknesses, several novel and previously undocumented techniques will be presented that enable more stealthy, deceptive, and flexible payload delivery/command execution through LNK files than those currently known. We will look at why these new techniques 'work', compare them to existing LNK tricks, and discuss the implications for defenders. The research involved developing a custom testing framework aimed at black-box testing and probing Microsoft’s LNK parsing implementation, revealing subtle flaws and unexpected behaviours exploitable by attackers. We will discuss how adopting a "hackers's mindset" helps in uncovering new methods for abuse like this; and how this way of thinking can benefit everyone active in cyber security, regardless of your sub-discipline or specialisation. Finally, this session will also introduce an open-source tool designed to assist security professionals, red teams, and researchers in generating and experimenting with advanced LNK payloads. This tool aims to enhance the ability to simulate and defend against sophisticated shortcut-based attacks, thereby improving Windows endpoint security.

Wietze Beukema

Lead Threat Detection & Response Engineer

Wietze has been hacking around with computers for years. Originally from the Netherlands, he currently works as a Lead Threat Detection & Response Engineer in London. As a cyber security enthusiast and threat researcher, he has presented his findings on topics including attacker emulation, PowerShell obfuscation, command-line obfuscation and DLL Hijacking at a variety of security conferences. By sharing his research, publishing related tools and his involvement in the open-source projects such as LOLBAS, HijackLibs and ArgFuscator, he aims to give back to the community he learnt so much from.

Whether it is for applications, operating systems, databases, etc. anything that reads, writes, manipulates data must be using an encoding. On modern days, it will mostly always be UTF-8 by default, sometimes UTF-16, both are Unicode standards. Security auditors and researchers often manipulate data or protocols, but what about manipulating the underlying encoding? Unicode has become the one encoding to rule them all, replacing hundreds of old standards. At first glance, it could feel like a simplification. It is not. All those old encodings where ultra-basic while Unicode is overwhelmingly complex beyond what you can imagine until reading the specifications. Over the years, the lack of awareness about Unicode and its complexity have led to a lot of issues and implementation errors. The version 16.0 of the Unicode Standard is 1140 pages long, and there are over 60 UAX (Unicode Standard Annexes), UTS (Unicode Technical Standards), UTR (Unicode Technical Reports), each of which is comparable to an IETF RFC. During the last 3 years, I have analysed about 15 programming languages, none of which is fully implementing 100% of the Unicode standard. Any piece of software around you is probably using Unicode, but none of them have complete implementation of it and all of them a probably different. What could go wrong?

Alexandre Zanni

Synacktiv

I'm a pentester & security researcher, so I'm mostly focus on offensive security. Outside penetration tests (where I enjoy web the most), I spent a lot of time in R&D, where a majority of this time investment was spent on one topic: Unicode. So Unicode is, by far, the topic I know best. Some people may know me for my Github activity: writing tools, contributing to open-source software a lot as well as security resources, maintaining packages at [BlackArch](https://blackarch.org/), etc.