The following is a tentative structure of the schedule. Times are all in CEST.

May 7, 2025

1:30 pm

Registration Desk Opens

2:30 pm

  • Workshop 1, Room 1

Founder and CTO at FoxIO

In this workshop I will explain JA4+ network fingerprinting and show you how to use it to detect malware clients, their C2 servers, reverse SSH shells, and connections from proxies and VPNs, and to estimate the location of the true client behind the proxy or VPN, all just by passively looking at the network traffic with JA4+ and without the need to break encryption. You will also learn how to use JA4+ active server fingerprinting and how it can see beyond NAT.

JA4+ is free and available across a wide range of open source and vendor tools you already use including Zeek, Arkime, Wireshark, Suricata, Censys, Vectra, etc.

2:30 pm

  • Workshop 2, Room 2

Researcher at Statecraft AI

Lead Security Researcher at Cisco Talos

LLMs are the current buzz. Systems built around them promise to retrieve information from a pile of data and let you have conversations with your PDFs. Others are supposed to be capable of autonomous analysis or of automating tedious tasks. But are they actually useful? And what are the challenges en route to a good implementation?

In this workshop the attendees will learn how to implement a data exploration and analysis system that leverages the unique capabilities of LLMs. We will put LLMs at the center of our pipeline and explore how to reduce hallucinations, work with locally available data, and make tools available to it. As we go through these development steps, we will present the major pitfalls of such systems and explore how they can be avoided or mitigated.

Attendees will learn how to set up a simple system to retrieve local text data and how to equip an LLM reasoning system with the tools to do internet searches or statistical analyses. This will be demonstrated with codeless agents using open-source repositories but also with a code-based version for those participants interested in deeper control over each step.

The workshop will be split into two major parts. In the first part we will be introducing the audience to the major components of our analysis system and the way they interact with each other. While this is happening we will also support the audience with the setup of their system (for those who might not have the time to prepare in advance).

In the second part of the workshop, the audience will have the opportunity to put together the system, index sample data and run some queries. This will give them the opportunity to fail, understand the pitfalls and try again using different techniques, like data normalization, embedding, reranking and prompt engineering.

In the end, the audience should be able to take what they have learned and implement such a system adapted to their own organization’s needs and resources.

2:30 pm

  • Workshop 3, Room 3

Principal Intelligence Analyst at The Vertex Project

Cyber threat intelligence (CTI) is built on the reliable identification and grouping (clustering) of activity. This includes accurately recognizing and classifying code samples as well as reliably linking and attributing malicious activity. While straightforward in theory, this process is very challenging in practice, especially as we try to cross-reference public reporting with our own internal intelligence. How reliable is another organization’s intelligence? Are other organizations clustering things the same way or with the same precision? How might clustering decisions vary, based on visibility or even available tools? And of course, how do I make sense of all the naming conventions?!? Join The Vertex Project as we delve into these questions, using Synapse Enterprise to examine real-world data drawn from public threat reporting. We’ll look at technical indicators as well as TTPs to try and sort out whether different reports are really talking about “the same thing”…or not…or whether it’s even possible for us to determine. All in the attempt to answer that age-old CTI question: “Is this a cluster? Or a cluster?” 

Attendees will receive a login to a hosted Synapse Enterprise instance for use during the workshop – all you need is a laptop and a Chromium-compatible browser (Chrome is preferred). Want to learn more before (or after!) the workshop? You can request a demo instance of Synapse Enterprise at any time for evaluation or personal use from https://vertex.link/request-a-demo. (Demo instances include all rapid Power-Ups and some advanced Power-Ups. If third-party API keys are needed, they must be provided by the user.)

Workshop organized by The Vertex Project.

5:00 pm

End of workshops

7:00 pm
Welcome Reception & Fireside Chat

May 8, 2025

9:15 am

PIVOTcon Opening

9:30 am

Staff Threat Researcher at Proofpoint

Senior Threat Researcher at Proofpoint

Business email compromise (BEC) threat activity can be difficult to track and cluster, but when paired with credential phishing campaigns to enable fraudulent activity, it’s much easier to attribute with high confidence a sophisticated threat actor that’s constantly trying to swindle businesses globally.

In this talk, we will discuss how we track this actor including pivots on existing infrastructure like monitoring Azure tenants and their use of M365 honeypots to observe how the actor operates once in an environment, how our tracking and campaigning has forced this actor to change behaviors multiple times, and how we have disrupted in-flight BEC payments to keep money out of actors’ hands. We will also discuss how the actor uses various software and enterprise tooling, real-world physical spaces, and shifting payment collection schemes that can shed light on how BEC enterprises operate.

We’ve been tracking TA4903 since 2022 and have developed a picture of a BEC actor unlike most of the activity we see. They impersonate governments and small businesses, conduct phishing campaigns for intelligence collection to enable future BEC, and register dozens of legitimate bank accounts to collect stolen funds.

While we have published some details publicly on TA4903, this is the first time sharing new and specific details about hunting, pivoting, and disrupting their operations. Most of this talk will be TLP:AMBER+Strict.

10:05 am

Capability Development lead at PwC Global Threat Intelligence

Many China-based threat actors have a long history of successfully targeting telecommunications providers, but in recent years only a few have honed their skills to operate natively in these environments. One in particular has a global remit, with victims spanning Brazil, Maldives, Italy, Pakistan, Iran, Taiwan and Costa Rica. It has been operating since at least 2019, deploying bespoke telco-specific backdoors to the victim networks. The global telecommunications remit and the customized telecommunications network tooling highlight some of the group’s specialty capability and target focus, making it a stealthy and global espionage threat. In this presentation, we dive into the actor’s infrastructure, detailing specific traits and pivots, SSH server forwarding through external infrastructure, customized passive malware scanning and hosted files. Additionally, we connect the infrastructure findings to open-source tooling such as TinyShell usage, custom malware and specialized tooling to link the malware and infrastructure side of the threat actor, providing a holistic view of a modern global threat to the telecommunications sector.

10:40 am

Senior Threat Researcher at Trend Micro

In this talk, we will delve into the evolving landscape of coordination in Chinese cyber espionage attacks, focusing on the collaborative tactics among Chinese APT groups.

We will share several previously undisclosed case studies, shedding light on the shared TTPs between Earth Estries and several notorious Chinese APT groups. Our research reveals that these sophisticated Chinese APT campaigns have impacted governments and telecommunications organizations across multiple nations. Furthermore, we observe that these well-resourced threat actors continue to evolve their tactics to achieve their goals.

This presentation will provide actionable insights for tracking, analyzing, and understanding the complexities of collaborative operations in cyberspace. The key points we will cover include:

– How we monitor DEMODEX activities targeting governments and telecommunications entities across multiple countries

– Challenges in attribution when attackers share C2 infrastructure, such as using shared certificates or anonymous infrastructure providers

– Insights into how collaborative operations in cyberspace complicate attribution efforts for CTI researchers, turning them into a daunting “attribution nightmare.”

11:10 am

Coffee Break

11:30 am

Principal Threat Researcher at Volexity

Over the last few years, Volexity has worked on several investigations involving compromised edge devices. In many cases, the attackers used zero-days to take control of systems exposed to the Internet and used this initial foothold to move laterally. In this presentation, Volexity will provide a behind-the-scenes look at these incidents from an operational perspective. Several aspects will be covered, including how an investigation begins and how a compromise is detected by proactive monitoring. This presentation will also discuss forensic capture on edge devices, including how it can be done, the types of artifacts that can be captured, and difficulties encountered during the incident response process. The malware analysis portion of the presentation will cover techniques used by attackers, and how to analyze binaries designed for edge devices with standard tools and machines. The presentation will conclude with a discussion covering the post-incident phase, where scanners were developed to identify compromised devices based on knowledge of the malware that was acquired during these investigations. Statistics will be presented for each incident to visualize the impact of these campaigns targeting edge devices.

12:05 pm

Keynote Speaker

12:45 pm

Lunch Break

2:00 pm

Senior Malware Researcher at ESET

What happened to Zebrocy, a Russia-aligned APT group? The latest publication about this threat actor was released in 2021, before coverage went radio silent. In 2023, we discovered an attack targeting a Ukrainian governmental organization. A malicious document was attached to an email that, if opened, downloads additional malware including interesting and complex payloads, and finally drops an obfuscated Python backdoor, keylogger, and file stealer.

Pivoting on the discovered artifacts allowed us to find similarities with older tools attributed to Zebrocy. From this starting point, following the breadcrumbs allowed us to attribute recent campaigns to Zebrocy based on ESET telemetry, level of sophistication, victimology, and TTPs. With these new insights, we were able to track and monitor the group closely, identifying recent campaigns targeting Central Asia and Eastern Europe.

A characteristic of its modus operandi is having only a minimal footprint on the victim’s machine, hiding its tracks as fast as possible. To achieve this, Zebrocy nowadays relies on memory-only artifacts whenever possible. The group also carefully fingerprints compromised computers to deliver backdoors and additional tools to selected victims only. Finally, over time the group has put considerable effort into renewing its arsenal in different programming languages.

This presentation highlights operations of the advanced threat actor, Zebrocy, uncovering a multiyear espionage campaign, with continual toolset updates. The group’s infrastructure is well managed and recalibrated for each campaign. It continues to evolve toward even more stealthiness to achieve its primary goal: obtaining and maintaining access for cyberespionage.

2:35 pm

Discussion Panel

3:20 pm

Coffee Break

3:40 pm

Senior Threat Researcher at Palo Alto Networks

In recent years, one of the most impactful advancements in the field of threat intelligence is the tracking of actor-controlled infrastructure through internet scanners. Slow Pisces (TraderTraitor, Jade Sleet), who is thought to have stolen billions of USD from the cryptocurrency sector, is particularly susceptible to this as they favour using custom malware and communication protocols, resulting in distinct fingerprints on internet scanners.

However, this approach is not without flaws: scanning the internet takes time; querying internet scanners takes time; minor changes by the threat actor can invalidate our tracking; and ultimately, we must know what to look for.

These challenges were exemplified in June 2023 when Slow Pisces carried out a supply chain attack on customers of JumpCloud. New infrastructure was created and deployed within the span of a single day, supporting five different malware families—one of which I had never observed before. This raises an intriguing question: how could threat intelligence have preempted such an attack, given the speed at which it occurred and the use of novel tools?

This presentation explores my journey toward solving this problem for Slow Pisces, shifting from reactively tracking the group’s tools towards tracking the team that makes the infrastructure for all of their tools. I will discuss how certificate transparency logs (CTL) can be leveraged to detect infrastructure as soon as it is created, strategies for building hunting pipelines using the CTL, and how this approach can complement internet scanners to uncover novel activity associated with Slow Pisces.

4:15 pm

Security Threat Analyst from Advanced Practices Team, Google Mandiant

This presentation is a deep dive into a new South-East Asian group that we track as UNC5638, which has been running a long-term and highly organized data-and-network disassociated service provider that we have observed across multiple high-profile incident response engagements. We assess this provider is responsible for maintaining and brokering a large-scale botnet of SOHO routers (e.g. TP-Link, ASUS) using custom OpenWrt firmware images, GOST tunneling and gnarly Go-based Mirai variants, which we have observed used for intricate network tunneling, intrusion operations, denial of service, and more. We will discuss and share insight into their botnet management lifecycle and provide a historical timeline of events and activity, indicating their enduring effort to support large-scale disassociated espionage or network attack capabilities for a myriad of threat actors. We will provide an in-depth technical view into the complex and enduring relationship between an initial-access broker, the access consumer(s) and the network maintainer’s operations, and how we leveraged our analytical techniques and tradecraft to determine the key signals and clustering needed to track and detect symbolic network communication and server infrastructure across their campaign. We will share the pivots which enabled our team to unravel the provider and how we surfaced troves of actor-controlled C2s, network tunnels and malware, which led to the identification of victim network infrastructure and overlaps with well-known attributed threat groups. We will also discuss some of the analyst rabbit-holes and attribution challenges along the way. The provider describes itself as a data acquisition, collection & access services agency, which hosts several websites that have been in operation for over a decade specialising in scraping and hosting.
According to their resume and current PhD research thesis, they would like to let you know they specialise in adversarial infrastructure resiliency & robustness.

4:50 pm

Principal Security Researcher at Censys

This presentation will follow our investigation surrounding a multi-year campaign by the Russian threat actor Secret Blizzard against the Pakistani threat actor Storm-0156. Similar to their previous operations against Iranian actors, Secret Blizzard’s campaign targeted the malware control infrastructure of Storm-0156 and deployed their own malware on already compromised systems.

Our investigation, initiated in December 2024, focused on identifying and differentiating the infrastructure and unique tools utilized by both actors. By leveraging infrastructure pivots enriched with internet scan data, we mapped both sets of activity, leading to the identification of abandoned domains linked to Storm-0156. Through sinkholing of expired domains, we were able to identify residual Wainscot infections affecting active-duty military personnel stationed along a contested border, which were actively exfiltrating sensitive information.

This talk will present the key findings of our investigation and detail the pivoting techniques used across both malware and internet scan data to effectively map complex, contested threat actors’ infrastructure.

7:00 pm

Very Social Dinner

May 9, 2025

9:15 am

Principal Threat Intelligence Analyst at Google

Within the cyber crime ecosystem, it is common practice for threat actors to conduct financial transactions, such as to purchase tools and services, outsource portions of their operations, or to split funds gained through affiliate partnerships. These transactions are typically accomplished via cryptocurrency payments, often Bitcoin. However, when it comes to performing blockchain analysis for cyber crime, much of the focus is often placed on actors specifically stealing cryptocurrency or leveraging it to launder illicit funds, rather than using it as a tool for attribution.

This talk will discuss how analysts can layer cryptocurrency analysis on top of more traditional analysis, such as reviewing intrusion and incident response data, network indicators, and underground forum activity. It will also show how analysts can use blockchain analysis techniques to inform attribution assessments and map out transactional relationships between actors. These techniques will be demonstrated through a case study involving UNC4393, a prominent ransomware operator that deploys Basta ransomware, and relied heavily on Qakbot infections for initial access prior to the Qakbot disruption efforts in late 2023.

9:50 am

Principal Security Researcher at Microsoft (MSTIC)

Senior Threat Intelligence Analyst at Microsoft (MSTIC)

Private sector offensive actors (PSOAs), also known as cyber mercenaries, can often be difficult to track due to their highly experienced developers, well-resourced exploit acquisition programs and innovative malware techniques. However, the well-documented widespread abuse of their tools makes them a worthy disruption target, and which analyst doesn’t love a challenge?

In this talk we will discuss recent Microsoft findings regarding an advanced PSOA and their tools being used to target people and organizations across Europe and the Middle East.

We will cover how we tracked their infrastructure, how their Windows malware has evolved over time, and the interesting exploit delivery mechanisms being used. We will discuss pivot and detection opportunities for vendors and defenders, and talk about some of the difficulties and dead ends we encountered during our work. Finally, we will present an overview of the victimology as well as some interesting links with other PSOAs.

10:25 am

Security Researcher at Cisco Talos

Security Researcher and Manager at Cisco Talos

Initial Access Brokers (IABs), once primarily associated with criminal actors, are now taking on an increasingly pivotal role in espionage. Traditionally, IABs were viewed as criminal organizations selling compromised network access to financially motivated attackers—especially ransomware operators—effectively splitting a single attack kill chain into two stages: the initial compromise and subsequent exploitation.

Our research reveals a significant shift in the landscape. For example, state-sponsored groups are acquiring or providing access for espionage purposes, sometimes passing it between separate APTs. Alternatively, a state actor may purchase access from financially motivated brokers or even sell it to criminal organizations for profit. Furthermore, opportunistic attackers are suspected of reselling high-value targets to government entities while offloading other victims onto the black market. In light of these developments, the classical definition of IABs—focused solely on the intent to sell initial access—no longer holds. From a defender’s standpoint, recognizing how disparate groups collaborate within the same attack chain is crucial for effective actor profiling, campaign tracking, and attribution.

To address this complexity, our work introduces a refined definition of Initial Access Groups and an enhanced actor profiling framework. These updates are aimed at adapting to emergent multi-party dynamics, improving threat hunting, and strengthening defensive strategies. Moreover, our findings highlight the limitations of conventional profiling approaches when applied to these increasingly segmented operations, underscoring the need for models that account for both financial incentives and state-sponsored agendas.

10:55 am

Coffee Break

11:15 am

Senior Staff Threat Intelligence Researcher at Lookout

While there have been numerous reports of Chinese threat actors using mobile surveillance tools to monitor minority groups, dissidents, and activists both within China and abroad, attribution to the Chinese government remains a significant challenge. Unlike some nation-state APT groups that develop surveillance tooling in-house, China’s reliance on an extensive network of private contractors to design, distribute, and even maintain lawful intercept tooling creates an “air gap” between the government and its surveillance operations. This serves as a buffer between the CCP and controversial surveillance operations, making it more difficult to directly tie surveillance activities to the state and providing the CCP with plausible deniability. The i-SOON data leak in early 2024 provided valuable insight into some of these contractors and their internal operations, but there are dozens of other players in this space that fuel China’s surveillance state.

In this talk, we will explore the attribution process for previously undisclosed mobile surveillance tooling tied to private contractors throughout mainland China. We’ll examine how these tools fit into China’s broader intelligence ecosystem, how the use of third-party contractors complicates attribution, and discuss strategies for uncovering and tracking these somewhat silent operators using recent case studies.

11:50 am

Redacted

North Korea’s scheme of using citizens as IT workers to generate revenue for the regime has been closely tracked by security researchers. The activities present a multitude of security risks to global organizations. In this presentation, we’ll delve into some of the recent and unique findings related to the threat. Some indicate an accelerating trend of the IT workers working with known Chinese cybercriminals and sophisticated North Korean Advanced Persistent Threats like the Lazarus Group. We’ll look into laptop farms, collaboration with cybercriminals, and inner workings among the IT workers themselves. We will explore methodologies and data sources to track the actors. With the insights gathered from the investigation, we will look ahead to identify trends and upcoming tactics, techniques, and procedures (TTPs) still being developed by these actors. We will aim to anticipate the threats originating from these actors in the near future, allowing us to stay informed and vigilant.

12:20 pm

Lunch Break

1:30 pm

Redacted

2:05 pm

Senior Threat Intelligence Analyst at Magic Money company

North Korean cyber operations are notorious for their audacity, resourcefulness, and relentless pursuit of revenue generation. Something they’re not well known for? Demonstrating much concern about their operational security. Join me for a deep dive into ContagiousInterview — one of the most active and widespread DPRK-attributed campaigns in recent memory.

This talk will take you on a journey down many rabbit holes, where some of the findings will make you wonder if the “A” in APT stands for “Advanced” or “Amateur”. We’ll relive the investigation step by step: starting with just a few suspicious domains, we’ll uncover fake video interview lures and a Golang backdoor used for cryptocurrency theft. From there, we’ll follow each breadcrumb—uncovering exposed registrant emails, misconfigured malware staging domains, victimology and crossing streams between personas.

Along the way, we’ll explore how collaboration with trusted partners provided key insights to more effectively track and disrupt the campaign. Finally, we’ll piece together the evidence that solidifies attribution and highlights any unexplored investigation paths. Attendees will walk away with IOCs and Synapse nodes to kickstart their own research.

Let’s go beyond typical malware analysis and unravel an entire operation turn by turn – with unusual pivot points and unexpected twists, this journey might just go deep enough to question your own sanity – it certainly did mine.

2:35 pm

Coffee Break

3:00 pm

Principal Threat Researcher with SentinelLabs

Founding Engineer at Validin

Founder of Validin

What appeared to be an isolated cryptocurrency phishing case quickly unraveled into something much bigger: a massive, industrial-scale phishing network that has been operating under the radar for years.

This talk unveils an enterprise-grade financial theft operation that has weaponized search engines, free web services, and multi-layered redirection techniques to systematically drain cryptocurrency wallets at scale for years.

We will expose the network’s vast infrastructure, reveal how it evades traditional detections, walk through its operational workflow, and detail how we built an automated system to hunt for and monitor its operations at scale. Most importantly, this research is an open call to action—we will share ways the attendees can collaborate with us to expand detection, impose further costs on the actors, and proactively defend against similar large-scale abuse networks. This will be the first public unveiling of this investigation, delivering new intelligence and tooling, and seeking collaboration opportunities.

3:35 pm

Staff Threat Researcher at Proofpoint

In summer 2024, Proofpoint Threat Research identified a highly unusual phishing campaign targeting over 70 organizations, which we characterized as “APT activity with cybercrime vibes”. The campaign employed tax return lures and an intricate infection chain to deliver a custom backdoor—named Voldemort by the threat actor—which used Google Sheets for command and control (C2). While the tactics, techniques, and procedures (TTPs) and the use of tax return lures were suggestive of cybercriminal activity, further analysis indicated the operation’s likely primary objective was espionage.

Subsequent attribution analysis led us to attribute this campaign to the China-aligned threat actor TA415 (overlaps with APT41, Wicked Panda, Brass Typhoon). This group, previously indicted by the US government and linked to the private contractor Chengdu 404 Network Technology Company, has a history of conducting both state-sponsored cyber espionage and financially motivated operations for personal gain. This talk will detail previously undisclosed technical artifacts and analytical pivots using a variety of datasets that led us to attribute this unusual campaign to TA415. Additionally, we explore subsequent TA415 phishing campaigns in late 2024, which demonstrated a shift in TTPs and a more targeted approach against US and Taiwanese aerospace entities.

4:05 pm

Redacted

7:00 pm

Gala Dinner

Run by threat analysts, for threat analysts

Learn, inspire, be inspired and discuss threats in a safe environment.
Copyright © 2024 Threat Research Association All Rights Reserved.