Talks

Various research publications suggest that, since its inception, the Chinese Communist Party (CCP) has maintained ties with criminal organizations. Indicators suggest that this legacy likely persists in the cyber domain today. Suspected state-aligned Chinese cyber actors affiliate with cybercriminal groups and use tactics typically associated with them, including ransomware, a destructive malware typically linked to cybercrime.

This discussion-based seminar will explore the alleged CCP’s historical relationship with criminal elements and examine how that relationship has likely evolved in the modern era. It will broaden the conversation beyond ransomware to consider currently relevant strategic objectives associated with its use by suspected Chinese threat actors, including personal enrichment, which is likely overlooked or tolerated by the state and driven by socio-economic factors, strategic disruption, and plausible deniability.

Continuing the discussion of plausible deniability, the seminar will also invite dialogue on China’s growing efforts to portray itself as a responsible actor in the cyber domain and shape the public narrative around cyber conflict, particularly through the disclosure of alleged cyberespionage operations by Western-aligned entities.

CamoFei (which overlaps with ChamelGang, TAG-112, or Evasive Panda) sets itself apart within the landscape of China-linked APT groups through a dual-track operational model that blends traditional cyber espionage with disruptive activities. The group continues to target high-profile entities of strategic interest to Chinese intelligence, including Tibetan and Taiwanese organizations, while simultaneously engaging in operations that suggest influence or destabilization objectives, often layered with plausible deniability.

As of early 2025, CamoFei remains highly active, expanding its reach across a diverse set of governmental and private-sector targets in Southeast Asia, Europe, and the Middle East while adopting new tactics and techniques. Its recent compromise of Taliban networks in Afghanistan, which coincided with a suspected hack-and-leak influence campaign targeting the Taliban itself, points to a possible evolution toward hybrid operations that merge technical intrusions with geopolitical narratives. While the shift remains unconfirmed, it reflects the broader challenge posed by the increasingly blurred lines between espionage, influence operations, and cybercrime, making attribution and intent analysis more difficult.

As multiple of these CamoFei victims exhibit signs of concurrent compromise by other Chinese-nexus groups, the case underscores a broader analytic challenge, namely, that overlapping intrusions within the same victim environments complicate attribution and intent analysis, raising important questions about coordination, operational autonomy, and competition within the broader Chinese threat ecosystem.

Ransomware is no longer just a tool for financial extortion. Nation-states now use this destructive malware for disruption, misattribution, and evidence removal. In this talk, we explore how state-linked threat actors associated with some of the most prominent players in the cyber threat landscape — Russia, North Korea, China, and Iran — are using ransomware not only for financial gain but to advance their strategic goals.

This talk takes a comparative look at the key differences and similarities in how these threat groups use ransomware. We examine their operational methods and objectives, considering how each country's geopolitical context shapes their approach. We provide both historical and current perspectives, including past cases and previously undisclosed details on recent cyber operations.

We also explore the growing involvement of state-linked actors in ransomware-as-a-service (RaaS) operations, leveraging cybercriminal networks to increase operational efficiency and maintain plausible deniability. Finally, we discuss the future of ransomware in state-sponsored operations, examining how and to what end states are likely to continue using this tactic, implications for defenders, and challenges in countering this threat.

Threat actors have long demonstrated an interest in public threat intelligence reporting about them. This interest is driven by strategic motivations: to assess their exposure, adapt their operations, and undermine the effectiveness of defensive measures.

In this talk, we present our investigation into a campaign in which suspected North Korean threat actors showed significant interest in Validin’s threat intelligence data, particularly infrastructure publicly attributed to them and related disclosures about their operations. We detail how we attributed this activity to a specific North Korean threat cluster known for cyberespionage and financial crimes with a focus on targeting individuals and organizations in the cryptocurrency industry.

Our investigation also uncovered backend web code used by the threat actors to support their campaigns, likely exposed due to operational security lapses.

The APT vs. cybercrime debate has been a staple of cyber threat discussions for years, but recent years have seen a convergence that challenges traditional categorizations and demands a fresh perspective. Cyberespionage groups are involved in a disturbing scheme: deploying ransomware as a final act in their operations to secure financial gain, cause disruption, create confusion, misdirect blame, or erase evidence. This tactic allows adversarial countries to maintain plausible deniability by attributing these actions to independent cybercriminals rather than state-sponsored entities.

From high-tech research in Europe to healthcare in India. From manufacturing in the Americas to aviation and government in the Indian subcontinent and the Far East. We trace this global trail of suspected Chinese APT clusters taking on cybercriminal roles. The involvement of operatives moonlighting as cybercriminals and dual-role contractors in the Chinese cyberespionage ecosystem adds further layers of ambiguity. We expose custom tooling, dubious "ransomware affiliates", and additional links between ransomware operations and espionage clusters. We dive into key risks this ransomware tactic poses to government cybersecurity organizations and private sector defenders, such as missed intelligence opportunities and diminished situational awareness, and explore challenges in countering this threat.

In this talk, we reveal previously undisclosed details about several North Korean APT activities we have unearthed over the past months. Our objective is to enrich the accumulated intelligence on the North Korean cyber threat landscape within the community and contribute to a deeper understanding of the evolving tactics used by its constituent groups.

This presentation begins by revealing deceptive lateral movement tactics observed during our investigation into an intrusion at NPO Mashinostroyeniya, a Russian missile engineering firm. We then explore ScarCruft's testing grounds — a collection of malware recovered during the planning and testing phases of the group's development cycle, likely intended for future campaigns. We disclose here our insights into ScarCruft's infrastructure, malware implementation processes, and experimentation with staging and evasive techniques. In concluding the technical discussion, we share curious relationships to cryptocurrency scams, highlighting North Korea's evolving interest in the cryptocurrency industry.

During times of major shifts in the North Korean foreign policy, the future trajectory of the country's cyber activities is uncertain. We conclude our presentation by speculating on potential changes in North Korea's cyber strategies and their implications for threat intelligence collection and effective defense.

Based on a compelling data leak within Russia's defense sector, we recently unearthed an intrusion by DPRK-affiliated threat actors into the Russian missile engineering firm NPO Mashinostroyeniya. With an intensive public display of the strengthening military relationship between the two countries, our findings provide rare insight into DPRK’s clandestine operations against Russia.

This presentation begins by exploring the ties between DPRK and Russia during the period of the noted breach. We subsequently delve into our methods for pinpointing and recognizing the data breach at NPO Mashinostroyeniya and its significance in the Russian Defense Industrial Base. We then shed light on the organization's security challenges and highlight the threat activity we attribute to DPRK, amidst a slew of peculiar infections and abused network services. We finish by discussing the complexities and dilemmas we faced during this distinctive intrusion investigation.

SentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman. Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent.

The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection. Sandman has deployed a novel modular backdoor utilizing the LuaJIT platform, a relatively rare occurrence in the threat landscape. We refer to this malware as LuaDream. The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale.

At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.

Telecommunication providers are frequent targets of espionage and cybercriminal activity due to the sensitive data they hold. From close-knit groups with strategic interests, such as LightBasin and APT41, to loosely affiliated assemblies, such as Lapsus$, the security of Telcos is under constant threat.

In this talk, we review recent targeted attacks against telecommunication providers. We provide insights into a variety of threat activities whose understanding is relevant for better defending against them - from initial infection vectors, detection evasion techniques at malware implementation- and network-level, to OPSEC awareness levels threat actors exhibit. We peek into the current Telco threat landscape to provide relevant takeaways for defenders and foster further discussions on the topic.

This talk reviews recent espionage and hacktivism activities, most of which are aligned to Chinese and Russian interests. We discuss the growing trend of espionage actors using Cloud infrastructure for C2 purposes in an attempt to evade detection. We also delve into operation Tainted Love, an APT activity in the nexus of the Chinese cyberespionage groups Gallium and APT41. Next, we explore the Russian-aligned hacktivist group NoName057(16) targeting NATO's infrastructure and end up with an overview of the Russian Winter Vivern group, which has been conducting espionage campaigns in the US and Europe since at least 2018.

Time is critical for ransomware operators – the faster they encrypt the victim's files, the less likely they are to be detected in the process. Encryption can be a time-consuming process, and ransomware developers know this. That is why they get creative when programming encryption routines – the goal is to minimize the time spent on encryption and maximize the amount of encrypted file content. In this way, the greatest possible irretrievable damage is done in the shortest possible time.

BlackCat is a new and very high-profile player in the current ransomware scene. The way BlackCat performs encryption is highly customizable and ALPHV uses this as an advertising tool to attract affiliates. BlackCat operators can choose between six encryption modes and two encryption algorithms. Ransomware operators can further configure each encryption mode with mode-specific settings. Each encryption mode and algorithm occupies a specific position on the trade-off scale between encryption speed and completeness.

We reverse-engineered the BlackCat ransomware to provide a first look into the inner workings of the encryption modes that BlackCat implements. Our analysis provides a unique insight into the design decisions that ransomware developers make to achieve an optimal balance between encryption speed and encryption completeness. This work also tests the encryption modes and encryption algorithms that BlackCat implements. We conducted a series of experiments to measure in numbers the trade-off between encryption speed and completeness that the different modes achieve. We examine metrics such as encryption speed, time spent on encryption, and amount of file content encrypted.

SentinelLabs researchers uncovered a never-before-seen advanced threat actor we’ve dubbed ‘Metador’. Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory.

SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant. At this time, there’s no clear, reliable sense of attribution. Traces point to multiple developers and operators that speak both English and Spanish, alongside varied cultural references including British pop punk lyrics and Argentinian political cartoons. While Metador appears primarily focused on enabling collection operations aligned with state interests, we’d point to the possibility of a high-end contractor arrangement not tied to a specific country. This release is a call to action for threat intelligence researchers, service providers, and defenders to collaborate on tracking an elusive adversary acting with impunity.

This talk focusses on the malicious use of PowerShell in attack campaigns. In addition, this talk presents the architecture of PowerShell and how PowerShell integrates in the Windows operating system.

Telemetry, a mechanism for transmitting collected data to a remote location for analysis, is becoming increasingly ubiquitous in software. Its widespread presence raises concerns related to the content, the security, and the privacy of collected data. This makes telemetry an important target for analysis.

This talk focusses on the telemetry mechanism implemented in Windows 10 – Windows Telemetry. We first discuss the relevance of Windows Telemetry for analysis, with an emphasis on concerns critical to users of Windows 10 and of telemetry-enabled software in general. We then give an overview of its architecture. This includes the data sources, showing the extent of integration of Windows Telemetry in the operating system itself. In addition, we present on the communication interfaces of Windows Telemetry and characterize the network traffic originating from it. Finally, we discuss how the activity of Windows Telemetry can be reduced or stopped. We present the advantages and disadvantages of the different approaches for achieving this as well as relevant operational aspects.

With the widespread adoption of virtualization, intrusion detection systems (IDSes) are increasingly being deployed in virtualized environments. When securing an environment, IT security officers are often faced with the question of how accurate deployed IDSes are at detecting attacks. To this end, metrics for assessing the attack detection accuracy of IDSes have been developed. However, these metrics are defined with respect to a fixed set of hardware resources available to the tested IDS. Therefore, IDSes deployed in virtualized environments featuring elasticity (i.e., on-demand allocation or deallocation of virtualized hardware resources during system operation) cannot be evaluated in an accurate manner using existing metrics. In this paper, we demonstrate the impact of elasticity on IDS attack detection accuracy. In addition, we propose a novel metric and measurement methodology for accurately quantifying the accuracy of IDSes deployed in virtualized environments featuring elasticity. We demonstrate their practical use through case studies involving commonly used IDSes.

The evaluation of intrusion detection systems (IDSes) is an active research area with many open challenges, one of which is the generation of representative workloads that contain attacks. In this paper, we propose a novel approach for the rigorous evaluation of IDSes in virtualized environments, with a focus on IDSes designed to detect attacks leveraging or targeting the hypervisor via its hypercall interface. We present hInjector, a tool for generating IDS evaluation workloads by injecting such attacks during regular operation of a virtualized environment. We demonstrate the application of our approach and show its practical usefulness by evaluating a representative IDS designed to operate in virtualized environments. The virtualized environment of the industry-standard benchmark SPECvirt_sc2013 is used as a testbed, whose drivers generate workloads representative of workloads seen in production environments. This work enables for the first time the injection of attacks in virtualized environments for the purpose of generating representative IDS evaluation workloads.

Hypervisors are becoming increasingly ubiquitous with the growing proliferation of virtualized data centers. As a result, attackers are exploring vectors to attack hypervisors, against which an attack may be executed via several attack vectors such as device drivers, virtual machine exit events, or hypercalls. Hypercalls enable intrusions in hypervisors through their hypercall interfaces. Despite the importance, there is very limited publicly available information on vulnerabilities of hypercall handlers and attacks triggering them, which significantly hinders advances towards monitoring and securing these interfaces. In this paper, we characterize the hypercall attack surface based on analyzing a set of vulnerabilities of hypercall handlers. We systematize and discuss the errors that caused the considered vulnerabilities, and activities for executing attacks triggering them. We also demonstrate attacks triggering the considered vulnerabilities and analyze their effects. Finally, we suggest an action plan for improving the security of hypercall interfaces.