{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2025.2.2"}, "schedule": {"url": "https://cfp.securityfest.com/2026/schedule/", "version": "0.1", "base_url": "https://cfp.securityfest.com", "conference": {"acronym": "2026", "title": "Security Fest 2026", "start": "2026-05-28", "end": "2026-05-29", "daysCount": 2, "timeslot_duration": "00:05", "time_zone_name": "Europe/Stockholm", "colors": {"primary": "#101010"}, "rooms": [{"name": "Main Stage", "slug": "5-main-stage", "guid": "26a63b37-e76e-5864-8499-5fb98a9e2f3d", "description": null, "capacity": null}], "tracks": [{"name": "Talks", "slug": "5-talks", "color": "#730000"}, {"name": "Villages", "slug": "6-villages", "color": "#CD6868"}], "days": [{"index": 1, "date": "2026-05-28", "day_start": "2026-05-28T04:00:00+02:00", "day_end": "2026-05-29T03:59:00+02:00", "rooms": {"Main Stage": [{"guid": "19fb87cf-8055-516c-b357-e3d2fb80868a", "code": "L38XLJ", "id": 696, "logo": null, "date": "2026-05-28T09:30:00+02:00", "start": "09:30", "duration": "00:45", "room": "Main Stage", "slug": "2026-696-claude-is-your-insider-threat-now", "url": "https://cfp.securityfest.com/2026/talk/L38XLJ/", "title": "Claude is your insider threat now", "subtitle": "", "track": null, "type": "Keynote", "language": "en", "abstract": "Everyone is diving headfirst into the AI pool. The problem is they're diving into the shallow end. LLMs are being packed into every nook and cranny, mostly places nobody wanted it or asked for it. I'm going to be taking a baseball bat to LLMs - their hallucinatory nature and the extra instructions we're saddled with we don't get to see. I'll be showing logs of how they literally talk themselves into lying to you. It's bad. Bring a helmet. Prompt engineering has become harness engineering, and now it's \"memory and context engineering\". Openclaw and now codex are storing local files and 'memories' to try and handle the 'context window problem'. 
Moltbook has 3 million 'agents'. Openclaw is being used as a c2 now. TeamPCP is infecting every npm package they can with backdoors - weekly at this point! Just in 2026 alone we have more than tripled the number of supply chain bugs in tooling used in the LLM landscape The attack surface is growing so rapidly we can barely keep track of it. This talk will explore all this new attack surface, and cover some of the things you can do about it, and how to avoid the landmines and pitfalls when using LLMs.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "UQKDZT", "name": "Dan Tentler", "avatar": "https://cfp.securityfest.com/media/avatars/UQKDZT_hJVGBUa.jpg", "biography": "Dan is the founder of Phobos Group, a boutique information security consulting and architecture firm, specializing in assessment work, security architecture, remediation efforts, advisory and simulation services. Dan's been at this a long time. Come talk to him about Phobos Airlock!", "public_name": "Dan Tentler", "guid": "1eb22925-35fd-5f16-ae83-699294c5de0e", "url": "https://cfp.securityfest.com/2026/speaker/UQKDZT/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/L38XLJ/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/L38XLJ/", "attachments": []}, {"guid": "1ca7b3de-1a87-5c0d-b885-03001f3a0d07", "code": "D9ZPZD", "id": 532, "logo": null, "date": "2026-05-28T10:30:00+02:00", "start": "10:30", "duration": "00:40", "room": "Main Stage", "slug": "2026-532-from-code-to-compromise-turning-modern-day-ides-into-attack-vectors-via-malicious-extensions", "url": "https://cfp.securityfest.com/2026/talk/D9ZPZD/", "title": "From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Visual Studio Code has become the de-facto IDE for millions of developers, and its extension marketplace is now a first-class target for 
supply-chain compromise. In this talk we move beyond yesterday\u2019s JavaScript-only \u201ctheme\u201d backdoors and show how to fuse high-level TypeScript with low-level Rust to create extensions that are indistinguishable from legitimate Microsoft-signed add-ons\u2014yet silently execute native x86_64 shellcode inside the IDE process.\r\n\r\nWe begin with a data-driven tour of recent in-the-wild incidents: the [Material Theme extension with vulnerable dependencies](https://www.koi.ai/blog/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions), the \u201cSolidity\u201d extension that stole $500 k in crypto from a Russian blockchain developer, and the [new self propagating GlassWorm extension](https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension). The rise of AI-centric forks (Cursor, Windsurf, etc.) has also given a rise to new extension marketplaces where malicious extension can use inflated download counts to serve as perfect camouflage. Next we deep-dive into the malicious extension toolchain: a Rust FFI bridge that compiles to a library, exposes a single innocent-looking TypeScript API, and preserves the marketplace\u2019s blue \u201cverified\u201d tick. We demonstrate live how to backdoor a top-10 Microsoft-published extension so that every subsequent update remains functionally identical while the Rust payload executes shellcode \u2014without triggering Windows Defender, AMSI, or the new Extension Host sandbox.\r\n\r\nWe close with defensive takeaways: IoCs and TTPs to look for, defensive rules which can prevent such attacks and possible detection vectors. 
Attendees leave with a fully annotated GitHub repo that walks them through the process of developing such malware - starting with a \"hello-world\" C++ addon and building a stealthy rust based shellcode loader backdoored into a popular Microsoft extension.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BNV9GT", "name": "Debjeet Banerjee", "avatar": "https://cfp.securityfest.com/media/avatars/BNV9GT_Nowbj46.jpeg", "biography": "I am a Researcher with Black Hills Information Security. I develop malware and build automation pipelines for engagements. As a hobby, I like diving into IDA disassemblies and WinDBG to find increasingly complex way to do things which would annoy EDRs and Reverse Engineers. When I am not looking at screens, I am riding motorcycles, trekking along the himalayas or reading history and philosophy.", "public_name": "Debjeet Banerjee", "guid": "f6131efc-302a-532a-8a8a-e96ed0945bc4", "url": "https://cfp.securityfest.com/2026/speaker/BNV9GT/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/D9ZPZD/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/D9ZPZD/", "attachments": []}, {"guid": "4a87f1fb-b721-5f2a-98dc-3401a6d1c63a", "code": "LCMPBH", "id": 669, "logo": null, "date": "2026-05-28T11:30:00+02:00", "start": "11:30", "duration": "00:40", "room": "Main Stage", "slug": "2026-669-abusing-mutating-admission-webhooks-for-stealthy-cluster-dominance", "url": "https://cfp.securityfest.com/2026/talk/LCMPBH/", "title": "Abusing Mutating Admission Webhooks for Stealthy Cluster Dominance", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "This session moves beyond initial cluster access to explore a highly stealthy persistence vector: the weaponization of Mutating Admission Controllers. 
While typically used for security policy enforcement, these controllers can be subverted to inject malicious sidecars or modify pod specs in real-time without altering original deployment manifests. We will demonstrate how an attacker can maintain a \"ghost\" presence that survives standard audits, image updates, and pod restarts, effectively turning the Kubernetes control plane against itself.", "description": "We will perform a live-style technical deep dive into the architecture of a Mutating Admission Webhook attack. The session starts by compromising a cluster and installing a rogue controller that intercepts every CREATE and UPDATE request. We will walk through the logic of injecting a stealthy C2 sidecar that uses the cluster's internal service mesh to hide its traffic. Finally, we will transition to defense, showing how to implement Validated Infrastructure using OPA/Kyverno to ensure only authorized mutations occur, effectively \"rebooting\" the security posture of the cluster.\r\n\r\nWhat the audience will gain:\r\n\r\nTechnical Exploit Knowledge: A step-by-step understanding of how admission controllers can be manipulated for persistence.\r\n\r\nDetection Strategies: Actionable methods to identify non-standard mutations in high-traffic production environments.\r\n\r\nDefense Blueprints: Practical configuration examples for OPA and Kyverno to prevent unauthorized pod mutations.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CR9PU8", "name": "Nikita Verma", "avatar": "https://cfp.securityfest.com/media/avatars/CR9PU8_VRQeo6O.png", "biography": "Nikita Verma is a Platform Engineer and Cloud Native Advocate with over three years of experience building resilient, automated infrastructure. 
A dedicated open-source contributor, Nikita has worked on core Kubernetes projects and cloud-native automation, including impactful work with Moja Global during an Outreachy internship.\r\n\r\nBeyond engineering, Nikita is a passionate educator who has mentored over 10,000 students in Data Structures, Algorithms, and Cloud Native technologies. As an active member of the global tech community, she has shared her expertise at major conferences across the globe, including KubeCon + CloudNativeCon North America 2025 in Atlanta, ContainerDays London, and SeleniumConf Valencia.", "public_name": "Nikita Verma", "guid": "2f46e092-15f8-5ea5-8ea8-27f59ae72252", "url": "https://cfp.securityfest.com/2026/speaker/CR9PU8/"}, {"code": "EVZJUE", "name": "Harshita Varma", "avatar": "https://cfp.securityfest.com/media/avatars/EVZJUE_CupeBoy.png", "biography": "With a background that bridges technical engineering and product strategy, Harshita has a unique perspective on scaling complex systems while maintaining a high bar for quality and security. She was awarded the Dan Kohn Scholarship to attend KubeCon EU 2023 and recently co-presented the session \"From Noise to Clarity: Humanizing Observability\" at KubeCon + CloudNativeCon North America 2025 in Atlanta.\r\n\r\nHarshita is an active international speaker, with upcoming engagements at ContainerDays London 2026. 
Traveling from India, she is passionate about fostering a \"Security-First\" culture within DevOps teams and advocating for more inclusive, sustainable open-source communities.", "public_name": "Harshita Varma", "guid": "b4d7f61e-144b-5e61-84d3-5deade2e0cb7", "url": "https://cfp.securityfest.com/2026/speaker/EVZJUE/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/LCMPBH/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/LCMPBH/", "attachments": []}, {"guid": "103179d3-414d-5bf2-b9cc-5e7a150e624a", "code": "HSRHP9", "id": 702, "logo": null, "date": "2026-05-28T14:00:00+02:00", "start": "14:00", "duration": "00:40", "room": "Main Stage", "slug": "2026-702-practical-exploitation-no-cve-required", "url": "https://cfp.securityfest.com/2026/talk/HSRHP9/", "title": "Practical Exploitation \u2013 No CVE Required", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Practical Exploitation \u2013 No CVE Required\r\nA live hacking session\r\n\r\nWhat actually happens between \u201cno known vulnerability\u201d and full compromise?\r\nIn this session, we move beyond slides and theory and exploit real systems on stage. You will see how small implementation details, unsafe assumptions, and overlooked behaviors turn into working attack paths.\r\n\r\nNo pre-recorded demos. Just live analysis. Live mistakes. Live exploitation.\r\nWe start with exposed functionality and pull at the threads.\r\n\r\nWe read the code.\r\nWe question the assumptions.\r\nWe look for the place where \u201cthis should be safe\u201d quietly becomes \u201cthis is game over\u201d.\r\n\r\nSometimes there is no CVE, no advisory, no warning \u2014 just logic, trust, and attack surface waiting to be understood. 
This session is for developers, defenders, and security engineers who want to understand not just that something is vulnerable \u2014 but why it is exploitable, and how attackers convert technical nuance into control.\r\n\r\nIf you build systems, you should know how they break.\r\nIf you defend systems, you should know how they fall.\r\nBecause exploitation is not magic. It is method.\r\n\r\nAnd method scales.", "description": "", "recording_license": "", "do_not_record": true, "persons": [{"code": "RYTGCV", "name": "Emil Tr\u00e4g\u00e5rdh", "avatar": "https://cfp.securityfest.com/media/avatars/IMG_0496_gTvGhDp.jpg", "biography": "Emil Tr\u00e4g\u00e5rdh is a Swedish hacker, entrepreneur and Blueteamer. At the age of 14 he created his first botnet and in high school he hacked a small city. At the age of 20 he founded a web dev agency and four years later he did his first large scale government contract with the Swedish authorities. In between, he traveled the world with his family for a year and he no longer works like regular people. 
Instead he devotes most of his time to security because it's fun!", "public_name": "Emil Tr\u00e4g\u00e5rdh", "guid": "e6adace7-6d1f-5ea5-b013-9807197f5c7c", "url": "https://cfp.securityfest.com/2026/speaker/RYTGCV/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/HSRHP9/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/HSRHP9/", "attachments": []}, {"guid": "e73e8bd4-5f3c-53c7-bdc8-ca9fcffea067", "code": "MT7DSG", "id": 657, "logo": null, "date": "2026-05-28T15:00:00+02:00", "start": "15:00", "duration": "00:40", "room": "Main Stage", "slug": "2026-657-from-convenience-to-consequences-vehicle-level-cybersecurity-impact-of-engineering-functions", "url": "https://cfp.securityfest.com/2026/talk/MT7DSG/", "title": "From Convenience to Consequences:  Vehicle-Level   Cybersecurity Impact of Engineering Functions", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The In-Vehicle Infotainment (IVI) system is increasingly becoming the core interaction and computing platform in connected vehicles, and is deeply coupled with in-vehicle networks through vehicle signal services, diagnostic channels, and gateway policies. Engineering/Factory Mode, designed for R&D debugging, manufacturing validation, and after-sales servicing, typically provides highly privileged capabilities such as debug toggles, logging/diagnostics, configuration writing, OTA-related operations, and vehicle integration testing. 
If Engineering/Factory Mode remains accessible in production builds via hidden entry points, weak authentication, or unclear authorization boundaries, attackers may obtain elevated privileges at low cost and expand their reach to vehicle control functions, resulting in vehicle-level cybersecurity risks.\r\n\r\nIn this work, we conduct a security assessment of Engineering/Factory components on production IVI systems, summarize common entry-path categories and weaknesses, and evaluate the reachable control boundaries after privilege escalation from the perspective of coupling between engineering utilities and vehicle control services/middleware We finally provide practical hardening recommendations for production deployments to reduce vehicle-level risks introduced by engineering functions while preserving serviceability and operational efficiency.", "description": "", "recording_license": "", "do_not_record": true, "persons": [{"code": "PMACSC", "name": "Yuqiao Ning", "avatar": "https://cfp.securityfest.com/media/avatars/PMACSC_GK2jUJz.jpg", "biography": "Yuqiao Ning is the Technical Director of CATARC Intelligent and Connected Technology Co., Ltd. He has extensive experience in computer systems and software security research. In his current role, he is primarily responsible for pioneering research in automotive penetration technology and the development of automated detection tools. His work focuses on analyzing security risks within automotive open-source software, with a particular emphasis on understanding the critical intersection of automotive security vulnerabilities and functional safety. He has played a pivotal role in organizing numerous automotive information security attack and defense challenges, contributing significantly to the advancement of safer and more secure automotive technologies. 
Furthermore, he has played an instrumental role in shaping national automotive information security standards, contributing to the drafting of several key national standards.", "public_name": "Yuqiao Ning", "guid": "492d4664-07d5-545f-ba74-79e1a487f079", "url": "https://cfp.securityfest.com/2026/speaker/PMACSC/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/MT7DSG/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/MT7DSG/", "attachments": []}, {"guid": "1a5d2d7c-0e61-574b-92c4-1da36056dc05", "code": "BXGMG9", "id": 639, "logo": null, "date": "2026-05-28T16:00:00+02:00", "start": "16:00", "duration": "00:40", "room": "Main Stage", "slug": "2026-639-hacking-big-iron-when-modern-security-assumptions-fail-on-mainframes", "url": "https://cfp.securityfest.com/2026/talk/BXGMG9/", "title": "Hacking Big Iron: When Modern Security Assumptions Fail on Mainframes", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Mainframes still underpin critical infrastructure such\u00a0as banking, airlines, and government systems, yet most modern security teams approach them\u00a0using assumptions formed around Unix, Windows,\u00a0and enterprise platforms. These assumptions often fail\u00a0on z/OS, creating blind spots\u00a0that are difficult to detect and easy to\u00a0underestimate.\r\n\r\nThis talk explains\u00a0how mainframe security actually works and why\u00a0familiar concepts such as \"root,\" shells, ports, and lateral movement do not\u00a0translate cleanly. 
Focusing on components\u00a0like JES, JCL,\u00a0RACF, CICS, and PR/SM, we explore where attackers and defenders\u00a0truly operate today: transactions, security managers, and management boundaries.\r\n\r\nFrom an\u00a0offensive perspective, the talk reframes how\u00a0attackers actually move inside mainframe environments: not through shells or services, but\u00a0via job submission paths, inherited authority,\u00a0transaction routing, and security manager behavior.\u00a0The session highlights concrete failure modes red teams\u00a0encounter when modern assumptions are applied to z/OS, and how those blind spots\u00a0are exploited in real assessments.\r\nUsing real TN3270\u00a0terminal screens and practical examples, attendees\u00a0will learn a repeatable methodology for assessing mainframe environments and identifying misconfigurations that appear harmless but can\u00a0have severe impact.\r\n\r\nThe talk also\u00a0demonstrates an AI-assisted assessment approach:\u00a0a local LLM interprets TN3270 screens in real-time, narrates walkthroughs, and tutors interactively; all running 100% offline with no\u00a0cloud APIs or data exfiltration\u00a0risk.\r\nNo prior mainframe experience\u00a0is required.", "description": "IBM mainframes were designed long before modern operating systems, networks, and security models existed, yet they remain central to some of the world\u2019s most critical environments. As a result, security teams often evaluate them using mental models that simply do not apply.\r\n\r\nThis talk demystifies how mainframe operating systems enforce trust and privilege, with a practical focus on security-relevant components such as JES, JCL, RACF, CICS,  and TMAM. 
We examine why traditional approaches based on shells, services, and ports break down, and how real-world attackers instead navigate transactions, security definitions, and control boundaries.\r\n\r\nRather than concentrating on legacy exploits, the emphasis is on methodology: how to reason about exposure, privilege, and segmentation within mainframe operating systems designed for batch processing, transaction processing, and long-running workloads. Real TN3270 terminal screens, generated using a custom tool, are used throughout to ground the discussion in real-world systems.\r\n\r\nThe session concludes with a practical assessment workflow and a demo of an open-source tool designed to help testers and defenders understand TN3270 environments and interpret mainframe screens during security reviews.\r\n\r\nAttendees will leave with a clear mental model and a concrete checklist they can apply when assessing or defending mainframe systems.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KELUPJ", "name": "Adam Toscher", "avatar": "https://cfp.securityfest.com/media/avatars/KELUPJ_VY8A6zP.jpg", "biography": "Adam Toscher is a New York\u2013based security engineer and red team operator with over two decades of experience in offensive security, adversary simulation, and automation. Born in New York City and raised upstate, Adam built his career as an \u201cIT vagabond,\u201d beginning as a freshman IBM intern porting Linux applications to mainframe system. 
Mainframe work grounded him in large-scale computing, operating systems, and complex enterprise environments, before transitioning into offensive security.\r\n\r\nHe later progressed through senior security roles at Adobe, Optiv, Accenture, IBM X-Force, and NYC Cyber Command, where he focused on realistic adversary emulation and advanced red-team operations.\r\n\r\nMost recently, Adam has been working with Cobalt Labs, supporting advanced red-teaming and offensive security engagements for private-sector organizations. Prior to this, he led red-team and adversary simulation efforts in support of critical public infrastructure with NYC Cyber Command and the FDNY.\r\n\r\nHis work centers on penetration testing, red teaming, adversary emulation, and practical automation across both private-sector companies and government agencies. Outside of security, Adam values balance and lifelong learning, and is an avid reader, runner, swimmer, and gamer.", "public_name": "Adam Toscher", "guid": "26a83f01-4102-5108-9938-5c3a092e7e74", "url": "https://cfp.securityfest.com/2026/speaker/KELUPJ/"}], "links": [{"title": "Video of AI Mainframe Tool", "url": "https://w00t3k.github.io/mainframe-ai/", "type": "related"}, {"title": "Slides", "url": "https://w00t3k.github.io/mainframe-ai/IBM-MF-A.pdf", "type": "related"}], "feedback_url": "https://cfp.securityfest.com/2026/talk/BXGMG9/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/BXGMG9/", "attachments": []}]}}, {"index": 2, "date": "2026-05-29", "day_start": "2026-05-29T04:00:00+02:00", "day_end": "2026-05-30T03:59:00+02:00", "rooms": {"Main Stage": [{"guid": "c21763a4-1fac-54c5-b29e-ccd36f9456cc", "code": "Y8RHXG", "id": 659, "logo": null, "date": "2026-05-29T09:30:00+02:00", "start": "09:30", "duration": "00:40", "room": "Main Stage", "slug": "2026-659-meshhacks-exploiting-linksys-intelligent-mesh-from-the-internet", "url": "https://cfp.securityfest.com/2026/talk/Y8RHXG/", "title": "MeshHacks: Exploiting Linksys 
Intelligent Mesh from the internet", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The days of hacking home routers are not over! Because every household that wants internet access at their house needs some kind of router, these could be a very interesting target, as there are millions of devices in use with a direct connection to the internet. One might think that manufacturers should take extra care to make them as secure as possible, but apparently there is still room for improvement. A lot of room.\r\n\r\nThis talk will show the accidental discovery of the most dangerous vulnerability type a device, especially a home router, can have: the unauthenticated remote code execution over the internet. It will not only focus on the technical part but also a practical example of how manufacturers should not respond to responsible disclosure.\r\n\r\nBe curious about non-existing input validation resulting in various outcomes, a lot of \"Wait... what?\" moments and the difficulties of responsible disclosure.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "J3KDC8", "name": "Christian Z\u00e4ske", "avatar": "https://cfp.securityfest.com/media/avatars/J3KDC8_5miAsG5.jpg", "biography": "Christian Z\u00e4ske is an IT security consultant for the pentest company SySS GmbH located in Germany. By starting his Bachelor's degree in computer science in cooperation with SySS GmbH in 2020, he turned his hobby into his profession: Security research. Being passionate about embedded security, he specialized in analysing hardware of various types. 
From tiny hearing aids to full size EV charging stations.", "public_name": "Christian Z\u00e4ske", "guid": "899729a5-296e-5556-b3e1-46721b216e0e", "url": "https://cfp.securityfest.com/2026/speaker/J3KDC8/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/Y8RHXG/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/Y8RHXG/", "attachments": []}, {"guid": "57161dff-ad27-5586-848b-9d9199dae77c", "code": "CJXNTP", "id": 618, "logo": null, "date": "2026-05-29T10:30:00+02:00", "start": "10:30", "duration": "00:40", "room": "Main Stage", "slug": "2026-618-aether-engineering-a-cross-architecture-linux-process-injector", "url": "https://cfp.securityfest.com/2026/talk/CJXNTP/", "title": "Aether: Engineering a Cross - Architecture Linux Process Injector", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Process injection on Linux is often treated as a solved problem. Yet, many modern tools remain architecture-locked or are easily flagged by basic heuristic analysis. This session introduces Aether, a Linux process injection framework designed for today\u2019s landscape. We will deep-dive into the technical hurdles of building a tool that handles both 32-bit and 64-bit processes seamlessly. Aether utilizes ptrace for attachment and PLT (Procedure Linkage Table) hooking for precise function interception.\r\nThe talk goes beyond the basics by exploring a \"Polyglot\" approach to offensive tooling. We will demonstrate how wrapping a performance-heavy C/C++ injection core within a Rust-based FFI (Foreign Function Interface) tunnel creates a \"safe\" but powerful parasite. This hybrid architecture increases exploit stability. It also complicates the work of reverse engineers by fragmenting the call stack across language boundaries. 
Attendees will walk away with a functional understanding of Linux runtime code modification, the state of modern PLT hooking, and a roadmap for \"oxidizing\" legacy C++ tools to stay ahead of evolving detection engines.", "description": "The current landscape of Linux process injection is dominated by aging techniques that are increasingly visible to modern Endpoint Detection and Response (EDR) systems. While tools leveraging LD_PRELOAD or basic shellcode injection remain functional, they often fall victim to heuristic scanners that flag predictable memory allocation patterns and standard C library calls. This presentation introduces Aether, a framework designed to bypass these limitations by utilizing low-level primitive operations, specifically ptrace and Procedure Linkage Table (PLT) hooking, to achieve cross-architecture code execution. By operating at the binary level rather than relying on high-level environment variables, Aether provides a robust foundation for runtime code modification in both 32-bit and 64-bit environments.\r\n\r\nThe technical core of the talk focuses on the orchestration of ptrace for non-cooperative process attachment. We will examine the mechanics of capturing a running process's execution state, manipulating registers to redirect control flow, and the precise use of PTRACE_POKETEXT to inject our \"parasite\" shared library. A significant portion of the deep dive is dedicated to PLT Hooking, a technique that allows Aether to intercept specific function calls by overwriting entries in the Global Offset Table (GOT). This method ensures that our injected code remains synchronized with the host process's legitimate activities, allowing for stealthy monitoring or modification of data without crashing the target, a common failure point in traditional \"fire-and-forget\" injectors.\r\n\r\nThe research then pivots to the \"Oxidation\" of the framework: the integration of Rust via a Foreign Function Interface (FFI) tunnel. 
We explore the hypothesis that mixing programming languages can act as a form of binary-level obfuscation. By wrapping our performance-critical C++ injection engine in a Rust-based daemon, we fragment the call stack and generate machine code signatures that differ significantly from \"pure\" C++ malware. This section of the presentation will provide a comparative analysis of memory signatures, demonstrating how Rust\u2019s unique binary structure and its \"safety-first\" memory management can be weaponized to evade modern heuristics and complicate the work of a reverse engineer attempting to trace the hybrid execution flow.\r\nFinally, the session concludes with a series of high-stakes demonstrations. We will first show a baseline \"Legacy\" injection being detected by standard Linux audit tools, followed by the successful deployment of the Oxidized Aether framework. The demo will highlight the tool's dedicated monitoring daemon, which maintains the health of the injected parasite and ensures persistence even through host process fluctuations. Attendees will be provided with a technical roadmap for porting their own offensive tools to this hybrid architecture, along with access to the Aether source code to further the community's research into polyglot exploitation.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JGKMUG", "name": "Lora", "avatar": "https://cfp.securityfest.com/media/avatars/JGKMUG_gkYhFK0.jpg", "biography": "Hey, I'm Lora. I build tools that live in other people\u2019s memory space. I\u2019m a Linux security researcher and the developer of Aether, a 32/64-bit process injection framework. My recent work involves weaponizing Rust\u2019s safety features to create more stable and undetectable C++ hybrids. 
I\u2019m here to show you how process injection is evolving on Linux and why the future of offensive tooling is polyglot.", "public_name": "Lora", "guid": "059e2e29-16ad-50b3-bad9-71df47f7c21a", "url": "https://cfp.securityfest.com/2026/speaker/JGKMUG/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/CJXNTP/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/CJXNTP/", "attachments": []}, {"guid": "9fc43948-921f-5713-bab4-03e6f20d7c91", "code": "XRQQJB", "id": 615, "logo": null, "date": "2026-05-29T11:30:00+02:00", "start": "11:30", "duration": "00:40", "room": "Main Stage", "slug": "2026-615-building-trusted-cti-for-the-public-sector-at-csirt-slovakia", "url": "https://cfp.securityfest.com/2026/talk/XRQQJB/", "title": "Building Trusted CTI for the Public Sector at CSIRT Slovakia", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Operating a Cyber Threat Intelligence (CTI) capability for the public sector means working at the intersection of security, regulation, and trust. This presentation by CSIRT.SK shows how its Afrodita platform, built on MISP and integrated with several internal systems Aura and Atena, delivers actionable CTI while meeting the specific requirements of NIS2 directive and Slovak cybersecurity legislation.\r\n\r\nCSIRT.SK runs a centralized architecture of MISP instances connected across GOVNET, the governmental network, and beyond. This design enables secure CTI exchange among public institutions and partners, including selected international instances such as NATO MISP and FIRST MISP. Afrodita acts as the main interface for constituents, while Aura provides internal automation and correlation of incident data, and Atena links threat indicators to the Governmental Security Operation Center (SOC). 
In return, data collected during SOC operations and incident response are used to build situational awareness, one of the core services defined by FIRST CSIRT Services.\r\n\r\nThe presentation explains how this multi-layered architecture ensures data enrichment, contextualization, and traceable sharing of IoCs, enabling faster detection and coordinated response within a controlled trust domain. It also highlights practical challenges unique to the public sector constituency and the benefits for other CSIRT Services.\r\n\r\nAttendees will learn how CTI sharing under Afrodita helps public entities demonstrate NIS2 compliance by integrating intelligence into vulnerability assessment, security monitoring, incident reporting, and evidence of \u201cstate of the art\u201d cybersecurity controls.", "description": "Key takeaways:\r\n1.\tHow a sectoral CSIRT operates a centralized MISP ecosystem (Afrodita\u2013Aura\u2013Atena) within the Governmental Network.\r\n2.\tLessons learned from trusted CTI sharing under regulatory and operational constraints.\r\n3.\tHow CTI supports NIS2 implementation in public-sector environments.", "recording_license": "", "do_not_record": false, "persons": [{"code": "X9H3UQ", "name": "Adrian Ondov", "avatar": "https://cfp.securityfest.com/media/avatars/X9H3UQ_eiBa7yG.jpg", "biography": "Adrian is a Threat Intelligence Analyst at Government Unit CSIRT.SK within the Ministry of Investment, Regional Development and Informatization of the Slovak Republic. He specializes in threat intelligence, process automation, and the administration of the local MISP instance network within the public sector, and has been working at CSIRT.SK since 2023. 
He is also a core member of the Afrodita project, where he contributes to providing Threat Intelligence to the constituency of CSIRT.SK.\r\n\r\nIn addition to his professional role, he runs a computer repair shop as a personal endeavor and leads courses on the fundamentals of network technologies at the Faculty of Informatics and Information Technologies, Slovak University of Technology (STU) in Bratislava.", "public_name": "Adrian Ondov", "guid": "6057e9dd-841d-516e-a260-c9828a1268e3", "url": "https://cfp.securityfest.com/2026/speaker/X9H3UQ/"}, {"code": "D3W3LW", "name": "Michal Rampasek", "avatar": "https://cfp.securityfest.com/media/avatars/D3W3LW_j64Dkjd.JPG", "biography": "Michal is a PhD candidate and lecturer at the Faculty of Law of Comenius University in Bratislava, the Institute of Information Technology Law and Intellectual Property Law. He is a Slovak attorney and a lawyer for the Slovak Government CSIRT unit. \r\nHis practice and academic research focus on ICT law, cybersecurity law, and criminal law. 
His recent research addresses issues such as the legal aspects of OSINT, CTI and information sharing, as well as the legal protection of good-faith security researchers and coordinated vulnerability disclosure (CVD).", "public_name": "Michal Rampasek", "guid": "a8305265-4239-5f8d-929f-e74d3eeddaca", "url": "https://cfp.securityfest.com/2026/speaker/D3W3LW/"}], "links": [{"title": "CSIRT.SK MISP Community", "url": "https://www.misp-project.org/communities/#csirtsk-misp-community", "type": "related"}, {"title": "MISP Afrodita operated by CSIRT.SK", "url": "https://csirt.sk/registracia-afrodita.html", "type": "related"}], "feedback_url": "https://cfp.securityfest.com/2026/talk/XRQQJB/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/XRQQJB/", "attachments": [{"title": "The Aphrodite Project Presentation by CSIRT.SK", "url": "/media/2026/submissions/XRQQJB/resources/SecurityF_Z36LuDa.pdf", "type": "related"}]}, {"guid": "a55ba672-e7ba-5d0f-858d-f2d5f1bccbb8", "code": "KRKY9H", "id": 699, "logo": null, "date": "2026-05-29T14:00:00+02:00", "start": "14:00", "duration": "00:40", "room": "Main Stage", "slug": "2026-699-the-never-implemented-story-of-penetration-tests-on-video-surveillance-networks", "url": "https://cfp.securityfest.com/2026/talk/KRKY9H/", "title": "The Never-Implemented Story of Penetration Tests on Video Surveillance Networks", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Offensive research on video surveillance systems is really not a new topic. Their components, especially cameras, are everywhere. It is very common to see at least one of them on the network during IT or OT penetration tests. They have all been torn apart in many ways, from hardware to network services and configurations. 
Almost everyone has heard about the scenario of camera sequence looping to hide intrusions from security personnel.\r\n\r\nBut how many tools and techniques do you know to address video surveillance systems during IT/OT pentests? How many of them are truly plug-and-play or at least practical? Do you know any ready-to-use scripts to perform the looping trick? Of course, tools and scripts exist, but I was confident I would find many, and even comprehensive, practical toolkits. When I didn't, I also discovered that there are good technical reasons behind that.\r\n\r\nOne of them relies on the constraints of assessment conditions, which is our starting point here. Many interesting attacks require a setup that is hardly achievable outside of test benches. Therefore, we will discuss a few techniques and tools that can be used during pentests, with a focus on those that rely on the very common ONVIF standard. In this context, we consider that the only way to reach the video surveillance components is through the network. One of these techniques is, of course, the video looping trick, but this approach has specific requirements that are bypassed in most demos and tutorials I\u2019ve seen (including one I\u2019ve done myself :)). Now, let\u2019s face the challenge and make the attack work in real-world conditions - always with safety in mind.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "VVRXDY", "name": "Claire Vacherot", "avatar": "https://cfp.securityfest.com/media/avatars/VVRXDY_pIHLfOy.jpg", "biography": "Claire Vacherot is a pentester and researcher at Orange Cyberdefense in France. She likes to test systems and devices that interact with the real world, and to play with industrial network protocols. Sometimes, she also speaks about all of this at conferences such as GreHack, Defcon, Hack.lu or SSTIC. 
As a former software developer, she never misses a chance to write scripts and tools.", "public_name": "Claire Vacherot", "guid": "ee9de8f6-bc1d-5a4c-8bbe-2dd5578d2700", "url": "https://cfp.securityfest.com/2026/speaker/VVRXDY/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/KRKY9H/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/KRKY9H/", "attachments": []}, {"guid": "79883abf-367c-5ec0-b458-58b4d6c97289", "code": "DJTBVS", "id": 531, "logo": null, "date": "2026-05-29T15:00:00+02:00", "start": "15:00", "duration": "00:40", "room": "Main Stage", "slug": "2026-531-versus-killnet", "url": "https://cfp.securityfest.com/2026/talk/DJTBVS/", "title": "Versus Killnet", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The infamous Russian hacktivist group Killnet is more than meets the eye; it's a cyber army directed by a few to cause harm. With a checkered history and inconsistent behaviors, deciphering who is behind this group is challenging. Nevertheless, we will lift this veil and share a personal story of disrupting the group, unbalancing Killnet into chaos.", "description": "The infamous Russian hacktivist group, Killnet, operated as a clandestine cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we lifted the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability \u2013 its connection to the Russian illegal drug marketplace, Solaris. 
By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet's leadership and actions. This created instability within the group and beyond, ultimately leading to the loss of Russian government support and the breaking of financial ties. Delving deeper, we will explore the true identity of Killnet's leader, KillMilk, and examine his dark and criminal past. This will allow you to see some of Killnet\u2019s actions in a different light and interpret the public events and actions associated with Killnet. Our successful efforts to undermine Killnet's leadership have led to a spectacular downfall and disintegration of the entire collective. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism. Our small push against Killnet set forth a chain of events changing the trajectory of the group and leaving it far removed from its former destructive pursuits. Join me as I unravel the complex narrative of Killnet, offering insights into the evolution of cyber warfare and the enduring struggle to combat malicious actors in the world of disruptive hacktivism.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RZBPJJ", "name": "Alex Holden", "avatar": "https://cfp.securityfest.com/media/avatars/RZBPJJ_YiIi5LH.jpg", "biography": "Alex Holden is the founder and CISO of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in its field. Mr. 
Holden researches the minds and techniques of cyber criminals and helps society build better defenses against cyber-attacks.", "public_name": "Alex Holden", "guid": "463d55c4-3cc3-5172-828f-420afeb33a08", "url": "https://cfp.securityfest.com/2026/speaker/RZBPJJ/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/DJTBVS/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/DJTBVS/", "attachments": []}, {"guid": "0a86740a-4ee7-57dd-aff2-946811921eaf", "code": "9G7B9Q", "id": 735, "logo": null, "date": "2026-05-29T16:20:00+02:00", "start": "16:20", "duration": "00:40", "room": "Main Stage", "slug": "2026-735-stayin-alive-stealthy-persistence-in-enterprise-environments", "url": "https://cfp.securityfest.com/2026/talk/9G7B9Q/", "title": "Stayin' Alive: Stealthy Persistence in Enterprise Environments", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "You've successfully compromised your target. How do you maintain access in the face of reboots, crashes, credential resets, and active remediation?\r\n\r\nIn this presentation, we take a deep dive into stealthy persistence techniques that go far beyond the basic Windows services, run keys, and cron jobs. We explore the latest attacker tradecraft that abuses trusted components and blends into normal enterprise operations.\r\n\r\nThe talk covers persistence techniques derived from novel research and techniques observed in the wild from my work as a Principal Forensic Consultant. These techniques evade modern detection/AV/NDR/EDR and, more importantly, are difficult for forensic investigators to identify and eradicate. We also examine how to exploit the limitations in modern forensic tooling and common DFIR workflows. 
\r\n\r\nFinally, the presentation distills these findings into practical attacker tradecraft for maintaining covert, resilient access in enterprise networks.", "description": "This talk explores persistence, focusing on what actually works in real-world intrusions versus techniques that only look impressive. Using a mix of real-world cases and novel research, the presentation highlights both common mistakes and solid persistence mechanisms. \r\n\r\nThe talk will feature multiple live demos.\r\n\r\nThe talk content is based on (1) my experience leading hundreds of complex investigations as a Principal Forensic Consultant, (2) learnings from years of developing proprietary forensic tooling, and (3) an extensive review of persistence techniques and the limitations of current forensic tooling.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8PCKJC", "name": "Alexander Andersson", "avatar": "https://cfp.securityfest.com/media/avatars/81ee-200o200o2-9XynWVe7zmiPvjFStSgd1t_isA8UYG.jpg", "biography": "Alexander is a Principal Forensic Consultant at Truesec. Alexander has a background in red teaming and software development. Today, he spends most of his time providing incident response services to companies that have suffered an attack. He has led hundreds of complex investigations into everything from full-scale ransomware attacks to zero-day exploits and APT campaigns. Whenever not in an active incident, Alexander spends time in research and development with a focus on both novel forensic techniques and offensive vulnerability research.", "public_name": "Alexander Andersson", "guid": "2d41f367-318d-50ea-9ef1-6777ca9c8e6b", "url": "https://cfp.securityfest.com/2026/speaker/8PCKJC/"}], "links": [], "feedback_url": "https://cfp.securityfest.com/2026/talk/9G7B9Q/feedback/", "origin_url": "https://cfp.securityfest.com/2026/talk/9G7B9Q/", "attachments": []}]}}]}}}