<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>L38XLJ@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-L38XLJ</pentabarf:event-slug>
            <pentabarf:title>Claude is your insider threat now</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260528T093000</dtstart>
            <dtend>20260528T101500</dtend>
            <duration>0.04500</duration>
            <summary>Claude is your insider threat now</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Keynote</category>
            <url>https://cfp.securityfest.com/2026/talk/L38XLJ/</url>
            <location>Main Stage</location>
            
            <attendee>Dan Tentler</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>D9ZPZD@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-D9ZPZD</pentabarf:event-slug>
            <pentabarf:title>From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260528T103000</dtstart>
            <dtend>20260528T111000</dtend>
            <duration>0.04000</duration>
            <summary>From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/D9ZPZD/</url>
            <location>Main Stage</location>
            
            <attendee>Debjeet Banerjee</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LCMPBH@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LCMPBH</pentabarf:event-slug>
            <pentabarf:title>Abusing Mutating Admission Webhooks for Stealthy Cluster Dominance</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260528T113000</dtstart>
            <dtend>20260528T121000</dtend>
            <duration>0.04000</duration>
            <summary>Abusing Mutating Admission Webhooks for Stealthy Cluster Dominance</summary>
            <description>We will perform a live-style technical deep dive into the architecture of a Mutating Admission Webhook attack. The session starts by compromising a cluster and installing a rogue controller that intercepts every CREATE and UPDATE request. We will walk through the logic of injecting a stealthy C2 sidecar that uses the cluster&#x27;s internal service mesh to hide its traffic. Finally, we will transition to defense, showing how to implement Validated Infrastructure using OPA/Kyverno to ensure only authorized mutations occur, effectively &quot;rebooting&quot; the security posture of the cluster.

What the audience will gain:

Technical Exploit Knowledge: A step-by-step understanding of how admission controllers can be manipulated for persistence.

Detection Strategies: Actionable methods to identify non-standard mutations in high-traffic production environments.

Defense Blueprints: Practical configuration examples for OPA and Kyverno to prevent unauthorized pod mutations.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/LCMPBH/</url>
            <location>Main Stage</location>
            
            <attendee>Nikita Verma</attendee>
            
            <attendee>Harshita Varma</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HSRHP9@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HSRHP9</pentabarf:event-slug>
            <pentabarf:title>Practical Exploitation – No CVE Required</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260528T140000</dtstart>
            <dtend>20260528T144000</dtend>
            <duration>0.04000</duration>
            <summary>Practical Exploitation – No CVE Required</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/HSRHP9/</url>
            <location>Main Stage</location>
            
            <attendee>Emil Trägårdh</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MT7DSG@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MT7DSG</pentabarf:event-slug>
            <pentabarf:title>From Convenience to Consequences: Vehicle-Level Cybersecurity Impact of Engineering Functions</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260528T150000</dtstart>
            <dtend>20260528T154000</dtend>
            <duration>0.04000</duration>
            <summary>From Convenience to Consequences: Vehicle-Level Cybersecurity Impact of Engineering Functions</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/MT7DSG/</url>
            <location>Main Stage</location>
            
            <attendee>Yuqiao Ning</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BXGMG9@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BXGMG9</pentabarf:event-slug>
            <pentabarf:title>Hacking Big Iron: When Modern Security Assumptions Fail on Mainframes</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260528T160000</dtstart>
            <dtend>20260528T164000</dtend>
            <duration>0.04000</duration>
            <summary>Hacking Big Iron: When Modern Security Assumptions Fail on Mainframes</summary>
            <description>IBM mainframes were designed long before modern operating systems, networks, and security models existed, yet they remain central to some of the world’s most critical environments. As a result, security teams often evaluate them using mental models that simply do not apply.

This talk demystifies how mainframe operating systems enforce trust and privilege, with a practical focus on security-relevant components such as JES, JCL, RACF, CICS, and TMAM. We examine why traditional approaches based on shells, services, and ports break down, and how real-world attackers instead navigate transactions, security definitions, and control boundaries.

Rather than concentrating on legacy exploits, the emphasis is on methodology: how to reason about exposure, privilege, and segmentation within mainframe operating systems designed for batch processing, transaction processing, and long-running workloads. Real TN3270 terminal screens, generated using a custom tool, are used throughout to ground the discussion in real-world systems.

The session concludes with a practical assessment workflow and a demo of an open-source tool designed to help testers and defenders understand TN3270 environments and interpret mainframe screens during security reviews.

Attendees will leave with a clear mental model and a concrete checklist they can apply when assessing or defending mainframe systems.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/BXGMG9/</url>
            <location>Main Stage</location>
            
            <attendee>Adam Toscher</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Y8RHXG@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Y8RHXG</pentabarf:event-slug>
            <pentabarf:title>MeshHacks: Exploiting Linksys Intelligent Mesh from the internet</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260529T093000</dtstart>
            <dtend>20260529T101000</dtend>
            <duration>0.04000</duration>
            <summary>MeshHacks: Exploiting Linksys Intelligent Mesh from the internet</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/Y8RHXG/</url>
            <location>Main Stage</location>
            
            <attendee>Christian Zäske</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CJXNTP@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CJXNTP</pentabarf:event-slug>
            <pentabarf:title>Aether: Engineering a Cross-Architecture Linux Process Injector</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260529T103000</dtstart>
            <dtend>20260529T111000</dtend>
            <duration>0.04000</duration>
            <summary>Aether: Engineering a Cross-Architecture Linux Process Injector</summary>
            <description>The current landscape of Linux process injection is dominated by aging techniques that are increasingly visible to modern Endpoint Detection and Response (EDR) systems. While tools leveraging LD_PRELOAD or basic shellcode injection remain functional, they often fall victim to heuristic scanners that flag predictable memory allocation patterns and standard C library calls. This presentation introduces Aether, a framework designed to bypass these limitations by utilizing low-level primitive operations, specifically ptrace and Procedure Linkage Table (PLT) hooking, to achieve cross-architecture code execution. By operating at the binary level rather than relying on high-level environment variables, Aether provides a robust foundation for runtime code modification in both 32-bit and 64-bit environments.

The technical core of the talk focuses on the orchestration of ptrace for non-cooperative process attachment. We will examine the mechanics of capturing a running process&#x27;s execution state, manipulating registers to redirect control flow, and the precise use of PTRACE_POKETEXT to inject our &quot;parasite&quot; shared library. A significant portion of the deep dive is dedicated to PLT Hooking, a technique that allows Aether to intercept specific function calls by overwriting entries in the Global Offset Table (GOT). This method ensures that our injected code remains synchronized with the host process&#x27;s legitimate activities, allowing for stealthy monitoring or modification of data without crashing the target, a common failure point in traditional &quot;fire-and-forget&quot; injectors.

The research then pivots to the &quot;Oxidation&quot; of the framework: the integration of Rust via a Foreign Function Interface (FFI) tunnel. We explore the hypothesis that mixing programming languages can act as a form of binary-level obfuscation. By wrapping our performance-critical C++ injection engine in a Rust-based daemon, we fragment the call stack and generate machine code signatures that differ significantly from &quot;pure&quot; C++ malware. This section of the presentation will provide a comparative analysis of memory signatures, demonstrating how Rust’s unique binary structure and its &quot;safety-first&quot; memory management can be weaponized to evade modern heuristics and complicate the work of a reverse engineer attempting to trace the hybrid execution flow.

Finally, the session concludes with a series of high-stakes demonstrations. We will first show a baseline &quot;Legacy&quot; injection being detected by standard Linux audit tools, followed by the successful deployment of the Oxidized Aether framework. The demo will highlight the tool&#x27;s dedicated monitoring daemon, which maintains the health of the injected parasite and ensures persistence even through host process fluctuations. Attendees will be provided with a technical roadmap for porting their own offensive tools to this hybrid architecture, along with access to the Aether source code to further the community&#x27;s research into polyglot exploitation.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/CJXNTP/</url>
            <location>Main Stage</location>
            
            <attendee>Lora</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XRQQJB@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XRQQJB</pentabarf:event-slug>
            <pentabarf:title>Building Trusted CTI for the Public Sector at CSIRT Slovakia</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260529T113000</dtstart>
            <dtend>20260529T121000</dtend>
            <duration>0.04000</duration>
            <summary>Building Trusted CTI for the Public Sector at CSIRT Slovakia</summary>
            <description>Key takeaways:
1. How a sectoral CSIRT operates a centralized MISP ecosystem (Afrodita–Aura–Atena) within Governmental Network.
2. Lessons learned from trusted CTI sharing under regulatory and operational constraints.
3. How CTI supports NIS2 implementation in public-sector environments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/XRQQJB/</url>
            <location>Main Stage</location>
            
            <attendee>Adrian Ondov</attendee>
            
            <attendee>Michal Rampasek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KRKY9H@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KRKY9H</pentabarf:event-slug>
            <pentabarf:title>The Never-Implemented Story of Penetration Tests on Video Surveillance Networks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260529T140000</dtstart>
            <dtend>20260529T144000</dtend>
            <duration>0.04000</duration>
            <summary>The Never-Implemented Story of Penetration Tests on Video Surveillance Networks</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/KRKY9H/</url>
            <location>Main Stage</location>
            
            <attendee>Claire Vacherot</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DJTBVS@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DJTBVS</pentabarf:event-slug>
            <pentabarf:title>Versus Killnet</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260529T150000</dtstart>
            <dtend>20260529T154000</dtend>
            <duration>0.04000</duration>
            <summary>Versus Killnet</summary>
            <description>The infamous Russian hacktivist group, Killnet, operated as a clandestine cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we shed the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability – its connection to the Russian illegal drug marketplace - Solaris. By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet&#x27;s leadership and actions. This created instability within the group and beyond, ultimately leading to loss of support of the Russian government and breaking of financial ties. Delving deeper, we will explore the true identity of Killnet&#x27;s leader, KillMilk, and explore his dark and criminal past. This will allow you to see some of Killnet’s actions in a different light and interpret the public events and actions associated with Killnet. Our successful efforts to undermine Killnet&#x27;s leadership have led to a spectacular downfall and disintegration of the entire collective. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism. Our small push against Killnet set forth a chain of events changing the trajectory of the group and leaving it far removed from its former destructive pursuits.
Join me as I unravel the complex narrative of Killnet, offering insights into the evolution of cyber warfare and the enduring struggle to combat malicious actors in the world of cyber warfare and disruptive hacktivism.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/DJTBVS/</url>
            <location>Main Stage</location>
            
            <attendee>Alex Holden</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9G7B9Q@@cfp.securityfest.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9G7B9Q</pentabarf:event-slug>
            <pentabarf:title>Stayin&#x27; Alive: Stealthy Persistence in Enterprise Environments</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260529T162000</dtstart>
            <dtend>20260529T170000</dtend>
            <duration>0.04000</duration>
            <summary>Stayin&#x27; Alive: Stealthy Persistence in Enterprise Environments</summary>
            <description>This talk explores persistence, focusing on what actually works in real-world intrusions versus techniques that only look impressive. Using a mix of real-world cases and novel research, the presentation highlights both common mistakes and solid persistence mechanisms. 

The talk will feature multiple live demos.

The talk content is based on (1) my experience leading hundreds of complex investigations as a Principal Forensic Consultant, (2) learnings from years of developing proprietary forensic tooling, and (3) an extensive review of persistence techniques and the limitations of current forensic tooling.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://cfp.securityfest.com/2026/talk/9G7B9Q/</url>
            <location>Main Stage</location>
            
            <attendee>Alexander Andersson</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
