
Learn Directly from the World’s Leading Digital Investigators

On October 20, 2025, The Volatility Foundation is once again hosting From The Source, a one-day summit, in Arlington, Virginia!

Registration is closed.

EVENT OVERVIEW

On Monday, October 20, 2025, The Volatility Foundation will once again host From The Source (FTSCon) – a one-day summit offering a unique opportunity to connect in-person with an international cadre of pioneering researchers and practitioners who work on the most advanced digital investigations. And this year, there are two follow-on training course offerings!

FTSCon will kick off with a Keynote Presentation followed by two parallel tracks:

The MAKER track is focused on the “makers” who build the open-source tools relied upon by modern digital investigators.
The HUNTER track highlights the “hunters” who have contributed to some of the most interesting investigations of the past year.

KEYNOTE SPEAKER


Joe Grand

Grand Idea Studio

Adventures in Wallet Hacking


With his team at offspec.io, Joe Grand has been hacking cryptocurrency wallets to help people recover funds they thought were lost forever. What started as a one-off project has evolved into a dizzying array of personalities and challenges.

In this keynote session, Joe will share stories and technical details of his wallet hacking adventures.


NETWORK

Connect in person with pioneering researchers & practitioners who work on the most advanced digital investigations.


LEARN

Hear from developers of your favorite open-source tools & the digital investigators who have discovered some of the biggest intrusions.


TRAIN

Participate in one of two follow-on training course offerings: Malware & Memory Forensics with Volatility 3 and Joe Grand’s Hardware Hacking Basics.

TRACK SPEAKERS

The following speakers are confirmed; additional speakers to be announced.


Aleksandra Doniec

Malware Researcher, Open Source Developer

More details: hasherezade.net

Uncovering Malware's Secrets with TinyTracer

Malware analysts regularly face samples that are packed or heavily obfuscated. While sandboxing can provide a quick overview of behavior, it often falls short: evasions can defeat automated systems, and the results are noisy or miss the details we really care about: local functions, custom control flow, or subtle instruction-level tricks.

TinyTracer is an open-source dynamic binary instrumentation tool built on Intel Pin. Originally a small side project, it has grown into a powerful yet simple-to-use tracer designed for reverse engineers. It can follow API calls, local functions (with both inputs and outputs), and even single instructions with contextual changes. TinyTracer also includes built-in bypasses for many common anti-analysis techniques, and supports both Windows and Linux on Intel architectures.

This talk will demonstrate how TinyTracer fits into a reverse engineering workflow. Through short case studies, we’ll show how it can untangle strongly obfuscated malware and generate output ready for integration with disassemblers such as IDA or Binary Ninja.

If you’ve ever wanted a lightweight, configurable tracer to cut through obfuscation and get straight to the interesting parts of a binary, TinyTracer might be the tool you’ll reach for next.


Andrew Case

Director of Research | Volexity

Andrew Case is the Director of Research at Volexity, and has significant experience in incident response handling and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of the Volatility memory analysis framework, and a co-author of the highly popular and technical forensics analysis book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.”

Detection and Analysis of Memory-Only Linux Rootkits

In late 2024, analysts from Stroz Friedberg published a short report on a Linux malware sample they discovered in the wild and named sedexp. Given the relative rarity of novel Linux malware, our team obtained a copy of sedexp and began a full analysis. This analysis led us to discover several significant components of the malware not covered in any public report to date, including loading of a memory-only rootkit, hooking of the network stack, and several interesting anti-forensics techniques. In this presentation, our team will detail how we analyzed this malware, from debugging the malicious application, to extracting the memory-only rootkit, to analyzing its components using Volatility 3 and IDA Pro. Attendees will learn a detailed methodology for detecting and analyzing memory-only Linux rootkits and see a showcase of Volatility 3’s capabilities.


Daniel Gordon

Cyber Threat Intelligence Analyst

Daniel Gordon, CySA+, CISSP, CEH, GCIA, GCTI, GCFA is a cyber threat intelligence analyst with a background in network defense, digital forensics, incident response, and IT support. He has degrees in Political Science as well as Modeling and Simulation. He has published blogs in Dark Reading, War on the Rocks, and Risky.biz and spoken at a large number of events including MTEM and SleuthCon.

When the AppleJeus GitHub is Worth the Squeeze: Citrine Sleet Investigation

Citrine Sleet is one of the most difficult North Korean hacking groups to track but in July 2025 we discovered and disrupted a Citrine Sleet campaign.

This talk will have a little bit of everything! Collaboration between different DPRK hacking groups! Citrine Sleet using a DPRK IT worker to help backstop their social engineering! Activity across platforms including GitHub, NPM, PyPI, Twitter, and Discord!

This talk will also give some background on notable DPRK hacking groups, show simple pivoting in GitHub, and give some recommendations to help protect your network from DPRK threat actors.


Denis Bueno

Researcher | Sandia National Labs

Denis Bueno is a researcher at Sandia National Labs and the primary developer of CTADL. He is interested in large scale program analysis, especially where it intersects logic programming and databases. His website is https://denisbueno.net.

CTADL: Customizable Static Taint Analysis

CTADL is a static taint analyzer developed at Sandia National Labs. Many kinds of interesting software understanding questions can be understood as taint analysis questions; for instance: “how is potentially sensitive data processed by this malware? where is it sent?” CTADL was developed as a performant and flexible way of answering these types of questions. It was designed so that users can modify the analysis, for example by augmenting it with other static analyses. CTADL’s architecture is compositional and summary-based, enabling efficient parallel execution. It reasons about fields using access paths and builds a call graph in the same fixpoint flow as the main analysis, enabling data flow analysis to increase call graph precision and vice versa. The talk will go over the problem of taint analysis, the reasons why CTADL was developed as a solution, the internals of the CTADL architecture, and some applications. CTADL is open source and available online at https://github.com/sandialabs/ctadl.


Joe FitzPatrick

Trainer and Researcher | SecuringHardware.com

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Rethinking DMA Attacks with Erebus

Despite broader use of IOMMUs and other mitigations, DMA attacks are still alive and kicking. Open-source DMA attack tools are readily available, relatively inexpensive, and increasingly versatile. In addition to forensic analysis, they’ve found wide use in game cheating communities and some minor adoption in system reverse engineering.

Epic Erebus is a new tool many years in the making, designed for both analysis and attacks. The combination of a minimal form factor, open tool chain, and open implementation allows it to be a simple memory capture device that’s easily reconfigurable for analyzing new target systems, stress testing the implementation of various DMA mitigations, and prototyping fully embedded attacks.

Hopefully you’ll leave this session with new ideas of where to look for, how to use, and how to protect against PCIe DMA accesses.


Joseph Edwards

Security Engineer | 7AI

Joseph is a malware reverse engineer and incident responder with experience on multiple operating systems and platforms. Prior to his current role at 7AI, he worked for SentinelOne’s DFIR team to investigate intrusions and analyze malware in customer environments. He also worked as a Senior Malware Researcher at ReversingLabs, where he published blogs on unique and emerging file-based threats. He holds several certifications from SANS for Malware Reverse Engineering and Digital Forensics, and is currently pursuing a Master’s in Information Security Engineering at the SANS Technology Institute.

The Forensics of Zoom's Remote Control

Initial access threat actors and social engineers have long used videoconferencing software to convince victims to hand over remote control of their device. This type of access results in hands-on-keyboard activity by threat actors, leading to credential compromise and potentially infostealers. Zoom is one of the latest enterprise software offerings to be abused for remote access by attackers, namely a group reported as ELUSIVE COMET.

From a digital forensics perspective, how does remote access work through these applications? What information is recorded in more and less volatile sources? This research provides a methodology for profiling applications and their forensic impact (without getting into legal trouble as a reverse engineer).


Juan Andrés Guerrero-Saade

Executive Director for Intelligence | SentinelOne

Juan Andrés Guerrero-Saade (better known as ‘JAGS’) is Executive Director for Intelligence and Security Research at SentinelOne and Distinguished Resident Fellow for Threat Intelligence and Adj. Professor at the Johns Hopkins SAIS Alperovitch Institute for Cybersecurity Studies. He was Google Chronicle’s Research Tsar, co-founder of Stairwell, and a Principal Security Researcher at GReAT focusing on targeted attacks. Prior to that, JAGS worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. His joint work on Moonlight Maze is now featured in the International Spy Museum’s permanent exhibit in Washington, DC. JAGS is the Founder of LABScon and co-hosts the Three Buddy Problem podcast.

From Threat Hunting to Threat Gathering

Presentation details will be revealed at FTSCon.


Michael Carson

Senior Member of Technical Staff | Sandia National Labs

Michael Carson has been working in the scalable malware analysis space since 2016 at Sandia. He is the creator of Thorium and a fan of the Rust programming language.

Thorium

Thorium is a highly scalable, distributed malware analysis and data generation framework that has recently been open sourced (https://github.com/cisagov/thorium). Thorium is designed to make cyber incident response, triage, and file analysis easier through the safe ingestion and storage of data, automation of analyses, and easy access to results, files, tags, and repositories. It allows analysts and developers to easily test, deploy, and share tools in a variety of formats including Docker, VMs, and bare metal. During this talk we will explain why we built Thorium, what it does, how it compares to other platforms, and how you can integrate it into your workflows.


Michael Horka

Lumen Technologies | Black Lotus Labs

Michael Horka is a Principal Information Security Engineer at Black Lotus Labs, the threat research division of Lumen Technologies. He is responsible for covert network, botnet and advanced actor tracking and intelligence. He has over a decade of experience performing threat analysis and reporting on nation-state campaigns, most notably as a Special Agent with the FBI’s Houston Field Office.

Lilac Typhoon aboard the Indigo Train - The Current State of Chinese Obfuscation Networks

For more than four years, Black Lotus Labs, the threat intelligence division of Lumen Technologies, has monitored Chinese state-sponsored threat actor Lilac Typhoon’s intrusion operations against U.S. and Taiwan government, military, critical infrastructure, and communications sectors through an evolving covert network of compromised SOHO and IoT devices. Historically, Lilac Typhoon conducted their intrusion operations, including 0-day exploitation, through an array of compromised modems and routers we dubbed “Silverfox.” Jumping forward to the present day, Silverfox has evolved into what we now call “Indigo Train”: a series of “malwareless,” elusive, geographically distributed, and chained operational nodes, consisting of hijacked SOHO and IoT devices. The structure of this chaining methodology mirrors what we have observed from an associated threat actor, indicating a likely shift by Chinese state-sponsored threat actors to enhance operational security over the past few years.


Tom Lancaster & Josh Duke

Threat Intelligence | Volexity

Tom Lancaster is the Director of Threat Intelligence at Volexity, where he applies more than 10 years of threat intelligence, malware detection and incident response experience. He is a specialist in both investigating and tracking nation-state threat actors, as well as finding new ones.

Josh Duke is a Threat Intelligence Analyst at Volexity with experience in tracking nation-state threat actors and infrastructure analysis, transforming findings from these investigations into defenses for customer networks. With a strong understanding of Computer Science, holding both an MS and a BS in the field, Josh is able to connect his understanding of software and networking to inform his work as an intelligence analyst.

Mission Auth Possible: Passwordless Phishing

This presentation will discuss various state-sponsored threat actors, including Russian, Iranian, and Chinese threat actors, who have abused Microsoft’s Device Code and OAuth Code authentication workflows to phish users in order to gain access to their Microsoft 365 accounts. This access was then used to download emails, send additional phishing emails from compromised accounts, and download files. The particular phishing techniques used were passwordless; users never entered their password on an attacker-owned website, but attackers were allowed to obtain a token that authenticated them to the victim’s account for arbitrary access at a later time. This presentation will cover details of how these attacks were carried out, the post-exploitation activities conducted by the threat actors, and detection opportunities for network defenders.


Toni de la Fuente

Creator of Prowler, Founder & CEO

Toni de la Fuente is the creator of Prowler, the most widely used open-source multi-cloud security tool, and the founder and CEO of Prowler. With a background as a Senior Security Engineer and Senior Security Consultant at AWS, Toni has dedicated his career to building practical, scalable security solutions that help organizations secure their cloud environments with transparency and efficiency. He is deeply passionate about Free Libre Open-Source Software (FLOSS) and is a leading advocate for open cloud security, democratizing access to security tools, and fostering a global community around security, incident response, and digital forensics.

Open Cloud Security, Lessons Learned Building Prowler

Cloud security is a moving target: resources are ephemeral, providers release new services daily, attackers evolve constantly, and compliance demands grow more complex. In this talk, we’ll explore key lessons learned from developing Prowler, an open-source cloud security scanning tool used across industries and cloud platforms. From architectural trade-offs to automation pitfalls, community-driven features, and hard-earned insights on multi-cloud security, this session distills years of experience into actionable takeaways for engineers, security teams, and open-source contributors.


Wesley Shields

Security Engineer | Google

Wesley Shields works at Google where he may or may not be a robot, but does spend most of his time working on understanding and disrupting Russian threat groups.

COLDRIVER: NOROBOT / YESROBOT / MAYBEROBOT

COLDRIVER is traditionally known for phishing and hack-and-leak campaigns against Western NGOs, NATO and governments, but they have also been known to use malware in highly targeted circumstances. This talk is an overview of their latest chain of malware and how it has evolved in 2025.

Agenda

8:00 – 9:00 AM | Breakfast
9:00 – 12:30 | Talks
12:30 – 1:30 | Lunch
1:30 – 5:00 | Talks
6:00 – 9:00 PM | Evening Reception [Offsite]

The #FTSCon Evening Reception will be held at VUE Rooftop DC.

This event is sponsored by Volexity.

FOLLOW-ON TRAINING COURSE OFFERINGS

Directly following From The Source, there will be two in-person training course offerings. Students who register for these training courses will also receive a complimentary pass to From The Source.

Malware and Memory Forensics Training with Volatility 3

This four-day training course is your opportunity to learn directly from the core developers about new capabilities in Volatility 3 and what motivated recent design changes.

Joe Grand's Hardware Hacking Basics

This two-day course teaches fundamental hardware hacking concepts and techniques used to reverse engineer and defeat the security of electronic systems. No prior hardware experience is required.

LOCATION

Event Venue


Convene

1201 Wilson Blvd

Arlington, Virginia

GIVING BACK

Charitable Giving

100% of the proceeds for From The Source will be donated to Connect Our Kids, a 501(c)(3) nonprofit that is pioneering technology to find families, build connections, and create community for children in the foster care system.

Get Involved!

Learn how you can help keep Volatility free and available to all!
