Public Papers, Publications and Talks

Kobalos – A complex Linux threat to high performance computing infrastructure - (2021-02)

  • A white paper about a unique multiplatform malware

Operation NightScout: Supply‑chain attack targets online gaming in Asia - (2021-02)

  • A supply-chain attack used in a cyberespionage operation targeting online‑gaming communities in Asia

Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia - (2020-12)

  • A supply-chain attack on the website of a government in Southeast Asia.

Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks - (2020-05)


Linux.Rekoobe Operating Undetected - (2020-01)

  • Rekoobe is a minimalistic trojan with a complex CNC authentication protocol, originally targeting SPARC and Intel x86/x86-64 systems back in 2015 and reemerging in early 2020.

ELF Crafting. Uncovering Advance Anti-analysis techniques for the Linux Platform (r2con2019)

A presentation covering the intricacies of the ELF file format and how it could be abused by threat actors to make their malware more challenging for malware researchers to analyze.


ChinaZ updates toolset - (2019-12)

  • Analysis of new samples of ChinaZ, a Chinese-speaking cybercrime group that authored Elknot and BillGates, among other botnets.

ACBackdoor - The story of a multiplatform trojan - (2019-10)

  • Analysis of a Linux trojan whose authors tried to port it to Windows.

How we disrupted 15 active ransomware campaigns targeting Linux file-storage servers - (2019-07)

  • How the operation of a ransomware targeting Linux-based file storage systems (NAS servers) was temporarily disrupted by abusing a bug in the logic of the malware.

Watching the Watchbog, new Cython sample and Linux Exploits - (2019-07)

  • Analysis of a new version of Linux.WatchBog written in Cython that was suspected to have compromised more than 4,500 Linux machines, highlighting how effective Cython can be for obfuscation purposes.

HiddenWasp - Linux implant targeting Linux systems - (2019-05)

  • Analysis of a Linux implant with ties to Winnti malware used by Chinese state-nexus actors.

War in the cloud: East Asian Cybercrime actors compete for persistence - (2019-05)

  • Pacha Group, a Chinese-speaking group targeting cloud-based infrastructure, was disrupting the foothold of other crypto-mining groups, namely Rocke Group/Iron Group, which was also known to target cloud environments at the time.

Analysis of Pacha Group unconventional toolset - (2019-02)

  • Pacha Group, a suspected Chinese-speaking ecrime group, showcased Linux malware that was unconventional at the time, with no ties to other known threat actors.

Muhstik reloaded - New Linux variants target phpmyadmin servers - (2018-11)

  • This was my first public malware analysis report, nothing too special really. Staying here for historical purposes.

ELF 101: Part 3 - (2018-04)


ELF 101: Part 2 - (2018-02)


ELF 101: Part 1 - (2018-01)


glibc heap analysis with Radare2 (r2con2016)

Talk intended to document the internals of the Linux heap layout produced by the glibc malloc dynamic memory allocator, along with its analysis using radare2.