Evgen Blohm

Incident Response @ InfoGuard AG

Hamburg, Germany

Evgen Blohm is an experienced DFIR expert who has been involved in responding to a large number of cyber incidents. He is based in Hamburg, Germany and is currently working for InfoGuard AG, where he is also supporting customers with compromise assessments and dark web monitoring.

Area of Expertise

  • Information & Communications Technology

Topics

  • Digital forensics
  • Incident response
  • Cybersecurity
  • Malware

Slithering Through the Noise: Deep Dive into the VIPERTUNNEL Python Backdoor

Malware development is a process of continuous refinement. In this session, we analyze the evolution of **VIPERTUNNEL**, a Python-based backdoor used by the UNC2165 (EvilCorp) activity cluster for stealthy persistence and network pivoting.
The core of this talk focuses on the "evolutionary leap" in the malware's code logic and defensive posture. We will walk through three distinct stages of its development:

1. **The Public Phase:** Early variants that relied on well-documented, open-source obfuscators (like `pyobfuscate`), which are easily defeated by standard tools.
2. **The Prototype:** The emergence of a custom-built loader that, while still exhibiting "noisy" cleartext strings and linear execution, signaled a shift toward a private, proprietary framework.
3. **The Production Variant:** The current "gold standard" used in DragonForce engagements. This version is a multi-layered beast featuring **ChaCha20 encryption**, **BLAKE3 integrity checks**, and **control-flow flattening** to force analysts into a grueling, non-linear reversing process.

We will also explore the "Shared DNA" between VIPERTUNNEL and other tools like the ShadowCoil credential stealer. By analyzing a privately maintained, multi-stage packer common to both, we uncovered unexpected Linux-specific anti-debugging checks buried within Windows-targeted payloads—a clear indicator of modular, cross-platform ambitions by the developers.

Forged Kerberos Tickets: Forensic Detection and Response

This talk explores forged Kerberos tickets — Golden, Silver, Diamond and Sapphire — from a practical forensic angle without diving too deep into protocol details. It outlines what each ticket type represents, why attackers use them and how their presence changes the shape of an investigation. The focus is on the kinds of clues these forgeries leave behind: unusual authentication patterns, inconsistencies in logs, odd ticket lifetimes, and activity that doesn’t match normal account behavior. The session walks through where responders typically find the most useful evidence, which gaps often slow investigations, and how to judge the real scope of an incident once forged tickets are involved. Short case examples show how these attacks appear in practice and how investigators can separate false alarms from genuine compromise. The talk closes with clear steps for containment, recovery and long-term hardening, aimed at helping responders move from detection to confident remediation.

Worst Case Cyberattack – Recognise the extent quickly and efficiently

This webinar introduces and compares various technologies for detecting cyber attacks efficiently. We also take a look at the dark web to identify initial access brokers at an early stage to prevent a potential cyber attack.

Living on the Edge – Evicting threat actors from perimeter appliances

This presentation will showcase highlights from our past forensic investigations into different compromised edge devices (primarily network equipment) manufactured by Cisco, Fortinet, Citrix and Ivanti. Analyzing these appliances is not as straightforward as on normal endpoints and sometimes requires a bit of creativity. I will include information on the exploits used, the targets and motivation of the nation-state or cybercriminal perpetrators, and practical tips to investigate and protect these appliances.

Initial Access Techniques - From Past to Present

The ways and techniques used to obtain initial access have changed over time as security measures and tools have improved, making some approaches more difficult or even impossible. While most people are familiar with traditional phishing emails and have sat through countless security awareness lessons on how to identify them, do they know what ClickFix is, or why not to download arbitrary browser extensions? Some of these techniques also target macOS users, which is especially interesting because many companies do not protect their Mac devices properly and still believe "We use macOS, we are safe".
This talk aims to highlight past initial access techniques and why they are no longer used. Building on that knowledge, I'll show the new and creative ways threat actors establish initial access today, which is then either abused directly by ransomware groups or sold on the dark web.

"All your files are belong to us!" - Investigating BianLian Extortion-Group Intrusion

Earlier this year we responded to an intrusion attributed to the BianLian data exfiltration and extortion group. We will give a rundown of our findings and BianLian TTPs. It will also contain highlights from our threat intelligence investigation, e.g. the TA's switch from ransomware to exfiltration-only operations and their infrastructure.

MacOS Investigation Workshop

The goal of this workshop is to equip participants with the essential knowledge and practical skills needed to perform forensic analysis of macOS systems in the context of modern threats.
Although macOS devices still represent a smaller share of enterprise environments compared to Windows, they are increasingly targeted by threat actors. As a result, macOS security and forensic analysis remain less mature and underrepresented in many organizations’ defensive strategies. Recent industry reports — including findings from Red Canary showing a 400% increase in macOS-related threats between 2023 and 2024 — highlight the urgent need for improved visibility and expertise in this area.

This workshop will guide participants through the fundamental steps of conducting macOS forensic investigations, including:

- Creating logical and triage images of macOS devices
- Identifying and interpreting key system artifacts
- Investigating artifacts for evidence of threat actor activity
- Utilizing common forensic tools to support analysis
- Understanding the evolving macOS threat landscape

By the end of this workshop, participants will be able to independently conduct forensic investigations on macOS systems and will receive additional resources to support continued learning and future casework.

Security BSidesLjubljana 0x7EA

March 2026, Ljubljana, Slovenia

Bsides Göteborg

MacOS Forensic Workshop

February 2026

Bsides Dresden

Initial Access Techniques - From Past to Present

December 2025, Dresden, Germany

Bsides Frankfurt

Living on the Edge – Evicting threat actors from perimeter appliances

August 2025, Frankfurt am Main, Germany

Bsides Frankfurt

"All your files are belong to us!" - Investigating BianLian Extortion-Group Intrusion

September 2023, Frankfurt am Main, Germany
