Zhassulan Zhussupov
Malware Researcher, Threat Hunter, Buttefly Effect Team
Istanbul, Turkey
Actions
cybersecurity enthusiast, author, speaker and mathematician. Author of popular books:
MD MZ Malware Development Book (2022, 2024)
MALWILD: Malware in the Wild Book (2023)
Malware Development for Ethical Hackers Book: https://www.amazon.com/dp/1801810176 (2024)
Author and tech reviewer at Packt. Co founder of MSSP Research LAB, author of many cybersecurity blogs, HVCK magazine
Malpedia contributor
Speaker at BlackHat, Security BSides, Arab Security Conference, Hack.lu, Standoff, etc conferences
Links
Area of Expertise
Topics
Deanon Hackers via Public Leaks: Tracking APT Groups using Leaks
Advanced Persistent Threat (APT) groups rely on anonymity and compartmentalization, but even the best operational security can be compromised by public leaks and open-source intelligence (OSINT). This talk will explore how we can deanonymize APT groups, nation-state actors, and other malicious entities by leveraging public data leaks, open-source tools like OCCRP’s Aleph, and cross-referencing leaked databases with existing intelligence.
Through real-world case studies, we will demonstrate how cybercriminals, state-sponsored hacking groups (such as APT28, Sandworm, and Refined Kitten), and even intelligence operatives can be traced and identified using open data sources. The talk will include a live Proof of Concept (PoC) showcasing techniques for correlating leaked emails, financial records, and digital footprints to unmask cyber actors.
Attendees will gain insights into OSINT methodologies, digital forensic techniques, and tools that can be used for cyber threat hunting and intelligence gathering.
Key takeaways:
How database leaks (e.g., T-Mobile, Facebook, NSA, Ukraine, Turkey, Israel voter leaks) can be weaponized for APT hunting.
How OCCRP's Aleph is used by journalists and researchers to uncover hidden connections.
The role of cross-referencing leaked data with official indictments and FBI wanted lists.
A live PoC showing how we can track APT groups and Russian GRU operatives using open-source intelligence.
Discussion on implications for national security and cyber warfare.
Exploiting Legit APIs for Covert C2: A New Perspective on Cloud-based Malware Operations
As modern security defenses evolve, attackers continue to leverage legitimate cloud services for command-and-control (C2) communication, effectively bypassing traditional network detection systems. This talk presents original research into the abuse of lesser-known free cloud APIs such as GitHub Gists, Telegram Bot API, Discord Webhooks, and Google Apps Script for stealthy malware communication. Unlike well-documented abuses of Google Drive or Dropbox, our study explores new, unmonitored attack surfaces that can be exploited by adversaries while remaining under the radar of enterprise security monitoring tools.
Key topics of my talk:
Techniques for establishing C2 channels using free cloud services.
Encryption and obfuscation strategies to evade EDR/ML-based detection.
Case studies demonstrating real-world proof-of-concepts (PoC) of API abuse.
Recommendations for mitigating risks and detecting malicious API-based C2 activity.
Traditional C2 detection methods focus on recognizing known malware signatures or anomalous network traffic. However, API-based C2 channels blend seamlessly into normal cloud service usage, making them exceptionally difficult to detect. This talk will provide defenders with insight into how attackers exploit these mechanisms and offer practical countermeasures to strengthen security postures against emerging threats.
Target Audience:
Red Teamers, Ethical Hackers, and Penetration Testers
SOC Analysts and Threat Hunters
Incident Responders and Security Engineers
Malware and Hunting for Persistence: how adversaries hacking your Windows?
The story of how I discovered several non-standard and unusual methods for malware persistence using the registry
modifications and DLL hijacking vulnerability: Windows Internet Explorer, Win32API Cryptography features, Windows
Troubleshooting Feature and Process Hacker 2.
Research in the field of hunting new persistence techniques for malware.
Also a comparison of these methods with classical tricks and techniques that are used by various APT groups and
Ransomware's authors.
Malware, Persistence and Cryptography
Whether you are a Red Team or Blue Team specialist, learning the techniques
and tricks of malware development gives you the most complete picture of
advanced attacks. Also, due to the fact that most (classic) malwares are written
under Windows, as a rule, this gives you tangible knowledge of developing under Windows.
The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.
The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.
The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
Most of the example in this course require a deep understanding of the Python
and C/C++ programming languages.
Knowledge of assembly language basics is not required but will be an advantage
Malware, Cats and Cryptography
Research in the field of reimplementation of ransomware and the role of cryptography in malware development. Application of classical
cryptographic algorithms for payload and ransomware encryption. Practical research has been carried out: the results of
using Skipjack, TEA, Madryga, RC5, A5/1, Z85, DES, mmb, Kuznechik, etc. encryption algorithms have been analysed. The
application of cryptography based on elliptic curves is also being researched. How does all this affect the VirusTotal detection score and how applicable is it for bypassing AV solutions (AV bypass). In some researched practical cases, we get FUD malware.
Bypass AV Kaspersky, Windows Defender. ESET NOD32 in some practical cases.
Reverse engineering and code reconstruction with malware development tricks from ransomware and malware like Conti, Snowyamber, Paradise Ransomware, CopyKittens, Hello Kitty etc. Discovered new tricks from Russian APT29 related malware.
BSides Tirana 2024 Sessionize Event
BSides Kraków 2024 Sessionize Event
BSides Prishtina 2024 Sessionize Event
Security BSides Sofia 2024 Sessionize Event
Zhassulan Zhussupov
Malware Researcher, Threat Hunter, Buttefly Effect Team
Istanbul, Turkey
Links
Actions
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top