Zhassulan Zhussupov
Malware Researcher, Threat Hunter, Malpedia
Istanbul, Turkey
Cybersecurity enthusiast, author, speaker and mathematician. Author of popular books:
MD MZ Malware Development Book (Github, 2022, 2024)
MALWILD: Malware in the Wild Book (Github, 2023)
Malware Development for Ethical Hackers Book (Packt, 2024)
AIYA Mobile Malware Development Book (Github, 2025)
Malware Development for Ethical Hackers 2nd edition (Packt, 2026, in progress)
Author and tech reviewer at Packt.
Co-founder of various cybersecurity research labs, author of many cybersecurity blogs and HVCK magazine
Malpedia contributor
Speaker at BlackHat, DEFCON, Security BSides, Arab Security Conference, Hack.lu, Standoff and other conferences
Reveng AI and NSO-generation Mobile Spyware Architecture
Advanced mobile spyware has crossed a new threshold. A modular, cross-platform implant recovered from compromised iOS and Android devices represents a qualitative leap over prior NSO/Candiru-generation tooling. It does not merely exploit a single vulnerability: it orchestrates a full five-phase kill chain, from zero-click media parser exploitation through kernel R/W primitive establishment, dylib/.so injection, stealth persistence, and AI-augmented polymorphic exfiltration, all within the trust boundary of a messaging application.
This talk presents the full reverse-engineered architecture of this NSO-generation implant, based on forensic artifacts, memory dumps, disassembled payloads, and C2 telemetry. We dissect the dual-platform exploit chain (iOS CoreGraphics heap overflow + ARM64 ROP; Android Image Codec OOB write + SELinux bypass), the modular C/Rust/ObjC/Kotlin polyglot implant core, and the first documented evidence of an LLM-integrated C2 server performing server-side dynamic exploit variant generation, a development with profound implications for the future of evasion-by-design.
Malware Development for Ethical Hackers (Windows, Linux, Android)
The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.
The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.
The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
- Malware Development for Android and Linux (bonus)
Most of the examples in this course require a deep understanding of the Python, Kotlin and C/C++ programming languages.
Knowledge of assembly language basics is not required but will be an advantage.
Training Outline (detailed):
MALWARE INJECTION TECHNIQUES:
1. Traditional Injection Approaches: Code and DLL (2 practical examples, LAB + 1 homework) - 10 min
2. Exploring Hijacking Techniques (2 practical examples, LAB + 1 homework) - 10 min
3. Understanding Asynchronous Procedure Call (APC) Injections (2 practical examples, LAB + 1 homework) - 10 min
4. Mastering New Injection/Hooking Techniques (4 practical examples, LAB) - 10 min
PERSISTENCE MECHANISMS:
5. Classic Path: Registry Run Keys / Persistence via Registry Keys (3 practical examples, LAB) - 10 min
6. Persistence via Winlogon Process (2 practical examples, LAB) - 10 min
7. Exploiting Windows Services for Persistence (2 practical examples, LAB + 1 homework) - 10 min
8. Exploring Non-Trivial Loopholes and New Persistence Techniques (5 practical examples, LAB + 2 homework) - 10 min
MALWARE FOR PRIVILEGE ESCALATION:
9. Manipulating Access Tokens like APT (1 practical example, LAB + 1 homework) - 10 min
10. Password stealing / LSASS.exe dumping (3 practical examples, LAB + 1 homework) - 10 min
11. Malware for bypassing User Account Control (2 practical examples, LAB + 1 homework) - 10 min
ANTI-VM AND AV BYPASSING:
12. Anti-Virtual Machine Strategies (4 practical examples, LAB + 1 homework) - 10 min
13. Practical use of hash algorithms in malware (1 practical example, LAB + 1 homework) - 10 min
14. Evading Static Detection (1 practical example, LAB + 1 homework) - 10 min
15. Evading Dynamic Detection (1 practical example, LAB + 1 homework) - 10 min
16. Advanced Evasion Techniques (1 practical example, LAB + 1 homework) - 10 min
17. Cryptography for bypassing security solutions (4 practical examples, LAB + 2 homework) - 10 min
LINUX AND ANDROID MALWARE:
18. Linux Kernel Hacking (1 practical example, LAB) - 10 min
19. Linux process injection (1 practical example, LAB) - 10 min
20. Introduction to Android Malware (3 practical examples, LAB) - 60 min
21. Leveraging legit APIs for Android Malware (2 practical examples, LAB) - 40 min
RESEARCH AND PRACTICE:
22. Simple Tricks and Automation for Malware Development and Emulation (3 practical examples, LAB + 1 homework) - 10 min
23. How to find New Persistence Techniques (2 practical examples, LAB + 1 homework) - 10 min
24. Elliptic Curve Cryptography (ECC) and Malware (1 practical example, LAB + 1 homework) - 10 min
Covert Command-and-Control: Leveraging Legitimate APIs for Evasive Malware Operations
In this hands-on workshop, participants will learn how attackers exploit legitimate cloud-based APIs to establish stealthy command-and-control (C2) channels. Through guided exercises, attendees will implement real-world techniques for abusing APIs such as GitHub Gists, Telegram Bots, Discord Webhooks, and Google Apps Script to bypass traditional security defenses. This session blends theory with practical application, demonstrating the challenges of detecting API-based malware communication while providing defenders with the tools needed to counter these threats.
Module 1: Understanding API-based C2 (30 min)
Overview of modern malware communication methods.
Case studies on API abuse by APT groups.
Limitations of traditional network-based detection systems.
Module 2: Setting Up API-based C2 Channels (45 min)
Hands-on exercise: Establishing a covert C2 using GitHub Gists.
Configuring Telegram Bot API as a remote shell.
Sending and receiving commands via Discord Webhooks.
Encrypting C2 communications to evade detection.
Module 3: Building a Dropper and Malware Loader (45 min)
Writing a simple C/C++ dropper to retrieve and execute payloads.
Obfuscation techniques to evade static analysis.
Bypassing signature-based detections with encryption and packing.
Module 4: Evasion Techniques & Detection Countermeasures (45 min)
Bypassing Endpoint Detection & Response (EDR) and Machine Learning (ML) defenses.
Implementing polymorphic techniques for API-based malware.
Hands-on: Detecting and mitigating API-based C2 in enterprise environments.
Final Q&A and Discussion (15 min)
Open discussion on emerging threats in cloud-based malware.
Recommendations for security practitioners to improve defenses.
Deanon Hackers via Public Leaks: Tracking APT Groups using Leaks
Advanced Persistent Threat (APT) groups rely on anonymity and compartmentalization, but even the best operational security can be compromised by public leaks and open-source intelligence (OSINT). This talk will explore how we can deanonymize APT groups, nation-state actors, and other malicious entities by leveraging public data leaks, open-source tools like OCCRP’s Aleph, and cross-referencing leaked databases with existing intelligence.
Through real-world case studies, we will demonstrate how cybercriminals, state-sponsored hacking groups (such as APT28, Sandworm, and Refined Kitten), and even intelligence operatives can be traced and identified using open data sources. The talk will include a live Proof of Concept (PoC) showcasing techniques for correlating leaked emails, financial records, and digital footprints to unmask cyber actors.
Attendees will gain insights into OSINT methodologies, digital forensic techniques, and tools that can be used for cyber threat hunting and intelligence gathering.
Key takeaways:
How database leaks (e.g., T-Mobile, Facebook, NSA, Ukraine, Turkey, Israel voter leaks) can be weaponized for APT hunting.
How OCCRP's Aleph is used by journalists and researchers to uncover hidden connections.
The role of cross-referencing leaked data with official indictments and FBI wanted lists.
A live PoC showing how we can track APT groups and Russian GRU operatives using open-source intelligence.
Discussion on implications for national security and cyber warfare.
Exploiting Legit APIs for Covert C2: A New Perspective on Cloud-based Malware Operations
As modern security defenses evolve, attackers continue to leverage legitimate cloud services for command-and-control (C2) communication, effectively bypassing traditional network detection systems. This talk presents original research into the abuse of lesser-known free cloud APIs such as GitHub Gists, Telegram Bot API, Discord Webhooks, and Google Apps Script for stealthy malware communication. Unlike well-documented abuses of Google Drive or Dropbox, our study explores new, unmonitored attack surfaces that can be exploited by adversaries while remaining under the radar of enterprise security monitoring tools.
Key topics of my talk:
Techniques for establishing C2 channels using free cloud services.
Encryption and obfuscation strategies to evade EDR/ML-based detection.
Case studies demonstrating real-world proof-of-concepts (PoC) of API abuse.
Recommendations for mitigating risks and detecting malicious API-based C2 activity.
Traditional C2 detection methods focus on recognizing known malware signatures or anomalous network traffic. However, API-based C2 channels blend seamlessly into normal cloud service usage, making them exceptionally difficult to detect. This talk will provide defenders with insight into how attackers exploit these mechanisms and offer practical countermeasures to strengthen security postures against emerging threats.
Target Audience:
Red Teamers, Ethical Hackers, and Penetration Testers
SOC Analysts and Threat Hunters
Incident Responders and Security Engineers
Malware and Hunting for Persistence: how do adversaries hack your Windows?
The story of how I discovered several non-standard and unusual methods for malware persistence using registry modifications and a DLL hijacking vulnerability: Windows Internet Explorer, Win32 API cryptography features, the Windows Troubleshooting feature and Process Hacker 2.
Research in the field of hunting new persistence techniques for malware.
Also a comparison of these methods with classical tricks and techniques that are used by various APT groups and ransomware authors.
Malware, Persistence and Cryptography
Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. Also, because most (classic) malware is written for Windows, this as a rule gives you tangible knowledge of developing under Windows.
The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.
The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.
The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
Most of the examples in this course require a deep understanding of the Python and C/C++ programming languages.
Knowledge of assembly language basics is not required but will be an advantage.
Malware, Cats and Cryptography
Research in the field of reimplementation of ransomware and the role of cryptography in malware development. Application of classical cryptographic algorithms for payload and ransomware encryption. Practical research has been carried out: the results of using Skipjack, TEA, Madryga, RC5, A5/1, Z85, DES, MMB, Kuznechik and other encryption algorithms have been analysed. The application of cryptography based on elliptic curves is also being researched. How does all this affect the VirusTotal detection score, and how applicable is it for bypassing AV solutions (AV bypass)? In some of the researched practical cases, we get FUD malware.
Bypassing Kaspersky, Windows Defender and ESET NOD32 AV in some practical cases.
Reverse engineering and code reconstruction with malware development tricks from ransomware and malware like Conti, Snowyamber, Paradise Ransomware, CopyKittens, Hello Kitty, etc. Discovered new tricks from Russian APT29-related malware.
Signal processing and math for malware R&D for fun and profit
Modern AV and EDR platforms treat malware as data: they compute Shannon entropy, match byte patterns, and blacklist known cryptographic primitives. AES resembles AES. XOR is XOR.
The statistical fingerprint is always there - until you stop looking at the payload as data and start looking at it as a signal.
This presentation shows how Digital Signal Processing (DSP), particularly the Discrete Fourier Transform (DFT) and DFT-like mathematical algorithms with a phase-shifted mathematical key, converts shellcode bytes into a buffer of complex floating-point frequency coefficients. The output is mathematically indistinguishable from sensor noise or audio noise: no byte patterns, no high-entropy signature. There is no recognizable structure until the matching key is used at runtime by the Inverse DFT.
The delivery mechanism completely bypasses the network layer. The payload is encoded into audio tones and played through a speaker using FSK. A victim machine demodulates the tones captured by a standard microphone with the Goertzel algorithm, rebuilds the shellcode and executes it. The covert channel is physics, like an acoustic weapon. There is no socket. There is no pipe. There is no network alert.
We present a working, open-source PoC for Linux and Windows covering two threat models: shellcode delivery (attacker -> speaker -> air -> victim mic -> execute) and data exfiltration (victim -> speaker -> air -> attacker mic -> stolen data). All source code will be released after the session.
BSides Prishtina 2026 Sessionize Event
MCTTP Munich Cyber Tactics, Techniques und Procedures 2025 Sessionize Event
BSides Prishtina 2025 Sessionize Event
BSides Tirana 2024 Sessionize Event
BSides Kraków 2024 Sessionize Event
BSides Prishtina 2024 Sessionize Event
Security BSides Sofia 2024 Sessionize Event