
LABScon25 Replay | Please Connect to the Foreign Entity to Enhance Your User Experience

6 May 2026, 10:00

In this LABScon 25 presentation, Joe FitzPatrick explores how networked devices manufactured overseas have quietly become indispensable to everything from small-business prototyping labs to roadside infrastructure. He argues that the safeguards meant to manage the risks these devices introduce are, in practice, largely ineffective.

Starting with recent reports of undocumented cellular radios found in solar inverters used in U.S. highway infrastructure, Joe notes that adding that kind of connectivity to a device with an exposed serial port takes minutes and can be done by anyone: the manufacturer, the installer, or someone who came along later.

From there he covers the familiar mechanisms by which banned hardware finds its way into supply chains anyway, through relabeling and FCC-certified modular components, before turning to mandatory product activation in consumer devices like drones and 3D printers, and what it actually takes to use them without phoning home.

The deeper problem is that small businesses and infrastructure operators are genuinely dependent on imported hardware because it works and it’s affordable. A significant amount of it runs on devices that connect to foreign entities by default, and there’s no clean domestic alternative.

Joe concludes that import bans don’t fix problems that exist equally in domestic products, and that trade policy is the wrong tool for what is fundamentally a consumer safety problem. His preferred alternatives are right to repair with offline use guarantees, hardware and firmware bills of materials, and comprehensive privacy legislation.

This talk is essential viewing for security practitioners concerned about hardware supply chain risks, the unexpected connectivity of critical infrastructure, or the US’s deep dependence on foreign-manufactured consumer electronics.

About the Author

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

LABScon 2026 | Call For Papers

Submission Deadline: June 19, 2026

LABScon is a unique venue for original research to be shared among peers. The benefit of an invite-only audience of researchers is that there’s no need for long preambles or introductions – speakers are encouraged to dive right into their technical findings.

  • Original content only.
  • Talks are 20 minutes long + 5 minutes for Q&A.
  • Workshops are 90 minutes long.
  • LABScon is primarily a threat intelligence and vulnerability research conference, but we keep an open mind.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.


LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?

22 April 2026, 19:00

In this LABScon 25 presentation, Marc Rogers and Silas Cutler explore the complex, “shadow” supply chain of ultra-cheap Chinese smart home devices, specifically focusing on video doorbells and security cameras widely sold on mainstream online shopping platforms under various rotating brand names like Eken and Tuck.

Marc, who assisted the FCC Enforcement Bureau in its investigations, and Silas reveal how these devices often share identical hardware platforms powered by Allwinner semiconductors, a company heavily subsidized by the Chinese government.

Firmware analysis uncovered hardcoded root passwords and supposed security fixes that amounted to little more than commenting out vulnerable services from startup scripts rather than removing them. Despite appearing to use local cloud services, metadata and video content are frequently routed through servers in Hong Kong and China.

Rogers and Cutler trace a network of shell companies and fictional personas entirely absent from tax and voter records. These entities use non-responsive registered agents and PO boxes specifically set up to refuse legal service, effectively shielding the actual manufacturers from regulatory oversight and making enforcement nearly impossible.

The rapid iteration of hardware versions with no long-term support mirrors distribution patterns more commonly associated with malware campaigns.

While the investigation stops short of attributing direct malice, Rogers and Cutler argue that these devices collectively form a massive, vulnerable IoT surface that can be controlled through simple configuration pushes from overseas. Consumers are drawn in by low prices and subscription features, unaware that their data ultimately resides under foreign control.

About the Authors

Marc Rogers is Co-Founder and Chief Technology Officer for the AI observability startup nbhd.ai. Marc has served as VP of Cybersecurity Strategy for Okta, Head of Security for Cloudflare and Principal Security researcher for Lookout. In his role as technical advisor on USA’s “Mr. Robot” and the BBC’s “The Real Hustle”, he helped create on-screen hacks for both shows.

Silas Cutler is a Principal Security Researcher at Censys, with over a decade of experience tracking threat actors and developing methods for pursuit. Before Censys, he worked as Resident Hacker for Stairwell, Reverse Engineering Lead for Google Chronicle, and as a Senior Security Researcher on CrowdStrike’s Intelligence team.



LABScon25 Replay | Your Apps May Be Gone, But the Hackers Made $9 Billion and They’re Still Here

17 March 2026, 10:00

In this LABScon 25 talk, Andrew MacPherson dives deep into the high-stakes world of crypto crime, which has amassed approximately $9 billion in illicit funds. Andrew demystifies the technical landscape and exposes the sophisticated attack vectors plaguing the decentralized finance (DeFi) space.

The talk begins with an explanation of the core concepts necessary to understand crypto-related security threats, including definitions of blockchains, wallets, and smart contracts. Andrew explains that a key point in the architectural difference of many crypto applications is that they typically rely solely on frontends, with all interactions happening in the browser via the wallet extension.

The talk then moves on to focus on attack patterns. Crypto thieves target every weak point, from applications and code to the developers and executives themselves. The speaker details the largest crypto heist to date, the $1.5 billion loss from Bybit. This attack involved infecting a developer’s machine, gaining access to production JavaScript code, and modifying it to authorize a full wallet drain during a multi-signature transaction. The talk also covers supply chain risks like typo-squatting, exploitation of personal servers like Plex to compromise GitHub accounts, and the rise of “drainers as a service” that simplify crypto theft.

Andrew also covers the challenges attackers face in laundering stolen funds, and how they leverage techniques such as cross-chain swaps, using mixers like Tornado Cash, and non-KYC platforms for conversion to cash. Despite the fact that all blockchain logs are public and permanent, the presentation also discusses the challenges threat intel analysts face in tracking these rapidly moving funds.

Andrew’s presentation is essential viewing for anyone interested in cryptocurrency and cybersecurity, especially those looking to understand the technical realities of financial crime in the decentralized era.

About the Author

Starting at Paterva, Andrew Macpherson spent more than 10 years creating Maltego before moving to the US for security roles at BitMEX (IR), Robinhood (IR/D&R), Uniswap (Head of Security), and now Privy (Principal Security Engineer). He’s spoken at Black Hat, DEF CON, DSS, EthCC and countless others, teaching courses and drinking malibu on the way.



LABScon25 Replay | How to Bug Hotel Rooms v2.0

21 January 2026, 11:00

In this talk, Phobos Group’s Dan Tentler evolves his previous work on hotel room security by demonstrating a fully portable security system built on Home Assistant, Z-Wave devices, CO2 sensors, and millimeter wave radar. What began as basic physical security measures has transformed into a tactical deployment platform capable of detecting human presence through walls, triggering automated alerts, and providing comprehensive situational awareness in temporary accommodations.

Dan walks through the technical fundamentals of each component, explaining how mmWave radar units can detect movement and presence in neighboring rooms or hallways, how CO2 sensors reveal occupancy patterns, and how Home Assistant ties everything together into an automation framework. The system can send alerts, capture images, or trigger any action Home Assistant supports, all deployed and configured rapidly in unfamiliar environments.

The presentation covers real-world use cases that demonstrate the system’s capabilities beyond traditional hotel rooms. For security professionals, researchers, and anyone concerned with physical security while traveling, this talk reveals how consumer automation technology can be repurposed into a sophisticated portable security platform.

About the Author

Dan Tentler is the Executive Founder and CTO of Phobos Group, a boutique information security services and products company. Having been on both red and blue teams, Dan brings a wealth of defensive and adversarial knowledge to the security landscape. Dan has spent time at Twitter, British Telecom, Websense, Anonymizer, Intuit and Sempra Energy and has a strong background in systems, networking, architecture and wireless networks.



LABScon25 Replay | Hacktivism and War: A Clarifying Discussion

14 January 2026, 11:00

This LABScon talk explores how hacktivist activity is strategically leveraged by nation-states and mercenary groups to obscure intent, destabilize targets, and weaponize public narratives. SentinelLABS’ Jim Walter draws on his decades of malware research and threat intelligence experience to decode the hacktivism ecosystem through a unique tooling-based analysis.

Using a four-tier framework for categorizing hacktivist groups, Jim describes a pyramid-shaped ecosystem that ranges from “commodity craptivism” at its bottom, characterized by high noise and low signal, to sophisticated state-front operations at the top, responsible for attacks with physical consequences timed to real-world events.

Jim explains why state-level threat actors increasingly adopt hacktivist personas. The motivations include plausible deniability, narrative control, and strategic influence operations designed to erode confidence in target regimes.

Through examples like Anon Sudan, Belarusian Cyber Partisans, NullBulge, and state-linked operations such as MeteorExpress and Handala, the talk reveals the distinguishing traits that separate top-tier actors from the rest. These indicators include consistent multi-year messaging, willingness to forego financial gain, sophisticated prepositioning capabilities, and measured communications crafted by professional writers.

The presentation concludes that most high-impact hacktivism reported today is actually “fictivism”, state-sponsored proxy operations masquerading as grassroots activism. With state actors leveraging this increasingly chaotic landscape to advance geopolitical objectives while maintaining deniability, this talk is essential viewing for anyone interested in the current hacktivist threat landscape.

About the Author

Jim Walter is a Senior Threat Researcher at SentinelLABS focusing on evolving trends, actors, and tactics within the thriving ecosystem of cybercrime and crimeware. He specializes in the discovery and analysis of emerging cybercrime “services” and evolving communication channels leveraged by mid-level criminal organizations. Jim joined SentinelOne following ~4 years at a security start-up, also focused on malware research and organized crime. Previously, he spent over 17 years at McAfee/Intel running their Threat Intelligence and Advanced Threat Research teams.



LABScon25 Replay | Simulation Meets Reality: How China’s Cyber Ranges Fuel Cyber Operations

25 November 2025, 11:00

Between late 2024 and early 2025, the United States government issued indictments or sanctions against three Chinese information security firms – i-SOON, Sichuan Silence, and Integrity Tech – alleging their support for or links to malicious cyber groups targeting US government and critical infrastructure systems.

In this talk, Mei Danowski and Eugenio Benincasa discuss their research in which they found that all three companies serve as a key seedbed for nurturing China’s offensive cyber talent with cyber range services, which train cybersecurity professionals through “attack-defense live-fire” (攻防实战) exercises.

The speakers explain how, alongside hacking contests and crowdsourced bug bounty programs, attack-defense live-fire exercises are one of the primary mechanisms leveraged by the Chinese government to enhance its cyber capabilities, with support from a rapidly growing private cybersecurity industry with more than 4000 products and services providers.

The presentation goes on to focus on the development of attack-defense exercises and commercial cyber ranges in China, areas that have received relatively little attention to date, examining how this ecosystem shapes China’s offensive cyber capabilities.

The presentation is based on an upcoming research report that draws on Chinese-language sources – including company directories, public business data, job postings, university websites, and interviews in obscure publications – to map China’s cybersecurity industry. This unique talk discusses 120 companies identified as providers of attack-defense exercises and cyber range services, and profiles several of these key companies to assess their role in supporting state-linked cyber operations.

About the Authors

Mei Danowski is co-founder and principal of Natto Thoughts, a provider of cyber threat intelligence research and analysis with a specialization in geopolitical, economic, social, cultural, and linguistic perspectives. Mei’s research areas include strategic threat intelligence and East Asian political, military, economic, and strategic affairs.

Eugenio Benincasa is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich. Prior to joining CSS, Eugenio worked as a Threat Analyst at the Italian Presidency of the Council of Ministers in Rome and as a Research Fellow at the think tank Pacific Forum in Honolulu, where he focused on cybersecurity issues.



LABScon25 Replay | LLM-Enabled Malware In the Wild

3 November 2025, 11:00

This presentation explores the emerging threat of LLM-enabled malware, where adversaries embed Large Language Model capabilities directly into malicious payloads. Unlike traditional malware, these threats generate malicious code at runtime rather than embedding it statically, creating significant detection challenges for security teams.

SentinelLABS’ Alex Delamotte and Gabriel Bernadett-Shapiro present their team’s research on how LLMs are weaponized in the wild, distinguishing between various adversarial uses, from AI-themed lures to genuine LLM-embedded malware. The research focused on malware that leverages LLM capabilities as a core operational component, exemplified by notable cases like PromptLock ransomware and APT28’s LameHug/PROMPTSTEAL campaigns.

The presentation reveals a fundamental flaw in the way much current LLM-enabled malware is coded: despite their adaptive capabilities, these threats hardcode artifacts like API keys and prompts. This dependency creates a detection opportunity. Delamotte and Bernadett-Shapiro share two novel hunting strategies: wide API key detection using YARA rules to identify provider-specific key structures (such as OpenAI’s Base64-encoded identifiers), and prompt hunting that searches for hardcoded prompt structures within binaries.

A year-long retrohunt across VirusTotal identified over 7,000 samples containing 6,000+ unique API keys. By pairing prompt detection with lightweight LLM classifiers to assess malicious intent, the SentinelLABS researchers successfully discovered previously unknown samples, including “MalTerminal”, potentially the earliest known LLM-enabled malware.

The presentation addresses implications for defenders, highlighting how traditional detection signatures fail against runtime-generated code, while demonstrating that hunting for “prompts as code” and embedded API keys provides a viable detection methodology for this evolving threat landscape. A companion blog post was published by SentinelLABS here.

About the Authors

Alex Delamotte is a Senior Threat Researcher at SentinelOne. Over the past decade, Alex has worked with blue, purple, and red teams serving companies in the technology, financial, pharmaceuticals, and telecom sectors and she has shared research with several ISACs. Alex enjoys researching the intersection of cybercrime and state-sponsored activity.

Gabriel Bernadett-Shapiro is a Distinguished AI Research Scientist at SentinelOne, specializing in incorporating large language model (LLM) capabilities for security applications. He also serves as an Adjunct Lecturer at the Johns Hopkins SAIS Alperovitch Institute. Before joining SentinelOne, Gabriel helped launch OpenAI’s inaugural cyber capability-evaluation initiative and served as a senior analyst within Apple Information Security’s Threat Intelligence team.



LABScon25 Replay | Auto-Poking The Bear: Analytical Tradecraft In The AI Age

9 October 2025, 10:00

In this LABScon25 talk, Dreadnode’s Martin Wendiggensen and Brad Palm explore how AI is changing Cyber Threat Intelligence and the research practices that support it.

Analytical tradecraft and shared standards have transformed Cyber Threat Intelligence from a niche discipline into a collaborative industry-wide research endeavor. Researchers and analysts now routinely build on each other’s work, creating a foundation of trust and shared methodology.

That ecosystem is being disrupted as teams increasingly hand off data preparation, analysis, and entire workflows to AI assistants. These tools boost productivity, but they introduce new costs. You might have confidence in your own AI-assisted process, but how much can you rely on another researcher’s prompts or agentic workflow?

Given concerns over reliability and transparency, the CTI community will need to adapt its research methodology and develop a new joint understanding of the promises, pitfalls, and probabilities inherent in AI-assisted work.

Wendiggensen and Palm present a case study to illustrate their approach. They created an LLM-driven agentic system to analyze Russian internet content leaked by Ukrainian cyber activists. The speakers detail the system’s architecture and show how it performs across tasks from straightforward data collation to complex analytical pipelines used to track adversaries. They then explain how to assess the technology’s strengths and limits and, crucially, how to communicate those judgments to peers and wider audiences to preserve both accountability and transparency.

This engaging talk lays the groundwork for discussions not only in threat intelligence but in any collaborative discipline seeking to navigate the challenges of integrating agentic systems into their data analysis and decision-making pipelines.

About the Authors

Martin Wendiggensen is an AI Research Scientist at Dreadnode and PhD candidate at Johns Hopkins AIST. His research focuses on how AI is shifting the Cybersecurity Offensive-Defensive Balance.

Brad Palm is the COO at Dreadnode. Previously, he was a VP of Services and Technology for Pathfynder and the Managing Director of Software at Ascent, where he focused on SOC automation and the integration of CTI in the delivery of managed services.



LABScon 2025 | From LLM Malware to Hotel Room Bugs: A Look at This Year’s Talks

16 September 2025, 10:00

Back by popular demand, LABScon, the premier invite-only threat intelligence conference from SentinelLABS, returns for four days of immersive talks, hands-on workshops, and off-the-record sessions.

Now in its fourth year, LABScon brings together the world’s foremost cybersecurity minds to share cutting-edge research and advance collective understanding of the evolving threat landscape. Hosted in Scottsdale, Arizona, from September 17–20, this year’s event features an exceptional lineup of speakers and thought leaders.

A full schedule of the event is now available here. In this post, we put a spotlight on some of the most hotly-anticipated presentations we’ve got lined up for LABScon 2025. As with previous years, we’ll be releasing videos of some of the most popular talks in the weeks ahead, so bookmark the SentinelLABS home page, follow us on your favorite social media platform (LinkedIn, X, Bluesky), or sign up for the SentinelOne weekly email digest (eyes right →) to find out when the talks that catch your eye are publicly released.

Plunging the Internet Toilets: The Illicit Economy Enabling High-Tech Harassment, Stalking and Sextortion in the Stratosphere

Trevor Hilligoss
Aurora Johnson

SpyCloud Labs’ Trevor Hilligoss and Aurora Johnson bring us a deep dive into ‘internet toilets’: toxic online communities where netizens can dox their enemies and exes and collaborate with others to conduct aggressive cyberbullying and harassment campaigns. Focusing on Chinese online cesspools, Hilligoss and Johnson show how these Chinese internet toilets have strong similarities to western doxing communities and sadistic harm groups. More broadly, the presenters argue that digital gender-based violence acts as a core motivator and monetary driver of cybercrime across the globe.

Internet toilet users often purchase data and technical services to enable targeted harassment and stalking. The speakers go over some of the tools and services marketed to doxers, stalkers, and harassers on Chinese darknet marketplaces across three main categories: personal data lookup services, which are often serviced by corrupt insiders with positions in public security and technology companies, digital harassment tools such as SMS bombardment services, and sexploitation tools like AI nudify apps.

Because some of this activity occurs on monetizable social media platforms, harassers and internet toilet admins can also get paid simply for making popular posts that get a lot of engagement. In many cases, this doxing and harassment escalates to physical violence and has even driven victims to suicide.

Honeypots and Hostile Takeovers: A Field Guide to Organizational Arbitrage

Kristin Del Rosso

Not all compromises happen at the endpoint. While technical compromise is well understood, behavioral compromise enabled by social engineering, organizational dysfunction, and misaligned incentives remains a threat vector ripe for exploitation. Kristin Del Rosso (DEVSEC) walks through a methodological means of recognizing patterns that lead to cultivated insider threats, where actors exploit gaps in organizational visibility, policy exceptions, or social dynamics to gain influence, access, or placement.

Through anonymized case studies involving honeypotted executives, attempted hostile internal takeovers, and corporate espionage efforts, this talk dissects how subtle signals such as behavioral changes, relationship mapping, and broken enforcement norms can reveal growing security debt inside an organization. It will also show how technical instrumentation often misses this layer entirely unless designed with these dynamics in mind.

Kristin offers a practical framework for identifying organizational arbitrage, enforcing security culture, and separating malicious insiders from “move fast” employees, before a network compromise ever occurs.

How to Bug Hotel Rooms

Dan Tentler

Do you travel with expensive stuff? Do you like feeling safe about leaving your expensive stuff in your hotel room? Have you ever had anything stolen out of your room, or discovered that someone gained access to your room while you weren’t there? What about…other rooms? Maybe not EXACTLY a hotel room? Phobos Group’s Dan Tentler has presented on securing hotel rooms in the past, but now with Home Assistant, Z-Wave devices, CO2 sensors and mmWave radar, it’s become a whole new game.

In this talk, Dan shares his full travel security system. Using Home Assistant to automate things makes it incredibly easy to create rules to send alerts, turn lights on or off, make sounds, take pictures or anything else Home Assistant is capable of, but who knew it could be deployed tactically? Millimeter wave radar units can see through walls, which makes for a uniquely interesting development: like, who is lurking outside your room, or even in the room next door.

Dan’s presentation covers the basics of how all this equipment works, including a brief introduction to Home Assistant, deployment methodologies, how it can be used and future considerations – up to and including manufacturing and selling kits for deployment.

Your Apes May Be Gone, But the Hackers Made $9 Billion and They’re Still Here

Andrew MacPherson

Last year, crypto thefts hit $9.32 billion—more than half of all cybercrime losses. North Korea just pulled off a $1.5 billion heist from a single exchange. Meanwhile, most security professionals still think crypto is just magic internet money for buying NFT monkeys.

Andrew MacPherson’s talk is for the crypto-skeptical security professional who’s tired of hearing about “blockchain”. It shows why crypto security is 90% the same Web2 skills you already have, phishing, social engineering and API abuse among them, just with irreversible consequences and far better attacker ROI.

Beginning with a practical crypto primer covering the essentials, the talk explains how blockchains work, what wallets actually do, and why stablecoins matter. Then, Andrew dives into the current threat landscape: who’s stealing what, how OFAC sanctions work in a pseudonymous world, and why traditional threat intel is failing miserably at tracking crypto crime.

Most importantly, the presentation shows what makes crypto security uniquely interesting: immutable code, irreversible transactions, and attackers’ monetary wins that can’t simply be rolled back or clawed back. Threat actors range from nation-states to teenage hackers, the attack surface spans everything from smart contract logic to social engineering, and the defensive tooling is still being invented.

Come for the massive heist stories, stay because you realize this is an unexplored frontier with its own unique problems. By the end, you’ll understand why crypto security attracts both sophisticated attackers and curious defenders—not for the hype, but because it’s a different kind of security challenge worth understanding.

LLM Malware In the Wild

Gabriel Bernadett-Shapiro
Alex Delamotte

Large language models (LLMs) are now part of mainstream software‑development workflows, but they have also become a powerful new tool for adversaries. Over the past year, the presenters wrote a multi‑provider YARA rule that hunts for hard‑coded OpenAI and Anthropic model credentials inside files uploaded to VirusTotal. The rule triggered on fully‑weaponised binaries and scripts that outsource key stages of the attack chain to commercial AI services.

In this talk, SentinelLABS’ Gabriel Bernadett-Shapiro and Alex Delamotte unpack what they found. The presentation walks through multiple malware families that embed real API keys and offload tasks such as phishing‑email generation, victim triage, code‑signing bypasses and on‑device payload generation to commercial LLMs.

Gabriel and Alex explore how LLM‑powered malware changes the defender’s problem space: static signatures fail because the malicious logic is produced only at run‑time; network inspection is harder because calls look identical to legitimate use; and prompt engineering itself becomes an adversarial discipline.
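The hunting logic the abstract describes, as an added illustration and not the presenters’ YARA rule or any SentinelLABS code: a Python scanner that looks for OpenAI- and Anthropic-shaped API keys in a file’s bytes, drops placeholder keys by Shannon entropy, records whether the matching API hostname sits beside the key, and also recovers UTF-16LE wide strings so keys in Windows binaries are not missed. The key prefixes (`sk-`, `sk-proj-`, `sk-ant-`), the entropy threshold and the sample bytes are assumptions made for this example; check them against current provider documentation before relying on them.

```python
"""Hunt for hard-coded LLM API credentials in arbitrary file bytes.

Added illustrative example, not the YARA rule from the talk. Key prefix
shapes are assumptions about current OpenAI and Anthropic key formats.
"""
import math
import re
from dataclasses import dataclass

# Assumed provider key shapes. Anthropic is listed first and excluded from
# the OpenAI pattern: "sk-ant-..." would otherwise also satisfy a bare "sk-".
# Group 1 captures the random tail that the entropy check is applied to.
KEY_PATTERNS = [
    ("anthropic", re.compile(rb"sk-ant-([A-Za-z0-9_\-]{24,})")),
    ("openai", re.compile(rb"sk-(?!ant-)(?:proj-)?([A-Za-z0-9_\-]{24,})")),
]

# Hosts whose presence beside a key raises confidence the key is actually used.
API_HOSTS = {
    "anthropic": b"api.anthropic.com",
    "openai": b"api.openai.com",
}

MIN_ENTROPY = 3.5  # bits per byte; "sk-xxxxxxxx..." style placeholders score ~0


@dataclass
class Finding:
    provider: str
    encoding: str      # "ascii" or "utf-16le"
    offset: int        # offset within the scanned view, not the raw file
    key_preview: str   # prefix + last four characters, never the full secret
    entropy: float
    host_seen: bool


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _views(data: bytes):
    """Yield the raw bytes plus two UTF-16LE decodings (both byte alignments).

    Wide strings in PE binaries are NUL-interleaved ASCII; decoding as UTF-16LE
    and keeping only ASCII recovers them, while ASCII runs decode to non-ASCII
    code units and drop out. Trying both alignments avoids missing strings
    that start at an odd offset.
    """
    yield "ascii", data
    for shift in (0, 1):
        wide = data[shift:].decode("utf-16-le", errors="ignore")
        yield "utf-16le", wide.encode("ascii", errors="ignore")


def find_llm_keys(data: bytes) -> list[Finding]:
    """Return one Finding per provider key whose tail looks random, not a placeholder."""
    findings: list[Finding] = []
    for encoding, view in _views(data):
        for provider, pattern in KEY_PATTERNS:
            for m in pattern.finditer(view):
                ent = shannon_entropy(m.group(1))
                if ent < MIN_ENTROPY:
                    continue  # documentation sample or placeholder, not a live credential
                key = m.group(0)
                findings.append(Finding(
                    provider=provider,
                    encoding=encoding,
                    offset=m.start(),
                    key_preview=key[:7].decode() + "..." + key[-4:].decode(),
                    entropy=round(ent, 2),
                    host_seen=API_HOSTS[provider] in view,
                ))
    return findings


def build_sample() -> bytes:
    """Constructed sample resembling the strings section of a stripped PE file.

    Contains one real-looking OpenAI key (ASCII), one placeholder that must be
    filtered, and one real-looking Anthropic key stored as a wide string.
    """
    ascii_part = (
        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
        + b"https://api.openai.com/v1/chat/completions\x00"
        + b"Authorization: Bearer sk-proj-Q7mZ2xLp9VtR4cHw8KsYb3NdE6jFgA1u\x00"
        + b"sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\x00"
    )
    wide_part = (
        "https://api.anthropic.com/v1/messages\x00"
        "sk-ant-api03-Hf3kT9qLzX2mB7vN0pCsW4yRdG8eJa1u\x00"
    ).encode("utf-16-le")
    return ascii_part + wide_part


if __name__ == "__main__":
    for f in find_llm_keys(build_sample()):
        print(f)
```

In YARA the same idea is a regex string per provider combined with the hostname in the condition; the entropy filter is what keeps SDK documentation and placeholder keys out of the hit list when the rule is run over a large upload stream. The preview field deliberately truncates the secret so that triage output does not itself leak a working credential.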

The Elephant in Many Rooms: Orange Indra’s Consistent Hunt for Access in the Asia Pacific Region

Jono Davis

Within the ecosystem of espionage-oriented threat actors, there is often an unspoken hierarchy of intrusion sets; China-based, Russia-based, Iran-based, and North Korea-based threat actors are often regarded as both tactically and strategically more relevant to Western organisations than others.

In this talk, PwC’s Jono Davis shines a light on one of the less-discussed threat actors, introducing an intrusion set that PwC assesses to be based in South Asia and has observed since at least 2024 conducting substantial credential phishing activity across the Asia Pacific region and beyond.

This is a threat actor PwC has dubbed Orange Indra (currently not aligned to any open-source nomenclature), responsible for campaigns targeting defence and government entities of countries that align with foreign policy objectives of the country it is based in.

Using Orange Indra as an example, Jono highlights the tools, techniques, and procedures (TTPs) of a prolific, efficient threat actor, alongside a strategic overview of South Asia more broadly as it pertains to the wider Asia Pacific, and the potential near-future conflicts for regional hegemony.

Finally, this talk provides a platform to emphasise the strategic imperative for organisations, analysts, and the wider intelligence community to pay attention to threat actors emanating beyond the “Big 4” outlined above.

Are Your Chinese Cameras Spying For You or on You?

Silas Cutler
Marc Rogers

Hundreds of thousands, if not millions, of Chinese cameras, alarms and security systems have backdoors and are ready to spy on you out of the box. Most of these devices are also designed to be unmaintainable, destined for the dumpster rather than for a patch.

Delivered by a sophisticated shadow supply chain that bypasses regulatory scrutiny supplying fake FCC, CE and UL certification, these devices are carefully laundered through online shopping platforms like Amazon and even high street shops.

In this talk, Silas Cutler (Censys) and Marc Rogers (nbhd.ai) present their analysis of the devices and their current understanding of the backdoors present in them. Additionally, the talk covers past and ongoing efforts to hold transgressors accountable.

Auto-Poking The Bear – Analytical Tradecraft In The AI Age

Martin Wendiggensen
Brad Palm

Analytical tradecraft and shared standards have transformed Cyber Threat Intelligence from a niche discipline into a collaborative industry-wide research endeavor. Researchers and analysts now routinely build on each other’s work, creating a foundation of trust and shared methodology.

AI is disrupting this ecosystem, as we increasingly delegate data preparation, analysis, and entire workflows to AI assistants. Doing so will make us more productive, but not without cost. While you may trust your own AI-assisted analysis, can you trust another researcher’s prompts/agent process? As questions about reliability and transparency persist, we will need to adapt our research methodology and develop a new joint understanding of the promises, pitfalls, and probabilities inherent in AI-assisted work.

Dreadnode’s Martin Wendiggensen and Brad Palm tackle these challenges through a concrete case study, presenting their own LLM-based agentic system, developed to analyze Russian internet data leaked by Ukrainian cyber activists. The speakers walk through the system’s architecture and demonstrate its performance across tasks ranging from simple data collation to sophisticated analytical workflows to track adversaries.

Along the way, they outline how to understand the promises and limitations of this technology and, more importantly, how to communicate them to other researchers and audiences in order to maintain transparency and accountability for published products.

Hacktivism and War: Malicious Activism and Nation-State Fronts in Times of Conflict – A Clarifying Discussion

Jim Walter

SentinelLABS’ own Jim Walter explores how malicious hacktivist activity is being strategically leveraged by nation-states and mercenary groups to obscure intent, destabilize targets, and weaponize public narratives. Through technical case studies and geopolitical analysis, Jim’s talk examines how these actors blend ransomware, data leaks, DDoS, and psychological operations under activist façades—creating significant challenges for attribution, response, and long-term threat modeling.

Combined with a review of existing and still highly prolific traditional hacktivist groups and their role in the current landscape, this presentation aims to bring some much needed clarity to a very murky and confusing picture.

Simulation Meets Reality: How China’s Cyber Ranges Fuel Cyber Operations

Mei Danowski
Eugenio Benincasa

Between late 2024 and early 2025, the United States government issued indictments or sanctions against three Chinese information security firms – i-SOON, Sichuan Silence, and Integrity Tech – alleging their support for or links to malicious cyber groups targeting US government and critical infrastructure systems.

In their research, Mei Danowski (Natto Thoughts) and Eugenio Benincasa (ETH Zurich) found that all three companies serve as a key seedbed for nurturing China’s offensive cyber talent with cyber range services, which train cybersecurity professionals through “attack-defense live-fire” (攻防实战) exercises. Alongside hacking contests and crowdsourced bug bounty programs, attack-defense live-fire exercises are one of the primary mechanisms leveraged by the Chinese government to enhance its cyber capabilities, with support from a rapidly growing private cybersecurity industry with more than 4000 products and services providers.

This presentation focuses on the development of attack-defense exercises and commercial cyber ranges in China, areas that have received relatively little attention to date.

The talk examines how this ecosystem is shaping China’s offensive cyber capabilities and discusses 120 companies identified as providers of attack-defense exercises and cyber range services.

CamoFei Meets the Taliban

Aleksandar Milenkoski
Julian-Ferdinand Vögele

SentinelLABS’ Aleksandar Milenkoski and Insikt Group’s Julian-Ferdinand Vögele team up once again to bring you a unique talk on CamoFei, a threat actor that overlaps with ChamelGang (aka TAG-112, Evasive Panda), and which sets itself apart within the landscape of China-linked APT groups through a dual-track operational model that blends traditional cyber espionage with disruptive activities.

The group continues to target high-profile entities of strategic interest to Chinese intelligence, including Tibetan and Taiwanese organizations, while simultaneously engaging in operations that suggest influence or destabilization objectives, often layered with plausible deniability.

As of early 2025, CamoFei remains highly active, expanding its reach across a diverse set of governmental and private-sector targets in Southeast Asia, Europe, and the Middle East while adopting new tactics and techniques. Its recent compromise of Taliban networks in Afghanistan, which coincided with a suspected hack-and-leak influence campaign targeting the Taliban itself, points to a possible evolution toward hybrid operations that merge technical intrusions with geopolitical narratives.

While the shift remains unconfirmed, it reflects the broader challenge posed by the increasingly blurred lines between espionage, influence operations, and cybercrime, making attribution and intent analysis more difficult.

As multiple CamoFei victims exhibit signs of concurrent compromise by other Chinese-nexus groups, the case underscores a broader analytic challenge, namely, that overlapping intrusions within the same victim environments complicate attribution and intent analysis, raising important questions about coordination, operational autonomy, and competition within the broader Chinese threat ecosystem.

SentinelLABS
We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms.
