Speakers & Talks

2 days (24 – 25 November 2025), 2 Keynotes, 11 Presentations

Opening Keynote

Speaker Name: Puan Shariffah Rashidah Syed Othman

Designation: Timbalan Ketua Pengarah (Deputy Director General), Jabatan Perlindungan Data Peribadi (Department of Personal Data Protection)

Puan Shariffah, formerly at NACSA as Director of Policy & International Cooperation, has served the Government of Malaysia as an Administrative and Diplomatic Officer since 2004, starting in the ICT and Technical Division of the National Security Council (NSC) before moving to the Cyber and Space Security Division in 2006. She began as an Assistant Director and later advanced to Principal Assistant Director. She has spent nearly two decades formulating, coordinating, and monitoring national cyber security policies in Malaysia.

Her key contributions include the development of the NSC Directive No. 24: Policy and Mechanism for National Cyber Crisis Management, the NSC Directive No. 26: National Cyber Security Management, the National Cyber Crisis Management Plan, the National Cyber Coordination and Command Centre (NC4), the National Cryptography Policy, the Malaysia Cyber Security Strategy 2020-2025, the Cyber Security Act 2024 [Act 854] and the Malaysia Cyber Security Strategy 2025-2030. In the ASEAN arena, she helped shape the ASEAN Regional Forum (ARF) Work Plan on the Security of and in the Use of ICTs, facilitating the establishment of the ARF Inter-Sessional Meeting on ICTs Security (ARF ISM on ICTs Security) and the ARF Points of Contact on ICTs Security.

AWS Compromises Explored: Through the Attacker’s Eyes and the Defender’s Lens

Speaker Name: In Ming
Designation: Principal Consultant, CrowdStrike

Speaker’s Profile

In Ming specialises in incident response and technical assessment engagements focusing on cloud. He has also worked on several high-profile investigations involving both nation-state and eCrime threat actors for a wide range of industries across the globe.

Abstract

Organizations are rapidly adopting AWS to host critical workloads, but attackers are evolving just as quickly, developing and refining techniques that exploit cloud native services and misconfigurations that are often overlooked by defenders unfamiliar with AWS.

We have worked on multiple incident investigations across industries where threat actors have successfully targeted AWS environments.

In this talk, we will break down real world techniques used by these actors across the MITRE ATT&CK lifecycle, including gaining initial access through exposed credentials, launching compute for long term persistence, living off the land via SSM and Lambda, and exfiltrating data.

We will highlight the recurring misconfigurations and insecure patterns that enabled these compromises, such as overly permissive instance profiles, neglected monitoring in non default regions, and failure to control service to service communication.

Through this talk, attendees will gain a better understanding of the attacker’s playbook in AWS and receive actionable guidance on detection, prevention, and response. The content is relevant for both Red and Blue Teams looking to simulate real attack paths, strengthen cloud posture, and develop incident response capabilities specifically for AWS workloads.

Automating Intelligence: Building SOCMINT Pipelines with n8n and MCP

Speaker Name: Luqman Azzaki
Designation: Solution Architect at Eclogic Sdn Bhd
Speaker Name: Ammar Aryani bin Abdul Rani
Designation: OSINT Data Analyst at Eclogic Sdn Bhd

Speaker’s Profile

Luqman is a Solution Architect specializing in digital footprint analysis, open-source data gathering, and intelligence reporting. He designs and builds OSINT systems with advanced tools for link analysis and automation. With years of experience, he also shares his knowledge through training and writing to help others apply OSINT in real investigations and threat assessments.

Ammar is an OSINT (Open-Source Intelligence) Data Analyst specializing in transforming publicly available data into actionable insights. He leverages machine learning, SEO techniques, and data analysis to support investigations, cybersecurity, and informed decision-making. He also applies geospatial intelligence to uncover location-based patterns and connections. Ammar is a certified Data Science Specialist.

Abstract

In today’s threat landscape, social media is no longer just a source of information—it’s a battleground for misinformation, cybercrime coordination, and reputational sabotage.

This talk introduces a practical, open-source approach for automating Social Media Open-Source Intelligence (SOCMINT) using n8n, built around a structured design methodology known as the Model Context Protocol (MCP).

Attendees will learn how to design an automated Social Media threat monitoring pipeline that is modular, scalable, and mapped to the Prevent, Detect, Respond, and Recover (PDRR) cybersecurity model. We’ll walk through real case scenarios—including threat indicators during the conflict—where the system successfully tracked impersonation, leaked credentials, and coordinated disinformation across multiple platforms.

The audience will gain practical insights into building open-source, budget-friendly alternatives to commercial threat intelligence platforms—without sacrificing capability or responsiveness.

Following the Breadcrumbs: MacOS Unified Logs & FSEvents

Speaker Name: Jason Phang Vern-Onn
Designation: Principal Cybersecurity Analyst at Gen Digital
Speaker Name: Robbin Ooi Zhen Heng
Designation: Cybersecurity Analyst at Gen Digital

Speaker’s Profile: Jason Phang Vern-Onn

Jason Phang is a Principal Cybersecurity Analyst at Gen Digital, with extensive experience in threat hunting, incident response, and detection engineering. Before his current role, he served as CSIRT Lead at MoneyLion, leading incident response operations and cyber defense initiatives. He was previously a Threat Hunter at WithSecure, where he successfully uncovered and analyzed macOS malware families including AMOS, Frigid, and Cuckoo, and developed detection rules to protect enterprise customers.

Earlier in his career, he worked as a SOC Analyst at Experian and Maybank, building a strong foundation in security operations and threat monitoring. His expertise lies in uncovering advanced threats and transforming forensic insights into actionable detections, with a particular focus on macOS malware hunting and defense.

Speaker’s Profile: Robbin Ooi Zhen Heng

Robbin is a passionate DFIR professional with over 1.5 years of experience, currently working as both an Incident Responder and Threat Hunter at Gen Digital. From an early stage, Robbin developed a fascination with the world of digital forensics, which laid the foundation for his career path. He began honing his skills through CTF competitions, focusing on challenges in forensics and reverse engineering.

As macOS adoption continues to grow across enterprises, Robbin recognizes the increasing importance of research in this domain and has been actively exploring new attack techniques, artifacts, and detection methods to help strengthen defenses against such threats.

Abstract

What if your macOS environment has no EDR agent and no centralized logging? Are you blind to attacker activity? Not quite. Apple’s Unified Logs and FSEvents offer a powerful but often overlooked visibility surface for hunting and forensics. As malware families like AMOS adopt increasingly sophisticated tradecraft, these artifacts become critical for exposing execution anomalies, persistence attempts, and stealthy file operations. This talk demonstrates how to extract and correlate Unified Logs and FSEvents to reconstruct attacker behavior and operationalize these insights with osquery, enabling defenders to scale detection and response. Attendees will leave with practical methods for leveraging built-in macOS telemetry to track malware even without EDR.

This deep technical session walks through how to investigate macOS malware using native telemetry sources when traditional EDR visibility is unavailable. We’ll begin with an overview of the macOS malware landscape, highlighting families like AMOS, Cuckoo, and Frigid, then dive into practical methods for parsing and correlating Unified Logs to trace process execution and persistence.

Next, we’ll examine how FSEvents reveals file system activity that attackers rely on for stealth and persistence. Finally, we’ll show how these insights can be operationalized with osquery to build scalable detection and hunting capabilities across enterprise fleets. Participants will leave with concrete techniques to apply forensic data for macOS threat hunting and incident response even in environments without EDR.

50 Shades of Purple: Mastering the Art & Science of Purple Team Evolution

Speaker Name: Peng Fei Yu
Designation: Solutions Architect (APJ & SAARC) at Picus Security

Speaker’s Profile

Pengfei is the APJ & SAARC Solutions Architect at Picus Security. Previously, he worked as a Cybersecurity Engineer in GovTech’s GCSOC team, where he led the implementation of continuous purple teaming across the Whole-of-Government. Before this role, he served on GovTech’s red team, mainly dabbling in VAPT and Adversary Simulation. Pengfei is certified with OSCP, eMAPT, Crest CRT, CCSK V4, etc. He has conducted research on emerging cybersecurity technologies and presented his findings at renowned conferences like Black Hat USA & Asia, DEFCON, SINCON, ROOTCON, etc.

Abstract

Remember when we thought putting red & blue teams in the same room was revolutionary? Yeah…about that. After spending quite some time in the trenches implementing purple teams across various sectors, I’ve collected enough failures and unexpected wins to piece together what actually works. Trust me – it wasn’t pretty at first, but those hard lessons led to something valuable.

My talk “50 Shades of Purple” gets right to the heart of the matter.

I’ll break down why most “purple team” exercises fail to deliver real value (hint: it’s not the tools), then walk through the 4-phase methodology I developed through painful trial & error – and more importantly, how we transformed that initial framework into a continuous, integrated process that actually keeps pace with today’s threats. We’ll explore:

– How we evolved from one-off exercises to a continuous validation ecosystem

– The emergence of “Continuous Purple Teaming” as a game-changer

– The good/bad/ugly of manual vs automated testing (& when each makes sense)

– Measuring stuff that executives actually care about

– The path toward Adversarial Exposure Validation (AEV) – Gartner’s term for the next evolution in security validation that’s transforming how we approach defense

Whether you’re struggling with your first purple team exercise or trying to convince leadership why your existing program needs more investment, this talk delivers concrete next steps. No silver bullets or vendor pitches – just honest lessons from someone who’s screwed this up enough times to finally get it right.

Unveiling the Shadow: How a Security Breach in the WordPress Ecosystem Compromised Millions of Sites

Speaker Name: Rafie Muhammad
Designation: Lead Security Researcher at Patchstack

Speaker’s Profile

Rafie Muhammad is a Lead Security Researcher at Patchstack. He specializes in web application security, WordPress security, and PHP code review.

Rafie is passionate about web application security with a white-box approach. He likes listening to podcasts while reading a bunch of PHP code in VSCode. With 3+ years of experience in WordPress security, Rafie has secured critical and highly popular WordPress components, ranging from WordPress Core to plugins and themes.

Rafie also likes doing CTF and bug bounty in his free time.

Abstract

WordPress powers over 40% of the web, making its plugin and theme ecosystem a prime target for attackers. While the plugin and theme ecosystem is now much more mature in terms of vulnerability reporting and handling, we still encounter unexpected attack vectors that could easily compromise a site.

This talk explores multiple major security breaches within the WordPress ecosystem that affected millions of websites worldwide, where an attacker maliciously injected malware or a backdoor into the plugin or theme code repository. We will analyze briefly how the breach occurred, the types of malware involved, and the impact on website security and data integrity.

We will technically break down how the malware is pushed as an additional code to the plugin or theme and how it plants itself as a persistent backdoor on a site. We will also analyze how each vendor handles each security breach incident and takeaways from the breach.

By the end of this session, attendees will gain insights into attack vectors from breaches, details of WordPress-based malware, and best practices to defend against similar threats, ensuring a safer WordPress environment for all users.

UAV Forensics: Unveiling the Black Box Secrets

Speaker Name: Captain Kelvin
Designation: Independent Security Researcher

Speaker’s Profile

Captain Kelvin, founder of LOONG Community, is an independent security researcher. He focuses on hardware security research, penetration testing, incident response and digital forensics analysis. He was the first and the only Asian to lead a group of white-hat hackers in holding an in-depth, hands-on hardware hacking village at BLACK HAT and DEFCON. He is also a frequent speaker and trainer at top-notch security and forensics conferences including SANS, HTCIA, DFRWS, GCC, CodeBlue, HITB, SINCON, AVTokyo and HITCON.

Abstract

Unmanned Aerial Vehicles (UAVs), commonly known as drones, have become ubiquitous in civilian, commercial, and military applications, raising critical concerns in digital forensics when involved in incidents such as unauthorized surveillance, crashes, or criminal misuse. Traditional forensic investigations often overlook the “black box” equivalent of UAVs—their embedded firmware—which stores invaluable data on flight logs, telemetry, control commands, and sensor inputs. This paper introduces a novel firmware extraction technique tailored for UAV forensics analysis, enabling investigators to bypass hardware obfuscation and proprietary encryption mechanisms without compromising evidentiary integrity.

Engineering Multi-Agent AI Systems for Threat Intelligence

Speaker Name: Rashmi Nagpal
Designation: Research Affiliate at MIT

Speaker’s Profile

Rashmi is a Research Affiliate at MIT, working in the intersection of deep learning and cybersecurity to solve complex engineering challenges. Her work has contributed to scientific publications and international conferences.

Rashmi is a passionate advocate for equity in tech and volunteers her time in mentoring women from diverse socio-economic backgrounds to pursue careers in STEM.

Abstract

Ever wondered how we can design and implement multi-agentic AI systems for threat intelligence? In an era where vulnerabilities emerge daily, it’s vital to keep up with the unprecedented pace. In this talk, let’s deep-dive into the engineering practices required to build and deploy multi-agent AI systems that don’t just react, but autonomously manage the entire vulnerability lifecycle.

Attackers often exploit software vulnerabilities within days of their discovery, while organizations typically require months to deploy patches, leading to extended periods of exposure. With the increasing volume of new vulnerabilities (over 29,000 CVEs reported in 2023), traditional human-driven security processes are no longer sufficient to counter machine-speed threats. In this talk, we will understand the engineering principles behind building a multi-agentic system designed to automate the entire security lifecycle. We will explore its architecture, which integrates specialized AI agents for distinct tasks:

  1. Vulnerability Detection: Utilizing fine-tuned large language models to identify security flaws in code.
  2. Patch Generation: Automatically creating code fixes for identified vulnerabilities.
  3. Fix Validation: Verifying the effectiveness of generated patches.

The three key takeaways from this talk are:
1. Learn practical techniques to fine-tune code analysis models for the security system lifecycle.
2. Discover how to architect a reliable multi-agent system with robust error handling, agent coordination, and fail-safe mechanisms for production environments.
3. Implement strategies for managing edge cases where automated patching fails, ensuring the system remains both effective and safe.

0-Days and N-Days in AI/ML Supply Chain Frameworks

Speaker Name: Aden Yap
Designation: Lead Penetration Tester at BAE Systems DI, Malaysia

Speaker’s Profile

Aden is a Lead Penetration Tester at BAE Systems DI based in Malaysia, with over 9 years of experience in offensive security. He has successfully led red teaming and advanced penetration testing engagements across multiple industries worldwide, uncovering critical vulnerabilities in both applications and infrastructure. Beyond client work, he actively contributes to bug bounty and vulnerability disclosure programs. His research has led to the discovery of multiple internet-exposed vulnerabilities, earning him 18 CVE IDs to date. He has previously shared his work at BSides, ROOTCON, and RedTeam Hacker Academy conferences.

Abstract

AI/ML supply chain frameworks remain a high-value target for attackers. Our focused research into open source Mage-AI and Dify uncovered six CVE-assigned vulnerabilities that expose systemic security gaps and provide key lessons for defenders and researchers.

In this talk, we reveal critical vulnerabilities discovered in two widely adopted open-source AI/ML frameworks – Mage-AI and Dify – discovered through months of focused research into the AI software supply chain. The Mage-AI flaw enabled remote code execution through insecure default configurations, while Dify suffered from multiple broken access control vulnerabilities within its application layer. The disclosure process took nearly a year and was at times disputed, with Mage-AI contesting the RCE severity and leaving the issue unpatched in default deployments, while Dify addressed and fixed all reported flaws. These findings, now assigned a total of six CVEs, highlight the widening gap between rapid AI adoption and secure-by-design engineering practices. We’ll walk through our discovery methodology, real-world internet exposure data analysis, exploit vectors, and lessons for defenders, researchers, and developers building on top of modern AI/ML infrastructure.

The Tsunami That Swept The Cyber Battlefield: Analysis of Lazarus’s Operation

Speaker Name: Hankuk Jo
Designation: Threat Intelligence Researcher at NSHC Threat Research Lab

Speaker’s Profile

Hankuk Jo is a threat intelligence researcher at NSHC’s Threat Research Lab, specializing in the analysis of cyber attackers’ tactics, techniques, and procedures (TTPs). He has experience presenting his research findings at JSAC 2025 (hosted by JPCERT/CC) and K-CTI 2025 (organized by DailySecu).

Abstract

This presentation provides an in-depth analysis of a sophisticated cyber operation conducted by the North Korean state-sponsored threat group Lazarus, uncovered in May 2025. The campaign primarily targeted the cryptocurrency sector through a multi-stage malware framework disguised as a legitimate trading application.

The attack chain began with an NSIS-based installer that deployed an Electron application containing a JavaScript loader. Subsequent stages included Python modules for remote control and data exfiltration, culminating in a modular .NET-based backdoor named “Tsunami.” This malware leveraged encrypted payload staging via Pastebin, Tor-based C2 communication, and abuse of legitimate tools like AnyDesk to maintain persistence and evade detection.

The operation demonstrates strong overlaps with prior Lazarus campaigns from 2023 and 2024, confirming an evolution of their long-term cyber strategy. The modular design of Tsunami suggests capabilities beyond cryptocurrency theft, potentially enabling espionage or destructive actions.

The Qualcomm Dungeon: Recovering data with EDL, Sahara, Firehose and Port 9008

Speaker Name: Jason Kek & Lee Zhi Wei (Dennis)
Designation: Independent Security Researchers

Speaker’s Profile

Jason Kek is a recent Ngee Ann Polytechnic graduate (Diploma in Cybersecurity & Digital Forensics) and the founder of the ISC2 Singapore Chapter Youth Wing. He’s worked across blue-, red-, and build-side roles: supporting quantum-safe and HSM initiatives at IBM (on OpenShift), SOC operations at CyberProof, and contributing to VAPT assessments at KPMG. Jason enjoys learning from the community he helps organize and focuses on practical, responsible approaches to security and digital forensics.

Lee Zhi Wei is a graduate of Ngee Ann Polytechnic with a Diploma in Information Technology and has mentored teams in hackathons. He has a passion for technology: he formerly interned in a datacenter and provided part-time IT support and application deployment for an SME. He also runs a home-lab environment built from decommissioned enterprise hardware and virtualisation, working with Cisco, Lenovo, Proxmox and other technologies that may be found in the wild. Zhi Wei is very supportive of the open-source community, contributing back and learning from the community whenever he can, and is very open to new technologies that come along.


Abstract

Modern flagship Android devices harden the device-side recovery surface: ADB is disabled or unauthorized on locked devices, MTP is suppressed until user authentication, and unsigned recovery images are blocked by OEM lock and AVB. This session presents a student research proof-of-concept (PoC) that moves past these dead ends to focus exclusively on Qualcomm Emergency Download (EDL) mode, in particular using the HS-USB QDLoader 9008 recovery endpoint as the last resort for forensic acquisition on locked Snapdragon devices after standard user-level avenues (ADB, MTP, and TWRP custom recovery) are blocked by FRP, OEM bootlock, and Knox. We utilize community tooling like bkerler/edl and ChimeraTool for orchestration to eliminate the need for rooting, plus a custom EDL cable that we built ourselves, to bring the device to the QDLoader 9008 state.

This session is aimed at forensic practitioners and researchers with a view to how EDL can be used responsibly to acquire authoritative device images when higher-level channels are unavailable.

Down to 256 : Offensive Response Utilizing Errors Made by Ransomware Gangs

Speaker Name: Sangsoo Jeong
Designation: Offensive vulnerability researcher @78ResearchLab


Speaker’s Profile

Sangsoo Jeong is an offensive vulnerability researcher @78ResearchLab and a former Red Team leader of a global company. 78ResearchLab is based in South Korea and specialises in the development of cyber warfare tactics and offensive and attack technologies. They analyse the cyber warfare strategies of Advanced Persistent Threat (APT) groups, conduct research on attack techniques such as 0-day vulnerabilities, and develop various cyber weapons, exploits, and post-exploitation techniques that can be utilized in cyber warfare operations.

Abstract

Many agencies and companies facing ransomware attacks are often cornered into negotiations to protect business continuity and prevent data leaks. Gunra ransomware, a prominent variant of the Conti ransomware, first surfaced in April 2025 and targeted major South Korean financial institutions, demanding a ransom.

The encryption used by the Gunra ransomware gang was initially deemed undecipherable. However, the South Korean Financial Security Institute (FSI) successfully decrypted the encrypted data. 78ResearchLab was so intrigued by the successful decryption of the data encrypted by Gunra ransomware that our researchers analyzed the Gunra ransomware in detail.

This presentation will explain in detail the technical findings of our analysis and research. We will also demonstrate how we reverse engineered Gunra ransomware, discovered a critical vulnerability, and successfully replicated the decryption using a Known-Plaintext Attack.

Keynote: Securing and Governing AI

Speaker Name: Eugene Teo
Designation: ASEAN Chief Security Advisor, Microsoft

Speaker’s Profile

Eugene Teo is Microsoft ASEAN’s Chief Security Advisor. He advises and guides enterprise CISOs, CIOs, and Board Directors to enhance their cybersecurity oversight, strategy, and posture. Additionally, he serves as the Data Protection Officer (DPO) for the Singapore subsidiary and is a member of the extended regional leadership team. Eugene provides strategic advice on security matters and ensures senior leadership enablement.

Before joining Microsoft, Eugene was the Vice President of Security and APAC Chief Security Officer (CSO) at UKG (formerly Ultimate Software). He also served as a Subsidiary Board Director for a UKG subsidiary in Singapore. Eugene has held security leadership positions at Symantec Security Response and Red Hat Product Security.

Abstract

As artificial intelligence becomes ubiquitous, it opens new frontiers for both innovation and exploitation. This session provides a strategic overview of AI security. We will analyse the current threat landscape targeting AI systems and identify the key security and governance challenges organisations face during its implementation. We will then look forward, discussing the future of AI-driven cyber defence and outlining how organisations can leverage these new technologies to move from a reactive posture to one of proactive resilience against emerging threats.