Hunting at scale, identifying Internet connected OT devices
Have you ever been on an Internet safari? Join us on an expedition into the world of internet-connected OT devices! We’ll introduce you to our OT Big Five and share fascinating cases we have encountered. We’ll also explore the motivations behind our research, how the NCSC identifies OT devices at scale using repeatable methods, and the legal […]
Edge Devices: Your network blindspot
Edge devices are often a black box: limited transparency, minimal monitoring, and when compromised, they offer a direct stepping stone into your internal network. Precisely because signs of an attack are barely noticeable, breaches are often detected too late. And every time a new zero-day vulnerability emerges, swift and targeted investigation is essential—but in practice, […]
Inside NCSC’s CTI Team: Tracking Threat Actors Targeting the Netherlands
“From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving. In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) offers a rare behind-the-scenes look at how they investigate […]
Further Development of the Nationaal Detectie Netwerk
Within the NIS2 programme we are working hard on modernising the Nationaal Detectie Netwerk (NDN). Where the network currently relies mainly on network sensors within the central government, we are extending it with support for new technologies, such as detection within cloud environments. In addition, we are making the NDN scalable, so that all NIS2 target-group organisations can exchange threat information. This year we […]
Threat From The Inside: eBPF Used by Malware
eBPF (extended Berkeley Packet Filter) is a powerful and mysterious technology in the Linux kernel. As its name suggests, it was originally created for network packet filtering. However, it evolved into a more general-purpose mechanism to observe and manipulate kernel behavior. What could go wrong? We will not pick on eBPF because it is not […]
Tracking the North Korean B-Team Persistent Threat (BPT)
Since early 2025, Fox-IT has been tracking a cluster of activity linked to the Contagious Interview campaign, involving the malware families known as BeaverTail, InvisibleFerret, and OtterCookie. This talk provides a behind-the-scenes look at our threat intelligence methodology for tracking this campaign and actor. We’ll demonstrate our investigation approach, showing how we first manually investigate […]
Turning Malware Against Itself for Proactive Defense
What if the key to stopping malware was hidden inside the malware itself? In this talk, we will explore the concept of malware vaccines—leveraging the techniques malware uses for self-preservation to turn the tables on attackers. By analyzing how malware checks its execution environment—whether through sandbox evasion, mutex creation, process enumeration, or infection markers—we can […]
Elevate Your API Testing Game: WuppieFuzz in Action
With many businesses depending on communications between digital services, well-specified application programming interfaces (APIs) are used to facilitate this. However, as these APIs form a point of entry to critical applications, they are an attractive target for malicious actors. Therefore, thorough testing of these APIs is desired. With the growing number of APIs available for […]
From Comments With Love
At the request of the Dutch public broadcasting company NOS, two experts of DataExpert and Infoblox investigated a wave of spammy, sexualized GIF comments on Instagram. They uncovered a coordinated campaign tied to an affiliate of the cybercriminal network VexTrio. These seemingly harmless GIFs were designed to lure users towards malicious websites, with traffic routed […]
From Lab to Field: Hansken Dev Joins Cyber Team
Team Cybercrime Rotterdam (TCC Rotterdam) recently dismantled a facilitator network behind large-scale helpdesk fraud. The operation offers a rare inside look at how modern digital evidence techniques reconstruct a criminal modus operandi—and how Digital Forensics as a Service (DFaaS) accelerates that process. Facilitators supplied everything the callers needed: phishing portals, victim lead lists, VoIP […]