DeepSec 2025 Conference Summary

DeepSec 2025 [1] took place in Vienna from 18 to 21 November 2025, bringing together leading security professionals from academia, government, industry, and the underground hacking community.
The conference featured a strong lineup of talks and hands-on workshops covering topics such as IoT hardware hacking, OT security, web penetration testing, threat modeling, eCrime intelligence, mobile security, social engineering, and lock system exploitation.
The Epignosis Security Team participated in DS25 with a presentation titled “L.E.E.C.H – Lazy Entity Exploits Cursed Hosts” [2], showcasing data exfiltration techniques that abuse publicly exposed web server logs, detection capabilities in AWS cloud environments, and malware families employing similar tactics.
Below is a summary of selected sessions we attended, along with key takeaways:
JWT Puzzles – A Unique Large-Scale Application Attack for Red Team Engagements
How shared signing keys and insufficient validation across multiple web applications can allow the same JWT to access unintended resources.
Déjà Vu with Scattered Spider: Are Your SaaS Doors Still Unlocked?
An in-depth analysis of the LUCR-3 (Scattered Spider) threat group and its techniques [3].
Ransomware vs. Info Stealers: A Comparative Analysis
A comparison between ransomware and info-stealer operations, focusing on how stolen information accelerates and supports ransomware campaigns.
Hunting Shadows: Using Threat Intelligence to Outpace Adversaries
How threat intelligence can be leveraged to identify threat actors and enhance detection, prevention, and response efforts.
Spotter – Universal Kubernetes Security Engine
An introduction to Spotter, an open-source solution designed to secure Kubernetes clusters across their entire lifecycle [4].
L.E.E.C.H – Lazy Entity Exploits Cursed Hosts
Data exfiltration through exposed server logs, examples of malware using similar techniques, AWS-native detection strategies using CloudWatch and VPC Flow Logs, and a live demonstration of the tool [5].
Android Malware Detection Through an Integrated System Using Permission-to-Exploitation Associations
A presentation on AuthProtect, a scalable, integrated model for Android malware detection that uses incremental learning to proactively identify malicious behavior.
GitHub Security at Scale: One Open-Source Tool to Rule Them All
An overview of a comprehensive open-source tool that helps organizations secure their GitHub environments at scale. It performs organization- and repository-level posture checks, scans for hardcoded secrets, conducts Software Composition Analysis (SCA), validates security rules, detects misconfigurations, and generates detailed reports with prioritized remediation guidance [6].
Physical Security Talk (Replacement Session)
A last-minute replacement session demonstrating attacks on physical door systems (e.g., server rooms, garage doors). Techniques included lock manipulation, key duplication, under-door tools, card-reader tampering, and much more.
Machine Learning Poisoning: How Attackers Can Manipulate AI Models for Malicious Purposes
How injecting malicious samples into training datasets can manipulate machine-learning models—often while remaining undetected for long periods.
Quantum-Safe Cryptography: The Future of Cyber(Un)Security
The state of quantum-resistant cryptography, which key types are vulnerable (asymmetric vs. symmetric), existing challenges such as quantum-secure authentication, and future projections.
Catching WordPress 0-Days on the Fly
A technique for monitoring newly introduced WordPress code for risky functions and generating alerts for code review. While promising, the current system produces a high number of false positives.
How To Breach: From Unconventional Initial Access Vectors to Modern Lateral Movement
Using offline HTML files as a stealthy phishing vector to bypass conventional detection mechanisms.
GenAI and Beyond – Whither Offensive Cyber Operations?
How attackers increasingly leverage AI for phishing content generation, malware authoring and obfuscation, debugging malicious scripts, information gathering, and more.
Predicting IOCs with Historical Analysis
By analyzing historical data from various malware families—primarily ransomware—the presentation demonstrated how relationships between indicators of compromise (IOCs) can be used to predict future infrastructure and threat activity.
Let us not forget to mention DeepINTEL [7], DeepSec’s sister conference, dedicated to security intelligence. It offers a strategic perspective on who may target your organization, why, and with what capabilities. Security intelligence relies on several methods, including algorithmic and statistical analysis, adversary infiltration, data correlation, meta-analysis, and related techniques.
DeepSec 2025 was an amazing experience. I had the chance to meet great people, exchange ideas, and share interesting stories from the field. The conversations were inspiring, and it was refreshing to be surrounded by so much curiosity and passion for security. Overall, it was a genuinely enjoyable and memorable event.
Thank you, DeepSec!
References