Black Hat Videos

The macOS threat landscape has changed considerably in recent years with the ever-increasing prevalence of macOS malware. In response, Apple has expanded the capabilities of XProtect by introducing new features such as XProtect Remediator (XPR) and XProtect Behavior Service. XPR periodically scans to remove malware and restores infected devices. However, due to a lack of detailed reverse engineering efforts, its detection or remediation capabilities remain unclear. In this presentation, we share our reverse engineering results of XPR. Since XPR binaries are stripped Swift binaries, the detailed analysis was challenging. We developed custom tools for static and dynamic analysis of Swift binaries, which allowed us to perform a thorough investigation. Our analysis uncovered intriguing detection logics that go beyond the previously known simple scanning using YARA rules. These include a creative mechanism that employs OCR to detect malware performing a Gatekeeper bypass. Furthermore, our examination revealed Apple-exclusive threat intelligence, including information related to malware believed to be the TriangleDB macOS implants. Remarkably, we discovered that XPR’s detection logic is described with a custom DSL using Swift Result Builders—the same technology that powers SwiftUI’s declarative syntax. Our analysis of the DSL demonstrated that it significantly helps in understanding the details of XPR’s detection logic. In addition, we revealed a novel mechanism—Provenance Sandbox—that XPR uses to track the origin of remediated files. This provenance information serves as a valuable forensic artifact even for third-party security vendors. This presentation provides valuable insights into XPR internals for blue teams working on macOS security. The tools being introduced will help security researchers analyze future XPR updates to obtain Apple’s threat intelligence included in XPR. Additionally, information on XPR vulnerabilities and Provenance Sandbox bypasses will benefit red teams. By: Koh Nakagawa | Security Researcher, FFRI Security, Inc. Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#xunprotect-reverse-engineering-macos-xprotect-remediator-44791

Apple’s on device AI frameworks CoreML, Vision, AVFoundation enable powerful automation and advanced media processing. However, these same capabilities introduce a stealthy attack surface that allows for payload execution, covert data exchange, and fully AI assisted command and control operations. This talk introduces MLArc, a CoreML based C2 framework that abuses Apple AI processing pipeline for payload embedding, execution, and real time attacker controlled communication. By leveraging machine learning models, image processing APIs, and macOS native AI features, attackers can establish a fully functional AI assisted C2 without relying on traditional execution mechanisms or external dependencies. Beyond MLArc as a standalone C2, this talk explores how Apple’s AI frameworks can be weaponized to enhance existing C2s like Mythic, providing stealthy AI assisted payload delivery, execution, and persistence. This includes the below list of Apple AI framework used for embedding Apfell Payload. CoreML – Embedding and executing encrypted shellcode inside AI models. Vision – Concealing payloads/encryption keys inside AI processed images and retrieving them dynamically to bypass detection. AVFoundation – Hiding and extracting payloads within high frequency AI enhanced audio files using steganographic techniques. This research marks the first public disclosure of Apple AI assisted payload execution and AI driven C2 on macOS, revealing a new class of offensive tradecraft that weaponizes Apple AI pipelines for adversarial operations. I will demonstrate MLArc in action, showing how Apple’s AI stack can be abused to establish fileless, stealthy C2 channels that evade traditional security measures. This talk is highly technical, delivering new research and attack techniques that impact macOS security, Apple AI exploitation, and red team tradecraft. By: Hariharan Shanmugam | Lead Red Teamer Full Session Details Available at: https://blackhat.com/us-25/briefings/schedule/?#weaponizing-apple-ai-for-offensive-operations-44700

OPC UA is a standardized communication protocol that is widely used in the areas of industrial automation and IoT. It is used within and between OT networks, but also as a bridge between IT and OT environments or to connect field systems with the cloud. Traditionally, VPN tunnels are used to secure connections between OT trust zones (especially when they cross the internet), but this is often considered not to be necessary when using OPC UA because the protocol offers its own cryptographic authentication and transport security layer. This makes OPC UA a valuable target for attackers, because if they could hijack a (potentially internet-exposed) OPC UA server they might be able to wreak havoc on whatever industrial systems are controlled by it. Therefore, I decided to take a look at the cryptography used by the protocol, and whether any protocol-level flaws could be used to compromise implementations. As a result, I managed to identify two protocol flaws that I could turn into practical authentication bypass attacks that worked against various implementations and configurations. These attacks involve signing oracles, signature spoofing padding oracles and turning “RSA-ECB” into a “timing side channel amplifier”. In this talk, I will explore the protocols and the issues I identified, as well as the process of turning two theoretical crypto flaws into highly practical exploits. By: Tom Tervoort | Principal Security Specialist, Bureau Veritas Cybersecurity Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#no-vpn-needed-cryptographic-attacks-against-the-opc-ua-protocol-44760

As web applications evolve, so do their data processing pipelines—handling Unicode normalization, encoding, and translation before storing or executing user input. But what if these same data transformations could be weaponized by attackers? This talk exposes how Unicode normalization flaws (such as visual confusables/best-fit mappings, truncation/overflows, case-mappings and entity decodings) lead to critical security bypasses—allowing attackers to evade WAFs, input filters, and backend logic to execute Remote Code Execution (RCE), Cross-Site Scripting (XSS), Server-Side Template Injection (SSTI), Open Redirects, and HTTP Response Splitting. Using real-world attack data from Akamai’s research team, this session will showcase live exploitation demos, explore the impact of vulnerabilities like CVE-2024-4577 (PHP-CGI Argument Injection), and introduce cutting-edge Unicode fuzzing techniques. Attendees will leave with a deep understanding of Unicode security pitfalls and hands-on tools like Shazzer, recollapse, and Burp Activescan++ enhancements to detect these issues. By: Ryan Barnett | Principal Security Researcher, Akamai Isabella Barnett | Cyber Security Engineering Student, Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#lost-in-translation-exploiting-unicode-normalization-44923

Gaining initial access to an intranet is one of the most challenging parts of red teaming. If an attack chain is intercepted by an incident response team, the entire operation must be restarted. In this talk, we introduce a technique for gaining initial access to an intranet that does not involve phishing, exploiting public-facing applications, or having a valid account. Instead, we leverage the use of stateless tunnels, such as GRE and VxLAN, which are widely used by companies like Cloudflare and Amazon. This technique affects not only Cloudflare’s customers but also other companies. Additionally, we will share evasion techniques that take advantage of company intranets that do not implement source IP filtering, preventing IR teams from intercepting the full attack chain. Red teamers could confidently perform password spraying within an internal network without worrying about losing a compromised foothold. Also, we will reveal a nightmare of VxLAN in Linux Kernel and RouterOS. This affects many companies, including ISPs. This feature is enabled by default and allows anyone to hijack the entire tunnel, granting intranet access, even if the VxLAN is configured on a private IP interface through an encrypted tunnel. What’s worse, RouterOS users cannot disable this feature. This problem can be triggered simply by following the basic VxLAN official tutorial. Furthermore, if the tunnel runs routing protocols like BGP or OSPF, it can lead to the hijacking of internal IPs, which could result in domain compromises. We will demonstrate the attack vectors that red teamers can exploit after hijacking a tunnel or compromising a router by manipulating the routing protocols. Lastly, we will conclude the presentation by showing how companies can mitigate these vulnerabilities. Red teamers can use these techniques and tools to scan targets and access company intranets. This approach opens new avenues for further research. By: Shu-Hao Tung | Threat Researcher, Trend Micro Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/index.html#from-spoofing-to-tunneling-new-red-teams-networking-techniques-for-initial-access-and-evasion-44678

Diving into Windows HTTP: Unveiling Hidden Preauth Vulnerabilities in Windows HTTP Services (PRE-RECORDED) The Windows operating system heavily relies on HTTP services. Numerous Windows HTTP services such as IIS, ADFS, ADCS, Hyper-V, Kerberos, WSUS, Windows Storage, SSDP, UPnP, WinRM, RDP, BranchCache and MSMQ are widely deployed and play a crucial role in supporting various core functions within the Windows ecosystem. Although the security of Windows HTTP services is of utmost importance, almost no related security research has been made public in the past. Based on this gap, we decided to dive into the security of Windows HTTP Services and discovered many new things! After conducting an in-depth analysis of the internal mechanisms of Windows HTTP components, we discovered many novel vulnerability patterns in Windows HTTP services over the past year. These include not only classic memory corruption bugs but also a large number of logical bugs caused by the incorrect usage of Windows HTTP APIs by developers. Our research has identified more than 100 critical pre-auth vulnerabilities in almost all key services, including IIS, ADFS, ADCS, Hyper-V, Kerberos, WSUS, Windows Storage, SSDP, UPnP, WinRM, RDP, BranchCache and MSMQ. These vulnerabilities cover a wide range of issues, including pre-auth remote code execution (RCE), information leakage, and denial-of-service (DoS). Importantly, exploiting these vulnerabilities requires no credentials, no additional configurations, and no user interaction (0-click), which means that any Windows system running them is at risk. In this presentation, we will discuss the different architectures of Windows HTTP services and share multiple previously undisclosed vulnerability cases and attacks. We will also summarize these new vulnerability patterns and provide a comprehensive interpretation of the security threats within the realm of Windows HTTP services. By: Qibo Shi | Senior Security Researcher, Cyber Kunlun Lab Victor V | Senior Security Researcher, Cyber Kunlun Lab Wei Xiao | Senior Security Researcher, Cyber Kunlun Lab Zhiniang Peng | Associate Professor, Huazhong University of Science and Technology Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#diving-into-windows-http-unveiling-hidden-preauth-vulnerabilities-in-windows-http-services-pre-recorded-44873

In this talk, we will present a novel timing side-channel attack on the TLB, combined with kernel allocator massaging, to derandomize the location of security-critical kernel objects in the latest Linux kernel. We call these location disclosure attacks, as they reveal memory layout information, an essential step for most modern kernel exploits. In contrast to prior TLB side-channel attacks, which reveal only coarse-grained memory locations (e.g., physical mapping base address or code segment), our attack is the first to leak the locations of security-critical kernel objects, including kernel heap objects, page tables, and the kernel stack. Using our location disclosure combined with memory corruption attacks significantly enhances the stability and reliability of kernel exploitation. Our approach enables new exploit techniques as well as re-enables previously mitigated ones. We conduct an in-depth root cause analysis of this side channel, examining how TLB leakage arises. Specifically, we show how design decisions in kernel defenses and the kernel memory allocator unintentionally facilitate these attacks, making location leakage possible. Finally, we show an end-to-end attack in which an unprivileged user leaks most of the security-critical kernel objects within seconds on a recent Intel CPU and an up-to-date Ubuntu Linux kernel. By: Lukas Maar | InfoSec Researcher, Graz University of Technology Lukas Giner | InfoSec Researcher, Graz University of Technology Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#derandomizing-the-location-of-security-critical-kernel-objects-in-the-linux-kernel-44902

Windows Server Failover Cluster (WSFC) implementations represent a critical yet underexamined attack surface in enterprise environments. This research exposes how WSFC’s architectural design inadvertently creates exploitable abuse paths and presents novel attack methodologies demonstrating how the compromise of a single cluster node can lead to complete cluster takeover, lateral movement across clustered infrastructure, and ultimately, domain compromise. This Briefing will present previously undiscovered techniques for extracting and leveraging cluster credentials, manipulating Kerberos authentication, and exploiting excessive permissions granted to cluster objects. This “set it and forget it” high-availability infrastructure represents a significant blind spot for organizations. You will leave with a better understanding of WSFC’s internal security architecture, strategies for enumerating and abusing these new attack paths, and concrete defensive guidance for protecting organizations from these new abuses. By: Garrett Foster | Senior Security Researcher, SpecterOps, Inc.

(PRE-RECORDED) PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing. It is one of the most popular deep learning frameworks. However, beneath its powerful capabilities lies a potential security risk. Initially, PyTorch used pickle to save models, but due to the insecurity of pickle deserialization, there was a risk of Remote Code Execution (RCE) when loading models. Subsequently, PyTorch introduced the weights_only parameter to enhance security. The official documentation states that weights_only=True is considered safe and recommends using it over weights_only=False. For years, the security of weights_only=True remained unchallenged. Our research, however, uncovered unsettling truths. We discovered that torch.load with weights_only=True supports TorchScript, leading us to delve into TorchScript’s inner workings. After a period of research, we discovered several vulnerabilities and ultimately achieved RCE. We promptly reported this finding to PyTorch, who acknowledged the vulnerability and assigned us CVE-2025-32434. This revelation overturns established understandings and has profound implications for numerous AI applications. We will provide an in-depth analysis of the impact of this vulnerability. In this Briefing, we will introduce how we gained inspiration and discovered this interesting vulnerability. Meanwhile, our findings once again confirm the statement, “The Safe Harbor you once thought was actually Hostile Waters.” By: Ji’an Zhou | Security Engineer, Alibaba Cloud Li’shuo Song | Security Engineer, Alibaba Cloud Full Abstract and Presentation Materials: https://www.blackhat.com/us-25/briefings/schedule/?#safe-harbor-or-hostile-waters-unveiling-the-hidden-perils-of-the-torchscript-engine-in-pytorch-pre-recorded-44682

Managed languages facilitate convenient ways for serializing objects, allowing applications to persist and transfer them easily, yet this feature opens them up to attacks. By manipulating serialized objects, attackers can trigger a chained execution of existing code segments, using them as gadgets to form an exploit. Protecting deserialization calls against attacks is cumbersome and tedious, leading to many developers avoiding deploying defenses properly. We present QUACK, a framework for automatically protecting applications by fixing calls to deserialization APIs. This “binding” limits the classes allowed for usage in the deserialization process, severely limiting the code available for (ab)use as part of exploits. QUACK computes the set of classes that should be allowed using a novel static duck typing inference technique. In particular, it statically collects all statements in the program code that manipulate objects after they are deserialized, and puts together a filter for the list of classes that should be available at runtime. We have implemented QUACK for PHP and evaluated it on a set of applications with known CVEs and popular applications crawled from GitHub. QUACK managed to fix the applications in a way that prevented any attempt at automatically generating an exploit against them, by blocking, on average, 97% of the application’s code that could be used as gadgets. We submitted a sample of three fixes generated by QUACK as pull requests, and their developers merged them. By: Neophytos Christou | PhD Candidate, Brown University Andreas Kellas | Security Researcher, Columbia University Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#quack-hindering-deserialization-attacks-via-static-duck-typing-44934

Virtual Secure Mode, or VSM, on Windows marked the most significant leap in security innovation in quite some time, allowing the hypervisor to provide unprecedented protection to the Windows OS. With VSM features like Credential Guard, preventing in-memory credential theft and Hypervisor-Protected Code Integrity (HVCI), protecting against unsigned kernel-mode code, VSM has significantly reshaped the way many offensive security practitioners and threat actors alike think about tradecraft. In the exploitation world, similar shifts have occurred with both Control Flow Guard (CFG) and Intel Control Flow Enforcement Technology (CET) being readily available in user-mode. However, we don’t hear or read much about their kernel-mode counter parts, KCFG and KCET. Why is this if CFG and CET are both relatively well-established exploit mitigations in user-mode? At the time when CFG in user-mode was first released, kernel mode was the highest security boundary available on Windows – therefore making the implementation of CFG, or any CFI mitigation in kernel mode, impossible. However, since we now have a higher security boundary on Windows, thanks to the hypervisor, it is now possible to robustly implement CFG and CET in the Windows kernel! This talk will cover what kernel mode CFI would look like without the presence of a hypervisor; why KCFG and KCET rely on VTL 1; how these mitigations differ from their user-mode counterparts; known limitations which exist today, including the recent deprecation of the next iteration of CFG known as eXtended Control Flow Guard (XFG); and the future of kernel-mode exploitation on Windows in the presence of KCFG and KCET. By: Connor McGarr | Software Engineer, Prelude Security Presentation Materials Available at: https://blackhat.com/us-25/briefings/schedule/?#out-of-control-how-kcfg-and-kcet-redefine-control-flow-integrity-in-the-windows-kernel-44726

Back with another year of soul-crushing statistics, the Black Hat NOC team will be sharing all of the data that keeps us equally puzzled and entertained, year after year. We’ll let you know all the tools and techniques we’re using to set up, stabilize, and secure the network, and what changes we’ve made over the past year to try and keep doing things better. Of course, we’ll be sharing some of the more humorous network activity and what it helps us learn about the way security professionals conduct themselves on an open WiFi network. By: Neil (Grifter) Wyler | Vice President of Defensive Services, Coalfire Bart Stump | Managing Principal, Coalfire Full Abstract Available: https://www.blackhat.com/us-25/briefings/schedule/index.html#the-11th-annual-black-hat-usa-network-operations-center-noc-report-47642

Corporate security teams worldwide are drowning in cover-your-ass checklists, keeping them from building real defenses against real threats. Attackers thrive in exactly these gaps — that’s why the same attack trends remain successful for years and even decades. Ransomware is just the most visible symptom of a severely misguided security paradigm. But don’t despair — salvation is at hand! The CRA and DORA are the regulations that will finally fix all other regulations — by mandating a holistic understanding of your risks and ensuring that everyone can now officially cover their bases the proper way. Meanwhile, under the banners of fighting terrorism or child abuse, the security of the public’s communication infrastructure is under constant political attack. Proposals such as AI “snitches” built into phones keep haunting the EU legislative process — despite years of clear opposition from every credible expert out there. There are so many self-proclaimed “solutions” that we’ve long lost sight of the actual problems. Do we even want to address them? If so, then let’s re-focus — and get things done. By: Linus Neumann | Head of Security Strategy, Chaos Computer Club Full Session Details Available at: https://blackhat.com/eu-25/briefings/schedule/?#keynote-cyber-please-check-all-boxes-before-you-get-pwned-50320

As cyber threats grow more sophisticated and geopolitically complex, the international community continues to grapple with fundamental questions about how states should behave in cyberspace—and how to hold them accountable when they don’t. International efforts to establish responsible state behaviour in cyberspace have traditionally centred on a narrow set of voices and technical capabilities. This talk will examine the current diplomatic landscape—from the UN’s work on norms of responsible state behaviour to emerging frameworks on state responsibility—and reveal critical gaps in how we think about public cyber attribution. Drawing on research with middle-ground states, the session will explore how Global South nations are developing alternative approaches to attribution that challenge Western-centric assumptions about evidence, legitimacy, and strategic advantage. What happens when countries with limited technical infrastructure are inclined to attribute? How do differing regional threat landscapes shape attribution priorities? And crucially, what can the private sector learn from these perspectives as companies increasingly fill attribution gaps left by states? This talk will bridge high-level diplomatic negotiations with on-the-ground realities on this topic. By: Louise Marie Hurel | Researcher, Royal United Services Institute Full Session Details Available at: https://blackhat.com/eu-25/briefings/schedule/index.html#keynote-who-gets-to-point-fingers-technical-capacity-and-international-accountability-50480

The ransomware gold rush days are fading, but the business model will adapt. Based on unique access to leaked data and years of analysis, this keynote explains what really keeps the ransomware economy running and what might finally stop it. By: Max Smeets | Co-Director, Virtual Routes Full Session Details Available at: https://blackhat.com/eu-25/briefings/schedule/?#keynote-inside-the-ransomware-machine-50319