In this beginner-friendly, hands-on workshop, participants will walk through the full attack chain of a real-world Fancy Bear (APT28/GRU) intrusion - from the initial phishing email to command & control - guided by a purpose-built interactive training platform.
What to expect:
The workshop is structured across five chapters, each building on the last: threat actor background, payload delivery, exploitation, persistence & installation, and command & control. Participants work hands-on with real artefacts (phishing email headers, a weaponised RTF document, malware samples, and a C2 implant) and answer quiz questions via an interactive platform to validate their findings along the way - making progress immediately visible and keeping the session engaging for all skill levels.
What you will learn:
- How to analyse phishing emails and extract indicators from mail headers
- How to identify and dissect malicious Office documents (including MIME type mismatches and OLE/COM object abuse triggering CVE-2026-21509)
- Persistence techniques: file staging, scheduled task abuse, and LSB steganography in PNG files
- How to reverse simple string obfuscation (XOR + Base64) using CyberChef
- How threat actors repurpose legitimate open-source tools (Covenant C2 framework) and abuse trusted cloud services to blend into normal traffic
- All tools demoed/used throughout the workshop (e.g. oletools, CyberChef, and Covenant) are free and open-source, making every technique immediately reproducible.
Who should attend:
No prior malware analysis experience is required. Basic familiarity with the command line and a curiosity for how attacks actually work is all you need. Security students, CTF players, sysadmins, and blue teamers looking to build intuition for real-world threat actor tradecraft will get the most out of this session.
What to bring:
A laptop with a browser and internet access. All you need is a web browser, a text editor and an archive tool that can unpack AES-256 encrypted ZIP archives - other than that, no prior setup is required.