2026-07-02, Room LW112
In this beginner-friendly, hands-on workshop, participants will walk through the full attack chain of a real-world Fancy Bear (APT28/GRU) intrusion - from the initial phishing email to command & control - guided by a purpose-built interactive training platform.
What to expect:
The workshop is structured across five chapters, each building on the last: threat actor background, payload delivery, exploitation, persistence & installation, and command & control. Participants work hands-on with real artefacts (phishing email headers, a weaponised RTF document, malware samples, and a C2 implant) and answer quiz questions via an interactive platform to validate their findings along the way - making progress immediately visible and keeping the session engaging for all skill levels.
What you will learn:
- How to analyse phishing emails and extract indicators from mail headers
- How to identify and dissect malicious Office documents (including MIME type mismatches and OLE/COM object abuse triggering CVE-2026-21509)
- Persistence techniques: file staging, scheduled task abuse, and LSB steganography in PNG files
- How to reverse simple string obfuscation (XOR + Base64) using CyberChef
- How threat actors repurpose legitimate open-source tools (Covenant C2 framework) and abuse trusted cloud services to blend into normal traffic
- All tools demoed/used throughout the workshop (e.g. oletools, CyberChef, and Covenant) are free and open-source, making every technique immediately reproducible.
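As an added, self-contained illustration of two of the techniques listed above (this is example code written for this page, not workshop material, and it uses no real sample): the Python below builds a small PNG in memory, hides an XOR + Base64-obfuscated string in the image's least significant bits, and then recovers it the way an analyst would. The C2 URL, the XOR key, the 4-byte length framing and the gradient cover image are all constructed for this example. The XOR key is assumed to be known; in a real analysis it has to be recovered first (a single-byte key can be brute-forced, a longer one is usually found in the loader code).

```python
import base64
import struct
import zlib

# Constructed values for this example only (not workshop artefacts): the string an
# implant might hide, and the repeating XOR key it is obfuscated with.
SECRET = b"https://c2.example.invalid/beacon?id=7"
XOR_KEY = b"k3y"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: bytes, key: bytes) -> bytes:
    """XOR then Base64: the two-layer string obfuscation the workshop reverses."""
    return base64.b64encode(xor_bytes(plain, key))


def deobfuscate(blob: bytes, key: bytes) -> bytes:
    """Reverse of obfuscate(): Base64-decode first, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key)


def png_encode(width: int, height: int, rgb: bytes) -> bytes:
    """Write an 8-bit RGB PNG with filter type 0 on every row (no Pillow needed)."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def png_decode(png: bytes):
    """Parse a PNG back to (width, height, rgb). Only handles what png_encode writes."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        payload = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", payload[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is supported here")
        elif tag == b"IDAT":
            idat += payload           # IDAT may be split across several chunks
        pos += 12 + length            # length + type + data + CRC
    raw = zlib.decompress(idat)
    stride = width * 3 + 1            # one filter-type byte per row
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("filtered rows would need unfiltering first")
    return width, height, b"".join(r[1:] for r in rows)


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each colour byte, length-prefixed."""
    framed = struct.pack(">I", len(payload)) + payload   # framing is this example's own convention
    bits = "".join(f"{b:08b}" for b in framed)
    if len(bits) > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)   # each colour byte changes by at most 1
    return bytes(out)


def lsb_extract(rgb: bytes) -> bytes:
    """Read the 4-byte length header, sanity-check it, then read that many payload bytes."""
    def read(n_bytes: int, bit_offset: int) -> bytes:
        bits = "".join(str(rgb[bit_offset + i] & 1) for i in range(n_bytes * 8))
        return bytes(int(bits[j:j + 8], 2) for j in range(0, len(bits), 8))
    length = struct.unpack(">I", read(4, 0))[0]
    if length > (len(rgb) - 32) // 8:
        # The LSBs of a clean image form a random header that almost always fails this check.
        raise ValueError("length header exceeds capacity: no LSB payload with this framing")
    return read(length, 32)


def make_cover(width: int, height: int) -> bytes:
    """Constructed cover image: a smooth gradient, so single-bit changes are invisible."""
    return bytes((x * 7 + y * 3 + c) & 0xFF
                 for y in range(height) for x in range(width) for c in range(3))


def build_stego_png(width: int = 32, height: int = 32) -> bytes:
    """Attacker side: obfuscate the secret and hide it in the cover image's LSBs."""
    return png_encode(width, height, lsb_embed(make_cover(width, height), obfuscate(SECRET, XOR_KEY)))


def recover_secret(png: bytes, key: bytes = XOR_KEY) -> bytes:
    """Analyst side: pull the LSB payload out of the PNG and undo Base64 + XOR."""
    _, _, rgb = png_decode(png)
    return deobfuscate(lsb_extract(rgb), key)


if __name__ == "__main__":
    print(recover_secret(build_stego_png()))   # b'https://c2.example.invalid/beacon?id=7'
```

The bit order (one bit per colour byte, row-major, R then G then B) and the length prefix are choices made for this example; a real implant uses whatever framing its author picked, so the first step in an actual analysis is to read that convention out of the loader code before extracting anything. The deobfuscation itself is exactly what CyberChef's "From Base64" followed by "XOR" does once the key is known.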
Who should attend:
No prior malware analysis experience is required. All you need is basic familiarity with the command line and curiosity about how attacks actually work. Security students, CTF players, sysadmins, and blue teamers looking to build intuition for real-world threat actor tradecraft will get the most out of this session.
What to bring:
A laptop with internet access. All you need is a web browser, a text editor and hex editor, and an archive tool that can unpack AES-256-encrypted ZIP archives (e.g. 7-Zip; the built-in extractors of Windows Explorer and macOS do not handle AES-encrypted ZIPs) - other than that, no prior setup is required.
This workshop does not depend on domain-specific knowledge; we will break the steps down as far as possible. Attendees follow along through small exercises and can check their solutions against a quiz/validation system. The instructor will answer questions, and collaboration between attendees is strongly encouraged!
Important message for attendees: If you would like to follow along, please bring a laptop with a charged battery. You will be handling real-world malware (you act at your own risk; no backup, no pity). I recommend using a virtual machine (e.g. FLARE-VM, REMnux). No special tooling is required; make sure to have the basics (text and hex editor, browser, ZIP utility) installed. No photos during the workshop please; you will receive a copy of the slides.
Marius Genheimer is a DFIR Specialist and Threat Researcher with the SECUINFRA Falcon Team. He specializes in malware analysis and defensive security training.