Schedule

7.5.2026 (Thursday) at Park Boutique Hotel Varaždin.
Technical lectures, single track, relevant technical content with no sales talks.
Additional activities include: OWASP Croatia meeting (19:00 - 20:00).
| Time | Speaker | Subject |
|---|---|---|
| 09:00 - 09:30 | | Registration |
| 09:30 - 10:15 | Ivan Fratric | Goodbye, XSLT |
| 10:30 - 10:50 | Vanja Svajcer | Voidlink - cloud-first post exploitation framework |
| 10:55 - 11:15 | Tomislav Turek | Times change, tricks don't |
| 11:30 - 12:15 | Dejan Strbad | Silent Receipts, Loud Signals: Offensive and Defensive ML for Messaging App Surveillance |
| 12:15 - 14:00 | | Lunch Break (no organized lunch, make your own arrangements) |
| 14:00 - 14:45 | Dejan Grubic, Vlatko Kosturjak | Technical Analysis and Lessons from a Real-World Ransomware incident |
| 15:00 - 15:45 | Dinko Korunić | Caveats using eBPF in Linux |
| 15:45 - 16:15 | | Cake Break* |
| 16:15 - 16:35 | Vlado Vince | Networked Anachronisms: Building a Global AppleTalk Network a Few Decades Too Late |
| 16:40 - 17:00 | Matko Zlatić | Review of Open Source Wireguard Solutions |
| 17:15 - 18:00 | Hank Scorpio | Fun with VMs |
| 18:00 -> | | Closing Ceremony and Social Time |

* The cake is not a lie

Ivan Fratric - Goodbye, XSLT

Originally introduced in the late 1990s, XSLT is a technology designed to transform XML documents into HTML and other formats. Late last year, Chrome announced plans to deprecate and remove support for the feature, with other major browsers following suit. This decision was justified by a security risk, specifically citing research from Project Zero. In this talk, we are going to take a closer look at how XSLT was implemented in web browsers and analyze some of the most difficult-to-fix vulnerabilities that contributed to the decision to remove the feature.

# About the speaker

Ivan Fratric is a tech lead and a security researcher at Google Project Zero. In his research work, he mainly focuses on remote attack surfaces and tooling. Previously, he worked on the Google Security Team and, before that, at the University of Zagreb where he received his PhD. He has been publishing security research for almost two decades and is the author of multiple open-source security tools.

Vanja Svajcer - Voidlink - cloud-first post exploitation framework

VoidLink is a new modular framework that targets Linux-based systems. Modular frameworks are prevalent in today's threat landscape, with Cobalt Strike, Manjusaka, Alchimist, and SuperShell among the many in operation. VoidLink is an implant management framework and reflects a consistent and concerning evolution toward shorter development cycles.

VoidLink appears to be a more recent addition, developed with the aid of a large language model (LLM) based integrated development environment (IDE).

VoidLink appears to have implants developed only for Linux, although the implant code is written in such a way that it can easily be adapted to other languages. The main implant is written in ZigLang, a rather uncommon language; the plugins, however, are written in C. When needed, these are loaded via an ELF linker and loader.

The Linux implants have advanced features, such as an eBPF or Loadable Kernel Module (LKM) based rootkit, container privilege escalation, and sandbox escape. VoidLink is an excellent example of how threat actors are moving from exploiting Windows endpoints to cloud environments and edge devices. This presentation is an in-depth discussion of the framework's functionality as well as the threat actor using it.

# About the speaker

Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He has presented his work at conferences such as FSec, BSides, Virus Bulletin, RSA, CARO, AVAR, BalCCon and others.

Tomislav Turek - Times change, tricks don't

In this talk, we will walk through a case where a conversational interface with conventional backend tooling had seemingly reasonable design choices which eventually led to unexpected security issues and remote code execution. The talk shows that standard security best practices still apply in the new AI-driven landscape and that changing the interface does not mean you can skip the usual defenses and hard boundaries.

# About the speaker

Tomislav Turek works in Infobip's Application Security team, which analyzes and performs security reviews of application systems, integrations and code. While mostly focused on application security and software engineering, he likes to tinker with all things related to security. He is an active member of the Croatian capture the flag team 'Phish Paprikaš', with whom he has achieved significant success in information security competitions.

Dejan Strbad - Silent Receipts, Loud Signals: Offensive and Defensive ML for Messaging App Surveillance

Silent delivery receipts in WhatsApp and Signal can be exploited to infer a target's online status, device count, and operating system, all without generating any notification.

Building on the "Careless Whisper" research (https://arxiv.org/abs/2411.11194), we reproduce and extend this attack using practical tooling built with AI agents and custom ML pipelines, pushing the boundaries on both the offensive and defensive side.

On the offensive side, we train a classification model on delivery receipt timing patterns to infer a user's physical context (home, work, commuting, sleeping). We further explore whether timing correlation of receipt patterns can reveal co-location, determining if two target phone numbers share the same network.

On the defensive side, we build a local network monitor that uses traffic analysis to detect when delivery receipt probing is being conducted against devices on your network, turning the attack into a detection opportunity.

We discuss implications for stalkerware detection, a reminder that metadata alone can be deeply revealing and that a phone number remains a dangerously powerful attack surface.

# About the speaker

Dejan Strbad breaks things and builds things — sometimes in that order. A serial entrepreneur and security enthusiast, he co-founded Ascalia (IIoT/Industry 4.0) and is a researcher at the Lisbon Council. With over a decade of experience spanning solution architecture, software engineering, and machine learning, his current obsession is solving problems with ML - the messier, the better.

Dejan Grubic, Vlatko Kosturjak - Technical Analysis and Lessons from a Real-World Ransomware incident

Ransomware continues to pose a significant threat to modern organizations, disrupting operations and compromising critical data assets. We will present a detailed case study of a ransomware incident, focusing on the technical progression of the attack, from initial access to payload execution and lateral movement. Through forensic analysis, we reconstruct the attacker’s tactics, techniques, and procedures (TTPs), highlighting vulnerabilities that enabled the breach. The study also evaluates the effectiveness of detection and response mechanisms, identifying key gaps in security posture. Finally, the paper outlines actionable lessons learned and provides recommendations for strengthening resilience against similar attacks, including improvements in monitoring, incident response planning, and system hardening.

# About the speakers

Dejan Grubić is an IT expert with long experience in creating virtual and cloud IT environments. He gained experience and knowledge through work for large system integrators in the region and as a regional representative of global companies in the field of virtualization, security solutions and data protection. Currently, as the head of the Cybersecurity Incident Response Team within Marlink Cyber, he encounters various types of incidents that occur globally, not only within the Adriatic region.

Vlatko Kosturjak serves as the VP of Research at Marlink Cyber, boasting over two decades of dedicated experience in the realms of information security and cybersecurity. He has successful M&A experience in different fields of cyber security and in different roles.

Dinko Korunić - Caveats using eBPF in Linux

This talk explores the real-world caveats of using eBPF in production systems. We’ll examine verifier limitations, kernel version drift, CO-RE portability challenges, memory and stack constraints, and the often-overlooked operational complexity of deploying and maintaining eBPF programs at scale.

# About the speaker

Dinko Korunić is a seasoned IT professional and Principal Cloud Architect at HAProxy Technologies, with over two decades of experience in cloud architecture, systems engineering, and large-scale infrastructure design. He has led cloud platform development and interoperability projects across container and hypervisor environments, and has deep expertise in Unix/Linux systems, security, and open-source technologies. Korunić holds a degree in computer science and has contributed to numerous technology deployments, published technical articles, and maintained open-source software throughout his career.

Vlado Vince - Networked Anachronisms: Building a Global AppleTalk Network a Few Decades Too Late

AppleTalk was a collection of standards, protocols and products developed by Apple in the mid-1980s to connect Macintosh computers to each other. 40 years later, a bunch of nerds found an obscure piece of routing software and connected their ancient Macs into the first global AppleTalk network: GlobalTalk. This is the story of how we looked back and accidentally reinvented a new networked community... Again!

# About the speaker

Vlado is a technologist with an interest in the history of computing and networks, with a focus on non-Western countries before the end of the Cold War. He posts about his research on his blog, Bluesky and Mastodon.

Matko Zlatić - Review of Open Source Wireguard Solutions

A review of vulnerabilities and bugs found while researching available open source solutions that utilize Wireguard. These applications are often used in home and lab setups because they enable easier configuration and generally extend the use of the protocol. However, they also introduce a whole new attack surface attractive to attackers.

# About the speaker

Security consultant and researcher, CS master's student, in general a chaos gremlin.

Hank Scorpio - Fun with VMs

IR engagement

# About the speaker

Supervillain with a heart of gold
