JSAC2026 -Day 1-

JPCERT/CC hosted JSAC2026 from January 21 to 23, 2026. JSAC is an annual conference dedicated to advancing the capabilities of security analysts by fostering the exchange of technical knowledge and operational insights related to incident analysis and response. Now in its ninth year, the event incorporated a new training program, extending its duration to three days. Across two days, the conference featured 17 presentations, three workshops, and six lightning talks. Presentation materials are available on the JSAC website (some materials are not publicly available). This series in JPCERT/CC Eyes presents highlights from the conference in three installments. This first installment covers the presentations from Day 1 of the Main Track.

The Betrayed Update: Beyond the Signpost

Speaker: Takahiro Yamamoto (ITOCHU Cyber & Intelligence Inc.)

Presentation Materials (Japanese)
Presentation Materials (English)

Takahiro Yamamoto discussed a case involving a compromised update process of a legitimate application attributed to the threat actor “Tropic Trooper.” The investigative process leading to identification of the root cause was outlined, along with key lessons learned.

At the outset, the speaker suspected lateral movement or a supply chain attack. However, detailed log analysis revealed that configuration data pointing to the legitimate application’s update server had been tampered with, redirecting the application to a malicious update destination. Analysis of multiple cases uncovered a common pattern: the issue only reproduced when the affected systems were connected to a specific home network. This finding indicated that the root cause was not the endpoint itself, but the surrounding network environment. Further investigation—leveraging endpoint sensors and custom scripts—revealed that a suspicious IP address had been configured on the cache DNS server referenced by the home router. As a result, DNS responses were poisoned, causing specific domains to resolve to a fake update server. The application then downloaded malicious configuration data, leading to malware delivery and execution.

As countermeasures, the use of trusted DNS servers via full-tunnel VPNs was emphasized, along with adoption of DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to mitigate DNS hijacking, and strengthened endpoint detection and monitoring. The session concluded that incident analysis yields valuable intelligence when attention is paid not only to observable outcomes, but also to the structural characteristics of the attack and the adversary’s intent.
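A defender-side check that follows from this case, added here as an example and not part of the talk or its materials: resolve the vendor's update hostname through the local (router-provided) resolver and through a trusted DNS-over-HTTPS resolver, and flag any address the trusted path does not return. The hostname is a placeholder, the DoH endpoint is Cloudflare's public JSON API, and the demo data is constructed; the live network check only runs when `--live` is passed.

```python
"""Compare a domain's A records from the local resolver with those from a
trusted DNS-over-HTTPS resolver, to spot tampered answers for an update host.
Added example; the hostname is a placeholder and demo answers are constructed."""
import json
import socket
import sys
import urllib.request

UPDATE_HOST = "updates.example-vendor.invalid"        # placeholder, not the real host
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # public DoH JSON endpoint


def parse_doh_answer(doc: dict) -> set[str]:
    """Extract A-record addresses from a DoH JSON response
    ({"Status": 0, "Answer": [{"type": 1, "data": "203.0.113.10"}, ...])."""
    if doc.get("Status", 0) != 0:
        return set()
    return {rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1}


def local_lookup(host: str) -> set[str]:
    """A records as returned by the OS resolver (whatever DHCP/the router handed out)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}
    except socket.gaierror:
        return set()


def doh_lookup(host: str) -> set[str]:
    """A records from the trusted DoH resolver, independent of the local DNS path."""
    req = urllib.request.Request(
        f"{DOH_ENDPOINT}?name={host}&type=A",
        headers={"accept": "application/dns-json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_doh_answer(json.load(resp))


def assess(local: set[str], trusted: set[str]) -> str:
    """Classify the comparison: any address the local resolver returns that the
    trusted resolver does not know is treated as a lead for possible poisoning."""
    if not trusted:
        return "inconclusive: trusted resolver returned no A records"
    unexpected = local - trusted
    if unexpected:
        return "SUSPECT: local resolver returned unexpected " + ", ".join(sorted(unexpected))
    if not local:
        return "inconclusive: local resolver returned nothing"
    return "ok: local answers are a subset of trusted answers"


if __name__ == "__main__":
    # Constructed demo: the trusted resolver knows two addresses, the local one returns a third.
    demo_doh = {"Status": 0, "Answer": [
        {"name": UPDATE_HOST, "type": 1, "TTL": 300, "data": "203.0.113.10"},
        {"name": UPDATE_HOST, "type": 1, "TTL": 300, "data": "203.0.113.11"},
    ]}
    print(assess({"198.51.100.7"}, parse_doh_answer(demo_doh)))
    if "--live" in sys.argv:  # real check of this machine's resolution path
        print(assess(local_lookup(UPDATE_HOST), doh_lookup(UPDATE_HOST)))
```

A mismatch is a lead rather than proof: CDN-fronted update hosts legitimately return different addresses by region, so confirm against the vendor's published ranges before concluding the resolver path is tampered. Run the check from the network where the problem reproduces, as in the case above.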

Knife Cutting the Edge: Dissecting a Gateway Surveillance & MitM Framework

Speaker: Chi-en “Ashley” Shen (Cisco Talos)

Chi-en “Ashley” Shen examined how routers and other edge devices have become critical targets in surveillance and espionage campaigns. The session analyzed a framework capable of inspecting and manipulating traffic directly on gateway edge devices. As this session was classified as TLP:RED, further details are omitted here.

The Return of Old Forces: Revealing New Campaigns Connected to a Missing Cyber Mercenary Firm

Speaker: Joseph Chen (Trend Micro)

Presentation Materials (English)

Joseph Chen examined activities attributed to “Earth Lusca” and “Earth Krahang,” both reportedly linked to the Chinese company i-Soon. The company drew significant attention in February 2024 after internal documents were leaked, suggesting involvement in espionage activities and possible ties to government entities. Although activity from the associated groups appeared to subside following the leak, operations may have resumed in 2025.

The “PONDSNAKE” campaign, first detected around October 2024, targeted government organizations as well as financial institutions, including insurance and securities firms. Initial access was achieved through exploitation of vulnerabilities in public-facing servers or via spear-phishing emails. After gaining access, the operators deployed SnakeC2, NEOBEACON (which abuses OneDrive and the Microsoft Graph API for C2), Cobalt Strike, VShell, and SoftEther VPN. Based on shared characteristics—such as the use of SnakeC2 variants and the abuse of compromised government websites—the activity was assessed with medium-to-high confidence as attributable to Earth Krahang.

The “WILYCODE” campaign, identified around May 2025, targeted government agencies, educational institutions, and hospitals. It primarily exploited vulnerabilities in public-facing servers, including React2Shell (CVE-2025-55182). The group also utilized open-source hacking tools and executed Cobalt Strike and VShell via HyperBro Launcher. While overlaps such as HyperBro Launcher usage and similarities in C2 profiles were identified, many of the observed TTPs were commonplace rather than distinctive to the group. As a result, attribution to Earth Lusca was assessed with low confidence.

Chen concluded that when legacy tools are reused alongside newly introduced elements, attribution should be based on multiple independent lines of evidence rather than single indicators.

Attribution in Action: A Case Study of an Incident Involving Multiple Activity Clusters

Speakers: Hiroaki Hara and Doel Santos (Palo Alto Networks)

Presentation Materials (English)

Hiroaki Hara and Doel Santos presented a case study in which three distinct activity clusters were operating concurrently within a single organization. A step-by-step attribution methodology grounded in observed facts was described.

One cluster, “CL-STA-1048,” employed tools such as RawCookie, EggStreme Loader, Gorem RAT, and Masol RAT. Although potential links to known groups such as Earth Estries were considered, attribution was assessed with low confidence.

Another cluster, “CL-STA-1049,” initiated activity using Hypnosis Loader via DLL proxy sideloading and subsequently deployed tools such as FluffyGh0st. Tool overlap provided strong evidence linking this cluster to “Unfading Sea Haze.”

The “Stately Taurus” cluster involved tools including HIUPAN, USBFect, PUBLOAD (spread via USB), and CoolClient variants. Although a direct execution chain between PUBLOAD and CoolClient was not confirmed, similarities in obfuscation techniques suggested codebase-level connections.

A framework separating source reliability from information credibility in attribution assessments was introduced. The trend of “Premier Pass-as-a-Service,” in which multiple APT groups collaborate closely in coordinated operations, was also highlighted, underscoring the importance of regularly reviewing internal attribution processes.

Ghost in Your Network: How Earth Kurma Stays Hidden and Exfiltrates Your Data

Speakers: Nick Dai and Sunny W. Lu (Trend Micro)

Presentation Materials (English)

Nick Dai and Sunny W. Lu shared findings on the APT group “Earth Kurma,” which targets government and telecommunications sectors in Southeast Asia. Initial compromise typically begins with vulnerable web servers, followed by reconnaissance and lateral movement. Multiple toolsets are selectively deployed depending on the environment to maintain persistence and evade detection.

For persistence, combinations of rootkits, backdoors, and loaders are used. “MMLOAD” relies on reflective loading for staged deployment. “KRNRAT” injects a user-mode agent into svchost.exe to maintain memory-resident execution. “MORIYA” incorporates new injection methods and EDR evasion techniques. Additionally, a Cisco Webex variant of “DOWNBEGIN” abuses multiple meeting rooms as distinct C2 channels.

For data exfiltration, PowerShell is used for collection and compression while legitimate cloud services such as OneDrive (ODRIZ), Dropbox (SIMPOBOXSPY), and Cisco Webex (SIMPOWEBEXSPY) are leveraged to reduce visibility. Distributed file systems are also used for both deployment and exfiltration.

As countermeasures, they recommended monitoring cloud communications by unauthorized applications, analyzing large internal data transfers and anomalous network paths, and preventing the installation of untrusted drivers.
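Detection logic for the first two recommendations, added here as an example and not part of the talk: over constructed proxy/EDR-style log lines, it flags processes outside an allowlist talking to the cloud services named above, and hosts whose outbound volume to one service crosses a threshold. The key=value log format, the domain-to-service mapping and the client allowlist are assumptions to replace with your own.

```python
"""Flag cloud-storage traffic from unexpected processes and unusually large
outbound volumes in network logs. Added example for this page; the log format,
service domains and process allowlist are constructed assumptions."""
import re
from collections import defaultdict

# Assumed mapping of service -> domain suffixes for the services named in the talk.
CLOUD_SUFFIXES = {
    "onedrive": ("onedrive.com", "graph.microsoft.com", "sharepoint.com"),
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "webex": ("webex.com",),
}
# Assumed allowlist of client binaries expected to reach each service (placeholders).
ALLOWED_PROCS = {
    "onedrive": {"onedrive.exe"},
    "dropbox": {"dropbox.exe"},
    "webex": {"webex.exe"},
}
LOG_RE = re.compile(r"ts=(\S+) host=(\S+) proc=(\S+) dst=(\S+) bytes_out=(\d+)")

# Constructed sample lines in an assumed key=value proxy/EDR export format.
SAMPLE_LOG = [
    "ts=2025-09-01T02:14:05Z host=WS-021 proc=OneDrive.exe dst=api.onedrive.com bytes_out=12582912",
    "ts=2025-09-01T02:31:40Z host=WS-021 proc=powershell.exe dst=graph.microsoft.com bytes_out=734003200",
    "ts=2025-09-01T03:02:11Z host=SRV-DB01 proc=rundll32.exe dst=content.dropboxapi.com bytes_out=325058560",
    "ts=2025-09-01T03:09:58Z host=SRV-DB01 proc=rundll32.exe dst=content.dropboxapi.com bytes_out=304087040",
    "ts=2025-09-01T03:15:02Z host=WS-044 proc=chrome.exe dst=www.example.com bytes_out=2000",
    "ts=2025-09-01T03:20:19Z host=WS-044 proc=webex.exe dst=api.webex.com bytes_out=5242880",
]


def classify_dst(dst: str):
    """Map a destination hostname to a tracked cloud service, or None."""
    dst = dst.lower().rstrip(".")
    for service, suffixes in CLOUD_SUFFIXES.items():
        if any(dst == s or dst.endswith("." + s) for s in suffixes):
            return service
    return None


def analyze(lines, threshold: int = 500 * 1024 * 1024) -> list:
    """Return findings: unexpected processes talking to cloud storage, and hosts
    whose outbound volume to one service exceeds the threshold in this window."""
    unauthorized = set()
    volume = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        _ts, host, proc, dst, out = m.groups()
        service = classify_dst(dst)
        if service is None:
            continue
        volume[(host, service)] += int(out)
        if proc.lower() not in ALLOWED_PROCS[service]:
            unauthorized.add((host, proc.lower(), service))
    findings = [("unauthorized_process", h, p, s) for h, p, s in unauthorized]
    findings += [("large_transfer", h, s, b) for (h, s), b in volume.items() if b >= threshold]
    return sorted(findings, key=str)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The volume check sums per host and service across the whole window, so a transfer split into several requests (as the two Dropbox lines in the sample) still trips the threshold; tune the window and threshold to the normal baseline of the environment.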

Continuous Evolution of Tianwu's Pangolin8RAT and Custom Cobalt Strike Beacon

Speaker: Naoki Takayama (Internet Initiative Japan Inc.)

Presentation Materials (English)

Naoki Takayama reported on the continued evolution of “Pangolin8RAT” and a custom Cobalt Strike Beacon associated with the Chinese-linked APT group “Tianwu.”

Using a sample submitted to VirusTotal in September 2025 as a starting point, Takayama outlined an execution chain in which legitimate processes such as regsvr32.exe load “CoreX Loader.” The loader decrypts data embedded in its resources using XOR and AES before ultimately loading Pangolin8RAT into memory.

Pangolin8RAT is designed with plugin-based extensibility in mind, allowing its functionality to be expanded through additional modules. Takayama explained that the malware minimizes forensic artifacts by deleting logs and certain data after a system reboot, making it more difficult to trace. He also highlighted several communication-related characteristics, including abuse of Nutstore’s WebDAV service, the use of uniquely structured cookies in HTTPS communications, and manipulation of Host headers to conceal the underlying C2 infrastructure. In addition, recent evolutions aimed at detection evasion were discussed. These include strengthened string obfuscation, suppression of RTTI, and a mechanism that XOR-encrypts configuration data when specific processes are detected.

On the Beacon side, improvements such as integrating BOFs for sleep masking and changes to configuration encoding were observed. Remnants of legacy C2 information in headers provided operational clues regarding development and deployment practices.

Takayama noted that activity has continued since 2022, with indications that operations may have intensified again around October 2024. He emphasized the importance of continuous monitoring through the sharing of YARA and Sigma rules as well as IoCs.

Incident Response at the Edge: Unmasking the Massive Exploitation of Ivanti

Speakers: Greg Chen and Sharon Liu (TeamT5)

Presentation Materials (English)

Greg Chen and Sharon Liu examined widespread exploitation campaigns targeting VPN and gateway products such as Ivanti Connect Secure (ICS), with a focus on incident response methodologies for edge devices. They reported identifying at least 170 compromised devices across 25 regions, with significant concentrations in Japan, Taiwan, South Korea, and the United States. The operation involved intrusions associated with the SPAWN malware suite.

They outlined investigative challenges specific to Ivanti Connect Secure, including encrypted system partitions, GUI-centric management that limits log visibility, and overreliance on vendor-provided integrity check tools. To address these limitations, they demonstrated vendor-assisted remote debugging, offline analysis via decrypted disk images, and SSH console validation in controlled lab environments. When identifying suspicious binaries, they recommended supplementing integrity hash comparisons with additional indicators such as anomalous timestamps, differences between static and dynamic linking, and ELF metadata analysis.
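An offline triage routine for the ELF-level indicators mentioned above, added here as an example and not TeamT5's tooling: it parses the ELF64 header and program headers with the standard library only, reports file type, machine, static versus dynamic linkage and the interpreter path, and notes header oddities such as a missing section header table. The filesystem mtime is attached separately, since that is where an anomalous timestamp would show up. The sample images are constructed header-only stubs.

```python
"""Offline triage of an ELF binary's headers: file type, machine, linkage
(static vs dynamic), interpreter path, and header anomalies. Added example for
this page, not TeamT5's tooling; handles ELF64 little-endian only."""
import os
import struct

PT_DYNAMIC, PT_INTERP = 2, 3                       # program header types (ELF spec)
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"  # ELF64 Ehdr (after e_ident), Phdr


def triage_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers; never executes or maps the file."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, e_shnum, _) = struct.unpack_from(EHDR_FMT, data, 16)
    has_dynamic, interp = False, None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(PHDR_FMT) > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(PHDR_FMT, data, off)
        if p_type == PT_DYNAMIC:
            has_dynamic = True
        elif p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii", "replace")
    notes = []
    if has_dynamic and interp is None:
        notes.append("PT_DYNAMIC without PT_INTERP: shared object or custom loading")
    if e_shnum == 0:
        notes.append("no section headers: stripped or packed, unusual for vendor builds")
    return {
        "type": E_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine:#x})"),
        "entry": e_entry,
        "linkage": "dynamic" if has_dynamic else "static",
        "interp": interp,
        "notes": notes,
    }


def triage_file(path: str) -> dict:
    """Same triage for a file on disk, plus the filesystem mtime for comparison
    against the surrounding vendor files."""
    with open(path, "rb") as fh:
        result = triage_elf(fh.read())
    result["mtime"] = int(os.stat(path).st_mtime)
    return result


def build_sample(dynamic: bool) -> bytes:
    """Constructed, header-only ELF64 image for the demo (not a loadable program)."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0x200, 0x200, 0x1000)]       # PT_LOAD
    if dynamic:
        phdrs.append((PT_INTERP, 4, 0, 0, 0, len(interp), len(interp), 1))
        phdrs.append((PT_DYNAMIC, 6, 0, 0, 0, 0x100, 0x100, 8))
    phoff = 64
    interp_off = phoff + struct.calcsize(PHDR_FMT) * len(phdrs)
    phdrs = [(t, f, interp_off if t == PT_INTERP else o, va, pa, fs, ms, al)
             for (t, f, o, va, pa, fs, ms, al) in phdrs]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, 3 if dynamic else 2, 0x3E, 1, 0x401000, phoff, 0, 0,
                       64, struct.calcsize(PHDR_FMT), len(phdrs), 64,
                       5 if dynamic else 0, 0)
    return ident + ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + interp


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_elf(build_sample(flag)))
```

Run `triage_file` across a directory of the appliance's binaries from a decrypted image and compare the results: a statically linked, section-less file with an mtime unlike its neighbours stands out even when its hash is absent from the vendor's integrity list.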

They explained that the attack chain began with CVE exploitation, followed by deployment of the in-memory backdoor “TextDoor,” persistence via the SPAWN malware suite, and credential theft through “DebtTheft.” They emphasized the importance of protocol analysis and network signatures in identifying previously unknown compromises, particularly when integrity checks may have been bypassed.

Infrastructure-less Adversary: C2 Laundering via Dead-Drop Resolvers and the Microsoft Graph API

Speakers: Wei-Chieh Chao and Shih-Min Chan (Cycraft)

Presentation Materials (English)

Wei-Chieh Chao and Shih-Min Chan presented a case involving a Chinese state-sponsored actor targeting Taiwanese government agencies and the manufacturing sector. They described infrastructure-agnostic tradecraft, in which dedicated infrastructure is avoided by abusing legitimate communication platforms for C2 operations.

In the incident they analyzed, the attackers gained initial access via phishing, escalated privileges by exploiting AD CS misconfigurations, conducted lateral movement, and deployed remote access infrastructure such as SoftEther VPN. For C2 communications, they leveraged the Microsoft Graph API, C2 servers hosted behind Cloudflare, and compromised public websites functioning as “dead-drop” resolvers. They also highlighted a technique in which AD logon scripts were temporarily modified to distribute malware across endpoints before being restored to their original state to evade detection. They analyzed three malware families: GRAPHBROTLI and GRAPHRELOOK, which repurpose Microsoft Graph and Outlook APIs for C2 communications, and RCREMARK, which communicates with C2 servers hosted behind Cloudflare and retrieves commands embedded in HTML comments for execution.

They assessed that short-lived configuration changes and abuse of legitimate infrastructure reduce the effectiveness of blocklist-based defenses. They emphasized the importance of protecting and monitoring logon scripts, as well as closely inspecting cloud service API traffic and web access patterns.
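A monitoring routine for the logon-script recommendation, added here as an example and not the speakers' tooling: it snapshots every file on the script share with content hashes, keeps the text of small scripts, diffs against a stored baseline, and prints the exact lines that changed. The share path is a placeholder and the demo files are constructed.

```python
"""Snapshot the logon-script share, diff it against a saved baseline, and show
exactly which lines changed. Added example for this page, not the speakers'
tooling; the share path is a placeholder and the demo files are constructed."""
import difflib
import hashlib
import json
from pathlib import Path

SCRIPT_SHARE = Path(r"\\dc01.example.invalid\NETLOGON")  # placeholder path (assumed)
BASELINE_FILE = Path("netlogon-baseline.json")
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".ps1", ".js"}
MAX_TEXT = 64 * 1024  # keep full text only for small script files


def snapshot(root: Path) -> dict:
    """Hash every file under root; keep the text of small scripts for later diffing."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        entry = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
                 "mtime": int(p.stat().st_mtime)}
        if p.suffix.lower() in SCRIPT_EXTS and len(data) <= MAX_TEXT:
            entry["text"] = data.decode("utf-8", "replace")
        snap[p.relative_to(root).as_posix()] = entry
    return snap


def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify paths as added, removed or modified (by content hash, not mtime)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new)
                           if old[k]["sha256"] != new[k]["sha256"]),
    }


def explain(old: dict, new: dict, rel: str) -> str:
    """Unified diff of a modified script, so inserted lines are visible."""
    o = old.get(rel, {}).get("text")
    n = new.get(rel, {}).get("text")
    if o is None or n is None:
        return f"{rel}: content not captured (binary, oversized or new); hash changed"
    return "".join(difflib.unified_diff(o.splitlines(True), n.splitlines(True),
                                        f"baseline/{rel}", f"current/{rel}"))


def check_share(root: Path = SCRIPT_SHARE, baseline: Path = BASELINE_FILE) -> dict:
    """One scheduled run: compare against the stored baseline, or create it."""
    current = snapshot(root)
    if not baseline.exists():
        baseline.write_text(json.dumps(current, indent=1))
        return {"added": [], "removed": [], "modified": []}
    return diff_snapshots(json.loads(baseline.read_text()), current)


if __name__ == "__main__":
    import tempfile
    d = Path(tempfile.mkdtemp())  # constructed demo share
    (d / "logon.bat").write_bytes(b"@echo off\r\nnet use H: \\\\fs01\\home\r\n")
    before = snapshot(d)
    (d / "logon.bat").write_bytes(b"@echo off\r\nnet use H: \\\\fs01\\home\r\n"
                                  b"call \\\\fs01\\public\\maint.bat\r\n")
    after = snapshot(d)
    result = diff_snapshots(before, after)
    print(result)
    for rel in result["modified"]:
        print(explain(before, after, rel))
```

Because the changes described above were reverted quickly, the run interval has to be short (minutes, not a daily job), the baseline should live off the domain controller, and it should only be refreshed after a change has been reviewed and approved.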

Konni’s New Arsenal: Unmasking GSRAT in North Korea-linked APT Operation

Speakers: Takuma Matsumoto and Yoshihiro Ishikawa (LAC Co., Ltd.)

Presentation Materials (English)

Takuma Matsumoto and Yoshihiro Ishikawa analyzed attacks leveraging “GSRAT,” an AutoIt-based RAT observed since February 2025 and attributed to activity associated with the North Korea-linked threat actor “Konni.” In May 2025, they reported that the attackers conducted a spear-phishing campaign targeting organizations related to domestic financial institutions. In this campaign, the attackers impersonated affiliated companies and distributed malicious links.

In the observed infection chain, victims received spear-phishing emails that led them to download ZIP archives containing shortcut (LNK) files disguised as documents. When the LNK file was executed, an obfuscated script ran and displayed decoy content to the user while simultaneously downloading and extracting additional payloads. The infection then proceeded through VBS and BAT scripts, which ultimately launched AutoIt. Persistence was achieved by registering the malware in the Startup folder and creating scheduled tasks. The compiled AutoIt script containing GSRAT then communicated with its C2 server, enabling remote control of the compromised host.

The speakers also outlined characteristics of AutoIt, noting its capabilities for Windows GUI automation and API invocation, as well as its ability to be compiled into standalone executables with minimal dependencies, making it relatively lightweight. They introduced encoding techniques observed in recent samples, including the widely seen EA06 format, and explained associated extraction methods. GSRAT transmits a victim-specific identifier generated from host information along with version data to its C2 server and provides core backdoor functionality such as remote shell access, file upload and download, enumeration, deletion, and execution. Variants were observed incorporating modifications such as JSON-formatted communications and the introduction of custom delimiters.

Finally, the speakers outlined the indicators linking GSRAT to Konni. These included the transition from Custom Lilith RAT to GSRAT and distinctive infrastructure operation patterns observed across campaigns. They also summarized recommended defensive measures. These include using YARA and Sigma rules for detection, monitoring persistence mechanisms with Autoruns and EDR solutions, and restricting AutoIt execution through AppLocker or WDAC based on code-signing information.

Conclusion

This installment covered the presentations delivered on the first day of JSAC2026. The next issue of JPCERT/CC Eyes will continue with highlights from Day 2.

Tomoya Kamei
(This article was machine-translated and manually reviewed.)
