JSAC2026 -Workshop/Lightning Talk Session/Panel Discussion-
In this article, we continue our overview of the sessions at JSAC2026. We focus on the Workshop sessions, Lightning Talk sessions, and the Panel Discussion in this report.
[Workshop 1]
Leveraging EML Analyzer to Triage Malicious Email Messages During Incident Response
Speaker: Manabu Niseki; Michał Praszmo, CERT Polska
Manabu Niseki and Michał Praszmo focused on the analysis and triage of malicious emails, first reviewing email architecture and attack techniques, and then introducing practical analytical methods using real email samples.
In the first half, they outlined fundamental email specifications such as the Internet Message Format and MIME, and explained how emails are delivered across systems and how to interpret the “Received” headers. They also covered authentication technologies including SPF, DKIM, and DMARC, clarifying their respective roles, limitations, and what analysts should verify within actual email headers.
In the second half, they conducted hands-on analysis using EML Analyzer, an open-source tool that parses EML and MSG files and visualizes structured data such as headers, message bodies, attachments, and URLs.
Participants used EML Analyzer to perform CTF-style exercises, submitting analysis results based on tasks such as:
- Identifying the Message-ID
- Determining the subject of the original message referenced in an NDR (Non-Delivery Report)
- Calculating the SHA256 hash of a PDF attachment disguised as a quotation request
- Identifying the source host IP that relayed the email to a Microsoft Outlook environment
- Identifying the FQDN of the host that executed a ClamAV malware scan
- Extracting the Envelope FROM (Return-Path) from debug headers
- Identifying the sender’s client IP address from X-Headers
- Identifying the attacker-controlled C2 server used in a Roundcube XSS attack
- Determining the original sender’s full email address based on traces of conversation hijacking
- Analyzing modifications that caused DKIM verification failure and identifying the original body hash
- Identifying the mechanism by which the received email passed SPF validation
- Determining the abuse report destination when an @gmail.com email fails DMARC validation
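As an added illustration of the Received-header and Return-Path reading the workshop covered (this is not the workshop's material or EML Analyzer's code), the following script walks a constructed message's relay chain oldest-first and pulls the envelope sender; all hosts and addresses are made-up documentation values:

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real sample); IPs are from documentation ranges.
SAMPLE_EML = b"""Return-Path: <bounce@mailer.example>
Received: from mx2.victim.example (mx2.victim.example [192.0.2.20])
    by inbox.victim.example with ESMTP id abc123
    for <user@victim.example>; Mon, 12 May 2025 09:01:05 +0900
Received: from relay.mailer.example (relay.mailer.example [198.51.100.7])
    by mx2.victim.example (Postfix) with ESMTPS id def456;
    Mon, 12 May 2025 09:01:02 +0900
Received: from [203.0.113.9] (unknown [203.0.113.9])
    by relay.mailer.example with ESMTPA id ghi789;
    Mon, 12 May 2025 09:00:58 +0900
From: "Accounting" <billing@vendor.example>
To: user@victim.example
Subject: Quotation request
Message-ID: <20250512000058.1234@vendor.example>
Content-Type: text/plain

Please see attached.
"""

# "from <host> (... [<ip>]) by <host>" as written by most MTAs; tolerant of folding.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>\S+)", re.S
)

def relay_chain(raw):
    """Return hops oldest-first. Each MTA prepends its own Received header,
    so the last Received header in the message is the first hop."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr))
        if m:
            hops.append(m.groupdict())
    return hops

def envelope_from(raw):
    """Envelope FROM as recorded by the final MTA in Return-Path (may be empty)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return str(msg.get("Return-Path", "")).strip().strip("<>")

if __name__ == "__main__":
    for i, hop in enumerate(relay_chain(SAMPLE_EML), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("envelope from:", envelope_from(SAMPLE_EML))
```

Only the hop written by your own (trusted) MTA is reliable; earlier Received lines can be forged by the sender, which is why the chain is read from the trusted end inward.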
[Workshop 2]
Advanced Malware Reverse Engineering: Dealing with Anti-Analysis Techniques from Scratch
Speaker: Mark Lim, Palo Alto Networks, Inc.
Mark Lim guided participants through a hands-on reverse engineering workshop focused on bypassing anti-analysis techniques observed in real-world malware.
The workshop analyzed two malware families:
- Guloader: a multi-stage dropper
- Gremlin: an infostealer
Participants analyzed a multi-stage attack scenario in which Guloader acts as the initial access vector and ultimately deploys and executes Gremlin, conducting their analysis with the full attack chain in mind.
The session progressed step by step, beginning with analysis of VBS files and PowerShell scripts, moving to shellcode analysis, and ultimately addressing control flow obfuscation implemented through Vectored Exception Handlers (VEH). After each hands-on phase, Mark provided detailed explanations of the underlying mechanisms and analytical techniques, reinforcing both conceptual understanding and practical skills.
He also detailed the tools and scripts used throughout the analysis, allowing participants to systematically learn practical reverse engineering techniques.
[Workshop 3]
Re:birth the fidb: Reverse Engineering the .NET AOT Malware
Speaker: Akihiro Yoshitake; Akihiro Kida; Akihiro Jin, NF Laboratories Co., Ltd.
This workshop was designed to enable beginners to systematically and practically learn analysis techniques for malware compiled with .NET Native AOT (Ahead-of-Time), which has recently begun to be observed in the wild.
Traditional .NET malware typically retains IL code and extensive metadata, making analysis with decompilers such as dnSpy relatively straightforward. In contrast, binaries compiled with Native AOT do not contain IL code and carry significantly less metadata, rendering conventional .NET malware analysis approaches insufficient. The workshop addressed practical strategies for overcoming these Native AOT-specific challenges.
In the first half, the speakers compared conventional .NET binaries (including IL) with Native AOT-compiled binaries, explaining their internal structures and characteristics. They demonstrated how Native AOT binaries can resemble C++ native binaries and how static linking of standard libraries greatly increases the volume of code subject to analysis.
They then introduced signature-based triage techniques to address this complexity. Through hands-on exercises using Ghidra and IDA Pro, participants learned how to identify functions derived from standard libraries and narrow down relevant code for analysis. By leveraging Ghidra’s Function ID and IDA Pro’s FLIRT signatures, participants confirmed substantial improvements in code readability.
In the latter half, they examined the Dehydrate / Rehydrate mechanisms used during Native AOT compilation and demonstrated techniques to restore string literals and object metadata that are often lost in static analysis. Using a Ghidra plugin, participants performed hands-on exercises to statically reconstruct compressed metadata and Frozen Objects without dynamic analysis, significantly improving code readability.
[Lightning Talk Sessions 1]
HoldingHandsRAT Attacks Against Japanese Companies
Speaker: Toshiki Takeuchi, NEC
Toshiki Takeuchi analyzed HoldingHandsRAT attacks targeting Japanese companies, drawing on observed phishing emails and malware behavior.
HoldingHandsRAT has previously been used in campaigns targeting Taiwan, Japan, and Malaysia. He presented a case observed in May 2025, in which Japanese-language phishing emails targeted Japanese organizations. Based on PDB paths and runtime behavior identified during analysis, he demonstrated similarities with publicly available HoldingHands source code.
In one example, attackers disguised the phishing email as a business notification titled “Notice of Salary System Revision” and attached a ZIP archive. The archive contained a password-protected executable file along with a text file listing the password. Protecting the executable with a password likely aimed to evade detection by security products.
He further noted that some malware samples used in the campaign carried digital signatures suspected to have been stolen from legitimate companies. Additionally, multiple domains with similar naming patterns were registered around the same period, many resolving to IP addresses within Japan.
[Lightning Talk Sessions 2]
Dangerous Co-Tenants in Hosting Services
Speaker: Takayuki Tomatsuri, NTT Security Japan Co., Ltd.; Ryosuke Togashi, NTT DOCOMO BUSINESS, Inc.
Takayuki Tomatsuri and Ryosuke Togashi examined security risks arising from shared email infrastructures in rental servers and hosting services, illustrating their points with concrete examples.
Although rental servers offer ease of use, they frequently involve shared IP addresses and mail-sending infrastructure among multiple tenants. They highlighted how such shared environments do not always align well with sender authentication technologies such as SPF and DMARC. In particular, because SPF relies on source IP addresses, it may fail to distinguish spoofed emails sent by other tenants within the same IP range.
They also explained that when service providers and customers share the same mail infrastructure, attackers may be able to send emails impersonating the provider. Since the provider’s SPF record authorizes certain IP addresses, malicious tenants may effectively leverage those same IP addresses. In such environments, even properly configured SPF and DMARC settings may not fully prevent spoofing.
As one method to assess this risk, they introduced an approach that compares SPF records of providers and tenants. While external parties cannot easily determine the internal configuration of rental services, correlating publicly available DNS SPF records can help infer whether tenant-usable IP addresses are included in the provider’s SPF record, thereby indicating potential spoofing risk.
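As an added example of the SPF-record comparison described above (written for this report, not the speakers' tool), the script below expands each domain's SPF record offline from a constructed TXT table and reports which of the provider's authorized ranges a tenant's record also names; all domain names and addresses are made-up:

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups (example names, not real hosts).
FAKE_TXT = {
    "provider.example":        "v=spf1 ip4:203.0.113.0/24 include:_spf.provider.example -all",
    "_spf.provider.example":   "v=spf1 ip4:198.51.100.0/25 ~all",
    "tenant-a.example":        "v=spf1 ip4:203.0.113.17 -all",   # inside the provider's block
    "tenant-b.example":        "v=spf1 include:_spf.other-mail.example -all",
    "_spf.other-mail.example": "v=spf1 ip6:2001:db8::/32 -all",
}

def collect_networks(domain, lookup=FAKE_TXT, _depth=0, _seen=None):
    """Expand an SPF record into the set of ip4/ip6 networks it names.
    Follows include: and redirect= (RFC 7208) with a loop guard and the
    10-lookup limit; a/mx mechanisms are skipped since they need more DNS."""
    _seen = set() if _seen is None else _seen
    if domain in _seen or _depth > 10:
        return set()
    _seen.add(domain)
    record = lookup.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # qualifier does not change which IPs are named
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= collect_networks(term[8:], lookup, _depth + 1, _seen)
        elif term.startswith("redirect="):
            nets |= collect_networks(term[9:], lookup, _depth + 1, _seen)
    return nets

def shared_ranges(provider, tenant, lookup=FAKE_TXT):
    """(provider_net, tenant_net) pairs that overlap. A tenant whose SPF names
    addresses inside the provider's SPF can pass SPF while spoofing the provider."""
    prov = collect_networks(provider, lookup)
    ten = collect_networks(tenant, lookup)
    return sorted((str(p), str(t)) for p in prov for t in ten
                  if p.version == t.version and p.overlaps(t))

if __name__ == "__main__":
    for tenant in ("tenant-a.example", "tenant-b.example"):
        print(tenant, "->", shared_ranges("provider.example", tenant) or "no shared ranges")
```

Against live DNS you would replace FAKE_TXT with real TXT lookups; the overlap only indicates shared sending infrastructure, not that the tenant is malicious.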
[Lightning Talk Sessions 3]
Efficient Phishing Site Hunting with TOAMI, IKESU, and CHOKA: Browser Extension Integration for Streamlined Operations
Speaker: Yuichi Tsuboi, NTT DOCOMO BUSINESS, Inc.
Yuichi Tsuboi introduced the browser extension TOAMI and its companion tools IKESU and CHOKA, which were developed to support analysts engaged in phishing site investigations.
TOAMI assists analysts investigating suspicious URLs and outputs phishing detection results as structured logs.
IKESU visualizes logs generated by TOAMI through a GUI, enabling listing, searching, and sorting. Designed around the concept of managing logs as “fish in a holding tank,” the tool operates entirely within the browser.
CHOKA builds on detection results selected in IKESU and supports the creation and submission of abuse reports.
These tools address the substantial burden associated with manually conducting in-depth phishing site investigations. Because such investigations require significant resources and advanced expertise, operational efficiency and standardization are critical. By integrating TOAMI, IKESU, and CHOKA, Yuichi presented a vision of streamlining the workflow from detection and analysis to takedown, thereby accelerating phishing site mitigation.
[Lightning Talk Sessions 4]
Deceiving Developers: Abusing Legitimate GitHub Repositories to Deliver Malware
Speaker: Theo Webb, GMO Cybersecurity by Ierae, Inc.
Theo Webb analyzed a campaign in which attackers abused legitimate GitHub repositories to distribute malware targeting developers, explaining the techniques, background, and impact.
The attack combined malvertising with GitHub’s repository structure. Attackers forked a legitimate repository and created a commit that modified the download links in the README. This commit could be displayed under a URL that appeared to belong to the official repository, allowing victims to view it in a format nearly identical to the legitimate page.
The attackers promoted a link to the malicious commit through advertisements using keywords such as “GitHub Desktop.” Victims who clicked the advertisement were taken to the modified README page and downloaded the installer from the altered link. On Windows systems, this resulted in the execution of malware including HijackLoader, while on macOS systems, it led to infection with AMOS Stealer.
Theo highlighted structural factors enabling the attack. GitHub allows fork-derived commits to appear under URLs resembling those of official repositories, and in some cases, commits remain accessible even after forks or accounts are deleted, complicating tracking and complete removal. He also demonstrated how anchor links within README files can bypass certain warning mechanisms on GitHub.
He concluded by emphasizing defensive measures, including verifying the default branch of official repositories and downloading installers from the Releases page or the vendor’s official website rather than directly from README links.
[Lightning Talk Sessions 5]
Unmasking Houken: Advanced TTPs and Detection
Speaker: Ruth Ng, PricewaterhouseCoopers Hong Kong
Ruth Ng examined the division of labor in modern state-sponsored cyber attacks, focusing particularly on the role of Initial Access Brokers.
As the presentation included a substantial amount of TLP:RED information, further details cannot be shared publicly.
[Lightning Talk Sessions 6]
Monitoring Domestic Mobile Line Contracts Used by Overseas Investment Scams and Similar Fraud Schemes
Speaker: yumano
yumano presented research evaluating the effectiveness of SMS-based identity verification by analyzing mobile phone numbers abused in overseas investment scams and similar fraud schemes.
He described efforts to collect mobile numbers actually used in romance scams and to investigate their contract status and duration.
By analyzing contract status over approximately ten months before and after the fraudulent activities, he reported a pattern in which lines were contracted shortly before the scam operations and terminated soon after their completion.
These findings suggest that attackers may acquire large numbers of mobile phone numbers for authentication purposes within short periods. He therefore pointed out that SMS-based identity verification alone may not provide sufficient protection against fraud.
He also emphasized the importance of verifying contract status prior to account registration and rapidly sharing information about mobile numbers used in fraud cases to prevent further damage.
[Panel Discussion]
Security Incidents of 2025 Highlighted by the JSAC2026 Review Board
Speaker: CFP Review Board
(Rintaro Koike, NTT Security Japan Co., Ltd.; Minoru Kobayashi, Internet Initiative Japan Inc.; Shota Nakajima, Cyber Defense Institute, Inc.; Yu Nakatsuru, Fujitsu Limited; Yusuke Niwa, ITOCHU Corporation; Hiroaki Hara, Palo Alto Networks, Inc.; Steve Su, Google LLC; Shusei Tomonaga, JPCERT/CC)
The CFP Review Board members reflected on major security incidents of 2025 and discussed the cases that drew their particular attention.
Although the discussion featured lively exchanges among the board members, many details fall under TLP:RED and therefore cannot be shared publicly.
Conclusion
At JSAC2026, selected sessions were recognized for their outstanding contributions.
The Excellent Presentation Award (formerly the Best Speaker Award) was determined based on participant survey results, recognizing the session that received the highest “Excellent” (very satisfied) rating.
The Special Recognition Award was decided through deliberation by the CFP Review Board.
The presentations that received the Excellent Presentation Award and Special Recognition Award are as follows:
<Excellent Presentation Award>
Title: Re:birth the fidb: Reverse Engineering the .NET AOT Malware
Speaker: Akihiro Yoshitake; Akihiro Kida; Akihiro Jin, NF Laboratories Co., Ltd.
<Special Recognition Award>
Title: Unmasking the CoGUI Phishing Kit, the Major Chinese Phishing-as-a-Service Targeting Japan
Speaker: TeamDonut Shadow Liu, Lime Chen, Albert Song
Finally, we would like to take this opportunity to express our sincere appreciation to everyone who participated in JSAC2026 and to all readers of this report.
Yuki Yano
(This article was machine-translated and manually reviewed.)