About the Speaker
Executing malicious shellcode may trigger memory scans by EDR, leading to detection of malware. Sleep masks were introduced to ensure that malware is encrypted in memory while it's idle (sleeping), aiming to prevent that detection. Using sleep masks, malware is decrypted after sleeping, executes commands, and is then encrypted and instructed to sleep again. This ensures that the malware is only briefly visible in memory.
In this talk, I'll introduce Kong Loader 🍌, a completely new concept for loading shellcode. Kong Loader prevents the malware from being visible in memory at all, even while it is executing commands. For each assembly instruction, Kong Loader decrypts that specific instruction, executes it, and encrypts it again. This means only the currently executing instruction is visible in memory.
It comes with dangerous benefits for offensive security experts, and with new, complex challenges for defenders and malware analysts. This talk covers all of that.
As a reverse engineer and red teamer, Tijme (@tijme) supports the development of adversary simulation and security testing services. His research in recent years has focused mainly on (nation-state) adversary tactics, and on converting that research into useful tools for TIBER and ART (adversary simulation) engagements. His current and primary professional occupation is his role as Offensive Cyber Security Expert at ABN AMRO Bank.