09:00 (30min) Registration
Main Track
09:30 (15min) Conference Opening & Welcome Remarks

TBA

Main
Main Track
09:45 (45min) Rethinking AV Testing in the Age of AI-Enhanced Cyberattacks
Alexander Adamov, NioGuard Security Lab

Traditional AV testing methodologies are rapidly becoming obsolete in the face of emerging AI-powered cyber threats. In 2020, we demonstrated how AI, specifically Reinforcement Learning (RL), could enable ransomware to evade anti-ransomware defenses by autonomously identifying stealthy file encryption strategies. After approximately 600 training iterations, our RL-based agent learned how to encrypt files in a target folder without triggering detection mechanisms [Adamov & Carlsson, EWDTS 2020; AMTSO 2021].

While initially theoretical, such AI-enhanced malware is no longer speculative. The release of large language models (LLMs), beginning with ChatGPT in late 2022, has dramatically accelerated adversarial innovation. By early 2024, joint reporting from Microsoft and OpenAI confirmed that nation-state threat actors were actively leveraging LLMs for reconnaissance, scripting, and social engineering in the preparatory stages of cyberattacks.

Most notably, in July 2025, CERT-UA reported a groundbreaking cyber operation by APT28 (a.k.a. Fancy Bear / Forest Blizzard), in which the attackers operationalized an LLM (Qwen 2.5-Coder-32B-Instruct) to generate system commands on the fly. The attack utilized a Python-based tool, LAMEHUG, which issued reconnaissance commands and harvested sensitive documents autonomously, bypassing traditional AV signatures and behavior-based detection [CERT-UA, 2025].

These developments reveal the necessity to come up with a new testing approach for AI-powered cyberattacks. We will examine the shortcomings of current anti-malware test protocols, present a taxonomy of AI-driven attack techniques, and discuss a new testing approach designed to evaluate AV solutions under conditions involving AI-powered malware. By showcasing real-world examples such as APT28’s use of LAMEHUG, we aim to highlight the urgent need for industry-wide adaptation of AV testing to meet the next generation of cyber threats.

Main Track
10:30 (30min) Coffee break
Main Track
11:00 (45min) The Perpetual Battle with EDR killers
Gabor Szappanos, Sophos

This presentation examines the alarming rise in sophisticated malware specifically designed to disable Endpoint Detection and Response (EDR) systems. Neutralizing the defense is a critical phase in modern multi-staged attacks that allows threat actors to operate undetected.
Based on incident response encounters we observed that threat actors use a wide variety of EDR evasion techniques. We can categorize these approaches into three major tiers: publicly available tools from open repositories like GitHub (e.g., Backstab, EDRSilencer, EDRSandBlast); repurposed components of legitimate security software (TDSSKiller, GMer, Huorong HRSword, Comodo Killswitch); and custom-built solutions like AuKill and EDRKillShifter.
Each category presents unique defensive challenges—while custom solutions can be freely detected, repurposed legitimate software requires more nuanced approaches to avoid false positives and industry backlash. Yet, we have to handle those situations as well.
Our defensive methodology implements multiple protection layers that leverage contextual information, event timelines, and environmental factors. We combine static detections, behavioral protection, and reputation systems into meta-detections that correlate seemingly benign events to identify and block sophisticated attacks.
The presentation provides an insider's view of this ongoing security cat-and-mouse game, featuring real-world case studies that demonstrate our defensive strategies against various EDR killer types. Security professionals will gain practical insights into identifying and mitigating these critical threats that often precede major security breaches.

Main Track
11:45 (45min) Orchestrating Uncertainty: Security Validation of AI Solutions
David Ellis, SecureIQLab

The rapid adoption of artificial intelligence solutions across enterprise environments has created an urgent need for comprehensive validation methodologies that address both functional capabilities and security vulnerabilities. This presentation presents a structured framework for validating AI solutions, with particular emphasis on multi-agent systems that are increasingly central to cloud-native architectures and enterprise workflows.

Main Track
12:30 (90min) Lunch Break
Main Track
14:00 (30min) Evaluating the benefits of empowering your SOC with AI, key metrics & buzzwords to look for
Stefan Dumitrascu, Artifact Security

In the last year we have seen an increase in established security vendors adding AI assistants to their suite of products. Alongside this, a small industry of bespoke AI Security Assistants designed to help businesses has emerged. How can you measure the benefit they bring to a business? We've interviewed SOC analysts and business owners to seek the "right" answer. Evaluating security products is an expensive endeavour that a lot of businesses cannot afford. The promise of analysts being more efficient and reducing alert fatigue gets thrown around. What are the metrics you can look at as an independent tester to give value to both enterprises and vendors alike?

Main Track
14:30 (60min) Transparency Wars: Exposing Hidden Biases in Testing
Panel session - chaired by Luis Corrons, Gen Digital

Independent testing is meant to be impartial; but how independent is it, really?

In an industry where vendors pay for tests, influence test scopes, and use results for marketing, questions about bias and transparency are not just valid, they're necessary. This roundtable invites open discussion on one of the most sensitive topics in the testing ecosystem: the hidden dynamics that shape what gets tested, how it’s tested, and which results get highlighted (or buried).

We’ll explore:
• Should vendors have any say in what gets tested?
• What happens when testers rely financially on the companies they’re evaluating?
• Do transparency declarations and methodologies go far enough, or are they just window dressing?
• Can AMTSO or other bodies enforce standards for independence and disclosure?

We’ll also ask whether existing transparency efforts are enough to build trust with consumers, media, and regulators, or if it’s time to raise the bar.

This isn’t about finger-pointing. It’s about recognizing where the system falls short and asking: can we afford to keep pretending everything is fine?

Whether you’re a tester, vendor, or observer of the industry, this is your chance to join a long-overdue conversation.

Main Track
15:30 (30min) Coffee break
Main Track
16:00 (90min) AMTSO General Meeting

Review of recent AMTSO activities and achievements, summaries of current projects and working groups, open discussion of issues and challenges in testing, planning for future projects and activities.

AMTSO
Main Track
17:30 (90min) Networking Break & Drinks Reception
Main Track
09:00 (5min) Opening Day 2
Main Track
09:05 (25min) The Dark Prescription: Inside the Infrastructure of Illegal Online Pharmacies
Lubos Bever, Martin Chlumecký

Online

Main Track
09:30 (30min) From Threat List to Threat Intelligence: Enhancing RTTL with Real-Time Malware Config Extraction
Grayson Milbourne, OpenText Cybersecurity

The Anti-Malware Testing Standards Organization (AMTSO) Real-Time Threat List (RTTL) is a collaborative platform that aggregates fresh malware and URL samples from over 15 security vendors. Designed to reduce sample bias in third-party efficacy testing, RTTL also offers a unique opportunity to generate high-quality, real-time threat intelligence, especially for those who contribute and gain access to the feed.

This presentation explores how RTTL can be elevated from a sample-sharing service to a dynamic intelligence source by integrating it with the Triage sandbox. Triage specializes in malware configuration extraction and supports over 200 config dumping utilities, enabling the identification of C2 infrastructure, malware hosting URLs, FTP credentials, SMTP credentials, and more. Its robust tagging system further enhances sample classification by malware family, variant, and behavior.

Over the past year, more than 350,000 RTTL samples were detonated in Triage, revealing valuable insights into execution success rates, IoC enrichment frequency, and broader malware trends. This session will present key findings from this analysis and demonstrate how RTTL submissions can be transformed into actionable threat intelligence.

A key goal of this talk is to highlight the value of contributing to RTTL, not only to access enriched IoCs but also to improve the overall quality of the service. By showcasing the intelligence Triage can extract, the presentation aims to encourage broader vendor participation and explore potential collaboration models, including a donation of Triage services in exchange for enriched IoC feeds or a community investment in Triage to enhance RTTL’s impact.

Main Track
10:00 (30min) RTTL 2.0 — Continuous Detection Through Sandbox & Threat Intelligence
Jan Miller, OPSWAT

Utilizing the AMTSO Test Harness as a Backbone for RTTL Enrichment and Zero-Day Detection.

Main Track
10:30 (30min) Coffee break
Main Track
11:00 (60min) The Future of Threat Intel Sharing and Enrichment

As the Real-Time Threat List (RTTL) continues to evolve as AMTSO’s central platform for sample and threat intelligence sharing, this workshop invites contributors, testers, and conference representatives to shape its next chapter. We will explore how RTTL can better serve the cybersecurity community through enhanced data-driven capabilities, contributor transparency, and expanded telemetry insights.

Key discussion points will include:
- CERT Needs: Understanding the CERT’s request for trend-based intelligence, such as threat vectors, clustered behaviours, and APT mapping, rather than raw samples.
- Contributor Expectations: What motivates contributors to share? How can RTTL improve visibility, feedback loops, and recognition?
- Data Expansion: Opportunities to enrich RTTL with metadata, telemetry pipelines, and vendor-mapped threat trends.
- Design Roadmap: Preview of upcoming features including feed-level watchdogs, submission sorting, and machine learning-based quality checks.

This session will be interactive and forward-looking, aiming to define a roadmap that balances operational efficiency with strategic intelligence value. All participants are encouraged to bring ideas, use cases, and feedback to help shape RTTL’s future.

AMTSO Working Group Meeting
Main Track
12:00 (30min) User-Aware Threat Detection: Bridging the Gap Between AV and Awareness
Jan Sirmer, Gen Digital

Consumer cyber safety is rapidly evolving, with humans increasingly becoming the primary attack surface. In today’s online environment, users face a constant barrage of scams that are growing in sophistication. Keeping up with the changing tactics of threat actors is a challenge even for experienced users, and traditional security solutions are often not enough to prevent manipulation through social engineering.

This presentation introduces a user-centric threat advisory tool designed to bridge this gap. Acting as a standalone anti-scam feature and a second-opinion assistant, it helps users interpret potentially dangerous content such as suspicious messages or websites by offering clear, contextual explanations. Rather than replacing existing endpoint protection, it complements it by enhancing user awareness and supporting better decision-making in real time.

We will explore the core functional elements of the tool and evaluate its potential to reduce the impact of impersonating scams and social engineering attacks, an area where traditional AV solutions can struggle.

A key question raised is whether AI-driven solutions can operate effectively on their own, or whether human expertise remains essential to ensuring accuracy and usability. The presentation will examine how the combination of expert input and AI that goes beyond traditional detection methods by knowing context and/or analyzing the intent across SMS, email, and web can improve threat interpretation and user trust, particularly in edge cases where nuance matters.

Finally, we will touch on the implications for testing methodologies. When human interaction significantly influences the outcome, how should such tools be evaluated? This remains an open question, and the audience will be invited to contribute their perspective after the session.

Main Track
12:30 (90min) Lunch Break
Main Track
14:00 (45min) Joker hates this one weird trick!
Roman Unuchek & Nick Anderson, Google

The Joker toll fraud family is one of the best-known Android malware families. For more than six years they have been submitting malicious apps to the Play Store, during which time they have become very proficient at hiding their code and behavior from app analysis systems. They quickly adapt to Google detection infrastructure improvements and constantly change their behavior.

For one variant in particular it was identified that the actors were using newly registered domains and never reusing them for other apps. It is extremely hard to discover such domains because they use different registration details and the domains sometimes have meaningful names. However, we discovered a flaw in their infrastructure that allowed us to quickly identify new apps before they are distributed to users.

In this talk we'll cover common tactics used by the Joker toll fraud family and go in depth on a flaw we discovered wherein the Joker threat actors would spin up new back-end infrastructure making use of default configurations to service new app campaigns. Through this flaw we have been able to develop an early detection mechanism leveraging Censys APIs which allows us to identify new toll fraud apps in near real time and prevent the publication of malicious apps to the Play Store to protect Android users.

Main Track
14:00 (60min) Scam & Phishing Working Group Meetup

TBD

AMTSO Working Group Meeting
Board Room 1
14:45 (45min) Preempting the Machine: Disrupting AI-Driven Attacks Early
Tal Kandel & Tzur Leibovitz, Malanta.ai

Artificial intelligence is no longer just a tool for defenders. It’s a decisive force multiplier for attackers. A new adversary class is emerging: the AI.Attacker, autonomous agents capable of reconnaissance, planning, and execution at machine speed. Unlike traditional threats, these systems adapt, self-learn, and scale campaigns beyond human operational limits. What once took days or weeks in the intrusion kill chain (recon → resource development → delivery → exploitation) can now collapse into minutes.
Yet this speed also exposes their Achilles’ heel: the pre-attack phase. Before execution, AI.Attackers require accurate, timely intelligence to map targets, identify vulnerabilities, and prepare infrastructure. This is the best, and often only, moment to disrupt them.
This talk presents real-world examples of AI-driven recon, resource development, and exploitation, then introduces a live demo of “AI.Attacker Recon and Exploitation Prevention”, a technique and tooling suite that detects and prevents hostile AI reconnaissance. Attendees will leave with a forward-shifted defense model and practical tactics to prevent AI reconnaissance, tipping the balance before the first shot is fired.

Main Track
15:30 (30min) Coffee break
Main Track
16:00 (45min) Cybercrime Loves .NET: Motivations and Emerging Malware Trends
Daniel Ruiz, OPSWAT

Why do cybercriminals rely so heavily on .NET for malware development? This talk explores how .NET has quietly become one of the most abused languages or frameworks. With built-in support for dynamic compilation and in-memory execution, .NET offers attackers easy usage and flexibility for crafting modular, evasive malware. While existing .NET code is widely reused, there is also a growing underground market of “Protector-as-a-Service” tools fueling the rapid adoption of .NET across cybercrime operations.

This talk dives into the internals of .NET from a malware analyst's perspective to later explore how protectors—far beyond simple packers—enable advanced evasion and anti-analysis techniques. We’ll show how this poses a unique challenge for sandboxes and automated pipelines, which fail to scale when facing threats that require deeper, context-aware analysis beyond basic runtime execution.

To ground this in the real world, we’ll analyze Roboski (also known as TicTacToe), a .NET bitmap-based loader that is simple, effective, and indeed everywhere. Despite being years old, it still sneaks under the radar and is widely reused in the wild, serving as a key delivery tool for next-stage payloads.

This talk will blend threat research with malware internals, sharing actionable techniques to improve detection and dive deep into what’s hiding inside today’s .NET malware.

Main Track
16:45 (40min) Wrap up, Working Group reports & Lessons Learned

TBD

AMTSO
Main Track
17:25 (5min) End of Event
Main Track