Ellis Stannard
Ellis Stannard is a part-time security researcher and core member of the Ransom-ISAC (Information Sharing and Analysis Center) initiative, where he contributes to collaborative threat intelligence efforts focused on ransomware and advanced persistent threat (APT) campaigns.
Sessions
The ransomware ecosystem thrives in the shadows of fragmented intelligence and siloed expertise. Defenders do the hard work — forensic timelining of incidents, tracing cryptocurrency flows, reverse engineering payloads, negotiating with threat actors — yet that knowledge rarely travels far beyond the individual or organization that earned it. Ransom-ISAC's L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) initiative was built to change that. This talk introduces L.O.C.K. S.T.A.R. as a community-driven recognition framework designed to surface, validate, and amplify the work of ransomware researchers and practitioners across eight critical domains — and explores how structured knowledge sharing can become one of our most powerful weapons against ransomware.
This report presents the first documented analysis of Cross-Chain TxDataHiding (XCTDH), a novel command-and-control technique employed by DPRK-linked threat actors in cryptocurrency theft operations. The attack leverages multiple blockchain networks, TRON and Aptos as decentralized pointer systems and Binance Smart Chain (BSC) for encrypted payload storage, to create virtually untraceable, takedown-proof malware infrastructure.

Discovered during investigation of a malicious GitHub repository used in fake job recruitment campaigns, this technique represents a significant evolution from previously documented blockchain-based C2 methods. Unlike Etherhiding (which stores payloads in smart contract storage), XCTDH embeds malicious code within blockchain transaction input data across multiple chains, retrieved via standard RPC calls that are indistinguishable from legitimate cryptocurrency traffic.

The attack chain begins with social engineering through fraudulent job postings, progresses through weaponized repositories containing heavily obfuscated JavaScript, and culminates in multi-stage payload delivery that evades modern EDR solutions. At an operational cost of approximately $1 USD, attackers establish resilient infrastructure that can dynamically update payloads, automatically fail over between blockchain networks, and resist traditional takedown efforts, all while appearing as legitimate crypto wallet activity.

This analysis details the technical mechanisms, attribution indicators linking the campaign to DPRK operations, economic asymmetries favoring attackers, and the strategic implications of blockchain-based C2 for the future threat landscape.
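The abstract describes two mechanics worth seeing concretely: a pointer transaction whose input data names a second transaction, and a payload transaction whose input data is the (encrypted) stage itself, both fetched with ordinary RPC calls. The block below is an added illustration written for this page; it is not code from the talk, the report, or Ransom-ISAC, and it does not reproduce the campaign's real encoding. Everything in it is constructed: the hashes, addresses, key and stage text are fabricated, XOR stands in for whatever encryption the actors used, and two in-memory tables stand in for `eth_getTransactionByHash` and `eth_getCode` (EVM-style fields; TRON and Aptos transactions carry data differently, and the page does not document those formats). Alongside the pointer walk, it shows the two cheap checks an analyst can run over such responses to spot calldata that is carrying data rather than a contract call: input sent to an account with no code, and input that is not shaped like an ABI call (4-byte selector plus whole 32-byte words).

```python
"""Added illustration of payload-in-calldata retrieval and triage.
All transactions, addresses, hashes and the key below are constructed."""
import math
from collections import Counter


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy obfuscation standing in for the campaign's real encryption (unknown here)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SAMPLE_KEY = b"k3y"                                          # constructed
SAMPLE_STAGE = b"console.log('stage-2 loader placeholder')"  # constructed stand-in for a stage

ATTACKER_EOA = "0x" + "a1" * 20     # constructed; an externally owned account, no code
TOKEN_CONTRACT = "0x" + "c0" * 20   # constructed; stands in for an ERC-20 contract
PAYLOAD_HASH = "0x7a1c9e3b5d0f8a2c4e6b9d1f3a5c7e9b2d4f6a8c0e1b3d5f7a9c2e4b6d8f0a1c"
POINTER_HASH = "0xc0ffee1122334455667788990011223344556677889900aabbccddeeff001122"

# Shaped like eth_getTransactionByHash results, trimmed to the fields used here.
TXS = {
    "0x" + "01" * 32: {"to": ATTACKER_EOA, "input": "0x"},        # plain value transfer
    "0x" + "02" * 32: {"to": TOKEN_CONTRACT,                        # ERC-20 transfer(address,uint256)
                       "input": "0xa9059cbb" + "00" * 12 + "a1" * 20 + "%064x" % 10**18},
    POINTER_HASH: {"to": ATTACKER_EOA, "input": PAYLOAD_HASH},      # pointer: input is a tx hash
    PAYLOAD_HASH: {"to": ATTACKER_EOA,                               # payload: input is the obfuscated stage
                   "input": "0x" + xor_bytes(SAMPLE_STAGE, SAMPLE_KEY).hex()},
}
CODE = {ATTACKER_EOA: "0x", TOKEN_CONTRACT: "0x6080604052"}  # eth_getCode stand-in


def get_transaction(tx_hash: str) -> dict:
    """Stand-in for a JSON-RPC eth_getTransactionByHash call."""
    return TXS[tx_hash.lower()]


def get_code(address: str) -> str:
    """Stand-in for eth_getCode; "0x" means no contract is deployed there."""
    return CODE.get(address.lower(), "0x")


def calldata(tx: dict) -> bytes:
    return bytes.fromhex(tx["input"][2:])


def looks_like_abi_call(data: bytes) -> bool:
    """Solidity ABI calls are a 4-byte selector followed by whole 32-byte words."""
    return len(data) >= 4 and (len(data) - 4) % 32 == 0


def shannon_entropy(data: bytes) -> float:
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def classify(tx: dict) -> str:
    """Cheap triage of one transaction's input data."""
    data = calldata(tx)
    if not data:
        return "plain-transfer"
    if tx["to"] is None:
        return "contract-creation"
    if get_code(tx["to"]) == "0x":
        # Nothing at the destination can execute this input; it is there to be read back.
        return "calldata-to-eoa"
    if not looks_like_abi_call(data):
        return "non-abi-calldata"
    # Entropy only says something on longer inputs; short ones cannot reach 8 bits.
    if len(data) >= 256 and shannon_entropy(data) > 7.2:
        return "high-entropy-calldata"
    return "abi-call"


def follow_pointer(pointer_hash: str, key: bytes) -> bytes:
    """Walk pointer tx -> payload tx the way a loader (or an analyst) would."""
    pointer_input = calldata(get_transaction(pointer_hash))
    if len(pointer_input) != 32:
        raise ValueError("pointer input is not a 32-byte transaction hash")
    payload_tx = get_transaction("0x" + pointer_input.hex())
    return xor_bytes(calldata(payload_tx), key)


def triage() -> dict:
    return {tx_hash: classify(tx) for tx_hash, tx in TXS.items()}


if __name__ == "__main__":
    for tx_hash, verdict in triage().items():
        print(tx_hash[:10], verdict)
    print(follow_pointer(POINTER_HASH, SAMPLE_KEY).decode())
```

Both the pointer and the payload transaction land in the `calldata-to-eoa` bucket, which is the signal that survives any change of encryption or chain: someone paid gas to attach bytes to a transfer that no contract will ever read. The ABI-shape and entropy checks are the fallback for data sent to a contract address; they are heuristics, and a real pipeline should follow up with `eth_getCode` at the block height in question, since a contract can have been self-destructed after the transaction.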