2026-05-07 – Building D/room 1, Workshops and Detection Engineering village
Linux packers and loaders represent a blind spot in modern cybersecurity defenses. By compressing, encrypting, and obfuscating executable code, these tools enable fileless, in-memory execution that bypasses traditional detection mechanisms entirely.
This presentation dissects the hARMless ARM64 ELF packer/loader to reveal sophisticated evasion techniques: multi-layer page encryption, CRC32 integrity verification, and direct ARM64 syscall invocation. We expose critical security gaps where EDR solutions lack Linux visibility, static analysis fails against packed payloads, and memory-resident execution defeats forensic recovery. The bad news? Traditional EDR solutions are practically blind on Linux, static analysis can't keep up with modern packers, and memory-only execution makes forensics a nightmare. The good news? Well... let's see it together.
This presentation examines Linux malware packers and loaders as sophisticated evasion techniques that pose significant challenges to modern cybersecurity defenses. Malware packers compress, encrypt, and obfuscate executable code, while loaders execute the original malware directly in memory, enabling fileless execution that bypasses traditional detection mechanisms. The research includes a case study of the Lazarus APT group's ThreatNeedle malware, demonstrating a real-world implementation of multi-stage deployment with in-memory execution capabilities. A practical analysis of the hARMless ARM64 ELF packer/loader system illustrates its key technical components, including multi-layer encryption, CRC32 integrity verification, and direct ARM64 syscall implementation. The presentation reveals critical security implications: traditional EDR solutions have significant detection gaps on Linux systems, static analysis proves insufficient against packed malware, and memory-based execution complicates forensic analysis. Defensive strategies require implementing syscall-level monitoring, deploying behavioral analysis capabilities, and maintaining comprehensive logging for effective threat detection and response. Attendees will understand how modern malware evades detection and take away these practical defensive strategies.
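One concrete form of the syscall-level monitoring the abstract recommends, as an added example that is not part of the talk or the hARMless project: a small behavioral detector that consumes strace-style syscall lines and flags the memory transitions a loader must perform when it decrypts code into memory and then runs it. The trace format, the process IDs, addresses and the file path are constructed for this example; the two rules (an anonymous mapping created writable and executable at once, or an anonymous writable mapping later flipped to executable with mprotect) are assumptions about what is worth alerting on, not rules taken from the presentation.

```python
"""Behavioral detection of write-then-execute memory transitions from syscall logs.

Added example, not code from the talk or the hARMless project. Input lines are
assumed to look like strace -f output: "<pid> <syscall>(<args>) = <ret>".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parsers for the two syscalls we track; every other line is ignored.
MMAP_RE = re.compile(
    r"^(?P<pid>\d+)\s+mmap\(\w+,\s*(?P<len>\d+),\s*(?P<prot>[A-Z_|]+),\s*"
    r"(?P<flags>[A-Z_|]+),\s*(?P<fd>-?\d+),\s*\d+\)\s*=\s*(?P<ret>0x[0-9a-f]+)"
)
MPROTECT_RE = re.compile(
    r"^(?P<pid>\d+)\s+mprotect\((?P<addr>0x[0-9a-f]+),\s*(?P<len>\d+),\s*"
    r"(?P<prot>[A-Z_|]+)\)\s*=\s*(?P<ret>-?\d+)"
)

# Constructed sample trace. pid 100 is a benign process (file-backed executable
# mapping, as the dynamic loader does); pid 4242 behaves like a packed binary
# that decrypts a payload into anonymous memory and then makes it executable.
SAMPLE_TRACE = """\
100 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00a000
100 mprotect(0x7f00a000, 4096, PROT_READ) = 0
100 mmap(NULL, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x7f00b000
4242 openat(AT_FDCWD, "/tmp/packed.elf", O_RDONLY) = 3
4242 mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1000
4242 mprotect(0x7f1000, 16384, PROT_READ|PROT_EXEC) = 0
4242 mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9000
"""


@dataclass
class Mapping:
    start: int
    length: int
    prot: set[str]
    anonymous: bool
    was_writable: bool  # remembers a write window even if it was later dropped


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    addr: int


def detect(trace: str) -> list[Alert]:
    """Walk the trace once, tracking anonymous mappings per pid, and emit alerts."""
    mappings: dict[int, list[Mapping]] = {}
    alerts: list[Alert] = []
    for line in trace.splitlines():
        m = MMAP_RE.match(line)
        if m:
            pid = int(m["pid"])
            prot = set(m["prot"].split("|"))
            anon = "MAP_ANONYMOUS" in m["flags"].split("|") or int(m["fd"]) == -1
            start = int(m["ret"], 16)
            mappings.setdefault(pid, []).append(
                Mapping(start, int(m["len"]), prot, anon, "PROT_WRITE" in prot)
            )
            # Rule 1: anonymous memory that is writable and executable at creation.
            if anon and {"PROT_WRITE", "PROT_EXEC"} <= prot:
                alerts.append(Alert(pid, "anonymous RWX mapping", start))
            continue
        m = MPROTECT_RE.match(line)
        if m and int(m["ret"]) == 0:
            pid = int(m["pid"])
            addr = int(m["addr"], 16)
            new_prot = set(m["prot"].split("|"))
            for mp in mappings.get(pid, []):
                if mp.start <= addr < mp.start + mp.length:
                    # Rule 2: anonymous memory that was written, now becoming executable.
                    if (mp.anonymous and mp.was_writable
                            and "PROT_EXEC" in new_prot and "PROT_EXEC" not in mp.prot):
                        alerts.append(Alert(pid, "anonymous W->X transition", addr))
                    mp.prot = new_prot
                    mp.was_writable = mp.was_writable or "PROT_WRITE" in new_prot
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(f"pid={alert.pid} {alert.rule} at {alert.addr:#x}")
```

JIT runtimes legitimately perform the same W->X transition, so in production this rule is paired with an allowlist of known JIT processes, and the alert is enriched with the process's executable path and parent so an analyst can triage it; the file-backed executable mapping of pid 100 is deliberately not flagged, because that is how every dynamically linked program loads its libraries.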
Massimo Bertocchi is a Threat Hunter and Detection Engineer based in Zürich, specializing in advanced malware analysis, covert channel research, and offensive security tooling. He holds dual Master's degrees in Cybersecurity from KTH Royal Institute of Technology (Stockholm) and Aalto University (Finland), where his thesis on Microsoft Teams covert channels received international recognition and was subsequently published by Compass Security. His groundbreaking research identified and exploited multiple covert C2 channels within Microsoft Teams (achieving exfiltration rates up to 90KB/s), demonstrating critical vulnerabilities in cloud-based business communication platforms that bypass traditional network monitoring. This work represents the first comprehensive analysis of covert channels in enterprise collaboration tools and has influenced detection strategies across the industry.