BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsidesluxembourg-2026//talk//PHH3EJ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsidesluxembourg-2026-PHH3EJ@pretalx.com
DTSTART;TZID=CET:20260508T144000
DTEND;TZID=CET:20260508T152000
DESCRIPTION:This report presents the first documented analysis of
  Cross-Chain TxDataHiding (XCTDH)\, a novel command-and-control
  technique employed by DPRK-linked threat actors in cryptocurrency
  theft operations. The attack leverages multiple blockchain
  networks—TRON and Aptos as decentralized pointer systems\, and
  Binance Smart Chain (BSC) for encrypted payload storage—to create
  virtually untraceable\, takedown-proof malware infrastructure.
  Discovered during investigation of a malicious GitHub repository
  used in fake job recruitment campaigns\, this technique represents
  a significant evolution from previously documented blockchain-based
  C2 methods. Unlike Etherhiding (which stores payloads in smart
  contract storage)\, XCTDH embeds malicious code within blockchain
  transaction input data across multiple chains\, retrieved via
  standard RPC calls that are indistinguishable from legitimate
  cryptocurrency traffic. The attack chain begins with social
  engineering through fraudulent job postings\, progresses through
  weaponized repositories containing heavily obfuscated JavaScript\,
  and culminates in multi-stage payload delivery that evades modern
  EDR solutions. At an operational cost of approximately $1 USD\,
  attackers establish resilient infrastructure that can dynamically
  update payloads\, automatically failover between blockchain
  networks\, and resist traditional takedown efforts—all while
  appearing as legitimate crypto wallet activity. This analysis
  details the technical mechanisms\, attribution indicators linking
  the campaign to DPRK operations\, economic asymmetries favoring
  attackers\, and the strategic implications of blockchain-based C2
  for the future threat landscape.
DTSTAMP:20260412T024932Z
LOCATION:Main Stage
SUMMARY:XCTDH Cross-Chain Transaction Data Hiding: Cyber Espionage and OPSE
 C Encounters - Ellis Stannard
URL:https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/
END:VEVENT
END:VCALENDAR
