IR, Forensics, Security, MTB'ing!

Joined September 2009
17 Oct 2025
Patrick (@patrickwardle / double-you.io / @objective_see) closed out the biggest and best #OBTS yet! Deep diving into dynlib hijacking - does it haunt macOS 26 like a ghost from OSX years past, or has Apple finally buried it for good? 👻🪦 TL;DR - It's back baby!😎😱
17 Oct 2025
Tara linkedin.com/in/tara-gould-1… from @Darktrace - showed #OBTS how malware devs make simple mistakes! Tara unpacked the rise and messy fall of Cthulhu Stealer — a macOS credential thief undone by greed, bad opsec, and even an exit scam!
17 Oct 2025
Matthias (@helthydriver / iVerify (@IsMyPhoneHacked) / Dreams of security.apple.com/research-…) - spoke at #OBTS about Hunting iOS malware - flipping the script using Malware Simulation - building fake spyware to reveal real forensic clues! Also an interesting site mythicalbeasts.dfrlab.org/
17 Oct 2025
Sharvil (@sharvil) showed #OBTS how Apple’s new FSKit lets you build filesystems in userspace - you can build a pseudo-FS, use it as a honeypot for infostealers and even a hiding spot for malware. DM him if you need help using this as a Canary/tripwire in your environment!
17 Oct 2025
Koh (@tsunek0h) / FFRI talked at #OBTS about reversing XProtect Remediator, uncovering Swift-based detection logic, OCR-powered malware spotting 🤯, and Apple's hidden threat intel (hello, TriangleDB - securelist.com/triangledb-tr…). Koh has excellent slides - i.blackhat.com/BH-USA-25/Pre…
17 Oct 2025
Marie (linkedin.com/in/marie-fische…) encouraged everyone at #OBTS to enable Apple’s Lockdown Mode - her talk reverse-engineers how it *really* works on OSX 26 - what’s locked, what’s not! Great research building on @blacktop__'s from 2023 at @0x41con. 🔒🍏
17 Oct 2025
Gregor Carmesin (linkedin.com/in/gregor-carme…) from TU Darmstadt showed #OBTS how you can ‘de-mangle’ the magic of Swift’s type metadata, descriptors and naming to make binary analysis actually readable again! #reverseengineer
17 Oct 2025
Christine (@x71n3) and JBO (@yo_yo_yo_jbo) (& Alexia Wilson) from @Microsoft showed #OBTS how Spotlight just got too bright. 😬 They found a macOS TCC bypass (#CVE-2025-31199) that abuses Spotlight to get your private data - locally and remotely - and showed how to detect!
17 Oct 2025
Ian Beer (@i41nbeer) from @Google's Project Zero spoke again at #OBTS! Zero'ing read-only pages in XNU - possible? Yes! Weaponizing the bug (#CVE-2025-24203) to get root? Yes!!
17 Oct 2025
Sal (@malwarezoo) from @jamf gave an excellent talk at #OBTS of how Apple tracks and revokes malicious apps. But Revoked doesn’t always mean Vanquished! Sal found a Gatekeeper/CDHash weakness that brings blocked apps back to life — no re-signing required. #CVE-2025-43296
17 Oct 2025
Kicking off Day 3 of #OBTS - livestreaming at youtube.com/@objectiveseefou… Reminder that the exit event is at the Hotel Melia main pool at 1800!
16 Oct 2025
Zhi Zhou (@codecolorist), whilst pursuing his side-passion of Filmmaking, told #OBTS how he discovered that Apple’s Compressor (part of Final Cut Pro) was harboring an unauthenticated 0-click RCE! It is still vulnerable - keep yer ‘shields up’ until Apple fully fixes!
16 Oct 2025
Olivia (@oliviagalluccii) from @datadoghq entertained #OBTS, showing us how macOS logs everything, diving into ULS, ESF, and TCC.db to hunt threats like Atomic Stealer & XCSSET, and using tools like Consolation3, eslogger, Mac Monitor to catch evil!
16 Oct 2025
Think SUID exploits are dead? Pawel (github.com/GrosQuildu) from @trailofbits showed #OBTS how he cleverly chained four bugs in mDNSResponder/traceroute6/libinfo to get root on macOS (CVE-2025-31222, CVE-2025-30440, CVE-2025-24195) and more
16 Oct 2025
Brandon (@PartyD0lphin) from @crowdstrike talked about many improvements and features in his most awesome opensource tool (Mac Monitor) (aka Procmon for OSX) - & even pushed out version 2 in real-time at #OBTS! Check it out if you haven't already! github.com/Brandon7CC/mac-mo…
16 Oct 2025
At #OBTS, Wojciech (@_r3ggi) from @SecuRingPL cleverly exposed different flaws in macOS location services, side-channels, leaky apps, and how attackers can track you without zero-days — and gave tips on how defenders can fight back.
16 Oct 2025
At #OBTS, Rousana (@sha17883) from @crowdstrike proposed a new behavior-based approach to classifying grayware — using traits like deception, persistence, monetization, consent, and payload activity — useful for more nuanced, actionable detection!
16 Oct 2025
At #OBTS John McIntosh (@clearbluejar) from @clearseclabs demo’d his pipeline that uses AI, ipsw and ghidriff to auto-extract and diff Apple firmware — rapidly reveals real code changes behind Apple security fixes and to get actionable root-cause intel. Super clever stuff!
16 Oct 2025
Callista Gratz talked about Apple’s “Private Cloud Compute” - it wants to run your AI prompts in the cloud — without seeing them. ☁️🤫 At #OBTS we were treated to a crash course in blind signatures, crypto “games,” & how Apple’s custom auth protocol tries to keep data private
16 Oct 2025
Jonathan Levin (@Technologeeks) gave an intriguing talk at #OBTS on how Apple has turned XNU into a fortress — one acronym at a time. From KTRR → SPRR → TXM → exclaves → conclaves → TPRO (!) He unpacked how Apple is refactoring and locking down the Darwin kernel...and..more