LABScon 2025 | From LLM Malware to Hotel Room Bugs: A Look at This Year’s Talks

Back by popular demand, LABScon, the premier invite-only threat intelligence conference from SentinelLABS, returns for four days of immersive talks, hands-on workshops, and off-the-record sessions.

Now in its fourth year, LABScon brings together the world’s foremost cybersecurity minds to share cutting-edge research and advance collective understanding of the evolving threat landscape. Hosted in Scottsdale, Arizona, from September 17–20, this year’s event features an exceptional lineup of speakers and thought leaders.

A full schedule of the event is now available here. In this post, we put a spotlight on some of the most hotly-anticipated presentations we’ve got lined up for LABScon 2025. As with previous years, we’ll be releasing videos of some of the most popular talks in the weeks ahead, so bookmark the SentinelLABS home page, follow us on your favorite social media platform (LinkedIn, X, Bluesky), or sign up for the SentinelOne weekly email digest to find out when the talks that catch your eye are publicly released.

Plunging the Internet Toilets: The Illicit Economy Enabling High-Tech Harassment, Stalking and Sextortion in the Stratosphere

Trevor Hilligoss
Aurora Johnson

SpyCloud Labs’ Trevor Hilligoss and Aurora Johnson bring us a deep dive into ‘internet toilets’: toxic online communities where netizens can dox their enemies and exes and collaborate with others to conduct aggressive cyberbullying and harassment campaigns. Focusing on Chinese online cesspools, Hilligoss and Johnson show how these Chinese internet toilets have strong similarities to western doxing communities and sadistic harm groups. More broadly, the presenters argue that digital gender-based violence acts as a core motivator and monetary driver of cybercrime across the globe.

Internet toilet users often purchase data and technical services to enable targeted harassment and stalking. The speakers go over some of the tools and services marketed to doxers, stalkers, and harassers on Chinese darknet marketplaces across three main categories: personal data lookup services, often run by corrupt insiders holding positions in public security agencies and technology companies; digital harassment tools such as SMS bombardment services; and sexploitation tools such as AI nudify apps.

Because some of this activity occurs on monetizable social media platforms, harassers and internet toilet admins can also get paid simply for making popular posts that get a lot of engagement. In many cases, this doxing and harassment escalates to physical violence and has even driven victims to suicide.

Honeypots and Hostile Takeovers: A Field Guide to Organizational Arbitrage

Kristin Del Rosso

Not all compromises happen at the endpoint. While technical compromise is well understood, behavioral compromise enabled by social engineering, organizational dysfunction, and misaligned incentives remains a threat vector ripe for exploitation. Kristin Del Rosso (DEVSEC) walks through a methodology for recognizing the patterns that lead to cultivated insider threats, where actors exploit gaps in organizational visibility, policy exceptions, or social dynamics to gain influence, access, or placement.

Through anonymized case studies involving honeypotted executives, attempted hostile internal takeovers, and corporate espionage efforts, this talk dissects how subtle signals such as behavioral changes, relationship mapping, and broken enforcement norms can reveal growing security debt inside an organization. It will also show how technical instrumentation often misses this layer entirely unless designed with these dynamics in mind.

Kristin offers a practical framework for identifying organizational arbitrage, enforcing security culture, and separating malicious insiders from “move fast” employees, before a network compromise ever occurs.

How to Bug Hotel Rooms

Dan Tentler

Do you travel with expensive stuff? Do you like feeling safe about leaving your expensive stuff in your hotel room? Have you ever had anything stolen out of your room, or discovered someone has gained access to your room while you weren’t there? What about…other rooms? Maybe not EXACTLY a hotel room? Phobos Group’s Dan Tentler has presented on securing hotel rooms in the past, but now with Home Assistant, Z-Wave devices, CO2 sensors and mmWave radar, it’s become a whole new game.

In this talk, Dan shares his full travel security system. Home Assistant makes it easy to write rules that send alerts, turn lights on or off, play sounds, take pictures, or trigger anything else the platform can control, but who knew it could be deployed tactically? Millimeter-wave radar units can see through walls, which opens up a uniquely interesting capability: spotting who is lurking outside your room, or even in the room next door.

Dan’s presentation covers the basics of how all this equipment works, including a brief introduction to Home Assistant, deployment methodologies, how it can be used and future considerations – up to and including manufacturing and selling kits for deployment.

Your Apes May Be Gone, But the Hackers Made $9 Billion and They’re Still Here

Andrew MacPherson

Last year, crypto thefts hit $9.32 billion—more than half of all cybercrime losses. North Korea just pulled off a $1.5 billion heist from a single exchange. Meanwhile, most security professionals still think crypto is just magic internet money for buying NFT monkeys.

Andrew MacPherson’s talk is for the crypto-skeptical security professional who’s tired of hearing about “blockchain” and shows why crypto security is 90% the same Web2 skills you already have—phishing, social engineering, API abuse—just with irreversible consequences and way better attacker ROI.

Beginning with a practical crypto primer covering the essentials, the talk explains how blockchains work, what wallets actually do, and why stablecoins matter. Then, Andrew dives into the current threat landscape: who’s stealing what, how OFAC sanctions work in a pseudonymous world, and why traditional threat intel is failing miserably at tracking crypto crime.

Most importantly, the presentation shows what makes crypto security uniquely interesting: immutable code, irreversible transactions, and attackers’ monetary wins that can’t simply be rolled back or clawed back. Threat actors range from nation-states to teenage hackers, the attack surface spans everything from smart contract logic to social engineering, and the defensive tooling is still being invented.

Come for the massive heist stories, stay because you realize this is an unexplored frontier with its own unique problems. By the end, you’ll understand why crypto security attracts both sophisticated attackers and curious defenders—not for the hype, but because it’s a different kind of security challenge worth understanding.

LLM Malware In the Wild

Gabriel Bernadett-Shapiro
Alex Delamotte

Large language models (LLMs) are now part of mainstream software-development workflows, but they have also become a powerful new tool for adversaries. Over the past year, the presenters wrote a multi-provider YARA rule that hunts for hard-coded OpenAI and Anthropic model credentials inside files uploaded to VirusTotal. The rule triggered on fully-weaponised binaries and scripts that outsource key stages of the attack chain to commercial AI services.

In this talk, SentinelLABS’ Gabriel Bernadett-Shapiro and Alex Delamotte unpack what they found. The presentation walks through multiple malware families that embed real API keys and offload tasks such as phishing-email generation, victim triage, code-signing bypasses and on-device payload generation to commercial LLMs.

Gabriel and Alex explore how LLM-powered malware changes the defender’s problem space: static signatures fail because the malicious logic is produced only at run-time; network inspection is harder because calls look identical to legitimate use; and prompt engineering itself becomes an adversarial discipline.

The talk assumes no prior machine-learning background and focuses on concrete reversing and detection workflows that analysts can reproduce with open tools, along with a discussion of where the ecosystem is heading and recommendations for policy changes providers could enforce today to make malicious LLM usage dramatically more expensive.
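As an added illustration of the kind of hunt described above (example code written for this post, not the presenters’ YARA rule or any SentinelLABS tooling): a small Python scanner that flags files carrying key-shaped OpenAI or Anthropic tokens, discards placeholder strings of the sort found in SDK documentation, and only labels a file “weaponised” when the key sits next to the plumbing needed to actually call the provider. The key prefixes (`sk-`, `sk-proj-`, `sk-ant-`), the endpoint and header strings used as usage indicators, the entropy threshold and the sample files are all assumptions and constructed inputs, not artifacts from the talk.

```python
"""Hunt for hard-coded LLM provider credentials in arbitrary file bytes.

Added example for this write-up; not the presenters' YARA rule. Key prefixes,
usage indicators and thresholds are assumptions about current provider formats.
"""
import math
import re
from dataclasses import dataclass

# Key-shaped tokens. The OpenAI pattern excludes the Anthropic prefix so the
# two providers never double-count the same string.
KEY_PATTERNS = {
    "anthropic": re.compile(rb"sk-ant-[A-Za-z0-9_\-]{20,}"),
    "openai": re.compile(rb"sk-(?!ant-)(?:proj-)?[A-Za-z0-9_\-]{20,}"),
}

# Plain substrings showing the key is wired into an API call. A key with none
# of these is more likely a leaked config file than a live payload.
USAGE_INDICATORS = {
    "anthropic": [b"api.anthropic.com", b"x-api-key", b"anthropic-version"],
    "openai": [b"api.openai.com", b"chat/completions", b"Bearer"],
}

# Docs and SDK samples are full of key-shaped placeholders; drop tokens that
# contain obvious filler words or carry too little entropy to be random.
PLACEHOLDER_HINTS = (b"xxxx", b"your", b"example", b"placeholder", b"insert", b"redacted")
MIN_ENTROPY_BITS = 3.0


@dataclass
class Finding:
    provider: str
    offset: int
    key_preview: str      # redacted: never log the full secret
    indicators: list[str]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the token; random keys score well above 4."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(token: bytes) -> bool:
    low = token.lower()
    if any(hint in low for hint in PLACEHOLDER_HINTS):
        return True
    return shannon_entropy(token) < MIN_ENTROPY_BITS


def redact(token: bytes) -> str:
    s = token.decode("ascii", "replace")
    return s[:10] + "..." + s[-4:]


def scan(data: bytes) -> list[Finding]:
    """Return one Finding per plausible key, with the usage indicators seen."""
    findings = []
    for provider, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(data):
            token = m.group(0)
            if looks_like_placeholder(token):
                continue
            hits = [p.decode() for p in USAGE_INDICATORS[provider] if p in data]
            findings.append(Finding(provider, m.start(), redact(token), hits))
    return findings


def classify(data: bytes) -> str:
    """'weaponised' = key plus call plumbing; 'key-only' = key alone; else 'clean'."""
    findings = scan(data)
    if not findings:
        return "clean"
    return "weaponised" if any(f.indicators for f in findings) else "key-only"


# Constructed inputs for the example; none of these keys is real.
SAMPLE_DROPPER = (
    b'KEY = "sk-proj-Q7mZ2xL9vR4tB8nK3pW6yJ1cF5hD0gS2aE4uT7iO9lM"\n'
    b'r = post("https://api.openai.com/v1/chat/completions",\n'
    b'         headers={"Authorization": "Bearer " + KEY}, json=body)\n'
)
SAMPLE_ANTHROPIC = (
    b'curl https://api.anthropic.com/v1/messages '
    b'-H "x-api-key: sk-ant-api03-Vb3nR8kT2wQ9zX4mL7pY1cH6fD0sG5jK8aN2eU4iO7rW" '
    b'-H "anthropic-version: 2023-06-01"\n'
)
SAMPLE_README = (
    b'export OPENAI_API_KEY="sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"\n'
    b'# then call https://api.openai.com/v1/chat/completions\n'
)
SAMPLE_CONFIG = b'[llm]\napi_key = sk-Hj4kL9mN2pQ7rS1tU6vW8xY3zA5bC0dE4fG7hJ2kL9mN\n'


if __name__ == "__main__":
    for name, blob in [("dropper", SAMPLE_DROPPER), ("anthropic", SAMPLE_ANTHROPIC),
                       ("readme", SAMPLE_README), ("config", SAMPLE_CONFIG)]:
        print(name, classify(blob), scan(blob))
```

The point of pairing the key with the usage indicators is the one the talk makes about static detection: once the malicious logic is generated at run-time, the embedded credential and the provider endpoint are among the few static artifacts left to hunt, and they are exactly what a legitimate SDK sample also contains, so the placeholder and co-occurrence checks are what keep a rule like this from drowning in documentation hits.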

The Elephant in Many Rooms: Orange Indra’s Consistent Hunt for Access in the Asia Pacific Region

Jono Davis

Within the ecosystem of espionage-oriented threat actors, there is often an unspoken hierarchy of intrusion sets; China-based, Russia-based, Iran-based, and North Korea-based threat actors are often regarded as being both tactically and strategically more relevant to Western organisations than others.

In this talk, PwC’s Jono Davis shines a light on one of the less-discussed threat actors, introducing an intrusion set PwC assesses to be based in South Asia and has observed since at least 2024 conducting substantial credential phishing activity across the Asia Pacific region and beyond.

This is a threat actor PwC has dubbed Orange Indra (currently not aligned to any open-source nomenclature), responsible for campaigns targeting defence and government entities of countries that align with foreign policy objectives of the country it is based in.

In using Orange Indra as an example, Jono highlights the tools, techniques, and procedures (TTPs) of a prolific, efficient threat actor, alongside a strategic overview of South Asia more broadly as it pertains to the wider Asia Pacific, and the potential near-future conflicts for regional hegemony.

Finally, this talk provides a platform to emphasise the strategic imperative for organisations, analysts, and the wider intelligence community to pay attention to threat actors emanating beyond the “Big 4” outlined above.

Do You Have a Chinese Spy in Your Home?

Silas Cutler
Marc Rogers

Hundreds of thousands, if not millions, of Chinese cameras, alarms and security systems have backdoors, and are designed to be ready to spy on you out of the box. Destined for the dumpster, most of these devices are designed to be unmaintainable.

Delivered by a sophisticated shadow supply chain that bypasses regulatory scrutiny supplying fake FCC, CE and UL certification, these devices are carefully laundered through online shopping platforms like Amazon and even high street shops.

In this talk, Silas Cutler (Censys) and Marc Rogers (nbhd.ai) present their analysis of the devices and current understanding of present backdoors. Additionally, this talk will cover past and ongoing efforts to hold transgressors accountable.

Auto-Poking The Bear – Analytical Tradecraft In The AI Age

Martin Wendiggensen
Brad Palm

Analytical tradecraft and shared standards have transformed Cyber Threat Intelligence from a niche discipline into a collaborative industry-wide research endeavor. Researchers and analysts now routinely build on each other’s work, creating a foundation of trust and shared methodology.

AI is disrupting this ecosystem, as we increasingly delegate data preparation, analysis, and entire workflows to AI assistants. Doing so will make us more productive, but not without cost. While you may trust your own AI-assisted analysis, can you trust another researcher’s prompts/agent process? As questions about reliability and transparency persist, we will need to adapt our research methodology and develop a new joint understanding of the promises, pitfalls, and probabilities inherent in AI-assisted work.

Dreadnode’s Martin Wendiggensen and Brad Palm tackle these challenges through a concrete case study, presenting their own LLM-based agentic system, developed to analyze Russian internet data leaked by Ukrainian cyber activists. The speakers walk through the system’s architecture and demonstrate its performance across tasks ranging from simple data collation to sophisticated analytical workflows to track adversaries.

Along the way, they outline how to understand the promises and limitations of this technology and, more importantly, how to communicate them clearly to other researchers and audiences in order to maintain transparency and accountability for published products.

Hacktivism and War: Malicious Activism and Nation-State Fronts in Times of Conflict – A Clarifying Discussion

Jim Walter

SentinelLABS’ own Jim Walter explores how malicious hacktivist activity is being strategically leveraged by nation-states and mercenary groups to obscure intent, destabilize targets, and weaponize public narratives. Through technical case studies and geopolitical analysis, Jim’s talk examines how these actors blend ransomware, data leaks, DDoS, and psychological operations under activist façades—creating significant challenges for attribution, response, and long-term threat modeling.

Combined with a review of existing and still highly prolific traditional hacktivist groups and their role in the current landscape, this presentation aims to bring some much-needed clarity to a murky and confusing picture.

Simulation Meets Reality: How China’s Cyber Ranges Fuel Cyber Operations

Mei Danowski
Eugenio Benincasa

Between late 2024 and early 2025, the United States government issued indictments or sanctions against three Chinese information security firms – i-SOON, Sichuan Silence, and Integrity Tech – alleging their support for or links to malicious cyber groups targeting US government and critical infrastructure systems.

In their research, Mei Danowski (Natto Thoughts) and Eugenio Benincasa (ETH Zurich) found that all three companies serve as a key seedbed for nurturing China’s offensive cyber talent with cyber range services, which train cybersecurity professionals through “attack-defense live-fire” (攻防实战) exercises. Alongside hacking contests and crowdsourced bug bounty programs, attack-defense live-fire exercises are one of the primary mechanisms leveraged by the Chinese government to enhance its cyber capabilities, with support from a rapidly growing private cybersecurity industry with more than 4000 products and services providers.

This presentation focuses on the development of attack-defense exercises and commercial cyber ranges in China, areas that have received relatively little attention to date.

The talk examines how this ecosystem is shaping China’s offensive cyber capabilities and discusses 120 companies identified as providers of attack-defense exercises and cyber range services.

CamoFei Meets the Taliban

Aleksandar Milenkoski
Julian-Ferdinand Vögele

SentinelLABS’ Aleksandar Milenkoski and Insikt Group’s Julian-Ferdinand Vögele team up once again to bring you a unique talk on CamoFei, a threat actor that overlaps with ChamelGang (aka TAG-112, Evasive Panda), and which sets itself apart within the landscape of China-linked APT groups through a dual-track operational model that blends traditional cyber espionage with disruptive activities.

The group continues to target high-profile entities of strategic interest to Chinese intelligence, including Tibetan and Taiwanese organizations, while simultaneously engaging in operations that suggest influence or destabilization objectives, often layered with plausible deniability.

As of early 2025, CamoFei remains highly active, expanding its reach across a diverse set of governmental and private-sector targets in Southeast Asia, Europe, and the Middle East while adopting new tactics and techniques. Its recent compromise of Taliban networks in Afghanistan, which coincided with a suspected hack-and-leak influence campaign targeting the Taliban itself, points to a possible evolution toward hybrid operations that merge technical intrusions with geopolitical narratives.

While the shift remains unconfirmed, it reflects the broader challenge posed by the increasingly blurred lines between espionage, influence operations, and cybercrime, making attribution and intent analysis more difficult.

As multiple CamoFei victims exhibit signs of concurrent compromise by other Chinese-nexus groups, the case underscores a broader analytic challenge, namely, that overlapping intrusions within the same victim environments complicate attribution and intent analysis, raising important questions about coordination, operational autonomy, and competition within the broader Chinese threat ecosystem.

SentinelLABS
We are hunters, reversers, exploit developers, and tinkerers shedding light on the world of malware, exploits, APTs, and cybercrime across all platforms.