Doc Dave

315 posts

@forensicdave

IR, Forensics, Security, MTB'ing!

Australia. Joined September 2009
999 Following, 591 Followers
Doc Dave @forensicdave:
Patrick (@patrickwardle/(double-you.io)/@objective_see) closed out the biggest and best #OBTS yet! Deep diving into dynlib hijacking - does it haunt macOS 26 like a ghost from OSX years past, or has Apple finally buried it for good? 👻🪦 TL;DR - It's back baby!😎😱
Doc Dave @forensicdave:
Tara linkedin.com/in/tara-gould-… from @Darktrace - showed #OBTS how malware devs make simple mistakes! Tara unpacked the rise and messy fall of Cthulhu Stealer — a macOS credential thief undone by greed, bad opsec, and even an exit scam!
Doc Dave @forensicdave:
Sharvil (@sharvil) showed #OBTS how Apple’s new FSKit lets you build filesystems in userspace - you can build a pseudo-FS, use it as a honeypot for infostealers and even a hiding spot for malware. DM him if you need help using this as a Canary/tripwire in your environment!
Doc Dave @forensicdave:
Marie (linkedin.com/in/marie-fisch…) encouraged everyone at #OBTS to enable Apple’s Lockdown Mode - her talk reverse-engineers how it *really* works on OSX 26 - what’s locked, what’s not! Great research building on @blacktop__'s from 2023 at @0x41con. 🔒🍏
Doc Dave @forensicdave:
Christine @x71n3 and JBO (@yo_yo_yo_jbo) (& Alexia Wilson) from @Microsoft showed #OBTS how Spotlight just got too bright. 😬 They found a macOS TCC bypass (#CVE-2025-31199) that abuses Spotlight to get your private data - locally and remotely - and showed how to detect!
Doc Dave @forensicdave:
Ian Beer (@i41nbeer) from @Google’s Project Zero spoke again at #OBTS! Zero’ing read-only pages in XNU - possible? Yes! Weaponizing the bug ( #CVE-2025-24203 ) to get root? Yes!!
Doc Dave @forensicdave:
Sal (@malwarezoo) from @jamf gave an excellent talk at #OBTS of how Apple tracks and revokes malicious apps. But Revoked doesn’t always mean Vanquished! Sal found a Gatekeeper/CDHash weakness that brings blocked apps back to life — no re-signing required. #CVE-2025-43296
Doc Dave @forensicdave:
Kicking off Day 3 of #OBTS - LiveStreaming at youtube.com/@objectiveseef… Reminder that the exit event is at the Hotel Melia main pool at 1800!
Doc Dave @forensicdave:
Zhi Zhou (@codecolorist), whilst pursuing his side-passion of Filmmaking, told #OBTS how he discovered that Apple’s Compressor (part of Final Cut Pro) was harboring an unauthenticated 0-click RCE! It is still vulnerable - keep yer ‘shields up’ until Apple fully fixes!
Doc Dave @forensicdave:
Olivia (@oliviagalluccii) from @datadoghq entertained #OBTS, showing us how macOS logs everything, diving into ULS, ESF, and TCC.db to hunt threats like Atomic Stealer & XCSSET, and using tools like Consolation3, eslogger, Mac Monitor to catch evil!
Doc Dave @forensicdave:
Think SUID exploits are dead? Pawel (github.com/GrosQuildu) from @trailofbits showed #OBTS how he cleverly chained four bugs in mDNSResponder/traceroute6/libinfo to get root on macOS (CVE-2025-31222, CVE-2025-30440, CVE-2025-24195) and more
Doc Dave @forensicdave:
At #OBTS, Wojciech (@_r3ggi) from @SecuRingPL cleverly exposed different flaws in macOS location services, side-channels, leaky apps, and how attackers can track you without zero-days — and gave tips on how defenders can fight back.
Doc Dave @forensicdave:
At #OBTS, Rousana (@sha17883) from @crowdstrike proposed a new behavior-based approach to classifying grayware — using traits like deception, persistence, monetization, consent, and payload activity — useful for more nuanced, actionable detection!
Doc Dave @forensicdave:
At #OBTS John McIntosh (@clearbluejar) from @clearseclabs demo’d his pipeline that uses AI, ipsw and ghidriff to auto-extract and diff Apple firmware — rapidly reveals real code changes behind Apple security fixes and to get actionable root-cause intel. Super clever stuff!
Doc Dave @forensicdave:
Callista Gratz talked about Apple’s “Private Cloud Compute” - it wants to run your AI prompts in the cloud — without seeing them. ☁️🤫 At #OBTS we were treated to a crash course in blind signatures, crypto “games,” & how Apple’s custom auth protocol tries to keep data private
Doc Dave @forensicdave:
Jonathan Levin (@Technologeeks) gave an intriguing talk at #OBTS on how Apple has turned XNU into a fortress — one acronym at a time. From KTRR → SPRR → TXM → exclaves → conclaves → TPRO (!) He unpacked how Apple's refactoring and locking down the Darwin kernel...and..more