From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams

2024-04-18 Avast

https://www.blackhat.com/asia-24/briefings/schedule/index.html#from-byovd-to-a--day-unveiling-advanced-exploits-in-cyber-recruiting-scams-37786

Attachments

Asia-24-Camastra-FromBYOVDtoa0dayUnveilingAdvancedExploitsinCyberR_DiNoSEj.pdf (2 MB)

A Black Hat Asia briefing abstract describes a recruiting-themed intrusion that delivered an ISO file through email attachments, malicious links, and WhatsApp Web messages after a victim received a job offer. The attack chain used undocumented loaders to inject an undocumented RAT, moved from earlier BYOVD-style tradecraft to an admin-to-kernel zero-day in a default Windows driver, and added an upgraded rootkit for stealth. The rootkit removed kernel and registry callbacks and disabled security tools from AhnLab, Microsoft Defender, and CrowdStrike. The abstract does not attribute the activity to a named actor; its value lies in documenting how recruitment-scam tradecraft has advanced.
