Also: macOS Naughty or Nice, Cybercrime Karma, Spoofing Legacy Rail Infrastructure
euroinfosec • December 17, 2025

London in December: Early to dark, quick to rain, but also festive – and a mecca for cybersecurity researchers there for the annual Black Hat Europe conference. This year’s 25th annual event featured nearly 50 briefings that touched on everything from hardware hacking to combing infostealer logs for hidden gems.
Here are three that stood out.
Spoofing Legacy Railway Tech
A pair of Spanish researchers detailed a two-year investigation into railway track beacon-based architectures used for signaling announcements and automatic braking. The beacons – technically, “balises” – use inductive coupling to relay information to a receiver on a train passing overhead, which routes the data to the driver’s dashboard and to other onboard systems. Among other functions, the signals can bring a train to an automatic stop if its driver exceeds a designated speed threshold or runs a red light.
Why study legacy automatic train-signaling systems? Gabriela García, a security engineer at TechFrontiers, said the answer is “because it’s edge infrastructure” that’s often targeted for disruption.
Researchers demonstrated a test setup involving a circle of cardboard they’d cut out from an Amazon delivery box, around which – after a lot of trial and error – they’d wrapped enough wire, but not too much, for their spoofed beacon to be able to send signals at the right frequency.
It worked, as they demonstrated – at least mathematically – on stage. “We proved that an informed attacker can spoof the signaling system,” said David Meléndez, a security engineer and co-founder of TechFrontiers.
To get there, the researchers made use of open-source intelligence. This is not infrequently a way of saying “aggressive Googling,” and in their case it turned up public documents listing values for European Rail Traffic Management System variables, useful images of the hardware, and old, relatively unguarded blog posts written by individuals apparently involved in originally designing or rolling out the system.
Similar railway signaling systems exist in other countries, including the United Kingdom, which the researchers described as having a much older system that offers only two types of signal: stop and go. Spain’s newer system, by contrast, is the most complicated in Europe, they said, and they still spoofed it.
“Spanish nerds have it way more difficult, but Spanish nerds are here,” García said.
Finding Cybersecurity Karma
DoHyun Hwang and HyunPyo Choi, South Korean researchers at Singapore-based StealthMole, obtained logs from information-stealing malware that were circulating freely on the deep and dark web, including in Telegram channels, and which they said were ethically sourced.
Infostealers grab large volumes of data from an infected system, including account names and passwords for online services and cryptocurrency wallets, as well as a list of all running processes.
Reviewing the logs, the researchers found “valuable leads in tracking underground criminals” who had themselves fallen victim to infostealers. Such clues include active usernames and passwords for well-known hacking forums or cybercrime toolkits appearing in a log, as well as other “criminal conduct indicators.”
The researchers said they have already found evidence of individuals involved in nefarious activities, including romance scams, based in part on a single victim holding many different accounts for the same dating service. In another case, they identified a suspected developer for an illegal gambling syndicate operating out of Malaysia.
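The triage logic described above, as an added illustration that is not StealthMole’s code: a tolerant parser for the “URL / USER / PASS” block layout that many stealer families write to their credential dumps, followed by three of the indicator checks the researchers describe: credentials for a known crime forum, credentials for a crimeware panel, and an unusually large number of accounts on one dating service. The sample log is constructed (every host uses the reserved .example TLD), and the watchlists are hypothetical placeholders standing in for the curated domain sets a real investigation would use.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the common "URL / USER / PASS" block layout; not a real log.
SAMPLE_LOG = """\
URL: https://mail.example/login
USER: alice@mail.example
PASS: hunter2
===============
URL: https://hackforum.example/ucp.php?mode=login
USER: shadowbroker
PASS: correct-horse
===============
URL: https://dating.example/signin
LOGIN: james.carter.1971
PASSWORD: Love2Travel!
===============
URL: https://dating.example/signin
LOGIN: michael.brooks.68
PASSWORD: Sunsets99
===============
URL: https://dating.example/signin
LOGIN: robert.kane.75
PASSWORD: Blue$kies
===============
URL: https://panel.stealer-builder.example/
USER: shadowbroker
PASS: correct-horse
"""

# Hypothetical watchlists (placeholders, not real indicator feeds).
CRIME_FORUMS = {"hackforum.example"}
CRIMEWARE_PANELS = {"panel.stealer-builder.example"}
DATING_SERVICES = {"dating.example"}
MULTI_ACCOUNT_THRESHOLD = 3  # distinct accounts on one dating service before we flag it

# Accept the USER/USERNAME/LOGIN and PASS/PASSWORD key variants seen across families.
_FIELD = re.compile(r"^(URL|USER(?:NAME)?|LOGIN|PASS(?:WORD)?)\s*:\s*(.*)$", re.I)


def parse_credentials(text):
    """Normalise a stealer credential dump into records of host, user and password.
    A line that is not a recognised field (separator, blank) closes the current record."""
    records, cur = [], {}

    def flush():
        if cur.get("url"):
            host = (urlparse(cur["url"]).hostname or "").lower()
            records.append({"host": host, "user": cur.get("user", ""), "pass": cur.get("pass", "")})
        cur.clear()

    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            flush()
            continue
        key, val = m.group(1).upper(), m.group(2).strip()
        if key == "URL":
            cur["url"] = val
        elif key.startswith(("USER", "LOGIN")):
            cur["user"] = val
        else:
            cur["pass"] = val
    flush()
    return records


def triage(records):
    """Apply the criminal-conduct indicators to parsed records and return the findings."""
    findings = {"forum_accounts": [], "panel_accounts": [], "multi_account_dating": {}, "reused_handles": []}
    users_by_host = defaultdict(set)   # host -> distinct usernames seen
    hosts_by_cred = defaultdict(set)   # (user, password) -> hosts where that pair appears
    for r in records:
        users_by_host[r["host"]].add(r["user"])
        hosts_by_cred[(r["user"], r["pass"])].add(r["host"])
        if r["host"] in CRIME_FORUMS:
            findings["forum_accounts"].append((r["host"], r["user"]))
        if r["host"] in CRIMEWARE_PANELS:
            findings["panel_accounts"].append((r["host"], r["user"]))
    # Many accounts on one dating service from a single victim machine is the romance-scam signal.
    for host in DATING_SERVICES:
        n = len(users_by_host.get(host, ()))
        if n >= MULTI_ACCOUNT_THRESHOLD:
            findings["multi_account_dating"][host] = n
    # A handle/password pair reused between a crime site and elsewhere is a pivot for attribution.
    for (user, _pw), hosts in hosts_by_cred.items():
        if len(hosts) > 1 and hosts & (CRIME_FORUMS | CRIMEWARE_PANELS):
            findings["reused_handles"].append((user, sorted(hosts)))
    return findings


if __name__ == "__main__":
    for k, v in triage(parse_credentials(SAMPLE_LOG)).items():
        print(k, v)
```

On the constructed sample this flags the “shadowbroker” handle on both the forum and the builder panel, and three distinct accounts on the dating service. The parser deliberately closes a record on any non-field line, so the separator rows different families emit do not need to be enumerated.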
The researchers trained a large language model to help them organize, classify and normalize log information. This approach “improves investigative efficiency and reveals actionable intelligence,” their accompanying research report says, and has reduced the time needed to analyze a large dataset from days to just minutes.
They hope their research might help with cybercrime investigations as it offers “practical approaches to identify potential criminals based on digital footprints within stealer logs.”
Interrogating macOS Malware
The conference also interrogated received wisdom, such as the belief that using a Mac means living a life largely free from malware.
In fact, two researchers detailed how getting an accurate picture of Mac malware has been complicated by a paucity of public research focused on macOS – especially when compared to Windows and Android – and by the historic need to use Mac hardware to analyze macOS binaries. Attacks appear to be increasing, including information-stealing malware and cryptocurrency wallet theft.
“We would look at Reddit and see people screaming for help,” said security engineer Obinna Igbe, who holds a Ph.D. in cybersecurity from the City University of New York.
He and Godwin Attigah, who leads the insider threat program at Airbnb, spent the past 18 months building Malet – for Mac malware dataset – which they said now stands as “the largest public dataset of macOS malware to date,” comprising details of 48,870 malicious binaries and 22,900 “high confidence benign” Mach-O binaries. Of the malicious binaries, 44,457 are undetected by existing Mac antivirus products. The malware includes everything from infostealers and ransomware to backdoors, keyloggers, and hacking frameworks and spyware.
“The gap between when macOS malware is in the wild and getting detected is one of the key observations we have,” Attigah said. To help, defenders can ingest Malet data into their SIEM tool or data lake and search for UUIDs, TeamIDs and symbol hashes that might signal malware.
The researchers also debuted katalina, a new high-performance, cross-platform static analysis tool designed for “processing thousands of binaries per minute on commodity hardware.” With it, they said, researchers no longer need Apple hardware to analyze Mach-O binaries.
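To make the two preceding points concrete – pulling identifiers out of Mach-O files without macOS, then matching them against an indicator set – here is an added example that is not katalina and not Malet data. It walks the Mach-O load-command table with nothing but the standard library, handles 32- and 64-bit images in either byte order as well as the slices of a universal (fat) binary, and extracts each image’s LC_UUID for comparison against a watchlist. The headers it parses are built inline as constructed test data, and the indicator set is a hypothetical placeholder.

```python
import struct
import uuid

# Mach-O header magics as read little-endian from offset 0; the CIGAM forms mean a big-endian file.
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC = 0xCAFEBABE          # universal binary header, always big-endian
LC_UUID = 0x1B                  # load command carrying the 128-bit build UUID
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2

# Hypothetical indicator set (placeholder values, not from any real dataset).
SAMPLE_INDICATORS = {uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")}


def macho_uuid(blob):
    """Return the LC_UUID of one thin Mach-O image as uuid.UUID, or None if absent.
    Raises ValueError for non-Mach-O input or an inconsistent load-command table."""
    if len(blob) < 28:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic in (MH_MAGIC_64, MH_MAGIC):
        endian = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        endian = ">"
    else:
        raise ValueError(f"not a thin Mach-O image (magic 0x{magic:08x})")
    hdr_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", blob, 16)
    off, end = hdr_size, hdr_size + sizeofcmds
    if end > len(blob):
        raise ValueError("sizeofcmds exceeds file length")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from(endian + "II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_UUID:
            if cmdsize != 24:
                raise ValueError("bad LC_UUID size")
            return uuid.UUID(bytes=blob[off + 8:off + 24])
        off += cmdsize
    return None


def thin_images(blob):
    """Yield each thin image in a file: the file itself, or every slice of a fat binary."""
    (magic,) = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        yield blob
        return
    (nfat,) = struct.unpack_from(">I", blob, 4)
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align
        _, _, off, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
        if off + size > len(blob):
            raise ValueError("fat slice out of range")
        yield blob[off:off + size]


def uuid_hits(blob, indicators):
    """Collect LC_UUIDs from every slice; return (all found, those present in indicators)."""
    found = [u for img in thin_images(blob) if (u := macho_uuid(img)) is not None]
    return [str(u) for u in found], [str(u) for u in found if u in indicators]


def build_sample(uuid_bytes, endian="<"):
    """Constructed test data: a minimal 64-bit Mach-O header plus one LC_UUID command."""
    lc = struct.pack(endian + "II", LC_UUID, 24) + uuid_bytes
    hdr = struct.pack(endian + "8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(lc), 0, 0)
    return hdr + lc


def build_fat_sample(slices):
    """Constructed test data: a universal wrapper around already-built thin images."""
    archs, off = b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">5I", CPU_TYPE_ARM64, 0, off, len(s), 12)
        off += len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + b"".join(slices)


if __name__ == "__main__":
    fat = build_fat_sample([build_sample(uuid.uuid4().bytes),
                            build_sample(uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes, ">")])
    print(uuid_hits(fat, SAMPLE_INDICATORS))
```

The UUID is only one of the pivots the researchers mention; TeamIDs live inside the LC_CODE_SIGNATURE blob and need a separate parser, and symbol hashes require walking the symbol table. The same bounds checks matter for all of them: a crafted `sizeofcmds` or `cmdsize` is a classic way to crash a naive triage script, which is why every offset here is validated against the declared table end before it is read.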
This effort offers new strategies to help organizations defend their users against Mac malware.
Using a tool such as santa, an open-source macOS security framework that enforces blocklists and allowlists of binaries – think “naughty” or “nice” – Attigah said administrators can write rules that block malware from reaching known targets, including the Keychain password store or Chrome’s cookie database. The framework can help arrest a common class of macOS attack in which malware spawns a dialog box designed to look like a legitimate OS request for the user’s password. If the user falls for the ruse, common in ClickFix attacks, the malware gets what it needs to execute.
Knowing what’s naughty or nice and reacting appropriately requires making a list – and thanks to the researchers, the cybersecurity community now has one for the macOS ecosystem.
