Talks and presentations

From Unreliable to Trustworthy: Designing LLM-assisted Workflows for Exposing Malware’s Hidden Behaviors

June 15, 2026

Talk, University College London Information Security Seminar, London, United Kingdom

Malware increasingly hides its most damaging behaviors, exposing only a controlled surface to analysis systems. Existing approaches for revealing concealed functionality often rely on expensive path exploration or narrowly targeted heuristics, leaving analysts to manually determine how to expose hidden behavior. Although large language models (LLMs) offer new opportunities to assist malware analysis, directly applying them to reverse engineering tasks frequently produces unreliable or inconsistent results. This talk will cover the development of LUMEN, an LLM-assisted framework that identifies critical decision points that suppress malicious activity and then exposes behaviors hidden from sandbox execution, finding 4x more hidden behaviors in real-world malware than specialized tools…

Zelos: Applying Emulation to Cross Architecture Root Cause Analysis

August 05, 2020

Talk, Black Hat USA 2020, Las Vegas, NV, USA

Zelos (Zeropoint Emulated Lightweight Operating System) is a python-based binary emulation platform that omits the cumbersome setup of virtual machines, yet provides instrumentation capabilities missing in user-space emulation. While it is built on top of the QEMU powered Unicorn CPU emulator, Zelos provides the operating system details required to fully emulate binary execution from loading, down to system calls. We quickly found use for Zelos as a dynamic instrumentation tool that could unpack malware, categorize and report malicious behavior, as well as extract domains from Domain Generation Algorithms (DGA). The myriad of uses we uncovered drove us to develop a plugin system to encourage extensions…