publications

2025

  1. SideWinder’s Shifting Sands: Click Once for Espionage
    Provecho, Ernesto Fernández, and Phuc, Pham Duy
    Trellix Blog 2025
  2. The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign
    Phuc, Pham Duy, and Lanstein, Alex
    Trellix Blog 2025
  3. Unmasking Hidden Threats: Spotting a DPRK IT-Worker Campaign
    Phuc, Pham Duy, and Fokker, John
    Trellix Blog 2025
  4. From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities
    Choukde, Aniket, Aripirala, Aparna, Kadam, Alisha, Reddy, Akhil, Phuc, Pham Duy, and Lanstein, Alex
    Trellix Blog 2025
  5. OneClik: A ClickOnce-Based Red Team Campaign Simulating APT Tactics in Energy Infrastructure
    Yturriaga, Nico Paulo, and Phuc, Pham Duy
    Trellix Blog 2025

2024

  1. Phobos: Stealthy Ransomware That Operated Under the Radar-Until Now
    Tologonov, Jambul, Fokker, John, and Phuc, Pham Duy
    Trellix Blog 2024
  2. RansomHouse am See
    Phuc, Pham Duy, Keijzer, Noël, Schrijver, Michaël, and Kersten, Max
    Trellix Blog 2024

2023

  1. The Continued Evolution of the DarkGate Malware-as-a-Service
    Provecho, Ernesto Fernández, Phuc, Pham Duy, Driscoll, Ciana, and Thomas, Vinoo
    Trellix Blog 2023
  2. Qakbot Evolves to OneNote Malware Distribution
    Phuc, Pham Duy, J.-E., John Fokker, Houspanossian, Alejandro, Kapoor, Raghav, and Thangaraju, Mathanraj
    Trellix Blog 2023
  3. No More Macros? Better Watch Your Search Results!
    Phuc, Pham Duy, and Kersten, Max
    Trellix Blog 2023
  4. PhD thesis: Leveraging side-channel signals for IoT malware classification and rootkit detection
    Pham, Duy-Phuc
    INRIA IRISA CNRS Rennes France 2023

2022

  1. ULTRA: Ultimate Rootkit Detection over the Air
    Pham, Duy-Phuc, Marion, Damien, and Heuser, Annelie
    In 25th International Symposium on Research in Attacks, Intrusions and Defenses 2022

2021

  1. Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification
    Pham, Duy-Phuc, Marion, Damien, Mastio, Mathieu, and Heuser, Annelie
    In Annual Computer Security Applications Conference 2021
  2. Poster: Obfuscation Revealed-Using Electromagnetic Emanation to Identify and Classify Malware
    Pham, Duy-Phuc, Marion, Damien, and Heuser, Annelie
    In 2021 IEEE European Symposium on Security and Privacy (EuroS&P) 2021

2019

  1. GuruWS: A Hybrid Platform for Detecting Malicious Web Shells and Web Application Vulnerabilities
    Le, Van-Giap, Nguyen, Huu-Tung, Pham, Duy-Phuc, Phung, Van-On, and Nguyen, Ngoc-Hoa
    Trans. Comput. Collect. Intell. 2019
  2. Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques
    Pham, Duy-Phuc, Vu, Duc Ly, and Massacci, Fabio
    J. Comput. Virol. Hacking Tech. 2019

2018

  1. Mac-A-Mal: An Automated Platform For Mac Malware Hunting
    Pham, Duy-Phuc, and Massacci, Fabio
    Black Hat Asia 2018

2017

  1. New version of mobile malware Catelites possibly linked to Cron cyber gang
    Chrysaidos, Nikolaos, and Pham, Duy-Phuc
    Avast Blog 2017
  2. Lokibot - The First Hybrid Android Malware
    Gahr, Wesley, Pham, Duy-Phuc, and Croese, Niels
    ThreatFabric 2017
  3. What is SafeFinder/OperatorMac campaign?
    Pham, Duy-Phuc
    BabyPhD 2017
  4. Exobot - Android Banking Trojan On The Rise
    Pham, Duy-Phuc, Croese, Niels, and Sahin, Han
    SfyLabs 2017

2014

  1. Research and Implement Multifunctional Robot Using Omnidirectional Wheels
    Pham, Duy-Phuc, Son, Nguyen Canh, and Mai, Nguyen Thi Phuong
    Proceedings of the 15th International Symposium on Eco-materials Processing and Design 2014