Duy Phuc Pham

I am a threat intelligence expert and malware researcher with a track record of leading advanced investigations. My main interests include malware reverse-engineering, intelligence threat hunting, and side-channel analysis with deep learning.

Staff threat intelligence analyst and malware researcher at Advanced Research Center (ARC) - Trellix
PhD, EMSEC team, IRISA & INRIA
MSc, Cyber-security — University of Twente & University of Trento
BA, Business Administration — Hanoi University of Science and Technology
Engineering degree, Mechatronics — Institut polytechnique de Hanoï
Founder of CTF team BabyPhD

Awards

Airbus Security Challenge (CYBER IN Toulouse) — 1st place, 2021
SILM Security of Software & Hardware Interfaces CTF — 1st place, 2019
Mandiant/FireEye Advanced Reverse Engineering 1,2,3,5,6,9,10 — winner, 2024, 2023, 2022, 2019, 2018, 2016, 2015, 2014
Batterii Web Penetration Testing — bug bounty award, Oct. 2016
Black Hat Europe — student scholarship, Aug. 2016
KTH Royal Institute of Technology — EIT Digital summer school (Future Cloud), Jul. 2016
EIT ICT School — excellence scholarship (€30,000) in Security & Privacy, Apr. 2015
BKAV WhiteHat Contest 08 — 1st place (BabyPhD team), Feb. 2015
Hanoi University of Science and Technology — Young Scientific Research 1st prize, Jul. 2013

Memberships & service

USENIX Security Artifact Evaluation Committee 2022
CHES Artifact Evaluation PC 2021
International Symposium on Information and Communication Technology Program Committee 2022
Quarterly security livestreaming roundtable of BabyTalk (2020–present) 3 2 1

news

Feb 4, 2026	New research: APT28’s Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure.
Feb 3, 2026	New research: The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign.
Nov 12, 2023	My talk record: The Wolf in Sheep’s Clothing: How Cybercriminals Leverage OneNote for Stealthy Malware Delivery at code.talks Hamburg 2023 has been published.

selected publications

ULTRA: Ultimate Rootkit Detection over the Air

Pham, Duy-Phuc, Marion, Damien, and Heuser, Annelie

In 25th International Symposium on Research in Attacks, Intrusions and Defenses 2022

Abs PDF Code

Rootkits are the most challenging malware threats against server and desktop systems. They are created by highly skilled actors and are deployed in advanced persistent threat attacks. Lately and even in the future, rootkits will become a real threat to billions of IoT devices. Existing malware detection techniques based on static or dynamic analysis face major shortcomings, which become more apparent when it is necessary to detect threats on IoT devices. In this paper, we propose the ULTRA framework, which can detect rootkits effectively and efficiently by operating outside of the “box” (literary device) with no resource requirement on the target device. ULTRA baits the rootkit to provoke activity, measures electromagnetic emanation with a software-defined radio, preprocesses signals, then detects and classifies rootkit behavior using machine/deep learning techniques. As use cases, we target two IoT devices with MIPS and ARM architectures. The proposed approach achieved promising results with high accuracy for detecting both known and unknown rootkits during the offline learning phase. Our experimental study involves classification of rootkit families and distinct variants, obfuscated rootkits, probe dislocation, benign noise (kernel) activities, and comparison with software-based solutions.
Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification

Pham, Duy-Phuc, Marion, Damien, Mastio, Mathieu, and Heuser, Annelie

In Annual Computer Security Applications Conference 2021

HTML PDF Code
Mac-A-Mal: macOS malware analysis framework resistant to anti evasion techniques

Pham, Duy-Phuc, Vu, Duc Ly, and Massacci, Fabio

J. Comput. Virol. Hacking Tech. 2019

HTML Code