UNO Reverse Card: Exposing C2 Operators Through Their Own Logs
Estelle Ruellan
NorthSec 2025 · Day 1 · Salle de bal
Flare CTI analyst Estelle Ruellan presented a structured analysis of infostealer logs in which the infected devices belonged not to ordinary victims, but to the criminals operating the C2 infrastructure. Through four case studies — two with weak OPSEC ("NoobSecs") and two with sophisticated countermeasures ("skip tracer's nightmares") — the talk demonstrates how stealer log analysis can reverse-attribute threat actor identity, infrastructure, and tactics. The talk doubles as a sardonic OPSEC primer delivered as a classroom lecture.

---
AI review
Flare CTI analyst Estelle Ruellan demonstrates how infostealer logs collected from threat actors' own compromised devices enable threat actor attribution, infrastructure mapping, and identity disclosure. Four case studies are presented — two with weak OPSEC (NoobSecs) and two with sophisticated countermeasures (skip tracer's nightmares) — including a multi-malware ecosystem operator running concurrent Raccoon, Mystic stealer, PrivateLoader, and Asuka Trojan operations. The talk is framed as a sardonic OPSEC classroom lecture.
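The abstract and review above describe the idea at the level of a talk summary: among thousands of stealer logs, a few come from the operators' own machines, and the credentials saved on those machines point back at C2 panels, personal accounts and other infrastructure. The script below is an added illustration of that pivot, not code from the talk or from Flare. It assumes a simplified "passwords.txt"-style log (URL / Username / Password blocks), a constructed watchlist of known panel hosts, and a heuristic that a saved login to a known panel host, or to an admin-style path served from a bare IP, marks an operator rather than a victim. All devices, hosts, addresses and credentials are invented sample data.

```python
"""Pivot from infostealer logs to the operator behind a C2 panel.

Added example, not the talk's or Flare's code. The log format is a
simplified version of the URL / Username / Password blocks many stealers
emit; the hostnames, IPs and credentials are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: DEVICE-001 is an ordinary victim, DEVICE-002 holds a
# saved login to a stealer admin panel and so looks like an operator's machine.
SAMPLE_LOGS = {
    "DEVICE-001": """\
URL: https://mail.example.com/login
Username: alice@example.com
Password: hunter2

URL: https://shop.example.net/account
Username: alice
Password: correct-horse
""",
    "DEVICE-002": """\
URL: http://203.0.113.10/panel/login
Username: admin
Password: p@ssw0rd

URL: https://raccoon-panel.invalid/admin
Username: operator7
Password: letmein

URL: https://mail.example.com/login
Username: op7.realname@example.com
Password: summer2024

URL: https://bitcoin-exchange.invalid/signin
Username: op7.realname@example.com
Password: letmein
""",
}

# Assumed inputs (constructed): a watchlist of panel hosts from prior tracking,
# plus a generic pattern for admin-panel paths hosted directly on an IPv4 address.
KNOWN_PANEL_HOSTS = {"raccoon-panel.invalid"}
PANEL_PATH_RE = re.compile(r"^/(panel|admin|gate|login\.php)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Credential:
    url: str
    username: str
    password: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def path(self) -> str:
        return urlparse(self.url).path or "/"


def parse_passwords_file(text: str) -> list[Credential]:
    """Parse URL/Username/Password blocks separated by blank lines."""
    creds = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        if {"url", "username", "password"}.issubset(fields):
            creds.append(Credential(fields["url"], fields["username"], fields["password"]))
    return creds


def looks_like_c2_panel(cred: Credential) -> bool:
    """Heuristic (assumption): victims rarely save a login to a known panel host
    or to an admin-style path on a bare IP; operators routinely do."""
    if cred.host in KNOWN_PANEL_HOSTS:
        return True
    return bool(IPV4_RE.match(cred.host) and PANEL_PATH_RE.match(cred.path))


@dataclass
class OperatorPivot:
    device: str
    panels: list[str] = field(default_factory=list)      # inferred C2 infrastructure
    identities: set[str] = field(default_factory=set)    # e-mail identities saved alongside
    reused_passwords: set[str] = field(default_factory=set)  # panel passwords reused elsewhere


def find_operator_devices(logs: dict[str, str]) -> dict[str, OperatorPivot]:
    """Flag devices holding C2-panel logins and pivot to the identity data beside them."""
    results = {}
    for device, text in logs.items():
        creds = parse_passwords_file(text)
        panel_creds = [c for c in creds if looks_like_c2_panel(c)]
        if not panel_creds:
            continue
        pivot = OperatorPivot(device, panels=[c.url for c in panel_creds])
        panel_passwords = {c.password for c in panel_creds}
        for c in creds:
            if c in panel_creds:
                continue
            if "@" in c.username:
                pivot.identities.add(c.username)
            # Password reuse between a panel and a personal account ties both to one person.
            if c.password in panel_passwords:
                pivot.reused_passwords.add(c.password)
        results[device] = pivot
    return results


if __name__ == "__main__":
    for device, pivot in find_operator_devices(SAMPLE_LOGS).items():
        print(device, pivot.panels, sorted(pivot.identities), sorted(pivot.reused_passwords))
```

On the constructed sample only DEVICE-002 is flagged; its two panel URLs become the inferred infrastructure, the e-mail saved next to them becomes the identity lead, and the password shared between the panel and the exchange account is the kind of reuse that ties the two together. In a real corpus the watchlist and the panel-path pattern are the parts a practitioner would tune, and every hit still needs manual confirmation before it counts as attribution.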