REcon 2025
The world's premier reverse engineering conference. Single track, 600 attendees, highest signal-to-noise ratio in the industry. If it's on the REcon schedule, someone did the work.
- Breaking Legacy Routers: 5 Zero-Days via Reversing and Hardware Hacking — Danilo Erazo
End-of-life does not mean end-of-risk. In this talk, independent security researcher Danilo Erazo presents five previously undisclosed zero-day vulnerabilities discovered in legacy fiber optic (ONT) r
- Breaking Mixed Boolean-Arithmetic Obfuscation in Real-World Applications — Tim Blazytko, Nicolò Altamura
Mixed Boolean-Arithmetic (MBA) obfuscation is one of the most mathematically sophisticated code-protection techniques in use today — turning a trivial expression like `X + Y` into a sprawling tangle o
- QuickShell: Sharing is caring about an RCE attack chain on Quick Share — Or Yair
Google's Quick Share — the AirDrop equivalent for Android and Windows — turned out to harbor a chain of vulnerabilities serious enough to achieve unauthenticated remote code execution on a victim's Wi
- Attacking modern software protection with Dynamic Binary Instrumentation — Holger Unterbrink
Modern software protections—anti-debugging routines, anti-tamper checks, VM detection, code obfuscation, and self-modifying code—were once the exclusive domain of sophisticated malware. Today they are
- Call, Crash, Repeat: Hacking WhatsApp — Luke McLaren
With roughly two billion active users worldwide, WhatsApp is the most widely deployed end-to-end encrypted messaging platform on Earth. Its ubiquity makes it both an attractive target for adversaries
- Reverse Engineering Patch Tuesday — John McIntosh
Every month, Microsoft releases a batch of security updates on Patch Tuesday — and every month, the security community is left squinting at a list of CVE identifiers with partial, incomplete, or entir
- Abusing Domestic EV Chargers through Bluetooth and USB — Riccardo Mori, Robin David
Electric vehicle (EV) adoption surged 25% worldwide in 2024, but the charging infrastructure expanding alongside it has not kept pace with basic security expectations. At REcon 2025, Quarkslab researc
- A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit — Bill Marczak, Daniel Roethlisberger
In mid-2024, Citizen Lab researchers Bill Marczak and Daniel Roethlisberger stumbled onto something unusual on VirusTotal: an old sample of NSO Group's Pegasus spyware, calibrated to a specific victim
- Unveiling RIFT: Advanced Pattern Matching for Rust Libraries — Andreas Klopsch
Rust has become a favored language for malware authors. Its memory safety guarantees, performance characteristics, and single-binary output make it attractive for everything from ransomware to nation-
- WinpMem: Volatility's driver that lets malware volatilize — Baptiste David
When an organization detects a compromise, the first responder's instinct is to reach for memory forensics tools — capture a RAM dump, feed it to Volatility, and reconstruct what the attacker did. Thi
- HyperVinject: Making Virtual Machine Code Injections as Simple as Process Injections — Andrei Lutas
HyperVinject makes VM code injection as accessible as process injection by abstracting Bitdefender's hypervisor introspection technology into a familiar API.
- The Finer Details of LSA Credential Recovery — Evan McBroom
Windows Local Security Authority (LSA) credential recovery has been a cornerstone of post-exploitation tradecraft for years, but the field's public knowledge base has a critical gap: the gap between t
- My Adversary Emulation Goes to the Moon… Until False Flag — Antonio Villani, Silvio La Porta, Giulio Barabino
"Adversary emulation" has become a marketing term rather than a technical discipline, and RETooling came to REcon 2025 to make that case sharply. In a talk that blended red team philosophy, LLVM inter
- A Disassembler for ROM Recovery — Travis Goodspeed
Mask ROM recovery — photographing a chip's die, identifying row and column lines, and reading out the physical bit array — gives you the bits in physical order. Getting from physical bits to executabl
- Breaking Obfuscated .NET Malware with Profiler-Based Dynamic Binary Instrumentation — Lars Wallenborn, Steffen Haas, Tillmann Werner, Lindsay Kaye
.NET malware is increasingly obfuscated with commodity protectors that embed runtime integrity checks—checks that detect and defeat the standard analyst trick of calling string decryption functions di