🏆 humbled. Mussy here — honored to be named Influencer of the Conference alongside Dave @forensicdave 🙏 But let’s be real: this belongs to you all from #OBTS. No researchers → no talks → no demos → no clips → no post → no prize. Full stop. Massive love to Andy @andyrozen

The #OBTS community is simply incredible!! 😍 From trainers & speakers to students & attendees, you made this the best #OBTS yet 🙏🏽 Photos, recordings & slides coming soon!

Funbye, Ibiza. ✈️🌊 Nearly half a decade of #OBTS 🍏—not just events, but chapters. Grateful to Andy & Patrick, the organizers, every talker, and all attendees who kept the bar high and the door open. We leave the island; the momentum comes with us. See you at the next chapter…

We came up with the idea to name the next Mac malware a HEDGEHOG 🦔 @patrickwardle 🥰 #OBTS @objective_see

exit(); event — but with a smile. Sea breeze, full notebooks, zero dull moments. Huge thanks to the organizers — Andy @andyrozen & Patrick @patrickwardle — for a flawless sail, the talkers for turning research into moments, and the attendees for the questions, laughs, and

🔐 Security bulletin — After “Dylib Hijacking: Dead or Alive?” Verdict: alive (with fewer hiding spots). Patrick Wardle @patrickwardle walked us from the OG research to macOS 26, then proved on stage that sloppy search paths, loose rpath habits, and mis-bundled PlugIns still open

Patrick Wardle @patrickwardle just dropped a live dylib hijack: “normal” app + planted lib → instant code exec & persistence. Dead or alive? Still kicking. ⚡️ #OBTS 🍏

🪧 WANTED: dylib hijacking — Dead or Alive? Last talk of the conf and the one-and-only Patrick Wardle @patrickwardle is back on stage to settle it. First spotted by a younger Patrick years ago, macOS got tough with mitigations… but is the hijack a corpse or a comeback kid on

⚠️ Recall notice: “GTA 6 early-access” downloads on macOS—contaminated with Cthulhu Stealer. 🎮🐙 Lure hit gamers/crypto, then imploded when the crew’s OPSEC failed and the admin pulled an exit scam. Tara Gould traced it end-to-end with OSINT + RE—how hype became theft, then

🎙️ True-Crime: Cyber Edition — OopsSec: The Short-Lived Campaign of Cthulhu Stealer macOS creds heist targeting gamers & crypto (2023–early ’24) 🕹️💸 Plot twist: the crew’s own admin (“balaclavv”) pulled an exit scam, and sloppy OPSEC (hardcoded creds, misconfigured servers)

🛰️ After-Hunt Debrief — “Placeboed Apples” (iOS spyware detection) Hunter: Matthias Frielingsdorf @Helthydriver | #OBTS 🍏 Objective: turn chaotic iOS forensic dumps into a huntable map for Pegasus-class spyware. Tactic: build a harmless malware simulator that reenacts real

🔴 LIVE at #OBTS 🍏 — Placeboed Apples @Helthydriver spins a harmless iOS malware simulator (Pegasus-style)… and the phone lights up its own forensic hotspots. Chaos → checklist. Hunt smarter.

🗂️ HUNT ORDER — iOS spyware detection (“Placeboed Apples”) Situation: iOS has no ESF hooks; you’re staring at massive forensic dumps. Mission: find spyware fast. Execution: build a malware simulator that imitates real families (incl. NoClip) → run it → watch which DBs/paths

After FSKit: Sharvil Shah @sharvil spun a userspace filesystem that’s both stage and spotlight—bait folders go out, snitch paths call out snoops in real time—then flipped it to ask if malware could hide on the same set. Net: it can (if you’re not watching), but today’s playbook

Throwback to Spain — 4 years ago at #OBTS 🍏 I met Sharvil Shah @sharvil ; today he’s back like clockwork, leveling us up again. Talk: Exploring FSKit: Writing Filesystems for Fun, Profit, and Defense (…and Evasion?) FSKit = Apple’s userspace filesystem kit: build a pseudo-FS,

Post-talk snapshot — XUnprotect (XProtect Remediator) We walked in thinking “just YARA.” Walked out with: • a Swift DSL (Result Builders) spelling out XPR’s rules, • sneaky OCR checks catching Gatekeeper-bypass antics on screen, • Apple-only intel—with TriangleDB fingerprints,

Greg — thank you! 🙏 Trying to keep the cuts as sharp as the 0-days. Marie absolutely torched the stream — Lockdown Mode with receipts. 🔥🤯 #OBTS 🍏

🔐 DECLASSIFIED // XUnprotect — macOS XProtect Remediator decoded (live at #OBTS 🍏) | Koh Nakagawa @tsunek0h Findings: • Not “just YARA.” XPR’s detections live in a custom DSL built with Swift Result Builders (SwiftUI vibes, but for rules). • Stripped Swift binaries? Cracked

Book Signing Alert — Patrick Wardle @patrickwardle , The Art of Mac Malware: Vol II — Detection Today at #OBTS 🍏, the only signatures we’re excited about are the ones on your title page (the other kind still catch malware 😉). Bring/Buy your copy, snag the ink, and swap a quick