The final ShmooCon was held this past weekend (Jan. 10-12) in Washington, D.C., capping 20 years of the East Coast's leading hacker conference.

The late-night sessions at the hotel bar had a bittersweet element, with lots of hugs, reminiscences, and piano sing-alongs involving hearty choruses of large men with very large beards. The line for T-shirts was especially long as each of the 2,000-odd attendees aimed to commemorate the occasion in their preferred sizes and colors.

I was struck by how young many of the attendees seemed, as well as how many women there were in the crowds that rushed past on their way to the next talk.

ShmooCon organizers Heidi Potter and Bruce Potter reserve many spaces for students while making regular tickets harder to get than Taylor Swift concert seats, with the result that graybeards like me don't dominate ShmooCon the way we do some other hacker cons. Many people who couldn't get a conference ticket came anyway to join "lobby-con," taking over the bar and lobby area of the normally buttoned-up Washington Hilton, site of the annual White House Correspondents' Association dinner and the 1981 assassination attempt on President Reagan.

Lobby-con is where friendships are made, plots and pranks hatched, and cybersecurity careers advanced by introductions and conversations over drinks and nerdy jokes.

It’s just time

ShmooCon is coming to an end because, as Heidi Potter explained during the closing ceremonies, she'd rather go out on a high note than watch the conference either dwindle in attendance or get too big to manage.

Potter said she'd always planned to end it when she turned 50 but gave ShmooCon an extra year due to the 2021 conference being cancelled by COVID.

She and her husband Bruce Potter, a cybersecurity veteran who's worked for Booz Allen Hamilton and Expel among other companies, recently formed Turngate, which makes software that analyzes SaaS logs for anomalous data and events. (Turngate had its own booth area in ShmooCon's small exhibit hall, but there was nothing indicating the conference organizers were behind it.)

Heidi Potter said organizing and running ShmooCon had been a full-time job for half of every year, and a part-time job for the other half. Now that the couple's three sons are grown — and longtime ShmooCon attendees have watched them grow up — it's simply time for her and Bruce to let it go. There are no plans to sell the conference or pass it on to another party.

Misty eyes aside, there were plenty of interesting and occasionally scary presentations during the "official" part of ShmooCon 2025. Some were directly connected to cybersecurity, others indirectly so, and a few were just fun.

Here's some of what we saw over the weekend. We'll add further reports in the coming days.

Turning the tables on the bad guys, part I

Infosec professional Carl Vincent, aka Vyrus, explained how he found a way to spy on malware users without breaking privacy laws. He gave his presentation remotely instead of in person because he and his family were under mandatory evacuation orders due to the ongoing Los Angeles wildfires. (As of Saturday morning, their house was still standing.)

Vincent detailed how he built a fork of Mimikatz, a Windows password extractor widely used by both penetration testers and cybercriminals, called go-mimikatz that was designed to evade detection by antivirus software. He posted it on GitHub, the well-known online software repository.

But Vincent didn't tell anyone that about four years ago, he added a hidden "back door" to go-mimikatz that secretly collected information about anyone who modified the software, including their username, Internet Protocol (IP) address and system environment, as well as taking screenshots of the user's screen.

He got away with it for more than a year because the backdoored go-mimikatz didn't send the collected data anywhere. Instead, it was just folded into the source code in encrypted format. Whenever a modified version of go-mimikatz was uploaded to the online malware catalog VirusTotal, Vincent could download the sample and retrieve the collected information.

If he had sent the collected data over the internet and stored it elsewhere, Vincent explained, that would have crossed a legal red line. But because the data was wrapped into the code itself, and was then submitted to VirusTotal by the modifying user, it was legally permissible.

So what did Vincent find?

- At least three users possibly connected to Chinese state-sponsored hacking operations had modified go-mimikatz, including one using an IP address belonging to a company thought to be a front for the People's Liberation Army.
- A user with a Japanese IP address whose screenshot revealed tabs in Russian and another Cyrillic-based language.
- A user in Portugal who had a lot of DJ software on their machine.
- A user in an Israeli IT service company who had a lot of hacker software on their machine yet was on a Microsoft Teams call when the screenshot was taken.
- A gamer kid in the Nashville area.

Vincent said that after about a year of this, a Chinese user figured out what he was doing and left comments on GitHub that the go-mimikatz software was spying on users.

"I issued an update to my own codebase removing the backdoor," Vincent said. "Go-mimikatz still works, although I haven't updated it in a while."

Turning the tables on the bad guys, part II

Montreal-based security firm Flare sent three speakers to ShmooCon to discuss information-stealing malware that purloins passwords and other sensitive information, as well as the ecosystem that's grown up around it.

The operators of infostealer malware often sell or even give away the "logs," the data they've stolen from users, which means security researchers can download and analyze it.

"How many of you have saved credentials in your browser?" asked Flare Chief Marketing Officer Eric Clay. Most of the audience members raised their hands.

"How many of you have downloaded cracked software?" he added, with a slightly smaller share putting its hands up. "So you're all infected," Clay said.

He explained that infostealer malware steals all the information saved in your browser, including saved passwords, browsing history, and session cookies, the latter of which can be reused to evade multi-factor authentication (MFA).

It also looks for Word and Excel documents, text files, PDFs, and KeePass password-manager files — anything that may hold information that can be reused by attackers.

Some infostealers can even steal the cryptographic "seeds" from browser-based generators of temporary one-time passwords used in MFA, allowing the crooks to generate their own accurate TOTPs to break into accounts.

The most desired credentials are those to cryptocurrency or other financial accounts, but even Netflix credentials can be resold.

"Stolen credentials remain immensely popular," said Olivier Bilodeau, a principal researcher at Flare. "Thirty-one percent of all breaches over the past 10 years used them."

In a separate presentation, Flare threat researcher Estelle Ruellan detailed how operators of infostealer malware often themselves become infected.

The resulting infostealer logs, which show up on Telegram and in malware marketplaces, often detail exactly what's on many infostealer command-and-control (C2) servers.

Because the Flare researchers know the hostnames and IP addresses of many C2 servers, they were able to comb through infostealer logs and spot data from servers operating in Iran, Italy, Ukraine, the Netherlands and Hong Kong.

One interesting infected server belonged to an operator the Flare researchers called the "Malware Maestro," as he or she orchestrated a symphony of malware that worked together, each building on the capabilities of the previous one.

The PrivateLoader downloader would make initial access, Ruellan explained, and then the Mystic malware would move laterally through an infected system. The Raccoon Stealer data-gatherer then stole information and sent it to the C2 server. Lastly, the Asuka malware would deliver Trojans to maintain control and install persistent backdoors.

In the earlier session, Bilodeau and Clay explained how to minimize your chances of having your data stolen by infostealers:

- Don't save passwords, credit-card numbers, Bitcoin addresses or other sensitive information in your browsers
- Don't install "cracked" software or download free PDFs of copyrighted books
- Don't share work PCs with family members
- Never disable antivirus software
- Use stand-alone password managers like Bitwarden or Dashlane instead of browser-based password managers
- Use Windows SmartScreen to filter out known malicious sites
- Use browser ad blockers to filter out malicious ads

IT administrators, they said, should:

- Go through publicly available stealer logs and test the credentials of any company account that's found
- Find and manage "shadow IT" installations in company systems
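The Flare speakers' advice to comb through stealer logs for company accounts, together with their point that stolen session cookies let an attacker bypass MFA, suggests a small triage routine for the defender side. The script below is an added example, not code from the talk or from Flare: it parses a constructed stealer-log excerpt in a simplified, assumed `cred|...` / `cookie|...` layout (real logs come in many formats), keeps only entries whose host belongs to the organisation's own domains, and then decides an action per entry. Leaked passwords are checked against a constructed stand-in for the identity store's password verifiers rather than by attempting logins, so the check causes no lockouts or authentication noise; leaked session cookies are matched, by hash, against a constructed table of active sessions so that a live session can be revoked. All domains, accounts, salts and session values are made up for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Domains the organisation owns (constructed). An entry is in scope when its
# host equals one of these or is a subdomain of one.
COMPANY_DOMAINS = {"example.com", "example-corp.net"}


def _verifier(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password verifier, standing in for the identity store's."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the identity store: username -> (salt, verifier).
_SALT = b"constructed-salt"
ACCOUNT_STORE = {
    "alice@example.com": (_SALT, _verifier("Winter2024!", _SALT)),
    "bob@example.com": (_SALT, _verifier("correct horse battery", _SALT)),
}

# Constructed active-session table: sha256(cookie value) -> username.
ACTIVE_SESSIONS = {
    hashlib.sha256(b"sess-abc123").hexdigest(): "alice@example.com",
}

# Constructed stealer-log excerpt in an assumed, simplified layout:
#   cred|<url>|<username>|<password>
#   cookie|<host>|<cookie name>|<cookie value>
SAMPLE_LOG = """\
cred|https://mail.example.com/login|alice@example.com|Winter2024!
cred|https://vpn.example-corp.net/|bob@example.com|old-password
cred|https://www.netflix.com/login|alice@gmail.com|hunter2
cred|https://notexample.com/|carol@example.com|x
cookie|sso.example.com|SESSIONID|sess-abc123
cookie|shop.othersite.org|cart|zzz
"""


@dataclass(frozen=True)
class Finding:
    action: str       # what the defender should do
    subject: str      # account or host the action applies to
    source_line: str  # log line that produced the finding


def is_company_host(host: str) -> bool:
    """True for the company's domains and their subdomains; look-alikes such
    as notexample.com do not match because the dot is required."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)


def check_credential(username: str, password: str) -> str:
    """Compare a leaked password against the stored verifier in constant time."""
    record = ACCOUNT_STORE.get(username.lower())
    if record is None:
        return "unknown_account"
    salt, stored = record
    if hmac.compare_digest(_verifier(password, salt), stored):
        return "force_reset"          # leaked password is the current one
    return "review_stale_credential"  # account exists, password differs


def active_session_owner(cookie_value: str) -> Optional[str]:
    """Return the owner of a live session for this cookie value, if any."""
    digest = hashlib.sha256(cookie_value.encode()).hexdigest()
    return ACTIVE_SESSIONS.get(digest)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # malformed or unrecognised record
        kind, where, name, secret = parts
        if kind == "cred":
            host = urlsplit(where).hostname or ""
            if is_company_host(host):
                findings.append(Finding(check_credential(name, secret), name, line))
        elif kind == "cookie" and is_company_host(where):
            owner = active_session_owner(secret)
            if owner:
                findings.append(Finding("revoke_session", owner, line))
            else:
                findings.append(Finding("cookie_not_active", where, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.action:26} {f.subject:22} <- {f.source_line}")
```

On the constructed excerpt the routine flags alice for a forced reset (her current password is in the log), bob for review (the leaked password is not his current one), and alice's live SSO session for revocation, while the Netflix entry and the look-alike domain are ignored. Hashing cookie values before comparison keeps the triage tool from holding raw session secrets, and a stale-credential finding is still worth a look because the same password may be reused elsewhere.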