✈️ The #Fokusek team is officially on the move!
Tibi & Mussy are heading to #OBTS v8.0 – Objective by the Sea 🌊 in Ibiza 🇪🇸
Can’t wait to connect with the brilliant minds shaping the future of Apple security, macOS, and iOS research.
#ObjectiveByTheSea#OBTSv8#AppleSecurity
The #OBTS community is simply incredible!! 😍
From trainers & speakers to students & attendees, you made this the best #OBTS yet 🙏🏽
Photos, recordings & slides coming soon!
We met @sharvil here at #OBTS 4 years ago; today felt like a clean git merge: different commits, same repo.
Here’s to familiar faces and future builds. 💻🤝✨
From Maui 🌺 to Ibiza 🌴, the best reunions aren’t in the schedule—they’re in the smiles you recognize from across the hallway track. Badge scans turned into bear hugs, stickers became passport stamps, and the “see you online” finally cashed in IRL. Grateful for every familiar face—cheers, @L0Psec 🍻
#OBTS 🍏 keeps the people part legendary.
🎯 AFTER-ACTION REPORT — BYOB: Bring Your Own Blackbox
Lead: Colson Wilhoit @DefSecSentinel
Outcome: macOS 26 “Tahoe” native Linux containers + Docker = a trench coat for C2/tools; host ESF/EDR watches the sidewalk while the op rides inside the pod.
Demo: containerized evasion, clean and quiet.
Countermoves: container-aware telemetry—map host↔cgroup/PIDs, flag privileged runs, surprise vNICs, odd-hour spins, unsigned images, sneaky mounts. Ship rules to SIEM/EDR.
Takeaway: Not just cool—operational. Only at #OBTS 🍏 do you leave with a playbook, not a teaser.
🎟️ Late Show Wrap — Day 1 (Part II) @ #OBTS 🍏
As the Ibiza lights drop, the heist crew takes a bow:
🕵️ The Spy — BlueNoroff’s Clues (Presenters: @stuartjash and @birchb0y)
Process injection, Objective-C keyloggers, DPRK tradecraft unmasked — plus how to spot it and stop it.
🔧 The Locksmith — Unpacking the iOS Sandbox (Presenter: @yarden_ha )
A retired decompiler resurrected, rules decoded, research gets turbo: the sandbox finally speaks human.
⌚ The Illusionist — Trust me, I’m an Apple Watch (Presenter: Nils Rollshausen)
A forged Watch wins trust, then pulls receipts: pairing tricks, private data paths, defenses included.
📡 The Analyst — From Bits to Behavior (Anje Knottnerus)
C2 “randomness” isn’t: callbacks, jitter, tempo—OSQuery + Filebeat turn stats into night-vision.
📦 The Quartermaster — BYOB: Bring Your Own Blackbox (Colson Wilhoit @DefSecSentinel )
Docker now, Tahoe’s native Linux containers next—evasion in a box, with a container-aware playbook to hunt it.
Only at #OBTS 🍏 do you get a spy film, a magic act, a stats lab, and a container ship—all in one sunset.
Brains buzzing. Notebooks heavier. See you tomorrow.
We opened the iOS sandbox like a museum vault—carefully, layer by layer—and found the rulebook written in runes. So @yarden_ha revived an old decompiler (dev CPR 🫀🛠️), added modern iOS support, and turned noise into readable signals. Now the policies aren’t “mystery beach sand,” they’re a map you can navigate: what’s allowed, what’s fenced, why that API says “no.” Research → faster. Insights → deeper. Clarity → finally. Only at #OBTS 🍏 do tools get resurrected and upgraded in one talk.
KAPOW! 💥 The sandbox didn’t fall—it got decoded.
@yarden_ha resurrected the tool, buffed it to 2025 specs, and captioned the rules like speech bubbles for security nerds.
Result: faster triage, smarter calls, happier brains.
Origin story? #OBTS 🍏. 🦸♂️📖
Trust me, I’m an Apple Watch.
Today that wasn’t a slogan—it was a disguise.
Nils Rollshausen rolled up to the walled garden dressed as the gardener’s wrist:
not smashing gates, imitating them—protocol cosplay so good even the gate blushed.
Bluetooth got pick-pocketed at Layer 2,
the OSI elevator was speed-run to Floor 7,
and the Watch whispered “it’s cool, they’re with me,”
while data tip-toed out wearing a fitness band and a grin.
No drama, just craft: reverse the secret handshakes, mimic the vibe, exfil like it’s a cool-down lap.
If your threat model didn’t include “wearables with VIP wristbands,” it does now.
#OBTS 🍏 isn’t a conference, it’s a magic show where the trick is explained and repeatable.
Add the presenter, hit post, watch timelines blink.
⌚️⚡️ House lights up, wrists still buzzing. “Trust me, I’m an Apple Watch” just closed and Nils Rollshausen basically convinced the bouncers they were on the guest list—proprietary Watch protocols decoded, Bluetooth sweet-talked at the metal, OSI stairs sprinted, and the data walked out the front door wearing a step counter. No smash-and-grab—impeccable mimicry. This is why #OBTS 🍏 hits: you don’t just watch the trick; you leave ready to run it in the lab. Save this for your threat model. 🧭📶🧪🚪
🕵️♂️ Noir-mode live from #OBTS 🍏 — From Bits to Behavior with Anje Knottnerus.
In the glow of macOS logs, the quiet ones talk:
consistent callbacks (the clingy ex that pings on the minute),
jitter (a metronome with a hangover),
patterns that swear they’re random… until stats say “gotcha.”
Bits → behavior → busted.
OSQuery is the wiretap, Filebeat is the courier, and the C2 can’t help leaving statistical shadows on the sidewalk.
This is the #OBTS 🍏 effect: we don’t chase packets—we read their alibis.
POSTCARD FROM IBIZA 📬
#OBTS 🍏 check-in: From Bits to Behavior just wrapped and the room’s still buzzing.
Presenter: Anje Knottnerus
Heuristics weren’t “math”—they were a bouncer with a spreadsheet:
the “I’m random, promise” C2 that always calls back at suspicious o’clock? flagged.
the jitter with a fake mustache? stripped.
the “quiet… then oddly regular” pattern? spotlighted.
OSQuery ran the door list, Filebeat handled CCTV, and stats turned macOS logs into tell-all body language.
Cool factor = watching a detective solve the case without a single signature—just tempo, gaps, and rhythm.
Add this to your hunt playbook and thank #OBTS 🍏 later.
🎖️ SITREP: BYOB — Bring Your Own Blackbox
Presenter: Colson Wilhoit @DefSecSentinel
Intel: macOS 26 “Tahoe” adds native Linux containers. Adversaries are already abusing Docker; tomorrow they cruise Tahoe—ESF/EDR see the host, the action lives in the pod.
Live drill: containerized C2 + tools = stealth commute.
Counterplay: make telemetry container-aware—map host↔cgroup/PIDs, flag privileged runs, unsigned images, odd-hour spins, surprise vNICs, and sus mounts.
Verdict: if your SIEM ignores containers, you’re fighting fog.
Only at #OBTS 🍏 do you get the op-order and the antidote.
North Korea pulled up to #OBTS — but not on the guest list 🇰🇵💻
In BlueNoroff’s Clues brought by @birchb0y & @stuartjash , we walked through a full DPRK-linked intrusion, and the tactics were as sneaky as you’d expect:
💉 Process injection
🧠 Objective-C keyloggers
🎣 Surgical tradecraft straight out of the APT playbook
And the twist?
One of the presenters casually rolls in wearing Blue Love Fairy camo, like the malware had its own K-drama merch drop 💙 Love it!
Spy vibes, shellcode, drip.
Only at OBTS do you get North Korean APTs… and fashion moments worth reverse engineering. 🔍🔥
The talk is over, but the impact is still syncing… thank you @iamevltwin 📲
The Power of Powerlogs at #OBTS just unlocked a whole new way to understand Apple devices — not with exploits, but with insight.
Turns out, your iPhone, Mac, Vision Pro (even your Apple TV 👀) have been quietly keeping logs… and they’ve got a lot to say.
600+ tables worth of info, ready to answer:
📱 What were you running?
🌐 What network were you on?
And many more…
It’s like your Apple devices are speaking — and Powerlogs is the language.
Only at OBTS do diagnostics become digital conversations. 🧠🔍🍎
Midway through Day 1 at #OBTS and we’re already questioning reality.
What have we learned so far?
🎧 Sound can break out of a sandbox (thanks Dillon & CoreAudio)
🕵️♂️ macOS malware has a real identity crisis — and ML + MITRE just called it out
📱 Your Apple devices have been whispering Powerlogs secrets this whole time
☕️ CVEs now come with oat milk, straight outta Starbucks
We came for insights.
We stayed for the live demos, brain-melting bugs, and elite hallway chats.
The sun’s still up. The next drops are coming.
This isn’t a conference. This is OBTS. 🌴💻🔥
@patrickwardle@andyrozen@objective_see@jbradley89@theevilbit@gergely_kalman@dillon_franke@osint_barbie@iamevltwin
The biggest 0-day at #OBTS isn’t on any CVE list…
It’s the friendships you never saw coming. 💻🤝
Sharvil Shah @sharvil and I met at OBTS 4 years ago.
Fast forward to today… and somehow it feels both like no time has passed and everything has changed.
Before & after. Now & then.
Same minds. New chapters.
That’s the real payload OBTS delivers — human connection.
Hope next year we add Antonio Piazza @antman1P back to the mix
Frank Abagnale @frankabag had Leonardo DiCaprio @LeoDiCaprio .
macOS malware has… @osint_barbie 🕵️♂️😩
But today at #OBTS, we saw Catch Me If You Scan — and DiCaprio would’ve been proud.
Instead of chasing malware manually, the team turned the table with:
🤖 Machine learning magic
🧠 MITRE-enhanced logic
🕷️ Custom SWARM tech
Malware samples? Clustered.
Threat types? Predicted.
False positives? Filtered.
Only at OBTS can you go from cyber memes to machine-classified malware families — and walk out with real solutions.
Think you know your Apple device?
Think again.
At #OBTS, The Power of Powerlogs just revealed that inside every iPhone, Mac, TV — even Vision Pro — there’s a hidden treasure trove of over 600+ beautifully structured tables waiting to tell a story - Created and narrated beautifully by @iamevltwin 📊✨
✅ What apps you’ve opened
✅ Network behavior, system state, and more
All tucked neatly in a sysdiagnose — not spooky, just seriously useful.
It’s privacy-conscious logging… with forensic superpowers. 🧠🔍
Only at OBTS do we turn diagnostics into digital storytelling 🔦