Caphaw - the advanced persistent pluginer

Wednesday 24 September 15:00 - 15:30, Green room.

Micky Pun (Fortinet)
Neo Tan (Fortinet)

This paper is available online (HTML, PDF).

Often identified by its ability to spread through Skype and to inject content into online banking pages, Caphaw, also known as Shylock, has been a low-profile yet persistent player on the botnet scene since 2011. It is a rare botnet that was released with complete functionality, in stark contrast to most botnet malware, which is released prematurely into the wild. Its intricately designed code structure, together with various obfuscation and anti-sandbox techniques, has made it difficult for analysts to build a complete profile of its malicious behaviour.

In this presentation, we will discuss the technical aspects of handling anti-reversing strategies devised by the malware writer and evaluate how Caphaw's 'pluginer' capability could position itself as a robust APT player in the future.

Micky Pun

Micky Pun is a malware researcher at Fortinet Canada. She received her Bachelor's degree in computer engineering from Simon Fraser University. She has worked as a malware analyst for three years since graduating. Her main tasks include malware/packer analysis and detection creation. Pun's current research focus is on vulnerabilities and exploits.


Neo Tan

Neo Tan has over four years' experience of professional software development and three years' experience of malware reverse engineering. He is a Team Lead in the AntiVirus MVRT department at Fortinet Inc. His research interests include exploits, custom packers and botnets.


