Wednesday 14 October 11:25 - 12:25, Small Talks room
Alexander Adamov (Blekinge Institute of Technology, NioGuard Security Lab) & Anders Carlsson (Blekinge Institute of Technology)
This research is motivated by over 15 years of teaching and developing malware analysis education grounded in real-world malware. The first version of the malware analysis course was introduced at Kharkiv University of Radio Electronics (Ukraine) in 2010 and later adopted by Blekinge Institute of Technology (Sweden) in 2014 [1, 2], as well as by several other universities in Ukraine and the EU. The course has also been used in training programs for law enforcement and cyber forces [3]. Since then, the course has evolved significantly, particularly through the inclusion of real malware samples obtained from Russian nation-state cyberattacks (e.g. Sandworm, EmberBear, CozyBear, Gamaredon) [4-7]. A defining characteristic of the course has always been its reliance on authentic malware rather than artificial samples, enabling students to study real adversary tradecraft and attack artifacts. In 2021, this educational approach was extended by applying reinforcement learning (RL) to simulate ransomware attacks [8], demonstrating the potential of adaptive methods for cyber attack modelling. Today, the emergence of generative AI and LLM reasoning, along with RL, creates an opportunity to move beyond static post-incident analysis toward interactive, adaptive, real-time adversary modelling in a cyber range environment.
This talk explores how state-sponsored APT groups can be revived as AI-powered digital twins through the combination of generative AI and reinforcement learning. The result is a shift beyond static ATT&CK playbooks toward adversary modelling that can reason, adapt, and respond in real time within a controlled cyber range.
[1] Malware Analysis course, 7,5 ECTS, Blekinge Institute of Technology, https://www.bth.se/english/education/coursesandcoursepackages/malwareanalysis75credits.4.4d3280a019c933afee31e57f.html
[2] Professional Master in Information Security (PROMIS), https://promisedu.se/
[3] CyberUA: Specialised trainings for Ukrainian law enforcement on live data forensics and Windows malware investigations, Council of Europe's Cybercrime Program Office (C-PROC), Polish Police Academy, 14-18 July 2025, https://www.coe.int/en/web/kyiv/-/cyberua-specialised-ecteg-trainings-for-ukrainian-law-enforcement
[4] Adamov A., Carlsson A. Battlefield Ukraine: finding patterns behind summer cyber attacks. Proc. of the 27th Virus Bulletin International Conference, Madrid, Spain, 4-6 Oct 2017, Appendix: Last-minute presentations, pp. 4-5. https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-battlefield-ukraine-finding-patterns-behind-summer-cyber-attacks
[5] Adamov A. Russian wipers in the cyberwar against Ukraine. Proc. of the 32nd Virus Bulletin International Conference, Prague, Czech Republic, 28-30 Oct 2022, pp. 96-102. https://www.virusbulletin.com/conference/vb2022/abstracts/russian-wipers-cyberwar-against-ukraine/
[6] Adamov A. Turla and Sandworm come filelessly. Proc. of the 33rd Virus Bulletin International Conference, London, UK, 4-6 Oct 2023, pp. 509-510. https://www.virusbulletin.com/conference/vb2023/abstracts/turla-and-sandworm-come-filelessly/
[7] Adamov A., Carlsson A. The Attribution Story of WhisperGate: An Academic Perspective. Proc. of the 35th Virus Bulletin International Conference, Berlin, 24-26 September 2025. https://www.virusbulletin.com/conference/vb2025/abstracts/attribution-story-whispergate-academic-perspective/
[8] Adamov A., Carlsson A. Reinforcement Learning for Anti-Ransomware Testing. 2020 IEEE East-West Design & Test Symposium (EWDTS), 2020. https://www.researchgate.net/publication/346942881_Reinforcement_Learning_for_Anti-Ransomware_Testing
Alexander (Oleksandr) Adamov
Dr. Alexander (Oleksandr) Adamov is the Founder and CEO of NioGuard Security Lab (nioguard.com), a cybersecurity research laboratory. With over 20 years of experience in cyber attack analysis, gained through his work in the antivirus industry, he has taught cybersecurity at universities in Ukraine (nure.ua) and Sweden (bth.se) for the last 15 years. His laboratory focuses on applying AI and machine learning to solve cybersecurity problems. NioGuard Security Lab is a member of the Anti-Malware Testing Standards Organization (AMTSO). Dr. Adamov regularly speaks at major cybersecurity events, including the Virus Bulletin Conference, OpenStack Summit, UISGCON, OWASP, and BSides.
Anders Carlsson
Dr Anders Carlsson is a senior lecturer and researcher at Blekinge Institute of Technology (BTH), Sweden, and an honoured professor at Kharkiv National University of Radio Electronics (KhNURE), Ukraine. With over 30 years of experience in computer security, network security, and digital forensics, Dr Carlsson brings deep expertise shaped by both military and academic service. He began his career as a computer engineer and lieutenant-commander in electronic warfare in the Royal Swedish Navy's submarine forces. He later earned his Ph.D. in network security at KhNURE. Dr Carlsson has contributed extensively to international collaboration in cybersecurity education, including leading roles in EU projects such as ISEC-I, ISEC-II, BAITSE, and ENGENSEC, focusing on training law enforcement and harmonizing cybersecurity curricula across Europe. He is also the author of two books: Educating the Next Generation MSc in Cyber Security and Cyber Security for Next Generation Experts.