APT41: A Dual Espionage and Cyber Crime Operation
Foundational Mandiant research into a prolific group conducting state-sponsored espionage alongside financially motivated activity.
$ codex
› tell me about Chi-en Ashley Shen
沈祈恩 is a cybersecurity researcher and technical leader from Taiwan 🇹🇼, currently at Cisco Talos, with APT and threat-intelligence experience at Google TAG and Mandiant, plus global conference and women-in-security leadership.
沈祈恩 is a cybersecurity researcher and technical leader from Taiwan 🇹🇼, currently at Cisco Talos, with APT and threat-intelligence experience at Google TAG and Mandiant, plus global conference and women-in-security leadership.
SECURITY RESEARCH // ASHLEY SHEN
01 / UPCOMING EVENTS
Panel · July 20 · 15:30
With Julian-Ferdinand Vögele · Aug 31 · 09:50
With Julian-Ferdinand Vögele · Oct 14 · 17:00
02 / RESEARCH
A multi-stage stager combining a Lua interpreter with Rust-compiled libraries, layered anti-analysis and region-specific execution gates.
Read the analysisFoundational Mandiant research into a prolific group conducting state-sponsored espionage alongside financially motivated activity.
A seven-implant Linux gateway-monitoring and adversary-in-the-middle framework.
Hack-for-hire actors, channel hijacking and cryptocurrency scams traced to Russian-language forums.
63 vulnerabilities, an exploited Windows Kernel flaw and associated Snort coverage.
Extending the Diamond Model to represent multi-actor intrusion chains and relationships.
A taxonomy for financially motivated, state-sponsored and opportunistic initial access groups.
Following a compromise from the LAGTOY backdoor to a Cactus ransomware handoff.
A systematic analysis of offensive-AI capabilities across research and expert practice.
Analysis of a lingering V8 type-confusion vulnerability in WeChat’s WebView component.
ShadowPad, Cobalt Strike and a tailored loader in a government-affiliated compromise.
Two infection chains using LNK and HTA files to target government agencies.
Expanded targeting and an additional SFX RAR infection chain attributed to SneakyChef.
Astaroth, Mekotio and Ousaban delivered through high-volume malicious email campaigns.
Discovery and analysis of a customized Gh0st RAT variant in targeted campaigns.
RATVERMIN, QUASARRAT and infrastructure with a potential link to the Luhansk region.
A framework for detecting weaponized Office OpenXML documents used in APT attacks.
A historical community profile recognizing my malware-analysis and threat-intelligence work.

Expert interview cited on restrictions affecting Chinese researchers and East Asian security-conference ecosystems.
A systematic analysis of offensive AI across academic research, security briefings, public perspectives and expert knowledge.
Independent regional context on China–Japan cyber activity, including a dedicated Icefog/Dagger Panda analysis.
03 / SPEAKING
Jan 25 · 1:00–1:20 p.m. ET · Disco In The Dark
Presentation · Jan 22 · 10:40–11:20
Solo briefing · Sept 17–20 · on-site only
Aug 22 · 17:30 SGT · recorded session
Leadership panel with Valentina Palmiotti, Kymberlee Price and Natalie Silvanovich
International Conference on Cyber Conflict · May 27–30
With Vitor Ventura · May 9
Mar 15 · 10:50–11:20
Solo briefing · Sept 18–21
Mobile surveillance, infrastructure pivots and mercenary attribution · May 9
Cloud-service abuse and botnet infrastructure
Oct 16 · 14:35
Workshop · with Steve Su
Threat research briefing
Oct 1 · panel
Campaign tracking and malware evolution · authored slide deck
Technical Track · Oct 9 · archived event page; original player offline
Oct 10 · 13:30 · presentation deck
Revealing threats in the shadow · with Oleg Bondarenko
APT attacks targeting financial institutions
With Moonbeom Park · presentation deck
Leveraging threat-intelligence platforms to defend against cyber attacks
How we rescued and secured an APT target
The APT malware favored in cloud services · with Belinda Lai
Lessons learned from hundreds of cyber-espionage breaches
04 / MEDIA
Leading women in cybersecurity at Black Hat USA 2025.
Open on YouTube ↗︎
BLACK HAT ASIA · 2020Day One Locknote & Key Takeaways
CONFIDENCE 2019 · SAME TALK, FULL RECORDINGInto the Fog: The Return of ICEFOG APT
BLACK HAT ASIA · 2018Nation-State Moneymule’s Hunting Season
EXACT 24:55 PLAYER OFFLINE
FIREEYE CYBER DEFENSE SUMMIT · 2019Into the Fog — archived FireEye session page
TROOPERS · 2016Let’s Play Hide and Seek in the Cloud









05 / PODCASTS
12 EPISODES · 2020—2021 · 中文
I created this series to open up the world of hackers, threat research and practical security for a Mandarin-speaking audience.
資安工程師突然想開 podcast? 追駭客也是一種工作?07 / GALLERY
08 / COMMUNITY
Taiwan’s first information-security community for women.
A Swiss security community for FINTA.
Reviewing and shaping security-research programming.
Supporting strong technical content for Taiwan’s security community.
09 / EXPERIENCE
CISCO TALOS
Emerging threats, nation-state operations, financially motivated crime and spyware campaigns.
THREAT ANALYSIS GROUP
Hunted zero-day exploits used in the wild and tracked botnet activity.
Tracked APAC threat groups and co-authored major research on APT41 and ICEFOG.

TAIWAN
Focused on targeted attacks, malware analysis and emerging cyber-espionage activity in APAC.
06 / SOCIAL MEDIA
Social
media.
“Literally every prompt I gave to Fable… does CVP even matter?”
AI SAFEGUARDS · SECURITY RESEARCH ↗︎“Finished the iOS RE training with @naehrdine at @offensive_con and it completely exceeded my expectations… Highly recommend it to anyone interested in iOS security.”
IOS REVERSE ENGINEERING · OFFENSIVECON ↗︎Literally every prompt I gave to Fable… does CVP even matter?
@ashl3y_shenI’m honored to join the “Civil Society on the Digital Frontline: Facing Digital Threats Together” panel remotely.
Chi En (Ashley) S.🔥 NEW research published: We uncover DKnife, a China-nexus gateway-monitoring framework that intercepts network traffic and delivers malware via routers and edge devices.
@ashl3y-shen.bsky.socialReflections from OffensiveCon: moving from defensive threat intelligence into practical iOS reverse engineering, fuzzing and exploit research.
LINKEDIN · OWN POST, NOT A REPOST ↗︎