
iOS Threat Hunting – Detecting Advanced Malware
Since 2016, Pegasus has been well known in the industry as the prime example of mercenary spyware targeting iOS devices. But did you know about Paragon’s Graphite, Quadream’s Reign, Cytrox’s Predator, Tykelab’s Hermit or Candiru?
Training Overview
This new and innovative training will enable you to detect a wide variety of iOS Malware. Our forensic-based approach will provide you with a deep understanding of the forensic artifacts left behind by these malware samples and how to detect them through various techniques. Through a combination of hands-on exercises and expert-led sessions, you will develop the skills and knowledge necessary to become a proficient iOS Threat Hunter. Join us in this unique training opportunity that has not been offered before and gain valuable insights into the world of iOS Malware detection and forensics.
Date
12.10.2025 – 14.10.2025
Location
Ibiza Congress Center
Price
3000 € + Taxes
Practice / Theory
40% / 60%

Motivation
When I started my research into iOS Malware, there was one prominent statement: “iPhones can’t be hacked”. Even back then in 2018 this was not true, even though we had far fewer public cases and the OS was much easier to attack. Now in 2025 Apple notified people in 150 countries about targeted attacks. But still only rare cases of such attacks are uncovered, and even less often do we see actual samples of Malware or exploits. This is partly due to threat actors being more stealthy but also due to missing knowledge and limited forensic resources and trainings. With this training I want to share my knowledge and methodology for detecting advanced attacks. I want to help people get into this space, and hopefully together we can detect more and more attacks!
Training Details
This hands-on iOS Forensics Training course is designed to provide participants with advanced skills in the analysis and investigation of iOS devices exhibiting unusual behaviors. Participants will engage in practical exercises using two specially prepared iOS devices on which a security application has detected anomalies. The primary objective is to conduct a comprehensive forensic examination to determine the underlying issues affecting these devices.
Throughout the training, participants will learn to identify Indicators of Compromise (IOCs) and use state-of-the-art forensic tools and techniques to analyze the devices’ data. They will scrutinize system files, applications, and user data to ascertain whether the anomalies are the result of malicious infections, such as malware or spyware, or if they stem from non-malicious activities like jailbreaking.
The training is structured over three days:
- Day 1 focuses on understanding the security model of iOS, detecting malicious apps, identifying jailbreaks, and gathering forensic data.
- Day 2 is dedicated to detecting both known and unknown attacks using forensic artifacts, such as Backups, Sysdiagnose, Crashlogs and Unified Logs.
- Day 3 completes the sections on unknown attacks and includes a case study on the last known public exploit chain of Pegasus, where participants will dissect and analyze the sample together.
The course will cover key topics including data acquisition, artifact analysis, timeline reconstruction, IOC generation and anomaly detection. By the end of the training, participants will have developed a nuanced understanding of iOS forensic processes and be equipped with the necessary skills to diagnose and address a range of security issues in iOS environments. This training is ideal for digital forensic investigators, security professionals, and anyone interested in mastering the art of iOS forensic analysis.
Day 1
iOS Security Model & Malicious Apps
iOS Security Model & Mitigations
Attacker Model & Attack Vectors
Detection of Malicious Apps + Jailbreaks
Creating Forensic Artifacts
Day 2
Detecting known and unknown attacks
Manual Artifacts Analysis
Automatic Analysis with Open Source Tools
Detecting Unknown Attacks I
Day 3
Pegasus Case Study
Detecting Unknown Attacks II
Pegasus Case Study – Sample Retrieval
Pegasus Case Study – Sample Analysis
Technical Requirements
Participants need to bring a Mac with at least macOS Big Sur. Participants should bring an iOS device with them, but it’s not a prerequisite. A few will be made available by the trainer. The trainer will additionally bring some jailbroken devices. A jailbroken iPhone is not a prerequisite.
Suggested Prerequisites
Students should be familiar with the iOS Operating System in general. Students should be familiar with the concept of Malware. Students should be familiar with the macOS terminal. Students need to be able to install programs on their Mac. Experience in Python and SQL is helpful but not required.
Venue
This in-person training will take place at OBTS v8.0 on October 12-14, 2025. The training will take place at the conference venue at the Ibiza Conference Center, which is close to the conference hotel Melia Ibiza. There are discounted room rates available on the OBTS Website.
Booking
There is only a limited number of seats available at a price of 3000 € + taxes.
You can sign up and pay for the training immediately at:
https://copecart.com/products/40d93082/checkout
In case you are unsure, you can also fill out the sign-up form and I will be in touch. Expect an email from the domains forensics.training or springvillage.de.
If needed, an invoice can be created.
Conference Tickets
Conference tickets are not included in the training and need to be bought separately on the OBTS page!
Training Instructor
Matthias’s day-to-day job is to lead the research team and find new detection methods for iOS Malware at iVerify. He has plenty of experience protecting smartphones and tablets from Malware, having worked at two major German infrastructure corporations. He is a seasoned conference speaker and trainer who has given talks and trainings at top conferences such as OBTS, HITB and BlackHat. He has analyzed multiple iOS samples and spoken publicly about them.
Matthias is passionate about all things related to iOS security. When he’s not playing basketball or games he loves to spend his time learning new things around iOS.

Sign up
If you are ready to book, you can buy the training immediately here:
https://copecart.com/products/40d93082/checkout
Otherwise, sign up here:
Cancellation Policy
You can cancel your booking up to 1 month before the training starts (September 11th, 2025 – 23:59 CET) and get a full refund minus transaction and processing fees. Later cancellations can’t be refunded. In urgent cases we will try to find a solution with the best outcome for all sides, if possible.
Please note that we reserve the right to cancel any booking in justified cases with a full refund. The OBTS Code of Conduct applies to all participants.