About me
Rintaro Koike
小池 倫太郎
Rintaro Koike is a security researcher at NTT Security (Japan) KK, specialising in threat research and malware analysis. He is also the founder of ‘nao_sec’, where he leads threat research initiatives. His work focuses on web-based threats and APT campaigns targeting East Asia. He has delivered more than 30 presentations at over ten international conferences, including Virus Bulletin, Botconf, FIRST and AVAR.
Positions
- Security Researcher, NTT Security (Japan) KK, 2019–present
- Security Engineer, NEC Corporation, 2018–2019
Community Activities
- Committee Member, Anti-Malware Engineering Workshop MWS, 2019–2021
- Trainer, Security Camp, 2021 https://www.ipa.go.jp/jinzai/camp/2021/zenkoku2021_program_list.html#list_c1
Education
- BSc in Sciences, Meiji University, 2018
  Graduating Class Representative: delivered a speech at the graduation ceremony on behalf of the undergraduate cohort.
Honours and Awards
- NTT Group Security Principal (2025-present)
- Anti-Malware Engineering Workshop MWS Contribution Award (2020) https://www.iwsec.org/mws/2021/mws20210602.html
- Minister for Internal Affairs and Communications Encouragement Award for Cybersecurity (2020) https://www.soumu.go.jp/menu_news/s-news/01cyber01_02000001_00062.html
- Japan Network Security Association JNSA Special Award (2020) https://www.jnsa.org/jnsaaward/2019/winner.html
- 2nd Place Overall, Anti-Malware Engineering Workshop MWS Cup (2017) https://www.ipsj.or.jp/award/mws-award3.html
- Student Paper Award, Computer Security Symposium (2017) https://www.ipsj.or.jp/award/css-award2.html
- Grand Prize, Security Camp Award (2017) https://www.security-camp.or.jp/event/awardreport.html
- 2nd Place Overall, Anti-Malware Engineering Workshop MWS Cup (2016) https://www.ipsj.or.jp/award/mws-award3.html
- Winner, Anti-Malware Engineering Workshop MWS Cup (2015) https://www.ipsj.or.jp/award/mws-award3.html
Conference Presentations
- Otter encyclopaedia: deep analysis of Otter family, VB 2026, Sevilla, [Abstract]
- Unshelling VShell at Scale, TROOPERS 26, Heidelberg, [Abstract]
- Attic Shinobi: Persistent Listening for Adversary Fingerprints, CARO Workshop 2026, Innsbruck, [Abstract]
- Tracing the Origin: Fingerprints in MSC File for Clustering and Attribution, AVAR 2025, Kuala Lumpur, [Abstract]
- Stealth over TLS: the emergence of ECH-based C&C in ECHidna malware, VB 2025, Berlin, [Abstract], [Slide], [Paper]
- Broken Seals, Broken Trust: Flaws and Defences in the Certificate Ecosystem, FIRST Annual Conference 2025, Copenhagen, [Abstract], [Slide]
- Anti Confiture: An Otter Has A Sweet Tooth, SINCON 2025, Singapore, [Abstract]
- Behind the scenes of recent DarkPlum operations, JSAC 2025, Tokyo, [Abstract], [Slide]
- P-wave of malicious code signing, VB 2024, Dublin, [Abstract], [Slide], [Paper]
- IcePeony with the ‘996’ work culture, VB 2024, Dublin, [Abstract], [Slide]
- Unmasking DarkPlum: inside the operations of DPRK’s elite cyber espionage group, VB 2024, Dublin, [Abstract]
- Rebrand to X?: SteelClover Cornucopia, AVAR 2023, Dubai, [Abstract]
- The rise of malicious MSIX file, Hack.lu 2023, Luxembourg, [Abstract]
- FirePeony: A ghost wandering around the Royal Road, VB 2023, London, [Abstract], [Slide]
- The rise of malicious MSIX file, SANS APAC DFIR Summit 2023, Tokyo, [Abstract]
- GroundPeony: Crawling with Malice, HITCON CMT 2023, Taipei, [Abstract], [Slide]
- Detection engineering with Sigma: Defend against APT targeting Japan, JSAC 2023, Tokyo, [Abstract], [Slide]
- Into The Silent Night, Botconf 2022, Online, [Abstract], [Paper]
- An Order of Magnitude Update, Japan Security Analyst Conference 2022, Online, [Abstract], [Slide]
- Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon, CODE BLUE 2021, Online, [Abstract], [Slide]
- Where is the cuckoo egg?, VB 2021, Online, [Abstract], [Slide], [Paper]
- Operation Software Concepts: A Beautiful Envelope for Wrapping Weapon, Kaspersky Security Analyst Summit 2021, Online, [Abstract]
- When you gaze into the Bottle,…, Japan Security Analyst Conference 2021, Online, [Abstract], [Slide]
- Operation LagTime IT: colourful Panda footprint, VB 2020, Online, [Abstract], [Slide], [Paper]
- Unveiling the CryptoMimic, VB 2020, Online, [Abstract], [Slide], [Paper]
- An Overhead View of the Royal Road, CPX 360 (CPRCon) 2020, New Orleans, [Abstract], [Slide]
- An Overhead View of the Royal Road, Japan Security Analyst Conference 2020, Tokyo, [Abstract], [Slide]
- A Chronicle of Fallout, AVAR 2019, Osaka, [Abstract], [Slide]
- nao_sec tools, AVTOKYO 2019, Tokyo, [About]
- Finding drive-by rookies using an automated active observation platform, VB 2019, London, [Abstract], [Slide]
- Finding Treasures in the ToyBox, HITCON CMT 2019, Taipei, [Abstract], [Slide]
- What are you doing this weekend? Are you busy? Could you analyse some DbD for me?, Japan Security Analyst Conference 2019, Tokyo, [Abstract], [Slide]
- How do Exploit Kits look from Japan?, SECCON Conference 2018, Tokyo, [Abstract]
- EKTotal, BlackHat USA 2018 Arsenal, Las Vegas, [Abstract], [Slide]
- Drive-by Download Must Die, Japan Security Analyst Conference 2018, Tokyo, [Abstract], [Slide]
Blog Posts / White Papers
- CARO Workshop 2026 presentation report https://jp.security.ntt/insights_resources/tech_blog/caro2026/
- On StoatWaffle, malware used by WaterPlum https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware/
- JSAC 2026 presentation report https://jp.security.ntt/insights_resources/tech_blog/jsac2026/
- VB2025 presentation report https://jp.security.ntt/insights_resources/tech_blog/vb2025/
- 37th Annual FIRST Conference presentation report https://jp.security.ntt/insights_resources/tech_blog/first2025/
- On OtterCandy, malware used by WaterPlum https://jp.security.ntt/insights_resources/tech_blog/ottercandy_malware_j/
- SINCON2025 presentation report https://jp.security.ntt/tech_blog/sincon2025
- New functionality added to OtterCookie, malware used by WaterPlum https://jp.security.ntt/tech_blog/waterplum-ottercookie
- 2nd VirusTotal user group meeting presentation report https://jp.security.ntt/tech_blog/vtuserjp2
- Malicious MSC file analysis report https://jp.security.ntt/resources/MSCfile_research.pdf
- JSAC2025 presentation report https://jp.security.ntt/tech_blog/jsac2025
- On OtterCookie, new malware used by Contagious Interview https://jp.security.ntt/tech_blog/contagious-interview-ottercookie
- On an AsyncRAT variant used by the targeted-attack group DarkPlum https://jp.security.ntt/tech_blog/darkplum-asyncrat
- VB2024 presentation report https://jp.security.ntt/tech_blog/vb2024
- On attacks by malware abusing AppDomainManager Injection https://jp.security.ntt/tech_blog/appdomainmanager-injection
- Published the white paper "Large-scale survey report on malicious MSIX files" https://jp.security.ntt/tech_blog/whitepaper-msix
- Large-scale survey report on malicious MSIX files https://jp.security.ntt/resources/MSIXfile_research.pdf
- Operation ControlPlug: a targeted attack campaign using MSC files https://jp.security.ntt/tech_blog/controlplug
- On IvanLoader, executed from malicious MSIX files https://jp.security.ntt/tech_blog/ivanloader
- AVAR 2023 presentation report https://jp.security.ntt/tech_blog/avar2023
- Hack.lu 2023 presentation report https://jp.security.ntt/tech_blog/hacklu2023
- VB2023 presentation report https://jp.security.ntt/tech_blog/vb2023
- HITCON CMT 2023 presentation report https://jp.security.ntt/tech_blog/hitcon-cmt-2023
- On PowerHarbor, new malware used by SteelClover https://jp.security.ntt/tech_blog/102ignh
- Implementation and evaluation of gimpfuzzy, a new approach to Golang malware https://jp.security.ntt/resources/gimpfuzzy.pdf
- On attacks using FlowCloud that start from USB flash drives https://jp.security.ntt/tech_blog/102id0t
- On an attack campaign distributing malware through fake Google Chrome error screens on compromised websites https://jp.security.ntt/tech_blog/102ic6o
- On the increase in SteelClover attacks distributing malware via Google Ads https://jp.security.ntt/tech_blog/102i7af
- Operation RestyLink: a targeted attack campaign against Japanese companies https://jp.security.ntt/tech_blog/102ho8o
- BlackTech targeted attack analysis report https://jp.security.ntt/resources/BlackTech_2021.pdf
- On Flagpro, malware used by the targeted-attack group BlackTech https://jp.security.ntt/tech_blog/102h7vx
- On attacks using the Spelevo Exploit Kit by the PseudoGate campaign targeting Japan https://jp.security.ntt/tech_blog/102gsqj
- On nccTrojan, malware used by the targeted-attack group TA428 against defence and aerospace organisations https://jp.security.ntt/tech_blog/102gr6l
- On changes in the attack techniques of the targeted-attack group CryptoMimic https://jp.security.ntt/tech_blog/102gpur
- Panda’s New Arsenal Part 3 Smanager https://jp.security.ntt/tech_blog/102glv5
- Panda’s New Arsenal Part 2 Albaniiutas https://jp.security.ntt/tech_blog/102gkfp
- Panda’s New Arsenal Part 1 Tmanger https://jp.security.ntt/tech_blog/102gi9b
- Crafty Panda targeted attack analysis report https://jp.security.ntt/resources/CraftyPanda.pdf
- On the cyber-attack operation "kiya" targeting the construction industry (continued) https://jp.security.ntt/tech_blog/102g03d
- [12/11] Looking back on presentations at international conferences (VB 2019, AVAR 2019) https://jp.security.ntt/tech_blog/102fvtr
- IcePeony with the ‘996’ work culture https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html
- Building Casper’s Shadow https://nao-sec.org/2024/06/building-caspers-shadow.html
- GroundPeony: Crawling with Malice https://nao-sec.org/2023/08/groundpeony-crawling-with-malice.html
- Exploit Kit still sharpens a sword https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html
- Royal Road! Re:Dive https://nao-sec.org/2021/01/royal-road-redive.html
- An Overhead View of the Royal Road https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
- Say hello to Bottle Exploit Kit targeting Japan https://nao-sec.org/2019/12/say-hello-to-bottle-exploit-kit.html
- Weak Drive-by Download attack with “Radio Exploit Kit” https://nao-sec.org/2019/07/weak-dbd-attack-with-radioek.html
- Steady Evolution of Fallout v4 https://nao-sec.org/2019/07/steady-evolution-of-fallout-v4.html
- Analysis of Fallout Exploit Kit v3 https://nao-sec.org/2019/03/analysis-of-fallout-exploit-kit-v3.html
- In-Depth analysis of new Fallout Exploit Kit https://nao-sec.org/2019/01/in-depth-analysis-of-new-fallout.html
- Hello “Fallout Exploit Kit” https://nao-sec.org/2018/09/hello-fallout-exploit-kit.html
- Analyzing Shellcode of GrandSoft’s CVE-2018-8174 https://nao-sec.org/2018/06/analyzing-shellcode-of-grandsofts-cve.html
- Analyzing GrandSoft Exploit Kit https://nao-sec.org/2018/02/analyzing-grandsoft-exploit-kit.html
- Analyzing Ramnit used in Seamless campaign https://nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html
- Survey of “ngay campaign” https://nao-sec.org/2017/12/survey-of-ngay-campaign.html
- Analyzing KaiXin Exploit Kit https://nao-sec.org/2017/11/analyzing-kaixin-exploit-kit.html
- Seamless localized to Japan https://nao-sec.org/2017/07/seamless-localized-to-japan.html
- Overlooking Decimal IP Campaign https://nao-sec.org/2017/05/overlooking-decimal-ip-campaign.html
- Analyzing Rig Exploit Kit https://nao-sec.org/2017/04/analyzing-rig-exploit-kit-vol1.html
- PseudoGate, a new Drive-by Download attack campaign targeting Japan https://blog.activedefense.co.jp/2018/08/drive-by-downloadpseudogate.html
- Black Hat USA 2018 Arsenal presentation report https://blog.activedefense.co.jp/2018/08/black-hat-usa-2018-arsenal.html