Programming is 10% science, 25% ingenuity and 65% getting the ingenuity to work with the science.
Starred Articles
How one Commit Broke Obfuscation: A blog post exploring the role of compilers and optimizations in the field of obfuscation and de-obfuscation.
In this article, we show that once arbitrary code execution lands inside a process, most of the "hardened Linux" playbook turns into expensive theater: noexec mounts, MAC policies and filesystem controls are all bypassed from userspace, with no kernel involvement at all.
This article discusses how legitimate machine learning infrastructure can be abused for payload delivery, in-memory staging, and EDR evasion on Windows 10/11.
How we replaced a Falco sidecar with an embedded eBPF sensor, built a five-stage event pipeline, and learned the hard way why namespace scoping matters for enforcement.
BlueHammer: Inside the Windows Zero-Day
04/06/2026 We detail the BlueHammer exploit, a Windows zero-day that leverages Defender's update process to escalate privileges and remains unpatched.
New Articles
A deep dive into Google's NTLMv1 rainbow tables: how the tables are structured and how they can be used to recover NT hashes from captured NTLMv1 responses.
A technical analysis of Mirax, a sophisticated Malware-as-a-Service (MaaS) offering, specifically targeting Android devices. It integrates advanced Remote Access Trojan (RAT) capabilities and enhances its operational value by turning infected devices into residential proxy nodes.
In this article, we present a succinct analysis of CVE-2025-4802, which affects the GNU project's implementation of libc (glibc). The vulnerability allows a statically linked, SUID ELF binary that calls dlopen() to load arbitrary libraries via the LD_LIBRARY_PATH environment variable, leading to privilege escalation.
This post delves into the abuse of WinGet as a living-off-the-land binary (LOLBin). Instead of calling winget.exe, we invoke the WinGet Configuration engine directly through its COM API, removing the CLI process from the execution chain entirely. The result is arbitrary code execution inside a Microsoft-signed process with no winget.exe, no powershell.exe and no cmd.exe in the process tree.
We analyze a widespread phishing campaign leveraging the device code authentication flow to compromise organizational accounts at scale. This campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes.
We identified a command injection vulnerability in Geutebruck security cameras that allows authenticated attackers to execute arbitrary commands as root through the web interface. The root cause is unsanitized user input being passed into a sed script.
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)
04/13/2026 One zero-byte QUIC packet is enough to desynchronize HAProxy's backend connection pool and smuggle HTTP requests across unrelated users, even users on a completely different frontend protocol.
Threat actors abuse MSBuild.exe to execute arbitrary code without dropping malware on disk, and to covertly perform additional actions in the post-infiltration phase. In this article, we explain how the MSBuild attack technique works, look at actual attack cases, and suggest countermeasures.
Overview of a phishing-as-a-service platform exploiting Microsoft’s Device Code OAuth flow at scale, then weaponizing stolen tokens with AI-powered email intelligence to automate business email compromise.
We found a flaw in h3's handling of the Transfer-Encoding header: send the value as 'ChunKed' instead of 'chunked' and you get request smuggling.
We review the Master File Table from a DFIR standpoint. We will walk through what it is, what it contains, and how you actually use it.
We uncover escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.
We uncovered a fail-open regression in Apache Tomcat's cluster encryption that turns a one-line code change into unauthenticated Remote Code Execution (CVE-2026-34486). The flaw lies in a previous patch that leads to unconditional deserialization of attacker-controlled bytes.
Paying Google to Hack macOS Users?
04/11/2026 Installing software with curl | sh is a bad habit, and unfortunately a common one nowadays. It is an attack vector that malvertising exploits. The article describes what happens when someone blindly installs a tool from a sponsored website.
Active Directory Pentesting - Part 1
04/12/2026 This post covers the AD fundamentals every pentester needs locked in: domains, trees, forests, the Domain Controller as crown jewel, Kerberos SSO, multi-master replication, and why even a low-privileged domain account is worth more than it looks.
In this post we walk through multiple vulnerabilities in both NSIS (Nullsoft Scriptable Install System) and Zscaler Client Connector for Windows, demonstrating how these can be combined to escalate privileges from a standard user to SYSTEM.
jq For Forensics
04/05/2026 jq is a great tool for parsing JSON data. But DFIR professionals often apply jq differently from the typical examples you see written for developers.
This blog post details the EvilTokens PhaaS operations on Telegram and the administration panel capabilities leveraged by affiliates, including AI-augmented features that significantly facilitate BEC fraud.
A vulnerability in RAGFlow allows low-privilege authenticated users to execute arbitrary code on instances that use Infinity for chunk storage. In this article, we walk through the discovery and exploitation of the vulnerability.
Creating shellcode by hand, starting with simple functions such as displaying a message box and progressing to a custom reverse shell.
Reverse Engineering a Multi Stage File Format Steganography Chain of the TeamPCP Telnyx Campaign
04/09/2026 Walking through the malicious WAV and PNG file formats used by TeamPCP to hide a cred-stealer inside the compromised telnyx Python SDK, from 010 Editor to IDA Free.
I pointed Claude Opus at Discord's bundled Chrome and asked it to build a full V8 exploit chain. A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about 20 hours of me unsticking it from dead ends. It popped calc.
Unearthed Arcana
Hunting Down The Top 6 Most Common Price Manipulation Vulnerabilities in E-Commerce Websites
02/05/2024 In this article, we will cover several exploitation techniques to identify price manipulation (also referred to as 'formula injection') vulnerabilities in e-commerce targets.