Every great developer you know got there by solving problems they were unqualified to solve until they actually did it.
Starred Articles
Disclosing PhantomRPC
04/23/2026 We discovered a vulnerability in the RPC architecture that enables an attacker to create a fake RPC server and escalate their privileges.
If you have WriteGPLink on an Active Directory Organizational Unit (OU) and you're on the same network segment as a computer within that OU, you can abuse that permission to link an existing Group Policy Object (GPO) with a software installation policy and ARP spoof the server it references, resulting in code execution as SYSTEM without modifying SYSVOL.
We achieve consistent exploitation of prompt injections using client-side gadgets: postMessage payloads to a vulnerable iframe, a mutual window.opener relationship to confirm success, and automatic retries until the iframe receives the malicious content, ultimately allowing full XSS and data exfiltration.
We document several macOS living-off-the-land (LOTL) techniques, demonstrating that native pathways for movement and execution remain accessible to those who understand the underlying architecture.
Building an Encrypted C2 Implant Using QUIC
04/29/2026 In this article, we're going to ditch TCP sockets entirely and build a C2 implant that communicates over QUIC, an encrypted transport protocol that runs over UDP.
New Articles
A full technical teardown of FUD Crypt (Cryptor-as-a-Service) and the surrounding activity performed by this threat actor.
In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitive as a domain user, via a completely novel Kerberos authentication coercion technique that abuses discrepancies in how different Windows components handle Unicode characters.
Understanding OAuth app consent in Microsoft Entra ID is fundamental to securing your organization’s identity environment. In this post we see how user consent settings, the admin consent workflow, permission classifications, and enterprise application assignment work together as a complete control framework.
Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) Breakdown
04/27/2026 CVE-2026-3854 is an RCE in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command, using nothing but a standard git client.
Hands-on walkthrough of Windows PrivEsc fundamentals, with network recon, Defender analysis, AppLocker parsing, and process enumeration. Real command output and the reasoning behind every step.
Technical analysis of CVE-2024-12053, an arbitrary WebAssembly type confusion vulnerability stemming from a mix-up between the canonical and relative indices of WebAssembly types.
This analysis chronicles a Remcos 7.2.1 Pro variant that demonstrates the evolution of commercial RATs into full-featured surveillance platforms. We'll trace its execution from initial triage through persistence establishment, multi-threaded surveillance architecture, self-termination, and finally its cleartext C2 protocol that exposed the entire operation.
From a security researcher's perspective, microservices introduce entirely new attack surfaces. More services mean more communication paths, internal APIs, tokens, and opportunities for misconfiguration. In this article, I'll walk through three real-world attack vectors that demonstrate how microservices can introduce unexpected security weaknesses.
This analysis covers the abuse of Microsoft's implementation of the OAuth 2.0 Device Authorization Grant (Device Code Flow) in order to acquire account access tokens.
Arbitrary code execution and Claude Code CLI: How Claude executed code before you click 'trust'
04/29/2026 We discovered several ways an untrusted folder can cause arbitrary code execution in Claude Code before the user is prompted with the trust dialog, allowing for potential compromise when cloning untrusted projects.
Living off the Cloud
04/26/2026 AWS Systems Manager and Azure Run Command attract threat actors because they allow commands to be executed with the highest privileges on a host without needing host credentials, providing reliable lateral movement and persistence paths that bypass traditional network controls entirely.
Technical analysis of VECT 2.0, a ransomware that permanently destroys "large files" rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB).
This article documents practical detection opportunities for exploitation associated with the REDSUN vulnerability, using public exploit research only as contextual background for the vulnerability.
Kerberos with Titanis
04/22/2026 In this article, I'll walk you through the basics of Kerberos, and use Titanis tools to demonstrate various concepts. Most tools within Titanis directly support Kerberos authentication scenarios (e.g., passwords, PKINIT), so there is rarely any need to manually request a Kerberos ticket with Kerb.
We recently discovered an exposed server that was used for multi-victim exploitation, staging, review, and validation. Claude Code and OpenClaw were used as an operator-side harness supporting exploitation activity and workflow orchestration.
This post covers the story behind kCaddy, a hardened Caddy redirector in front of Evilginx, with header stripping, IP filtering, cookie-based session detection, and custom error handling. It explains how to run it and gives a detailed walkthrough of putting kCaddy in front of Evilginx for a hardened phishing deployment.
We discovered a five-bug chain in Samsung’s Galaxy Store (weak Cloud-Games signature checks, an unprotected SmartSwitch broadcast receiver, a path-traversal write primitive, a predictable-randomness authentication flaw, and a DoS crash in IapReceiver) that lets an unprivileged app arbitrarily write a crafted APK into the Store's shell-APK location and force its silent installation.
KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft
04/23/2026 Analysis of an Android malware that operates as a multi-stage dropper that installs a secondary payload and establishes persistent command-and-control (C2) communication. It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data.
This two-part blogpost will cover our journey to bypass the mitigations for CVE-2025-33073, which led to the discovery of two new authentication reflection vulnerabilities. In this first part, we will lay the foundation of our research, describe our methodology and disclose the first vulnerability that we uncovered: a trivial local privilege escalation via NTLM reflection.
Active Directory Pentesting - Part 2
04/18/2026 This post covers everything from the full GoAD setup, SMB host discovery and OSINT-based username generation to kerbrute enumeration and a first successful authentication against a GoAD domain controller. It's the groundwork every Active Directory engagement starts with.
Still Recent
In this second part, we explore Linux rootkit detection engineering, focusing on the limitations of relying on static detection and the importance of behavioral rootkit detection.
For investigators, the Windows root path %ProgramData% (commonly C:\ProgramData\) and its subfolders offer a system-level perspective. Analyzing it can uncover historical activity, revealing events from background file transfers and software installations to Wi-Fi connections and security tool detections.
Heap KASLR Leaks
04/09/2026 This post presents a practical heap KASLR leak that does not rely on a memory-safety vulnerability. A software-only KernelSnitch side channel plus cross-cache reuse leaks heap KASLR (msg_msg/pipe_buffer) across Linux environments and Android.
Oldies but Goodies
We walk through a practical example of DLL sideloading and proxying with VLC's libvlc.dll and show how to build a Rust proxy DLL that forwards all original exports while executing a hidden payload.
Explore reverse engineering a PAX credit card payment machine to run code via processor swap and bypass tamper protection.
Unearthed Arcana
Rusty Bootkit
07/01/2023 RedLotus is an experimental project that shows how a full UEFI bootkit can be written in Rust and used to manually map unsigned drivers during boot. It demonstrates how early boot environments can bypass protections like Driver Signature Enforcement.
Malware Development Essentials for Operators
11/07/2023 This post is a full pipeline walkthrough from a MessageBoxA call all the way to a kernel rootkit doing DKOM process hiding and callback abuse. Dynamic function loading, PEB walking, IAT hooking, process hollowing, DLL injection, shellcode encryption, APC injection, all of it, with code.