Security Review #311

June 12, 2026

Once a new technology starts rolling, if you’re not part of the steamroller, you’re part of the road.

— Stewart Brand

Starred Articles

Let's talk about encrypted reasoning

I investigate "encrypted reasoning" blocks in Claude and OpenAI LLM APIs. These are opaque, signed ciphertexts containing a model's hidden chain‑of‑thought which can be replayed across sessions and leak information via size or timing side‑channels.

Oops, I Weaponized the Database: Abusing AI Features in SQL Server 2025

In this article we demonstrate how new native AI features in Microsoft SQL Server 2025 can be weaponized to provide a practical channel for data exfiltration and C2 transport within the database engine itself.

BYOVD and Looting LSASS in the Modern EDR Era

In this article, we will be uncovering the internals of kernel driver vulnerabilities and how to leverage them via the BYOVD (Bring Your Own Vulnerable Driver) method to eventually run pypykatz. We will use kernel access to disable PPL for the LSASS process and then proceed to dump the process to disk, XOR'ing it beforehand so it avoids detection by popular EDR solutions.

New Articles

Auditing GitLab - Part 2: The CI/CD Kill Chain

In this second part, we introduce GoGatoZ - a purpose-built Go tool for GitLab CI/CD security auditing that can perform and automate the entire CI/CD kill chain - and point it at gitlab.com and run three large-scale scans.

The Detection & Response Chronicles: Covert Operations Through QEMU

In this blog post, we take a look at different ways that QEMU can be abused by adversaries to deploy virtual machines that contains and executed malicious payloads. This approach enables them to maintain covert access and bypass host-based detection from AV and EDR solutions.

How to respond to an incident in Kubernetes - Part 3: AKS

AKS does not enable Kubernetes-level audit logging by default. In this article, we review the key components to be enabled at cluster creation to provide necessary incident response data.

Living Off The Land

We review some unexpected PowerShell commands we leverage for enumeration purpose from a compromised system.

Why is my shellcode being corrupted?

We explore the illusion GDB creates in Linux Binary Exploitation, uncovering issues with breakpoints and stack memory behavior in this detailed analysis.

EDRChoker: Choking The Telemetry Stream to Bypass Defenses

In this article I present a technique for interfering with the client–server connection of an EDR through Policy-based QoS (pacer.sys) to set throttling on EDR agents, causing them to always time out, effectively blocking them

Hacking Google with A.I

We detail a dozen of vulnerabilities found in Google's infrastructure components. We also provide the design of the AI automation we setup to scan the 1,500 APIs calls, using about 3,600 different keys.

A Long-running BOF Component Contract

In this post, we’ll walk through the broad ideas behind the concept of Asynchronous PICOs design. And, I’ll then walk-through Long-running BOFs which is a demonstration of some Asynchronous PICO ideas but using a component contract.

Technical Analysis of MLTBackdoor

Technical analysis of MLTBackdoor, a new malware family that provides post-exploitation capabilities on demand and likely used by an initial access broker for ransomware attacks.

The Click that shouldn’t have worked: RCE via clickjacking in Internet Explorer

We detail a series of chainable flaws in Internet Explorer's legacy WebBrowser control that let an attacker with a modest XSS foothold (often on a localhost‑served app) auto‑download and execute malicious code, ultimately achieving remote code execution without needing extensive user interaction.

How attackers are gaining access to LLM inference

This post covers five routes threat actors use to reach LLM inference without paying for it: buying offensive models on underground forums, using front-end models using 3rd party LLM service that allows paying in bitcoin, using free-tier or keyless public APIs, hunting for leaked API keys in developer artifacts, and exploiting self-hosted LLM servers left open on the internet.

Popping Root on UniFi OS Server: Unauthenticated RCE...

We detail the vulnerabilities leading to a full unauthenticated RCE chain in UniFi OS Server that lands a root shell in one request, exposing networks, doors, and cameras.

Securing CI/CD in an agentic world: Claude Code Github action case

We discovered that Anthropic’s Claude Code GitHub Action could expose CI/CD workflow secrets when AI agents process untrusted GitHub content, including issue bodies, pull request descriptions, and comments.

Unauthenticated RCE as QSECOFR via IBM i Management Central

We discovered and developed an exploit for a pre-authentication remote code execution vulnerability in IBM i Management Central (MGTC). The vulnerability allows an unauthenticated attacker to execute arbitrary CL commands as QSECOFR – the root-equivalent profile on IBM i – by abusing the MGTC packet protocol on port 5555.

Canonical Multipass Forensics 101

We investigate into how the Canonical Multipass app stores its virtual machines in Windows. We will first provide a brief refresher on Multipass, then focus on the 3 locations where we can find relevant artifacts.

Hardening Intune - Part 2: The Implementation Guide

In this second part of the series on Intune hardening, we provide an implementation guide for 11 controls. We will walk through the configuration path, decision points, and a validation test so you can confirm it is working. These controls are organized in the order they should b eimplemented during a hardening engagement.

Prompt Engineering for Security Agents with GEPA

We explains how to apply the GEPA (Genetic‑Pareto) optimisation framework - using measurable reward scores, actionable side‑information, and Pareto‑frontier selection - to automatically refine the prompt of a web‑CTF agent, resulting in a modest but consistent boost in solve rate, efficiency and speed across multiple challenges.

Shai-Hulud: Miasma

This article dissects Misama, a highly modular, anti‑analysis‑aware JavaScript worm that harvests credentials, exfiltrates them via stealthy GitHub repos, and spreads through package registries, GitHub Actions, and AI‑enabled development environments.

Building an Indirect Prompt Injection Workflow

This post covers how I used OpenAI’s Codex to automate the generation, testing, and refinement of indirect prompt injection payloads against an agentic system using Sonnet models on Amazon Bedrock.

Still Recent

MAD Bugs: Finding and Exploiting a 21-Year-Old Vulnerability in PHP

This is the story of how we found a new unserialize use-after-free in a code path that has been vulnerable since PHP 5.1, built a local exploit that bypasses disable_functions with no /proc access and no hardcoded offsets, then turned it into a remote exploit.

Exploiting Qualcomm's QAIC Kernel Driver

I detail a vulnerability in a Linux v6.18 kernel. It leaves behind a dangling page-table entry and therefore creates a page-level use-after-free scenario that can be leveraged to get a physical arbitrary read/write primitive I use for privilege escalation.

Oldies but Goodies

Auditing GitLab - Part 1: Public Gitlab Projects on Internal Networks

In this first part of the series, we talk about plundering self-hosted GitLab instances on internal networks - cloning public repos, running Gitleaks, and combining it all into a nice spreadsheet of secrets.

Unearthed Arcana

Debugging Windows Isolated User Mode (IUM) Processes

In this blog post we discuss how to debug Windows' Isolated User Mode (IUM) processes, also known as Trustlets, using the virtual TPM of Microsoft Hyper-V as our target.