Sometimes the problem has to mature before the solution can mature.
Starred Articles
Trust Me, I'm a Shortcut
02/13/2026
Windows' primary mechanism for shortcuts, LNK files, is frequently abused by threat actors for payload delivery and persistence. This blog post introduces several new LNK file flaws that, amongst other things, allow attackers to fully spoof an LNK's target. It also introduces lnk-it-up, a tool suite that can generate such deceptive LNK files, as well as detect anomalous ones.
This post analyzes the evolution of endpoint evasion techniques from 2020 to 2025. It covers BYOI, BYOVD, DLL hijacking, service tampering, and other sophisticated methods attackers use to bypass EDR and AV. Real-world ransomware cases and vendor impact are discussed, along with defensive insights.
This article introduces a prompt injection taxonomy, providing structure and context to help the community better understand what "prompt injection" really means and how these techniques work in practice.
Skills introduce common threats, like prompt injection, supply chain attacks, RCE, data exfiltration... This post discusses some basics, highlights the most simple prompt injection avenue, and shows how one can backdoor a real Skill from OpenAI with invisible Unicode Tag codepoints that certain models, like Gemini, Claude, Grok are known to interpret as instructions.
Investigating Windows Registry
02/13/2026
The Windows Registry - particularly its hives, transaction logs, and timestamps - provides the most reliable evidence of system activity on Windows 10/11. In this article, we highlight the most forensically valuable keys and explain how to correlate them to attribute actions to specific users and devices.
Initial Access: The Art of Getting In
02/15/2026
A comprehensive red team guide to Initial Access: Payload Development, HTML Smuggling, Phishing, AitM/MFA Bypass, Password Spraying, Exploiting Public-Facing Applications, Vishing, Physical Access, Supply Chain attacks with real-world APT case studies.
New Articles
Log Poisoning in OpenClaw
02/17/2026
Technical analysis of a log poisoning vulnerability in OpenClaw within the WebSocket handler including PoC, exploitation scenarios, and security best practices for AI assistants.
We discovered a buffer overflow vulnerability within the authentication daemon of a High Performance Computing (HPC) cluster, Munge. This article will provide details about the exploit, as well as some understanding about how High Performance Computers work in general, and give a quick overview of Slurm and Munge.
Kerberos is often a target for adversaries trying to either steal or forge Kerberos tickets. In this blog we explore some hunting and detection possibilities that allow us to pinpoint potential abuse of Kerberos within an environment.
Cooking with x64dbg and MCP
02/12/2026
A cookbook that will help level up reverse engineering and bug hunting with the newly released x64dbg Automate MCP server and x64dbg-skills. We'll walk through some of the functionality and skills provided, to give a good idea how to use the x64dbg Automate MCP server.
A New RAT and a Hands-on-Keyboard Intrusion
02/16/2026
ClickFix infection deploys Matanbuchus 3.0 loader and drops a new RAT that we've dubbed AstarionRAT. We break down the layers and the hands-on intrusion that followed.
Securing Entra ID Administration: Tier 0
02/10/2026
Entra ID (formerly Azure AD) is the core service upon which Microsoft 365 applications rely for directory and authentication services. This blog covers the key concepts around securing the most privileged accounts in Entra ID, which are considered Tier 0.
The AI Identity Theft: Real-World Infostealer Infection Targeting OpenClaw Configurations
02/16/2026
We detected a live infection where an infostealer successfully exfiltrated a victim's OpenClaw configuration environment. In this article we analyse the payload to find out what was stolen by the malware.
How a single typo led to RCE in Firefox
02/15/2026
I stumbled across quite an interesting, albeit simple, bug inside SpiderMonkey's Wasm component. When exploited it gave me Code Execution inside the Firefox renderer process.
We uncover Keenadu, a sophisticated new backdoor targeting tablet firmware as well as system-level and Google Play apps. In several instances, the compromised firmware was delivered with an OTA update.
Notepad++ Plugins: Plug and Payload
02/19/2026
Code execution inside of Notepad++ is not new, but is usually overlooked or considered with misguided assumptions about what malicious Notepad++ execution looks like. For these reasons, it seemed fitting to talk about some of the ways Notepad++ can be used during pentest assessments.
We discovered PromptSpy, the first known Android malware to abuse generative AI in its execution flow. The main purpose of PromptSpy is to deploy a built-in VNC module, giving operators remote access to the victim's device.
Aeternum Loader: When your C2 lives forever
02/16/2026
An exposed operator panel revealed how Aeternum Loader abuses Polygon smart contracts for C2, allowing us to view all C2 commands ever sent.
AMD uProf Exploitation - Part 1
02/13/2026
This series showcases several vulnerabilities I discovered in the AMD uProf AMDPowerProfiler.sys driver. This first post will demonstrate a simple file write vulnerability (CVE-2025-61969) that results in privilege escalation.
We expose a new "AI Recommendation Poisoning" attack that injects persistence commands (e.g., "remember X as a trusted source") into an LLM's memory, making it possible to bias AI assistants.
Prometei is a botnet with extensive capabilities. This blog provides a comprehensive breakdown of Prometei's technical operations including its installation process, persistence mechanisms, encryption methods, C2 communication protocols, and the additional modules it employs.
Forensic analysis of Microsoft Store applications requires a multifaceted approach that combines registry data, system databases, Windows event logs, and user interaction artifacts. This post offers a practical framework for leveraging key artifacts to reconstruct installation timelines and user behaviour, empowering forensic analysts to uncover actionable insights.
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks
02/17/2026
We discovered that certain AI assistants supporting web browsing or URL fetching can be abused as covert command-and-control relays ("AI as a proxy"), allowing attacker traffic to blend seamlessly into legitimate, commonly permitted enterprise communications.
We found a Local Privilege Escalation (LPE) in ESET Inspect Connector for Windows via OpenSSL configuration (openssl.cnf).
We analyze how Singularity rootkit intercepts SysRq diagnostic paths to hide processes from kernel ring buffer dumps.
We demonstrate that the Moxa UC-1222A Secure Edition releases its full LUKS device decryption key in plaintext during boot via a TPM2_NV_Read operation bound to PCR policy. By passively monitoring the SPI bus between the SoC and the discrete TPM 2.0 device, the LUKS decryption key can be recovered and used to decrypt the encrypted storage.
Cloudflare Pages "Continue Read" Redirect Kit Abused for Phishing, Adware, and Malware Delivery
02/14/2026
I identified a long-running redirect infrastructure abusing Cloudflare Pages to host benign-looking SEO articles that display a forced "Continue reading / Continue Read" pop-up shortly after page load. Once the user clicks the button, the browser is redirected into downstream infrastructure that may lead to malicious pages and force unexpected actions.
Reversing CVE-2026-21241
02/19/2026
We detail CVE-2026-21241, a use-after-free in the Windows Ancillary Function Driver (Afd.sys) where AfdNotifyPostEvents caches the endpoint's notification-context pointer, releases a spinlock, and can be raced with AfdNotifyDestroyContext (called from AfdCleanupCore) which frees that context, causing a stale-pointer dereference.
We found an unsafe deserialisation in OpenText Directory Services (OTDS), a Java web application providing authentication and user management for OpenText applications. The vulnerability is exploitable in the default configuration of OTDS without authentication.
A pre-auth SSRF in TRUfusion Enterprise (CVE-2025-32355) allows external attackers to reach internal-only services via a misconfigured reverse proxy. This SSRF can be chained with the default password trubiquity and an additional path traversal vulnerability in the WsPortalV6UpDwAxis2Impl service (CVE-2025-59793) to achieve pre-auth remote code execution.
Technical analysis of a ClickFix campaign delivering Cuckoo Stealer through fake Homebrew typosquat domains. Includes infrastructure pivots, HuntSQL queries, C2 details, persistence, and more.
Still Recent
PeckBirdy is a sophisticated JScript-based C&C framework used by APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and government entities.
In this article we will see how to use the Antimalware Scan Interface (AMSI) to speed up the analysis of malicious scripts, and how it helps skip the deobfuscation steps and retrieve IOCs more effectively.
Technical analysis of CVE-2025-61922 leading to zero-click account takeover in PrestaShop Checkout.
Deep technical analysis of CVE-2026-25049: How type confusion bypassed n8n's security patch and why TypeScript types aren't runtime security boundaries.
Oldies but Goodies
TP-Link Router Deep Research
11/15/2025
In this blog we will work on the TP-Link TL-WR841N router, and go from 0 (sealed router) to reversing the u-boot by physically extracting the firmware as well as analyzing internal binaries and potential vulnerabilities.
Unearthed Arcana
In this first part of the series, we will be discussing a classic buffer overflow without any memory protections such as DEP or ASLR.
How to Use Ghidra to Analyse Shellcode and Extract Cobalt Strike Command & Control Servers
12/08/2023
We perform manual analysis of Cobalt Strike shellcode with Ghidra. We will identify function calls and resolve the API hashing mechanism.
Data Execution Prevention (DEP) is a memory protection mechanism that prevents code from being executed in areas of memory used to store data such as the stack and heap. In this part, we will write a buffer overflow that is able to bypass DEP protection.
Structured exception handling (SEH) is a Windows mechanism for dealing with hardware and software exceptions using a data structure called a linked list. In this second part, we will write a buffer overflow that overwrites the SEH to redirect the execution flow of the program.
In this third part, we will address egghunters, short pieces of assembly code which are safely able to search the Virtual Address Space (memory) for a signature or an "egg" which is a short string signifying the beginning of a larger payload.