Security Review #247

I explain how I found and removed a backdoor in my Eight Sleep connected bed.

Attackers can use WMI malware for just about anything. Execution, persistence, lateral movement. This guide provides an overview of the main malicious WMI usages and how to detect them.

This article is an attempt to make the best and most comprehensive guide to hacking AI applications. We will learn about current AI models, get comfortable using and steering them, and study the different AI attack scenarios.

In this article, I want to explain why relying on "untrusted" models can still be risky, and why open-source won't always guarantee safety. To illustrate, I built my own backdoored LLM called "BadSeek".

This article explains how to setup a SDR (Software Designed Radios) to both receive and transmit data, and how to use it to perform a rolljam & replay attack against a car remote door opening key.

In this third and final part of the series, we will discuss how we bypassed the fix for CVE-2024-27848, a vulnerability which impacted storagekitd allowing an attacker to escalate their privileges to root. This bypass, dubbed CVE-2024-44210 also allowed full bypass of TCC.

We discuss Earth Preta's latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads, and maintain control over compromised systems.

I detail 3 Cross-Site Scripting vulnerabilities (XSS) in SolidJS: one in JSX fragments (CVE-2025-27109), one in metatages (CVE-2025-27108) and one in noscript.

In this blog post we discuss DOMPurify and its misconfigurations. We highlight things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

I present you quite a sneaky way to force users to press buttons. The most common dangerous button is an OAuth authorization confirmation, where a single press of the 'allow' button could give away your account to some malicious application. Expanding the proof-of-concept with an effective popunder to hide malicious activity, it quickly becomes a convincing attack.

$LogFile is packed with valuable forensic data, storing full details of changes to critical structures like the $MFT, $I30 indexes, $Bitmap, and even the $UsnJrnl itself. This article will explain how it can be used to to track file changes, recover deleted metadata, or reconstruct the timeline of an incident.

The Windows Registry is like the DNA of an operating system - it tracks system configurations, user settings, and most importantly, installed applications. For forensic investigators, this makes the Registry a valuable source of evidence, helping to identify what software has been installed, when it was installed, and even if it has been uninstalled but left traces behind.

For forensic investigators and cybersecurity professionals, tracking which files a user has trusted and enabled macros for is crucial. Microsoft Office maintains a TrustRecords registry key that logs this information. This key provides a long-term record of what documents were trusted, where they were stored, and when the user enabled macros or editing.

Exploring how temporary credentials obtained through AWS Instance Metadata Service can be extracted and used both inside and outside EC2 instances, and analyzing their visibility in CloudTrail logs.

This post recounts a critical flaw I discovered in a particular cloud service that enabled arbitrary account takeovers of all accounts, including administrators. The crux of the issue lay in a custom-coded administration panel that trusted users to not lie about who they were.

In this article, we will discuss what Data Streams are and how we can exploit them in pentesting or red team engagements. Additionally, explore how we can deliver exploits through these systems.

In this first part of the series, we will see how to setup a Flare-VM sandbox.

We explain the fakeCaptcha and ClickFix attacks and detail how they can be detected.

The protected_symlinks feature in the Linux kernel is an essential safeguard against TOCTOU race conditions and symlink-based privilege escalation. This article helps understanding how the protected symlinks feature works, including its limitations.

We detail how the legacy version 2.0.2 of the Truesight driver is exploited to deploy an EDR/AV killer module in its initial stage. It takes advantage of a Windows policy loophole allowing the driver to be loaded on the latest versions of Windows OS.

We detail how to remove electronic devices potted into polyester and eproxy resin compounds.

In the first episode of our series, we dive into Copilot Studio, Microsoft's low-code/no-code platform for building AI agents, and uncover a technique that could allow threat actors to identify exposed agents. We will see how it easily leads to confidential data extraction.

In this second part, I will provide on introduction on how to talk to the containerd using curl, in cases where you dont have access to the ctr tool and cant transfer it in.

I discovered a vulnerability in Sliver C2 teamserver (CVE-2025-27090) allowing attackers to open a TCP connection on the teamserver to an arbitrary IP/port, and read and write traffic through the socket. The consequences of exploiting this vulnerability could be anything from leaking teamserver IPs behind redirectors to moving laterally from the teamserver to other services.

In this article, I will share a tip for those interested in performing a more detailed analysis of the behavior of native methods, with a specific focus on the use of function pointers within the JNIEnv structure.

We investigate several issues in the Linux kernel vsock subsystem (including CVE-2025-21669, CVE-2025-21670, and CVE-2025-21666) that provide valuable insights into race condition bug patterns.

A vulnerability in Cyberhaven's browser extension allows attackers to steal arbitrary cookies when the victim visited and clicked on a malicious website. In this blog post, we will first cover the basics of web browser extensions and their security. We will then investigate the bug and understand how attackers could have abused it.

This article deep dives into an attack chain that begins with a simple CSPT gadget leading us to a self-XSS, which we manage to escalate into a full XSS.

A Step-by-Step Guide to Identifying and Exploiting Misconfigured AWS Buckets

In this article, we're here to talk about an unauthenticated Arbitrary File Read vulnerability we discovered in NAKIVO's Backup and Replication solution (CVE-2024-48248).

This first part of the series will give you an overview of the Xbox 360 system architecture, hypervisor, and security features it uses to prevent the console from being hacked.

In this final part, we will examine a custom-named pipe IPC protocol implemented by Bitdefender Total Security. We will explore how we could use COM hijacking and this custom communication to gain SYSTEM privileges (CVE-2023-6154). Lastly, we will demonstrate how COM hijacking can be exploited to perform a Denial-of-Service (DoS) attack on security products.

This article investigates a relatively new scam scheme. Malicious GitHub repo with all sorts of things - from Roblox and Fortnite mods to "cracked" FL Studio and Photoshop - host malwares that collects data and send them to to some discord server.

This article describes a simple technique that consists in returning specific SMB error codes to make Windows SMB clients fall back to the WebDav HTTP client if the latter is available. This, as a result, allows triggering HTTP authentications from an SMB connection in a multicast poisoning context, opening the door to a more powerful relaying primitive.

I collected three malware samples of different APT groups (SideWinder, Kimsuky, Gamaredon and Sidecopy) and studied their initial attack methods. I also provide YARA detection rules and IoCs.

In this post, we will look at how to start building a simple disassembler for reverse engineering a PE binary file targeting the Intel x86/64 architecture. We will explore two different disassembly techniques, called linear sweep and recursive traversal, highlight some of the weaknesses of these techniques, and identify some solid points with which to begin disassembly.

A common technique used by attackers in containerised environments is exploitation of the container runtime socket to move laterally or escalate privileges. In this first part of the series, we cover how to exploit the containerd socket using the 'ctr' command line tool.

In this part, we will address the concept of least privilege as it applies to Active Directory. Of the three principles of Zero Trust (verify explicitly, least privilege, assume breach), least privilege is the most achievable using native Active Directory features.

This blog explores advanced DNS Zone Transfer pentesting techniques that go beyond traditional strategies and the standard penetration testing playbook.

In this third part, we will cover the details of two vulnerabilities we found based on COM hijacking. The first (CVE-2023-7241) impacts Webroot Endpoint Protect, allowing to leverage an arbitrary file deletion to gain SYSTEM privileges. In the second case, we target Checkpoint Harmony (CVE-2024-24912) and use a file download primitive to gain SYSTEM privileges.

We identified a cluster of at least 16 malicious Chrome extensions used to inject code into browsers to facilitate advertising and search engine optimization fraud. The extensions span diverse functionality including screen capture, ad blocking and emoji keyboards.

In this article, we will learn how to hide shellcode payloads in plain sight by embedding them into image files, such as PNGs, using Python. We will discover how to store embedded images in the resources section of a binary file and extract the hidden payload using C/C++ for stealthy payload delivery and EDR evasion.

In this part, we will address SMB signing, used to ensure message integrity and preventing an NTLM relay attack.