Theory is when you know something, but it doesn't work. Practice is when something works, but you don't know why. Programmers combine theory and practice: Nothing works and they don't know why.
Starred Articles
We identified actors abusing Cascading Style Sheets (CSS) to evade spam filters and detection engines, and track users' actions and preferences.
This article details Process Herpaderping, a powerful security bypass technique that disguises malicious execution by making the process appear different in memory than on disk, confusing security software.
Off the Beaten Path: Recent Unusual Malware
03/14/2025 We analyze several new malware samples with unique characteristics: a passive Internet Information Services (IIS) backdoor, a bootkit that uses an unsecured kernel driver to install a GRUB 2 bootloader, and a Windows implant of a cross-platform post-exploitation framework.
You are more likely to get a certificate during ADCS exploitation; however, what are the options for using it? This article covers them. Besides the basic way of obtaining a TGT ticket, you will learn about intercepting encrypted HTTPS traffic, code signing, and even SSH authentication.
New Articles
CVE-2025-1767 - Another gitrepo issue
03/14/2025 CVE-2025-1767 is a Kubernetes security vulnerability in the gitRepo volume type. It can allow users who can create pods with gitRepo volumes to get access to any other git repository on the node where the pod is deployed.
We uncovered a previously unknown brute-forcing infrastructure utilized by Black Basta members. In this article, we provide a technical analysis of the source code of the brute-forcing framework, as well as an overview of the complete attack chain.
Android Kernel Adventures: Insights into Compilation, Customization and Application Analysis
03/17/2025 Understanding the inner workings of the Android kernel can significantly enhance the work of vulnerability researchers, providing valuable insights into vulnerabilities within the Android operating system.
Cleaning up SID History is an important but often forgotten step. By leveraging CleanupMonster's Invoke-ADSIDHistoryCleanup, you have a safer path to gradually remove stale SID entries, maintain a cleaner Active Directory, and strengthen security.
Firefox cache can be a goldmine of evidence. This cache stores web pages, images, and files locally to improve browsing speed, providing forensic investigators with a window into the user's browsing history and downloaded content.
Web browsers are treasure troves of digital artifacts, often holding crucial evidence in forensic investigations. Among them, Mozilla Firefox stands out with its rich history storage, cookie management, and download tracking.
In this article, we provide a detailed analysis of Windows Sandbox. We explore its features, abuse techniques, forensic investigation methods, and defence strategies.
AnyDesk is a Remote Monitoring and Management (RMM) tool that Threat Actors love to abuse. This article discusses what AnyDesk is, why Threat Actors love to use it, and how to investigate artifacts associated with the tool.
In this article, we'll explore the native sync options that may allow a threat actor to obtain a local copy of your SharePoint site's contents.
This article details the different flags that are available in TCP packets and summarizes the different detections that can be made based on their usage by malicious tools.
This article will dive into both how threat actors (TA) leverage AWS' Simple Notification Service (SNS) and how to hunt for indicators of abuse using that data source.
Introduction to YARA
03/11/2025 YARA is an essential tool for security professionals looking to identify and classify malware samples based on textual or binary patterns. This article details what makes YARA so powerful, and how you can start leveraging it in your security workflows.
We uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects. This variant features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. In this blog, we discuss how this variant's different modules work together in achieving the malware's goals.
Understanding Elevate Access mechanism, its implementation, and logs where activities are recorded
03/13/2025 This article aims to provide a deeper technical understanding of the Elevate Access mechanism, including its underlying implementation, the specific logs where activities are recorded, when you don't need Elevate Access to get the same permissions, and the practical techniques attackers use to leverage it.
A supply chain attack on popular GitHub Action tj-actions/changed-files caused many repositories to leak their secrets. Discover how it unfolded and the steps to mitigate the risk.
We detail SAMLStorm, a vulnerability that affects the xml-crypto Node.js library (CVE-2025-29775 & CVE-2025-29774). This flaw allows attackers to forge SAML authentication responses. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).
Bypassing Authentication Like It's The '90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS
03/17/2025 We found 3 vulnerabilities in Kentico's Xperience CMS: two authentication bypasses, and a post-authentication remote code execution. In this article, we'll take you on our journey that allowed us to build exploit chains to achieve Remote Code Execution against (at the time) fully patched Kentico Xperience CMS deployments.
CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution
03/16/2025 CVE-2025-24016 is a critical remote code execution (RCE) vulnerability affecting Wazuh, a widely used open-source security information and event management (SIEM) platform. This vulnerability stems from unsafe deserialization of DistributedAPI (DAPI) parameters, allowing an attacker with API access to execute arbitrary Python code on the Wazuh server.
Investigating Bolt, an open-source content management system, we found that temporary files are used insecurely when uploading an avatar from a URL, leading to arbitrary file disclosure (CVE-2025-25599).
In this blog post, we will show you 2 Remote Code Execution vulnerabilities in the Veeam Backup & Response solution, which are based on deserialization gadgets existing in the Veeam codebase. These vulnerabilities can be exploited by any user who belongs to the local users group on the Windows host of your Veeam server.
CVE-2024-10095 is an insecure deserialization vulnerability in Telerik UI for WPF. In this blog post, I'll walk through the entire process, from dissecting the patch to crafting a working exploit.
SAML roulette: the hacker always wins
03/18/2025 In this post, we'll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library.
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. This article aims to provide a technical analysis of ClearFake's latest variant, focusing primarily on the interactions with the Binance Smart Chain.
In this blog post, I'll break down the technical details of CVE-2024-33452, an HTTP request vulnerability in the OpenResty module of Nginx. I will review its impact, and the attack scenarios it enables, such as XSS distribution to all web clients, front-end proxy protection bypass, or theft of other users' data.
The inventory feature in GLPI is vulnerable to an unauthenticated SQL injection (CVE-2025-24799). By exploiting this vulnerability, it is possible to obtain a valid GUI session, then exploit a local file inclusion vulnerability using the PDF export feature and achieve remote code execution on vulnerable instances (CVE-2025-24801).
We successfully bypassed Windows Defender Application Control (WDAC) and executed our Stage 2 Command and Control (C2) payload using the following techniques: use a known LOLBIN, DLL side-load a trusted application with an untrusted DLL, exploit a custom exclusion rule, and finally find a new execution chain in a trusted application that allows C2 deployment.
When a specially crafted .library-ms file containing an SMB path is compressed within a RAR/ZIP archive and subsequently extracted, Windows Explorer automatically parses the contents of this file. Attackers exploit this implicit trust and automatic file processing behavior to leak credentials, which can then be utilized for pass-the-hash attacks or offline NTLM hash cracking.
We provide a technical analysis of a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
This article details how Azure app proxy pre-authentication set to Passthrough may unintentionally expose private network resources.
Privilege Escalation in Plantronics Hub
03/14/2025 The blog post describes how an unquoted search path vulnerability in the Plantronics Hub could result in OpenScape being used to execute arbitrary files under C:\, if incorrect permissions are assigned to that path. This attack also escalates privileges to the local administrator if an administrator starts the OpenScape application.
!exploitable - Part 3: Devfile Adventures
03/18/2025 We will dive into the exploitation of CVE-2024-0402 in GitLab. Like an onion, there is always another layer beneath the surface of this bug, from YAML parser differentials to path traversal in decompression functions in order to achieve arbitrary file write in GitLab.
We provide technical analysis of CVE-2025-0927, an out-of-bounds write vulnerability in the HFS+ driver of the Linux kernel that achieves local privilege escalation. We also define the exploitation strategy and provide a PoC exploit.
Leaking Passwords (and more!) on macOS
03/20/2025 This article discusses CVE-2024-54471, a vulnerability in macOS. It allows unauthorized processes to exploit a specific service, NetAuthAgent, to access sensitive credentials like file server passwords stored in the macOS Keychain.
Jumpserver is an open-source Privileged Access Management (PAM) tool. In this article, we will focus on the authentication bypass vulnerabilities (CVE-2023-43650, CVE-2023-43652, CVE-2023-42818, CVE-2023-46123), which allow attackers to impersonate users and pave the path for exploiting subsequent vulnerabilities.
In this blog, we explore CVE-2024-53991, a vulnerability due to a subtle yet impactful interaction between Rack/Rails and Nginx that can inadvertently expose restricted endpoints. Specifically, we examine how the send_file method, when paired with certain Nginx configurations, can bypass access controls under specific conditions, turning a security feature into a potential attack vector.
An open redirect vulnerability is a common security flaw that allows attackers to redirect users to malicious websites. This vulnerability occurs when a web application accepts user input for URLs without proper validation or control. This is a step-by-step guide to discovering and exploiting such bugs.
Still Recent
Domain generation algorithms (DGAs) dynamically generate many domain names to serve as communication points for malware, and are a big challenge to cybersecurity. This article explains how DGAs work and how they can be mitigated using advanced detection methods such as DNS traffic analysis, entropy analysis, and machine learning.
In this blog post we explore using Binary Ninja and emulation to address obfuscation implemented by an open source obfuscator named Garble that is used by red team operators and malware authors to inhibit reverse engineering efforts.
Microsoft has recently introduced a new telemetry feature in Defender for Endpoint: Aggregated Reports. This new telemetry provides new opportunities for detecting malicious activities. In this post, I will demonstrate how we can leverage Aggregated Reports to identify C2 beaconing activity.
Oldies but Goodies
We are going to create a basic shellcode loader in Lua and embed it into a Rust program. We will then create the same basic shellcode loader in Rust and see how they fare against each other in terms of detection.
Compromising Threat Actor Communications
01/01/2025 This blog post highlights how we as defenders, or cyber-threat intelligence analysts, can exploit certain pitfalls in the way Telegram-based malware operates - in order to compromise C2 communications and disrupt adversaries.
In this article, we're going to be revisiting a tried and true UAC Bypass method that still works just fine, relying on path traversal. We will also review some older ones, now fixed but still interesting to know about: DLL sideloading, trusted folder mocking, and UI access token duplication.
Unearthed Arcana
In this blog, we will examine what DCOM and ActiveX are, how they work, and the potential security risks associated with using them to run commands remotely through Internet Explorer.