Security Review #264

In this blog post, I'll present an interesting method to social engineer users into executing OS commands without leaving the browser. I'll be referring to this method as FileFix Attack.

We detail a persistence technique that relies on the RegisterApplicationRestart Windows API call. This essentially hijacks the shutdown process and only requires Shutdown Privileges, which come with essentially every process on Windows, so no administrator privileges needed.

Desktop applications on Windows, Linux, and macOS often handle sensitive information that is not cleared after use. Sensitive information can persist in RAM, making it accessible to anyone with sufficient privileges to inspect memory.

Ubuntu introduced sandbox mechanisms to reduce the attack surface, and they seemed unbreakable. However, after carrying out in-depth research, we found that the implementation contained some issues, and bypassing it was not as difficult as expected. This post will explain how we began our research at the kernel level and discovered a bypass method.

Passkeys promise an elegant, phishing-resistant future, but the journey from smart card to seamless single-click login seems still bumpy. We will build a fully scriptable, software-only authenticator that sails through most real-world WebAuthn flows. At the end of the day, this shows that while the crypto is solid, the surrounding UX and policy checks remain soft targets.

Google reCAPTCHA Enterprise stands out as one of the most advanced bot protection systems in this line-up. It is capable of analyzing user behavior and blocking suspicious activity. Let’s break down what reCAPTCHA Enterprise is, how it differs from versions v2/v3, and why it is so difficult to bypass.

This article explores a technique to bypass Userland based hooks, such as those implemented via LD_PRELOAD by leveraging io_uring, a modern Linux kernel interface for asynchronous I/O. By bypassing traditional libc wrappers, it's possible to evade detection or interference by such malicious userspace mechanisms.

We identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes.

In this post, we will explore how seemingly innocuous leniencies in the parsing of chunked message bodies, particularly in line terminators, can result in request smuggling vulnerabilities in widely-used servers and proxies. I will share new exploitation techniques and payloads, methods for black-box detection, and a few recent vulnerabilities found in well-known HTTP implementations.

How overlooked objects in AD's Recycle Bin can become a goldmine for attackers. In this article, we'll dig into how the AD Recycle Bin works, how attackers can exploit it to gain elevated access, and how defenders can detect and mitigate these risks before they become real threats.

This blog explores three real-world cases - Citrix ADC (CVE-2023-3519), Cisco IOS XE (CVE-2023-20273), and Ivanti Connect Secure (CVE-2024-21893) - where patching alone failed to remove persistent backdoors from edge devices. We detail how these implants worked, how they evaded detection, and how to ethically scan for backdoors left behind.

This article addresses a vulnerability (CVE-2025-48703) that permits an unauthenticated remote attacker to execute arbitrary commands on a CentOS Web Panel server, given knowledge of a valid username.

In this article, I'll walk you through setting up a complete Mythic C2 framework with robust HTTP/HTTPS redirectors, designed to obscure your true C2 infrastructure from direct internet exposure. While initial deployments can be quickly spotted, the techniques we're covering here are a significant leap toward more robust operations.

Google Analytics and marketing tools like HubSpot leave behind tracking cookies on devices, and guess what? These aren’t just marketing gold - they're digital breadcrumbs that we, as forensic investigators, can use to understand a user's activity.

We detail how Account Operators can compromise an Active Directory domain by using Incoming Forest Trust Builders and DnsAdmins to create a trust with TGT delegation enabled.

We detected a surge in ClickFix campaigns, using GHOSTPULSE to deploy Remote Access Trojans and data-stealing malware. This post provides an in-depth analysis of its components, the techniques employed, and the malware it ultimately delivers.

In this final part of the series, we analyze cryptominers and reveal a novel technique to shut down mining botnet campaigns.

This blog post examines the biometric authentication mechanisms implemented in Windows Hello for Business (WHfB). We begin by presenting a comprehensive overview of the authentication process. Following this, we highlight specific components of the procedure targeted in the past by attackers and explain the nature of a recently discovered vulnerability.

We explore the _PyRuntime structure in CPython and demonstrate how to navigate from the _PyRuntime structure down to the current execution frame, extract local variables, and analyze bytecode execution.

An analysis primarily of Kerio Control revealed a design flaw in the implementation of the communication with GFI AppManager, leading to an authentication bypass vulnerability in the product under audit. Once the authentication bypass is achieved, the attacker can cause the execution of arbitrary code and commands.

NTUSER.DAT is a user-specific registry hive that stores configuration information, application settings, and user behavior artifacts. It is essentially a snapshot of a user’s environment and activities. This NTUSER.DAT forensics guide details what NTUser.dat is, its forensic importance, key artifacts, and so much more.

In Go applications, parsing untrusted data creates a dangerous attack surface that’s routinely exploited in the wild. This post contextualizes these unexpected parser behaviors through three attack scenarios that every security engineer and Go developer should understand: (un)marshaling unexpected data, parser differentials, and data format confusion.

This post introduces a four-level maturity framework for designing protocols that can tolerate key compromise, progressing from single EOA control to radical immutability, with practical examples demonstrating multisigs, timelocks, and the principle of least privilege.

Electromagnetic fault injection, or EMFI for short, is a technique used to intentionally introduce faults into electronic systems. By directing high-intensity electromagnetic pulses at a target device, attackers can induce bit flips, crashes or logic errors. In this article, we show a newly discovered fault injection attack on the nRF54L15 microcontroller.

It's difficult to show impact for Server-Side Request Forgery (SSRF) vulnerabilities when you cannot see the full HTTP response. Our research team details a novel technique that allowed for us to leak the full HTTP response, even though the SSRF seemed like it was blind.

We detail the root cause and a simple PoC for CVE-2025-5959, a type confusion vulnerability in V8 in Google Chrome.

We discovered a sophisticated malware infection chain employing a corrupted version of the jQuery Migrate library during a routine investigation that was prompted by unusual online behavior. This blog outlines our comprehensive technical analysis of the infected file, the behavior of the injected malware, and how Parrot TDS was used as a delivery mechanism.

Understanding the chain of RDP-related Event IDs allows defenders to reconstruct session activity, identify unauthorized access, and correlate logins, re-connections, and logoffs. This blog post breaks down key RDP events and presents a timeline-style visualization of an RDP session lifecycle.

In the first post of the series, we will see how attackers can get the first foothold within an organization by exploiting CVE-2025-22855, which allows an attacker to execute arbitrary code on a victim's machine running FortiClient when a user opens a malicious link.

In this second part we will perform an actual buffer overflow using the memory address within a specific function call that we need to load in order to execute the calculator.

We detected a unique tactic combination for bypassing secure email gateways (SEGs). Threat actors have combined a long-lived domain with a unique CAPTCHA page and anti-automated analysis measures. Each technique is effective in hampering automated and manual analysis; however, the combination of techniques demonstrates remarkable sophistication from the threat actor.

Once a user is authenticated through Entra ID, they remain signed in as long as the session is valid. Forcing a fresh sign-in adds an extra layer of security by reducing the risk of session hijacking and token replay attacks. It also prevents attackers from maintaining persistence across services and devices, limiting their ability to move laterally within the environment.

We explain describes how to break Android decompilers like JADX and unpackers like APKTool by carefully corrupting the binary structure of the AndroidManifest.xml file inside an APK.

We identified five security issues in Wire's file-sharing system: incomplete deletion of assets, local persistence of decryption keys after expiration, missing access control for some downloads, ability to infer the client used, and excessive asset retention from Android clients.

We discovered a critical vulnerability in open-vsx.org, the open-source VS Code extensions marketplace. By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX, providing attackers full control over the entire extensions marketplace, and in turn, full control over millions of developer machines.

In this post we follow breadcrumbs sprinkled across the Internet's past in an attempt to understand BPFDoor potential code origin which span almost 20 years ago. We also uncover a fork or early version which appeared in the wild in 2016.

We detail how we exploited a remote code execution (RCE) vulnerability in the Monero forums using a technique called wrapwrap, which abuses PHP stream filters to bypass MIME-type checks.

Recent BPFDoor variants avoid existing detections. In this second part, we will take a look at samples found in significant telecommunications provider breach.

We explore a novel approach to remote process injection that minimizes detection and reduces telemetry. The goal is to perform remote memory allocation, reading, and writing using only the permissions PROCESS_CREATE_THREAD and PROCESS_QUERY_LIMITED_INFORMATION - bypassing more commonly used flags like PROCESS_VM_WRITE and PROCESS_VM_OPERATION.

Cracking passwords at scale requires serious GPU power - and serious money. In this post, I'll show you how I integrated Hashtopolis , a powerful tool for distributed hash cracking; Vast.ai , a platform offering affordable on-demand GPU instances; and Cloudflare Tunnel into a scalable, budget-friendly cracking setup.

Doppelganger is a custom-built tool designed to dump LSASS in modern, heavily defended Windows environments where traditional memory access techniques no longer work. Instead of attacking LSASS directly, Doppelganger uses an advanced strategy: process cloning. In this article we detail how Doppleganger was designed and how it works.

The term "fault injection" refers to a class of vulnerabilities in which attackers deliberately attempt to create error states in systems. These error states lead to abnormal system behavior and can be exploited to circumvent security restrictions. In this article, we show a fault injection attack on the STM32L051 microcontroller.

While Golden SAML attacks are less frequent than other attacks, their impact can be huge, as they can compromise every account in your organization. In this blog, we'll explain how Golden SAML attacks work and what you can do to protect against them, with a particular focus on how they can impact Microsoft Entra deployments.

Brief overview of Map related vulnerabilities in v8. We explores how "Map" objects in V8 JavaScript engine (a.k.a. hidden classes) can be manipulated, mismanaged, or exploited - especially in the context of JavaScript Just-In-Time (JIT) compilers and memory corruption vulnerabilities.

In this first part of the series, we examine cryptocurrency fundamentals, including which mining topologies used by attackers and why.

This second part presents a comprehensive analysis of active campaigns that exploit different mining topologies.

While looking for an API to use with Home Assistant, I found a remote code execution vulnerability in Loftie WiFi-connected alarm clock: the backend infrastructure is open to the public with no meaningful authentication. Worse, the clocks can be remotely updated with unsigned firmware from an arbitrary URL, giving a potential attacker a foothold on over 40,000 WiFi networks.

CVE-2025-3248 is a critical code injection vulnerability affecting Langflow, a popular tool used for building out agentic AI workflows. This vulnerability is easily exploitable and enables unauthenticated remote attackers to fully compromise Langflow servers.

Discover how to exploit the certifried vulnerability easily with bloodyAD.

If you only have access to a valid machine hash, you can leverage the Kerberos S4U2Self proxy for local privilege escalation, which allows reopening and expanding potential local-to-domain pivoting paths, such as SEImpersonate.