Security Review #271

In this blog post, we'll detail how attackers can exploit image scaling on Gemini CLI, Vertex AI Studio, Gemini's web and API interfaces, Google Assistant, Genspark, and other production AI systems. We'll also explain how to mitigate and defend against these attacks, and we'll introduce Anamorpher, our open-source tool that lets you explore and generate these crafted images.

This blog discusses the different elements that make up a ClickFix campaign - from the arrival vectors it comes with to its various implementations - and provides different examples of threat campaigns we've observed to further illustrate these elements. We also provide recommendations and detection details to surface and mitigate this threat.

Chromium based browsers have shifted from using the user’s Data Protection API (DPAPI) master key and started using Application Bound encryption primitives to protect cookie values. Threat actors can still steal a user’s cookies via custom extensions, enabling the remote debugging port, calling the DecryptData COM function, or recreating the Application Bound decryption process as SYSTEM.

We'll be discussing how and why threat actors use Scheduled Tasks to maintain persistence: it works, it's native to Windows, and doesn't require a 0-day. We will also detail how threat actors abuse Windows Scheduled Tasks, and how to detect malicious tasks in your investigations.

In this article, I will present how to exploit a process protected by PPL to interact with other protected system components, which cannot be accessed by a normal process without the support of Windows drivers (even if you have SYSTEM or TrustedInstaller privileges). After that, I will experiment with using an existing PPL program on Windows to overwrite the service file of Windows Defender.

In this second part of the series, we'll dive into real-world cases of postMessage exploitation, starting with simple mistakes and progressing to more complex scenarios.

This comprehensive article explores ten critical authentication domains, examining both insecure implementations that create vulnerabilities and secure-by-design approaches that form the foundation of enterprise security. Each domain includes advanced concepts, real-world attack scenarios, defensive strategies, and practical code examples for security architects and engineers.

We detail a new technique to trick the Delinea URL Handler and enforce the trigger of a software update, downloading and running an MSI from an arbitrary location. This technique bypasses the patch for CVE-2024-12908.

We are exploring the SpAIware attack against Windsurf Cascade, which allows memory persistent data exfiltration.

This blog post examines a campaign where Microsoft Teams was used as the initial social engineering vector to distribute a PowerShell-based payload. We will analyze the initial access mechanism, unpack the payload's functionality, and provide key indicators of compromise to aid defenders in detection and response.

Technical analysis and detection methodology for CVE-2025-43300, a critical 0-click RCE vulnerability in Apple's DNG image processing.

We'll dissect a real-world, Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file. The payload isn’t hidden inside the file content or a macro, it's encoded directly in the filename itself. Through shell command injection and base64 encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.

Alignment refers to the practice of placing data or code at memory addresses that are multiples of a specific value, typically a power of 2. This blog post explores how alignment is represented and managed as C++ code is transformed through the compilation pipeline: from source code to LLVM IR, assembly, and finally the object file. We'll focus on alignment for both variables and functions.

AWS Kiro was vulnerable to arbitrary command execution via indirect prompt injection. In particular two attack paths that enabled this were identified: allowlisting arbitrary Bash commands and adding malicious MCP servers.

When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LDAP, then execute tooling through the SOCKS5 proxy to complete LDAP- related objectives completely off-host.

When a chat conversation is poisoned by indirect prompt injection, it can result in the exposure of GitHub tokens, confidential files, or even the execution of arbitrary code without the user's explicit consent. In this blog post, we'll explain which VS Code features may reduce these risks.

Device enrollment restriction feature is based on device ownership prevents attackers from enrolling a fake device into Intunes and doing bad things. Since many organizations have this restriction configured, I investigated possible bypass techniques and, as a result, I identified several methods to bypass the restriction, spoof device ownership and get persistent access to Intune.

Cline, a popular AI coding agent, is vulnerable to data exfiltration through the rendering of markdown images from untrusted domains in the chat box.

We have observed a new loader, QuirkyLoader. The multi-stage infection begins with an email delivering an archive that contains three key components: a legitimate executable, an encrypted payload and a malicious DLL. Leveraging DLL-sideloading technique, the malware loads, decrypts and injects the final payload into its target process.

In this part of the series, I will introduce you to tools that allow you to find running RPC servers on a system, and we will also touch on some RPC server security issues.

In this post, we will walk through the entire journey to replicate the single-request chain from authentication bypass to remote code execution (RCE) in Microsoft SharePoint: sharing resources and tips for setting up a SharePoint target, preparing a debugging environment, and walking step-by-step through debugging and code review.

In this blog post, I'll explain postMessage vulnerabilities in modern web applications and share 10 real-world findings. The first part will cover the essential concepts needed to understand cross-origin communication

This post will explore and explain in detail how there can be data spill between connected tools during Deep Research. The research is focused on ChatGPT but applies to other Deep Research agents as well.

We provide a technical analysis of the Silver Fox APT which involves the abuse of a previously unknown vulnerable driver, amsdk.sys to terminate protected processes (PP/PPL) associated with modern security solutions, allowing EDR/AV evasion. The final payload delivered in all observed samples was ValleyRAT, a modular Remote Access Trojan.

We look into the Windows clfs.sys driver vulnerability (CVE-2025–29824) that allows attackers to escalate privileges within the operating system.

We detail how a feature implemented more than a decade ago in AION MMO turned out to be vulnerable to code execution in a surprisingly simple way.

We provide a technical analysis of Bqtlock, which is operating under a Ransomware-as-a-Service (RaaS) model. It leverages a range of anti-analysis techniques, including string obfuscation, debugger detection, and virtual machine evasion, to avoid detection and analysis.

In this blog post, I’ll share a new, simple approach I developed that successfully bypasses almost all EDRs I’ve tested while extracting Windows secrets and credentials. We'll discuss how they are stored, how they are usually extracted, how EDR detect extraction techniques, and how we can bypass such detections.

Using KQL to detect the Manualfinder/PDF Editor malware campaign. A widespread campaign using Google Ads to deliver infostealers and other malware.

We analyze Cornflake.V3, a backdoor written in JavaScript or PHP that retrieves payloads via HTTP. Supported payload types include shell commands, executables and dynamic link libraries (DLLs). It collects basic system information and sends it to a remote server via HTTP. It has also been observed abusing Cloudflare Tunnels to proxy traffic to remote servers.

This post demonstrates an end-to-end indirect prompt injection attack leading to a compromise of Manus' dev box, a powerful, easy to use, autonomous agent.

The full chain of a pen-test exercise against Azure-hosted services, from enumeration to RCE through credential theft and pivoting.

This is the story of a journey to create a reverse shell shellcode. I started to explore the concept of an in-memory shellcode loader using APIs from the Wininet.h library, became interested in using only x64 assembly, leading me to make it PIC friendly. Furthermore, I also wanted to include the use of syscalls to help reduce detection at the EDR layer.

We detail an uXSS vulnerability in Opera browser which allows to leak URLs of other origins and get user private info. Chaining with another OAuth trick we were able to takeover all accounts on the web which uses OAuth.

This blog provides a comprehensive technical deep dive into PipeMagic's internal architecture, modular payload delivery and execution mechanisms, and encrypted inter-process communication via named pipes.

Imagine a malicious instruction hidden in plain sight, invisible to you but not to the AI. This is a vulnerability discovered in Windsurf Cascade, it follows invisible instructions. This means there can be instructions in a file or result of a tool call that the developer cannot see, but the LLM does.

Mythic's browser scripting provides tons of flexibility that operators can tailor to their unique needs to best analyze the data provided to them, beyond raw text output. Developers can further enable the operator experience by ensuring the agents are designed around using structured data in message responses.

A critical vulnerability has been discovered in the Python-Future module that allows for arbitrary code execution through the unintended import of a file named test.py. This vulnerability (CVE-2025–50817) affects python-future, a widely-used module that helps maintain compatibility of legacy code with the latest Python features.

We demonstrate how the way credentials are processed can lead to a known risk when tasks with different privilege levels share the same EC2 host. This cross-task credential exposure highlights the inherent risks of relying on per-task IAM scoping and task execution boundaries when workloads share the same EC2 instance, and it underscores why Fargate offers stronger isolation.

When running containers on Amazon ECS using EC2 instances, there's a lot happening under the hood on each host. In this first part of our deep-dive, we'll explore how ECS on EC2 works - focusing on the ECS agent, the IAM roles and credential delivery mechanism, and where the boundaries (and lack thereof) lie between tasks on the same host.

In this blog, I'll discuss our exploit we developed to get remote code execution on the Synology TC500 smart camera using a format string vulnerability. In the end, we weren’t able to use the exploit, but it was an interesting case study in exploiting format string vulnerabilities.

Dopamine is a semi-untethered jailbreak for iOS 15 and 16. In this blog post, we'll walk through what it means to compile Dopamine from source, why you'd want to do it, and the insights it.

In this final part of the trilogy, we will get rid of the main thread in our rootkit and will be implementing a "threadless" (of course you can not execute code without a thread, but threadless in the sense of not having a looping thread) user-to-kernel communication that is essentially immune against most detections of this kind.

In this blog, we'll explore the different phases of a social engineering penetration test. We will examine how to craft and deliver a successful social engineering attack. Involved in this effort will be a focus on how to perform reconnaissance, design an effective ruse, and then deliver it to your target.

This first part of the series covers the fundamentals of WMI and how to track back WMI activity to the WMI provider host process (WmiPrvse.exe), the executable responsible for executing WMI activity.

We walk through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I use the PS_ScheduledTask WMI class as an example and how when an instance of this class is created the COM method ITaskServices:NewTask is invoked.

In this last part we look at what happens after the COM method ITaskServices:NewTask.