The 'paradox' is only a conflict between reality and your feeling of what reality 'ought to be'
Starred Articles
The goal of this article is to examine the most common DNS response record types available to attackers to carry data to a target host. I want to analyze their potential for exploitation, and the specific constraints each presents. Most importantly, I'll emphasize the anomalous patterns that potentially signal abuse of these records, providing you with concrete detection indicators.
We go through the ELA (Error Level Analysis) technique and show how it can be used efficiently to identify deepfake images by assessing the image quality obtained after compression.
Less is More
09/16/2025 The program less is already considered a Living-off-the-Land Binary, though there is much more to the program that is not widely known within the security space. Specifically, its filtering procedure, which includes lesspipe.sh and .lessfilter as well as the LESS* environment variables, can be leveraged for persistence.
We discovered a critical vulnerability in the Bluetooth Low Energy (BLE) Wi-Fi configuration interface of multiple Unitree robot models including Go2, G1, H1 and B2 series. The vulnerability combines multiple security issues: hardcoded cryptographic keys, trivial authentication bypass, and unsanitized command injection.
This article examines how Model Context Protocol (MCP) tools expand the attack surface for autonomous agents, detailing exploit vectors such as tool poisoning, orchestration injection, and rug-pull redefinitions alongside practical defense strategies.
New Articles
Android Webview security
09/18/2025 This article discusses several vulnerabilities (XSS, open redirect, arbitrary file loading) found in Android Webview.
Bypassing EDR using an In-Memory PE Loader
09/23/2025 We're going to implement a PE (Portable Executable) loader that downloads a PE file from a GitHub repository, then loads it directly into a section of memory within the calling process and executes it. We are using Dynamic Execution: load and execute any valid 64-bit PE file from a remote source. Together with the usual bypass techniques, it proves efficient at evading EDR detection.
We detail the impact of a NodeIntegration misconfiguration that exposes Electron desktop applications to an XSS leading to a Remote Command Execution (RCE). We illustrate with the cases of CVE-2020-15174 and CVE-2021-43908, respectively impacting Notable and Visual Studio Code.
In this blog post we dive deep into the security flaws of VBScript's Randomize and Rnd functions, especially when used to generate secret tokens. We identify a token generation flaw and seed collisions that make it possible for an attacker who knows the approximate time a token was generated to brute-force the seed and recover the token.
HardBit 2.0 Ransomware
09/22/2025 We provide details about the key operations performed by the HardBit ransomware: infection, security posture lowering, persistence and encryption.
In this article, I detail a new technique to disable EDR. Instead of using the BYOVD technique to exploit vulnerabilities in drivers pre-installed on Windows, I will use Windows Error Reporting to put antivirus processes into a state of dormancy. All of this is done using user-mode code and does not require any third-party tools.
GrapheneOS is a mobile operating system based on Android implementing a new libc allocator: hardened malloc. This allocator is designed to protect processes against common memory corruption vulnerabilities. This article will explain in detail its internal architecture and how its security mitigations are implemented, from a security researcher's point of view.
In this article we are dissecting CVE-2025-10035, a perfect CVSS 10.0 deserialization vulnerability in Fortra's GoAnywhere MFT. When exploited, the vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
I used regex to find a couple of regex vulnerabilities that lead to unauthenticated XSS. In this post, I’ll break down what I meant by regex leading to XSS and how simple regex mistakes can lead to XSS vulnerabilities. It will be illustrated by the analysis of CVE-2025-9512, an XSS in the "Schema & Structured Data for WP & AMP" WordPress plugin.
Blockchain Security
09/16/2025 An overview of blockchain security and attack surface: wallet attacks, protocol vulnerabilities, and audit gaps.
Domain Fronting is Dead
09/16/2025 In this article, we present a new technique for performing domain fronting against Google hosted infrastructure. This approach applies to Google's primary services and to customer-facing systems built on Google App Engine. The end result is that we are now able to tunnel traffic through some of the most trusted and widely used infrastructure on the Internet.
We detail the root cause and provide a PoC for CVE-2025-41243, a Spring Environment property modification vulnerability in Spring Cloud Gateway Server Webflux. When exploited, it can lead to Remote Command Execution (RCE).
Recent investigations uncovered how attackers are abusing ConnectWise ScreenConnect (formerly ConnectWise Control) installers to deliver AsyncRAT payloads, leveraging open directories as staging points. This article presents the patterns that surfaced repeatedly across hosts, files, and redirects.
This post breaks down the trust assumptions that make the software supply chain vulnerable, analyzes recent attacks that exploit them, and highlights some of the cutting-edge defenses being built across ecosystems to turn implicit trust into explicit, verifiable guarantees.
We dive into a new piece of malware, dubbed ModStealer, reported to bypass Apple's built-in security, steal user data, and go after crypto wallets.
We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035. In this second part, we detail the observed exploitation and post-exploitation activities and share the IoCs contained in the evidence we received of in-the-wild exploitation.
Implementing Hell's Gate in Zig - Part 1
09/18/2025 In this blog post, I'll walk through the process of implementing the well-known and classic technique "Hell's Gate", a method for making direct Windows system calls by extracting syscall numbers from ntdll.dll, in the Zig programming language.
A critical security vulnerability in Notion's AI Agents demonstrates how the combination of LLM agents, tool access, and long-term memory creates exploitable attack vectors for data exfiltration.
Still Recent
We uncover MostereRAT's use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control.
nRF51 RBPCONF bypass for firmware dumping
09/04/2025 I detail how I applied a firmware dumping technique to bypass RBPCONF (Readback Protection) on nRF51 family MCUs. What makes this bypass interesting is its non-invasive nature. The attack relies only on software manipulation through standard debugging interfaces. The target remains fully functional while its memory is exfiltrated, making the method practical and appealing.
Binder Fuzzing
09/03/2025 We provide a practical guide to fuzzing the Binder kernel driver using the Linux Kernel Library (LKL). We first explore existing fuzzing efforts using Syzkaller, a state-of-the-art kernel fuzzer, and highlight its challenges for this use case. Then, we dive into how LKL overcomes these limitations and our improvements, such as randomized scheduling.
Exploiting Web Worker XSS with Blobs
08/08/2025 Ways to turn XSS in a Web Worker into full XSS, covering known tricks and a new generic exploit using Blob URLs with the Drag and Drop API.
Oldies but Goodies
We detail how Azure Arc can be identified in environments, how misconfigurations in deployment can allow for privilege escalation, how an overprovisioned Service Principal can be used for code execution, and how Arc can be used as an out-of-band persistence mechanism.
Being a good CLR host
01/17/2025 Despite being such a large part of the modern red team arsenal, tradecraft for executing .NET assemblies on a compromised endpoint has remained largely stagnant. In this blog post, we will discuss how red teams can bring their .NET execution harnesses into this decade.
The Havoc framework
02/14/2025 In this blog, I will help you understand the core concepts of how the Havoc C2 framework operates, how to use it, and how to develop BOFs. We will review the installation and launch of Havoc C2, then focus on the concepts and implementation of Beacon Object Files (BOFs).
Nortek Linear eMerge E3 Pre-Auth RCE
09/24/2024 We detail a vulnerability in the Nortek Linear eMerge E3 that allows remote unauthenticated attackers to cause the device to execute arbitrary commands.
Creating a C2 infrastructure on AWS
01/19/2025 In this article, I will explain how to create a secure C2 infrastructure on the AWS cloud. First we will discuss what a C2 infrastructure is and how it is designed, and then build our own from start to finish.
How to restrict Device Code Flow in Entra ID
05/06/2025 Device code flow in Entra ID is used by attackers to get access to Microsoft 365 accounts and data or to perform device code phishing. However, simply blocking device code flow for all users may not be a valid solution in some organizations. This article details how to create and properly manage device code flow exclusions.
I explore the TP-Link C210 V2 cloud camera and explain how I managed to decrypt the firmware and find 3 vulnerabilities in the bootloader.
We discovered a path traversal vulnerability in ZendTo (CVE-2025-34508). When exploited, this vulnerability allows malicious actors to bypass the security controls of the service to access or modify potentially sensitive information of other users.
Unearthed Arcana
How to Unpack Malware with x64dbg
03/17/2022 This article is an x64dbg tutorial in which a malware reverse engineering methodology is explained and demonstrated.