Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday's code.
Starred Articles
We address agentic misalignment: the tendency of models, when placed in adversarial, multi-turn settings, to drift into harmful cooperation (e.g. cooperating with misuse), sycophancy (over-agreeing), or even surprising behaviors like sabotage or whistleblowing. We review attack techniques, how models' resistance is evaluated, and what can be done to prevent such attacks.
Cryptographic hybridization is the strategy of choice for a secure transition to the post-quantum era. By combining the proven robustness of current algorithms with the resistance of new standards to the quantum threat, it guarantees optimum protection. In this article, we dissect the concept of hybridization and review how signature algorithms are combined.
We explore a novel method for leaking memory pointers remotely - without violating memory safety or relying on timing attacks. The technique hinges on how pointer-keyed data structures behave during serialization and deserialization, particularly in Apple's macOS/iOS environments.
This guide looks at some of the most common command and control (C2) panels: Supershell, HookBot, Chaos RAT, UnamWebPanel, Metasploit, and Mythic. Each one has fingerprints that give it away. Learning to recognize those clues makes it easier to track attacker infrastructure and close off exposure before it's abused.
New Articles
We investigate a new PlugX variant's features that overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL sideloading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads, and the RC4 keys used.
Automation of VHDX Investigations
09/26/2025 This blog post introduces a method for automating forensic analysis of VHDX-based user profiles using Velociraptor. The goal is to scale investigations efficiently and reliably without compromising forensic integrity.
In Part 4 of the Hacking Furbo series, we provide a detailed analysis of Furbo devices. Through logging and debugging, we uncovered developer features and exploited two flaws: Denial of Service and an Application Logic Bypass, enabling unlimited trial licenses.
This article is the translation guide between offensive tool output and defender telemetry. For each popular offensive tool, I'll show the attacker behavior that can be observed, the concrete telemetry defenders can collect, example detection rules, quick Sysmon/EDR signatures, and short hunt/search queries you can drop into Splunk/ELK/Graylog.
New LockBit 5.0 Targets Windows, Linux, ESXi
09/25/2025 We analyzed binaries from the latest activity of the notorious LockBit ransomware, version 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems.
We identified zero-day exploitation of CVE-2025-41244, a local privilege escalation vulnerability impacting VMware's guest service discovery features. When successful, exploitation of the local privilege escalation results in unprivileged users achieving code execution in privileged contexts (e.g., root).
When Audits Fail - Part 1: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise
09/30/2025 We detail four vulnerabilities in TRUfusion: a pre-auth path traversal that leaks local server files (CVE-2025-27222), a hard-coded cryptographic key that allows forging session cookies (CVE-2025-27223), a pre-auth path traversal and arbitrary file write that allows remote command execution (CVE-2025-27224), and a pre-auth sensitive information disclosure of PII (CVE-2025-27225).
DCOM Again: Installing Trouble
09/29/2025 I dive into the details of a DCOM lateral movement beacon object file (BOF) that uses the Windows Installer Custom Action server to install and configure an ODBC driver that loads and executes DLLs.
We review the tactics used by the Akira double-extortion ransomware. We detail the discovery stage, privilege escalation, persistence and C2, lateral movement, evasion, data collection and exfiltration, and encryption in different environments, including Windows and ESXi. We also provide the related IoCs.
Many defenders treat token protection as the ultimate safeguard, confident that as long as tokens are locked down, identities and data are secure. This blog explores the gap between perception and reality, examining why token protection is necessary but never sufficient, and how dangerous assumptions can render robust defences illusory.
Gh0stKCP Protocol
09/24/2025 A technical analysis of Gh0stKCP, a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0.
FIDO Cross Device Phishing
09/24/2025 This post explains a phishing technique for FIDO cross-device (hybrid) authentication. An attacker can run an AitM proxy that shows a fake, OS-like QR code prompt in the browser. The attack requires placing one or more Bluetooth beacons within the victim's Bluetooth range.
This article presents a little-known technique for compromising Chromium-based browsers within Windows domains by forcing the loading of arbitrary extensions. When successfully applied, this method results in complete browser compromise.
Hacking Furbo - Part 6: The Finale
09/29/2025 In this last post of the series, we find insecure Wi-Fi credentials, risky S3 log uploads, long-lived device tokens, and global MQTT activity exposure.
The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used to manipulate account and security settings. If misconfigured, the principal with these permissions could, at a minimum, compromise accounts or, at worst, compromise the domain.
We ditch the probe and perform a chip-off on a W25N02KV: dump NAND with XGecu T48 (ECC on), repack squashfs, edit /etc/shadow, reflash, re-solder, and gain persistent root.
Gmail App - IMAP Account Artifacts
09/24/2025 I'm looking at how third-party IMAP accounts are handled in the default Gmail application on Android 16, focusing on attachment artifacts.
Remote Code Execution and Authentication Bypass in Materialise OrthoView (CVE-2025-23049)
09/29/2025 We detail three major vulnerabilities identified as CVE-2025-23049 in Materialise OrthoView, a medical imaging software used in orthopedic planning: a client-side DICOM (Digital Imaging and COmmunications in Medicine) authentication bypass, an authentication flaw, and Remote Code Execution (RCE) via an OS command injection.
Bring Your Own Vulnerable Driver (BYOVD) is a well-known post-exploitation technique used by adversaries. In this series, we will see how to abuse a vulnerable driver to gain access to Ring-0 capabilities. This first post describes in detail the exploitation of vulnerabilities found in a signed Lenovo driver on Windows (CVE-2025-8061).
The main goal of this article is to provide a logical forensic analysis workflow focused on preserving and acquiring data relevant to investigations. We will review different data extraction scenarios, logical extraction techniques and tools, and Full File System (FFS) acquisition techniques.
We identified a permission bypass vulnerability in multiple versions of OnePlus OxygenOS installed on its Android smartphones, across multiple devices. It could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks.
My thoughts and experience in implementing a Minecraft server scanner.
A technical overview of Olymp Loader, a Malware-as-a-Service loader designed to execute other malware on victim systems, providing built-in stealer modules, and enabling rapid feature updates and fast attacker adoption.
Technical analysis of the AI-based ransomware FunkLocker, which heavily misuses legitimate Windows utilities like taskkill.exe, sc.exe, net.exe, and PowerShell to stop apps, disable defenses, and prepare for encryption.
Technical breakdown of a Remote Code Execution vulnerability in Google Web Designer via a malicious Video Ad Template abusing the NinjaShell API.
Next.js is a powerful open-source React framework that enables developers to build fast, interactive, and SEO-friendly web applications. In this article, we dive deeper into the most common server-side request forgery vulnerabilities in targets extensively utilizing Next.js and document two of them (CVE-2025-57822 and CVE-2024-34351), found in Middleware and Server Actions.
This is an introductory but practical post on Windows user mode heap internals and exploitation. I cover the basics of Low Fragmentation Heap, Heap Overflow Attack, and File Struct Exploitation in Windows.
Hacking Furbo - Part 5: Exploiting BLE
09/21/2025 This post examines Furbo's Bluetooth Low Energy (BLE) communication, finding vulnerabilities that expose Wi-Fi credentials, enable device resets, and reveal hidden GATT characteristics.
Still Recent
In this second part, we reverse the Android app, hook TUTK Kalay P2P with Frida, capture commands, find token remnants in memory, trigger SSRF to custom.wav, and show a treat-toss DoS.
How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study
09/17/2025 A single missing authorization check created two severe, high-impact business risks in Langfuse, a leading open-source LLM engineering platform. A subtle flaw in its background job controls allowed any authenticated user to access highly sensitive administrative functions.
Leveraging Raw Disk Reads to Bypass EDR
09/04/2025 Drivers are a common part of every Windows environment, and many of them provide low-level functionality. This blog details how to connect with a default Windows driver or a vulnerable driver to bypass Endpoint Detection and Response (EDR) tools, file locks, and access controls, and directly read sensitive files.
This is the first post of a series where we will be assessing Furbo, a connected pet monitoring device. We start by detailing the acquisition and teardown of Furbo devices, then explore network traffic, firmware retrieval, and UART access.
In this blog post, we will explain how a libANGLE integer underflow bug can be turned into a powerful primitive that allows us to read the Chrome WebGPU process.
Oldies but Goodies
Memory Protection Units (MPUs) play a crucial role in safeguarding against automotive security threats. This blog will review the types of modern MPUs, their functionalities, and detail 2 vulnerabilities we found that allow a privileged attacker to shut off the entire SMPU, giving read and write access to protected memory areas (CVE-2023-48010 and CVE-2024-33882).
Mitel phone firmware analysis led to the discovery of two vulnerabilities: CVE-2025-47187, an unauthenticated .wav file upload vulnerability, and CVE-2025-47188, an unauthenticated command injection vulnerability. Exploiting them leads to unauthenticated code execution on the phone itself.
XSS in Google IDX Workstation
07/02/2025 Technical breakdown of an XSS vulnerability in Google IDX Workstation.
An In-depth, Research-based Walk-through of an Uninitialized Local Variable Static Analyzer
06/03/2025 This article presents a static analyzer based on the Binary Ninja engine that walks through a complete uninitialized local variables (ULV) detection workflow: from recovering variables and analyzing how they're used, to inferring sizes, tracking taints across functions, and filtering out misleading patterns. If an uninitialized read made it into your binary, this process will uncover it.
How to Root Android Phones
04/23/2025 This blog covers how to root an AVD emulator and a physical Pixel 6. But before we cover those topics, we will review the different components involved and discuss some of the pros/cons of rooting an Android phone.