Debugging is like being the detective in a crime movie where you are also the murderer.
Starred Articles
In this post, we detail an evasion technique that relies on fragmenting shellcode and reassembling the fragments in memory with random delays, so that in-memory scanners never observe the complete payload at once.
We detail the "frame swapping" primitive, a technique that abuses callbacks by chaining multiple invokers ("callback hell") to produce obfuscated yet CET-compliant call stacks. It can be used to hide the real call origin and evade call stack-based detection.
A Hands-On Introduction to Polyglot Files
12/18/2025
The goal of this post is to explore the nature of polyglot files and the scenarios where they are most effective for discovering vulnerabilities. We also look at two existing tools that help create such files.
The Curious Case of the Comburglar
12/18/2025
We discovered a highly stealthy and persistent intrusion technique used to maintain Command-and-Control (C2). The attacker had modified Scheduled Tasks in the environment to use a ComHandler action that invokes a method on a registered Component Object Model (COM) class, backed by custom surrogate DLL files for code execution.
New Articles
In this article, we will first discuss COM technology. Then, we will examine Control Panel items, how adversaries have used them for initial access and persistence, and how these items can be leveraged through a DCOM object to achieve command execution.
We dissect SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on Linux systems, by disassembling the main function and identifying calls to dynamically imported functions based on their addresses. To do so we rely on two powerful tools: LIEF for parsing the ELF format, and Capstone for disassembling the machine code.
We uncover four SAPCAR bugs where parsing a SAR archive can lead to local privilege escalation: path traversal during CAR archive extraction (CVE-2025-42970), metadata tampering in signed SAR archives (CVE-2025-42992), extraction overwriting the permissions of the current and parent directories (CVE-2025-43001), and memory corruption when parsing crafted CAR archives (CVE-2025-42971).
This article will cover some common persistence mechanisms for malware on Windows systems and relevant examples of various malware families that take advantage of these persistence mechanisms.
Azure Storage Account Attacks and Detections
12/15/2025
Many Azure resources depend on storage accounts and blob storage for hosting metadata, session information, or event data. Whatever the reason for storing it, that data should be secured both at the authentication and authorization level and from the detection side. The goal of this post is to highlight a few attacks and how to detect or defend against them.
We analyze MacSync Stealer's evolution to code-signed, notarized Swift applications that silently download and execute payloads, bypassing traditional macOS security measures.
When WebSockets Lead to RCE in CurseForge
12/23/2025
An unauthenticated local WebSocket server in the CurseForge launcher allowed any website to trigger remote code execution via attacker-controlled JVM arguments.
CVE-2025-6514 is a critical client-side vulnerability in mcp-remote that allows arbitrary OS command execution when connecting to untrusted MCP servers. The attack abuses OAuth dynamic discovery, exploiting a URL sanitization failure.
This post discusses how the List-Unsubscribe SMTP header can be abused to perform Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks in certain scenarios. Real-world examples involving Horde Webmail (CVE-2025-68673) and Nextcloud Mail App are provided to illustrate the risks.
We discuss the use of the Sec-Fetch-Site HTTP header as a valid CSRF defence, and the cases in which it needs a fallback.
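As an added illustration of the header-based check the post describes (example code written for this page, not the article's own), the gate below accepts state-changing requests only when the browser-set Sec-Fetch-Site header says the request is same-origin or user-initiated. Browsers add this header themselves and pages cannot forge or strip it, which is what makes it usable as a CSRF signal. The header is absent from older browsers and from non-browser clients, so the gate fails closed unless a fallback check is supplied; `token_fallback` is a constructed stand-in for such a check, and the sample requests are constructed, not captured traffic.

```python
# Example CSRF gate built on the Sec-Fetch-Site header (assumed example code).

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# "same-origin": request came from our own origin.
# "none": user-initiated (address bar, bookmark), no page is driving it.
ALLOWED_SITES = frozenset({"same-origin", "none"})


def sec_fetch_site_allows(method, headers, *, allow_same_site=False, legacy_check=None):
    """Return True if the request passes the CSRF gate.

    method          -- HTTP method string
    headers         -- mapping of request headers, any key casing
    allow_same_site -- whether to trust "same-site" (sibling subdomains). Off by
                       default: a takeover of any subdomain would otherwise hand
                       the attacker a CSRF primitive.
    legacy_check    -- optional callable(headers) -> bool used when the header
                       is absent (old browsers, non-browser clients). Without a
                       fallback, such requests are rejected (fail closed).
    """
    if method.upper() in SAFE_METHODS:
        # Safe methods must not change state, so they need no gate.
        return True

    lowered = {k.lower(): v for k, v in headers.items()}
    site = lowered.get("sec-fetch-site")

    if site is None:
        # No Fetch Metadata at all: defer to another defence or reject.
        return bool(legacy_check(headers)) if legacy_check else False

    site = site.strip().lower()
    if site in ALLOWED_SITES:
        return True
    if site == "same-site":
        return allow_same_site
    # "cross-site" and any unexpected value fail closed.
    return False


def token_fallback(headers):
    """Constructed stand-in for a classic fallback: require a custom header that
    a plain cross-site HTML form cannot set. A real deployment would compare a
    per-session CSRF token instead."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-requested-with") == "XMLHttpRequest"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Sec-Fetch-Site": "same-origin"}),
        ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"}),
        ("POST", {"Sec-Fetch-Site": "same-site"}),
        ("POST", {"User-Agent": "curl/8.0"}),  # no Fetch Metadata
        ("POST", {"X-Requested-With": "XMLHttpRequest"}),  # legacy client, custom header
        ("GET", {"Sec-Fetch-Site": "cross-site"}),  # safe method, always allowed
    ]
    for method, hdrs in samples:
        verdict = sec_fetch_site_allows(method, hdrs, legacy_check=token_fallback)
        print(f"{method} {hdrs} -> {'allow' if verdict else 'deny'}")
```

The two knobs are where deployments differ: whether sibling subdomains are trusted, and what to do when the header is missing. Rejecting header-less state-changing requests is the strictest choice; most sites will instead keep their existing token check as the fallback until legacy clients are gone.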
What you see in the code rarely matches what you'll find in the logs. This gap is where most detection efforts fail. This post walks through a systematic approach to bridge that gap, using Impacket's LDAP reconnaissance tools as our test case.
Livewire comes with a critical vulnerability: a dangerous unmarshalling process can be exploited as long as an attacker is in possession of the APP_KEY of the application. By crafting malicious payloads, attackers can manipulate Livewire’s hydration process to execute arbitrary code, from simple function calls to stealthy remote command execution.
In this post, I will focus on the TP-Link Tapo C200 camera and show how I approach firmware analysis these days, now that we have AI. Although I analyse the latest firmware, I find four vulnerabilities: a SOAP XML parser memory overflow, an HTTPS Content-Length integer overflow, a Wi-Fi hijacking vulnerability, and the ability to scan nearby Wi-Fi networks, all without authentication.
We dissect a lightweight Linux backdoor derived from the open-source TinySHell, using capa, Capstone and Python to recover its RC4-encrypted C2 settings.
In this second part, I present a new DCOM object that can be used for command execution and potential persistence. The technique builds on older initial-access and persistence methods involving Control Panel items: we look at how adversaries have used those items and how they can be leveraged via a DCOM object to execute commands.
Still Recent
This post walks through a real-world compromise path that started with Veeam and ended with full Domain Admin, highlighting why backup security matters and how defenders can harden their environments.
In this blog post, we present our approach for uncovering vulnerabilities by combining LLM reasoning with static analysis. By layering an LLM on top of CodeQL, we significantly reduce the overwhelming noise of false positives that typically buries security teams.
We uncovered an attack utilizing a ClickFix lure to initiate a multi-stage malware execution chain. This analysis reveals how threat actors use steganography to conceal infostealers like LummaC2 and Rhadamanthys within seemingly harmless PNGs.
In this first article of the series, we showcase the extraction of configuration data from Kaiji, an IoT botnet malware. We provide a straightforward demonstration of how the pipeline operates and how the configuration extraction service interacts with the rest of the system.
A Rust DDoS botnet slipped past every antivirus engine. I captured it on my honeypot, reverse engineered its custom C2 protocol, and built a fake bot to infiltrate the network. I am now monitoring attack targets and tracking the malware's evolution in real time.
In this second part, we unwrap QuasarRAT, a popular .NET remote access trojan (RAT), and show how to extract its encrypted configuration from the binary. We first detail the environment, then build a Python-based extractor for a clean QuasarRAT sample, and finally extend the approach to handle an obfuscated build.
Oldies but Goodies
In this first part of the series, we explore workload identities and how to discover the various types of service principals within your Microsoft Entra ID tenant.
This last blog of the series focuses on ensuring security processes are sustainable and effective in the long run through automation and continuous monitoring.
We'll delve into another crucial premium feature: Identity Protection for Workload Identities. This capability lets you proactively detect, investigate, and respond to identity-based risks associated with your service principals, further strengthening your defence against compromise.
We review two ways to parse Linux memory dumps with Volatility: building a kernel profile yourself (slower, but educational) or downloading an existing one.
This blog delves into advanced governance: conducting Access Reviews for privileged service principal assignments and outlining a set of proposed recommendations, aligned with Center for Internet Security (CIS) benchmarks, for securing your workload identities.
In this second part, we will focus on essential hygiene practices and native controls for workload identities, using the free tier of Microsoft Entra ID.
Mastering Workload Identity Security in Microsoft Entra ID - Part 3: Stepping Up Security
05/16/2025
In this third part, we explore the enhanced security capabilities of Microsoft Entra Workload Identities Premium. We introduce the premium features and dive deeply into configuring Conditional Access specifically for your service principals.