News

• FBI stymied by Apple’s Lockdown Mode after seizing journalist’s iPhone - "Because the iPhone was in Lockdown mode, CART could not extract that device." ([PDF] court filing ). However, the use of biometrics allowed the FBI into her work computer, "when she applied her index finger to the fingerprint reader, the laptop unlocked." While convenient, biometrics should not be used if you're a potential target of device seizure. It would be interesting if there was a "distress finger" feature that could be used to prevent any future biometrics from working. Map this to your index finger but actually unlock with your middle or ring finger.
• [YouTube] Search Party from Ring | Be A Hero In Your Neighborhood - This ran during the Super Bowl in the US (~8M USD cost). I wonder if the marketing team had a big debate over using puppies vs children and the pros and cons of each to sell an omnipresent surveillance dystopia. Recall that Ring Employees Illegally Surveilled Customers and Ring and Flock Safety have partnered and that Ring cameras are part of Amazon Sidewalk (the mesh network Amazon built to keep cameras online).
• Iran's internet is returning - but not for everyone - "Looking at web traffic data, the patterns suggest a full restoration of internet access in Iran may never occur." In 2026 the internet is a utility like water and power. I suspect a regime denying it's people access will result in regime change.
• Red Macros Factory Is Joining OST (And So Am I!) - Congrats @mariuszbit! Forta is assembling a super team.
• Microsoft Gave FBI Keys To Unlock Encrypted Data, Exposing Major Privacy Flaw - If you sign in with a Microsoft account, you sync your Bitlocker keys to Microsoft. Senator Ron Wyden said in a statement to Forbes that it is “simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users' encryption keys.”

Techniques and Write-ups

• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit - China (allegedly) hacked the Notepad++ update servers and selectively targeted users with a malicious update.
• Discovering Negative-Days with LLM Workflows - The big threat actors are already doing this for both open and closed source projects. At what point does your threat intel team have to be come a vulnerability development shop just to keep up?
• Automating GOAD and Live Malware Labs - Ludus being used on the official Elastic Labs blog, really cool to see.
• Pickling the Mailbox: A Deep Dive into CVE-2025-20393 - Python 2.6 struct.pack with format ‘B’ silently truncates overflows instead of throwing an error like Python 3 does. This allows an authentication bypass and a CVSS score of 10.0.
• Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) - "Any bash script > 50 lines should be written in something else." - Me, every time I write a long bash script. "The PoC request appeared in a dream" and not your honeypot? Sure 😉.
• On the Coming Industrialisation of Exploit Generation with LLMs - "I would encourage you to pick the most interesting exploitation related problem you can think of, spend as many tokens as you can afford on it, and write up the results. You may be surprised by how well it works." Code: anamnesis-release - Automatic Exploit Generation with LLMs.
• Unveiling Voidlink – a Stealthy, Cloud-Native Linux Malware Framework - A neat looking Linux remote access tool. Surprised with that level of sophistication it calls directly back to a command and control server vs using a "third party" service to launder the data and appear legitimate (see next item).
• Weaponizing Whitelists: An Azure Blob Storage Mythic C2 Profile - "3rd party C2" is my favorite kind of C2. Don't use this with an Azure account you care about, if threat intel finds you they may nuke your account.
• Who’s on the Line? Exploiting RCE in Windows Telephony Service - Legacy, obscure systems almost always house some vulnerabilities. This vulnerability requires the the Telephony Application Programming Interface (TAPI), to be in server mode, which you will likely never see.
• On the Clock: Escaping VMware Workstation at Pwn2own Berlin 2025 - Some advanced heap exploitation along with a timing-channel leak to reduce the randominies of Windows 11 heaps and ensure a good exploit make this a really interesting read.
• The Islands of Invariance - Mudge added a Yara rule generator to Crystal Palace, has he gone to the blue side!? Not quite, but the robust testing of Yara rules in this post puts him ahead of many blue teams. He also released a major overhaul to Crystal Palace in the bin2bin post that include the +regdance, +blockparty, and +shatter options as well as support for the -O1 optimization level in MinGW.
• Advisory - Check Point Harmony Local Privilege Escalation (CVE-2025-9142) - AmberWolf drops another VPN client vulnerability. Finding the unregistered but allowed domain must have been a rush!
• Unauthenticated RCE in NetSupport Manager - A Technical Deep Dive - The heap graphics in this write up were excellent. NetSupport Manager is a "remote monitoring and management solution" (remote desktop replacement) so getting access to the controller means access to all the managed machines.
• Windows Internals: Check Your Privilege - The Curious Case of ETW's SecurityTrace Flag - Connor does what he does best and dives deep on Event Tracing for Windows (ETW) and finds an undocumented way to consume events from ETW providers which require Antimalware-PPL, like the valuable Microsoft-Windows-Threat-Intelligence, without running as Antimalware-PPL, having a kernel driver, or patching the kernel via WinDBG. He was nice enough to drop ThreatIntelligenceConsumer - Demonstrates consuming from a SecurityTrace ETW session by consuming from the Threat-Intelligence ETW provider without a driver or PPL privilege.
• The State of Art in Red Team is whatever you want to believe - Red Teams are islands, and you have no idea what the other top red teams are doing because there is no incentive to share the truely useful stuff.
• 1.4 Billion user records exposed by insecure Firebase instances in top Android apps - Firebase has always been a massive foot-gun. The easy solution gets used, and most apps never notice that any user can read/write their entire database.
• Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM - SCCM in bloodhound is awesome. No more hoping the organization used hostnames that indicate SCCM or digging through LDAP data to find it! This research led to two CVEs: MSSQL and SCCM Elevation of Privilege Vulnerabilities.
• remotely unlocking an encrypted hard disk - You've maybe seen wireguard-initramfs but this post uses tailscale.
• Task Failed Successfully – Microsoft’s “Immediate” Retirement of MDT - Retiring a product instead of fixing vulnerabilities is a choice. Another Ludus powered finding.

Tools and Exploits

• PhantomSec | Advanced Offensive Capabilities Automated - EvadeX Sponsored - EvadeX is an evasion-as-a-service platform for red teams and pentesters who want modern, continuously-updated evasive tradecraft without turning every engagement into an R&D project. Generate highly customizable, low-signature payloads through a simple web workflow so you can tune to the target and stay focused on the engagement. Trusted by teams from small consultancies to the Fortune 10. Get callbacks past EDR today!

• ConfigManBearPig - PowerShell collector for adding SCCM attack paths to BloodHound with OpenGraph.
• embbridge - ADB-like device bridge for embedded systems. Shell, file transfer, and firmware dumping for forensics and research.
• uart-push - Like scp, but over UART serial connections.
• TopazTerminator - Just another EDR killer.
• lcre - Wrapper RE tool for CLI.
• Erebus - Erebus is an Initial Access wrapper for the Mythic Command & Control Server. It utilizes multiple techniques to equip the operator with the right tools, for the right job.
• Google Groups Reconnaissance Tools - A suite of Go tools for discovering and analyzing publicly accessible Google Workspace groups. These tools help security professionals identify groups with overly permissive settings during authorized security assessments.
• remnux-mcp-server - MCP server for using the REMnux malware analysis toolkit via AI assistants.
• the-one-wsl-bof - One WSL BOF to rule them all.
• AutoPtT - Automated Pass-the-Ticket (PtT) attack. Standalone alternative to Rubeus and Mimikatz for this attack, implemented in C++ and Python.
• AddUser-SAMR - Create local administrators with the SAMR API (lowest-level technique). Implemented in C#, Python, Rust and Crystal.
• DuplexSpyCS - A Remote Access Tool developed in C#, enabling complete control of a remote Windows machine, designed for legitimate remote administration and security testing of Windows systems.
• fawkes - Fawkes is my attempt at a Mythic C2 Agent.
• shannon - Fully autonomous AI hacker to find actual exploits in your web apps. Shannon has achieved a 96.15% success rate on the hint-free, source-aware XBOW Benchmark.
• agscript_middleware - Run CobaltStrike aggressorscript over TCP.
• BloodBash - A Bloodhound alternative. BloodBash will ingest the same files bloodhound does but no server is required to use this tool. It's great for quick AD enumeration.
• skills - Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows.
• beignet - MacOS Shared Library to Shellcode Loader.
• Cobaltstrike_BOFLoader - open source port/reimplementation of the Cobalt Strike BOF Loader as is.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• Antide's Law - "If it's unclear what a cyber-security company is doing, what they're doing is pretty clear (exploits/capabilities)."
• What AI Security Research Looks Like When It Works - This is a marketing post, but the fact that curl accepted multiple vulnerabilities from their scanner instantly gives it credibility. Are we seeing AI powered automated vulnerability discovery that is better than any single human and scalable with money/chips/power instead of very hard to find talent? Probably very close. Are defenses at the same watershed moment? I haven't seen it. Should we be concerned about this imbalance? Yes.
• Owning a $5M data center - Cool to see a company reject the cloud and build their own AI datacenter.
• Incident Report: CVE-2024-YIKES - This feels too real.
• HolyGrail - BYOVD hunter to help prioritize windows drivers worth manual analysis.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.