eleven red pandas @bytecodevm

@Salsa12__ Congrats!

Today I'm launching 0x12DarkSandbox, my biggest project to date🥂🥂 Built for offensive security professionals who want to understand not just whether a payload is detected, but exactly how and why it gets caught 0x12darksandbox.net More info here: medium.com/@s12deff/0x12d…

keyboard_arrow_left Previous keyboard_arrow_right Next

Runs 40+ Active Directory attacks natively on Linux github.com/ADScanPro/adsc…

Very cool research done by my mate Marcos 🙌 nccgroup.com/research/async…

UEFI bootkits are no longer theoretical. BlackLotus. HybridPetya. CosmicStrand as demonstrated by the "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" by @matrosov Researchers demonstrated the same class of technique against VBS enclaves, the most isolated execution environment Windows offers. Hooked GetVariable(). Intercepted BlLdrLoadImage(). Injected into hvax64.exe before VBS initialised. Owned the VM-exit handler at ring -1. Read and wrote VTL1 enclave memory directly from the hypervisor. If your threat model stops at ring-0, it stops too early. Full PoC included. tulach.cc/using-vbs-encl… tulach.cc/from-firmware-… Author: @tulachsam #Malware #Infosec #ReverseEngineering

keyboard_arrow_left Previous keyboard_arrow_right Next

cr3ghost @cr3ghost

2 days ago

This is the type of malware game hackers build to bypass kernel anti-cheat. The same techniques can be used by malware authors to evade EDRs. A UEFI bootkit that injects into Microsoft's own Hyper-V at ring -1 before the OS even loads (easier than building a custom hypervisor

keyboard_arrow_left Previous keyboard_arrow_right Next

5 62 343 31K 310

Gained two CVEs this week. National Instruments ships on every defense contractor, chip fab, NASA test stand, and national lab in the country. their core kernel driver nipalk.sys is EV signed and valid through 2027. arbitrary physical memory read/write with zero authentication. CVE-2026-8035. CVE-2026-8036.

Walk-through of Lukas Maar’s page-level use-after-free in the Linux kernel’s QAIC (Qualcomm AI Accelerator) DRM driver: the missing VMA boundary check in qaic_gem_object_mmap leaves stale page-table entries pointing at compound-page memory the kernel has already freed; reclaim the underlying order-3 page as a pipe_buffer slab and the dangling user mapping turns into an arbitrary kernel-physical read/write primitive, which the exploit chains via init_task lookup into a clean root. core-jmp.org/2026/06/qualco… #AIAccelerator #DRMDriver #KASLR #KernelDriver #KernelDriverExploitation #KernelDriverVulnerability #KernelExploitation #KernelUAF #LinuxKernel #LinuxKernelExploitation #LinuxKernelSecurity #LocalPrivilegeEscalation #mmap #pipe_buffer #PrivilegeEscalation #QAIC #Qualcomm #UseAfterFree

A BadUSB-ETH device can silently create a rogue network interface on locked PCs, capture NetNTLM hashes, expose real-time logs over Wi-Fi, and enable remote access, showing why USB whitelisting and strict physical security controls matter. core-jmp.org/2026/06/social… #Hardware #NetNTLM #ntlmrelay #Pizero #wifi

keyboard_arrow_left Previous keyboard_arrow_right Next

Leaker — Passive Credential Leak Discovery Across Multiple Breach Sources 💀💥 When investigating exposed credentials, checking one breach database is rarely enough. Leaker aggregates results from 12 different leak intelligence sources into a single tool, helping researchers uncover leaked emails, usernames, domains, phone numbers, and credentials faster. 🔍 Search by email, username, domain, keyword, or phone number ⚡ Aggregates data from IntelligenceX, DeHashed, Snusbase, LeakCheck, Hudson Rock, ProxyNova, and more 🧹 Built-in deduplication removes duplicate results across sources 📊 JSONL output for automation, pipelines, and OSINT workflows 🌐 Proxy support, rate limiting, credential verification, and local SQLite caching included A useful addition for OSINT analysts, threat intelligence teams, and bug bounty hunters performing breach exposure investigations. 🔗 github.com/vflame6/leaker #OSINT #ThreatIntelligence #CyberSecurity #ThreatHunting #BugBounty #OpenSource #InfoSec

Walk-through of Xyrem's reversing.info analysis of Valorant’s Vanguard Guarded Regions: how Vanguard hides game state behind a private "shadow" PML4 entry that’s only swapped in when one of its own whitelisted threads is on the CPU, the SwapContext hook that drives the swap, and how a cheat can rebuild the same primitive with its own kernel driver to expose hidden game memory after thread whitelisting. core-jmp.org/2026/06/revers… #AntiCheat #AntiCheatArchitecture #CheatDevelopment #CR3 #GuardedRegions #KernelAntiCheat #KernelDriver #KernelDriverReverseEngineering #KernelExploitation #Paging #PML4 #ReverseEngineering #RiotVanguard #ShadowMemory #SwapContextHook #Valorant #WinDBG #WindowsKernel #WindowsReverseEngineering

keyboard_arrow_left Previous keyboard_arrow_right Next

Walk-through of Jack Halon's "Utilizing Syscalls in C# — Part 2" post: building a direct-syscall NtCreateFile PoC in C# .NET 3.5, extracting the syscall stub from ntdll in WinDbg, mapping it as executable memory with VirtualProtect, invoking it through a P/Invoke delegate, and verifying via Process Monitor that the call goes straight to the kernel without touching ntdll's NtCreateFile prologue. core-jmp.org/2026/06/red-te… #NET #C# #DefenseEvasion #DirectSyscalls #EDR #EDRBypass #EDREvasion #NativeAPI #NtCreateFile #PInvoke #ProcessInjection #RedTeaming #SharpSploit #Syscalls #SysWhispers #WinDBG

keyboard_arrow_left Previous keyboard_arrow_right Next

Yeah, so pretty much this guy is releasing an exploit in solidarity with Nightmare Eclipse guy. He said he notified GitHub about the exploit 60 minutes before releasing this paper. I don't do web stuff, and I'm not a VSCode nerd, so I'm confused by the underlying technologies. If you're a stinky GitHub and VSCode nerd maybe you'll understand. tl;dr click github dev, github dev opens editor, in github dev editor have javascript, javascript does shortcuts automatically. github treats javascript shortcuts as real human input, or something. use javascript shortcut stuff to automatically install vscode extension. the vscode extension steals your data tl;dr tl;dr user clicks 1 link, 1 click steals all data from your github blog.ammaraskar.com/github-token-s…

Bring Your Own RWX Region DLL (BYORWXDLL) New Medium post, today we are exploring a technique I call Bring Your Own RWX Region DLL, inspired by the well-known BYOVD (Bring Your Own Vulnerable Driver) medium.com/@s12deff/bring…

Huntress reveals an unpatched Windows search: URI handler flaw that can leak Net-NTLMv2 hashes with a single link click. The bug mirrors a patched Snipping Tool CVE, but remains without CVE, fix, or clear servicing path. core-jmp.org/2026/06/one-cl… #CredentialTheft #CVE #EndpointSecurity #MSRC #NetNTLMv2 #NTLMCoercion #NTLMRelay #Phishing #SMB #ThreatResearch #UnpatchedVulnerability #URIHandler #WindowsSearch #Windowssecurity

keyboard_arrow_left Previous keyboard_arrow_right Next

A practical, layer-by-layer walkthrough of modern Windows defense evasion for red team operators: the architecture of Microsoft Defender, three generations of AMSI bypass (classic patching, hardware breakpoints, AMSI Write Raid), ETW silencing, AppLocker bypass with built-in LOLBins, and how to stitch them into a working kill chain — plus what blue teams can still detect. core-jmp.org/2026/06/bypass… #AMSI #AMSIBypass #AMSIWriteRaid #AMSIScanBuffer #AppLocker #DefenseEvasion #EDREvasion #ETW #ETWBypass #ETWThreatIntelligence #HardwareBreakpoints #LOLBins #MITREATT&CK #PowerShell #ProcessInjection #RedTeaming #ReflectiveDLLInjection #SleepObfuscation #WindowsDefender

keyboard_arrow_left Previous keyboard_arrow_right Next

A walk-through of zolutal’s revival of the 2017 Project Zero “native_write_cr4” trick on a modern Linux kernel with CR Pinning enabled. The post identifies a tiny window between the CR4 write and the fixup, uses KProbes to land inside it via a control-flow hijack, and chains two arbitrary-call primitives to register a probe and trigger it — ending in user-mode-style shellcode running in ring 0. core-jmp.org/2026/06/two-sh… #ControlFlowHijacking #CRPinning #KASLR #KernelExploit #KernelExploitation #KernelROP #KernelShellcode #KProbes #LinuxKernel #LinuxKernelExploitation #LocalPrivilegeEscalation #PrivilegeEscalation #ROP #shellcode #SMAP #SMEP #x8664

keyboard_arrow_left Previous keyboard_arrow_right Next

A walk-through of NVISO Labs’ first Kernel Karnage post: writing a small Windows kernel driver, locating the undocumented PspCreateProcessNotifyRoutine callback array through disassembly, and patching the EDR’s registered callback out of it. Covers the User/Kernel-space architecture, PatchGuard, kernel-debugger setup, the three-byte opcode bug that caused a BSOD, and a Mimikatz demo with callbacks on and off. core-jmp.org/2026/06/kernel… #callbacks #DefenseEvasion #DriverDevelopment #EDR #EDRBypass #EDREvasion #kernel #kernelCallbacks #kernelDebugging #kernelDriver #Mimikatz #PatchGuard #ProcessCreationCallbacks #RedTeaming #SSDT #WinDBG #WindowsKernel

Bypassing Windows Defender and AMSI: A Practical Guide to Defense Evasion for Red Teams codeby.net/threads/obkhod…

Bypassing Linux kernel CR pinning to execute shellcode by placing a KProbe in the native_write_cr4 instruction gap. blog.zolutal.io/two-shot-kerne… #Linux

Sysprep.exe UAC Bypass via AppID Hijack New Medium post, today we will see another UAC bypass technique through Sysprep.exe approaching the AppID Hijack technique! medium.com/@s12deff/syspr…