I wanted to address the speculation about the recently introduced Device Bound Session Credentials (DBSC) security feature in Google Chrome.
Does it help increase the security of session cookies against infostealer malware and MFA phishing?
The feature has been available and enabled by default since the Chrome 146 update (April 2026), if you're running Windows with a hardware-backed TPM security module (macOS support is coming in future updates).
DBSC allows the browser to upgrade session cookies from long-lived to short-lived, requiring the browser to refresh them approximately every 10 minutes to maintain access to the user's account.
> Does DBSC prevent account takeover by threat actors using a stolen session cookie obtained from the user's browser via infostealer malware?
Yes (kind of). The extracted session cookie will be valid for up to 10 minutes from the time it is extracted. The attacker will be unable to maintain long-term access to the user's account. Still, the timeframe may be sufficient, for example, to exfiltrate the inbox if the attack is automated. The attacker cannot refresh the short-lived session cookie because it requires the private key (stored in the TPM) assigned to the account to sign the challenge. The malware cannot access the private keys stored in the TPM.
> Does DBSC prevent account takeover by threat actors during a phishing attack?
No. Servers need to provide legacy support for the browsers that do not yet support DBSC. By default, the server registers and sends a long-lived session cookie to the browser. If the server supports DBSC, it will announce the DBSC API endpoint URL in the `Secure-Session-Registration` HTTP header of the response packet that contains the long-lived session cookies.
Only after the short-lived session cookie is registered via the DBSC API endpoint is the long-lived session cookie invalidated.
When the attacker removes the `Secure-Session-Registration` HTTP header retrieved from the server during a phishing attack, the browser will continue using long-lived session cookies and assume the server does not support DBSC. In short, removing that HTTP header while proxying traffic during a phishing attack allows the attacker to maintain long-term access to the user's account using the stolen long-lived session cookie.
I hope I've managed to clear up some confusion.
On a related note, you will soon be able to simulate phishing attacks against Google Workspace accounts (and other websites) that bypass DBSC and MFA protections using Evilginx Pro with the Phishlets 2.0 update.
Google Chrome is rolling out device-bound session credentials to all users. Session cookies get cryptographically tied to your device, so stolen cookies can't be replayed from a different machine. Attackers who exfiltrate your cookie database get nothing usable.
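A server-side check for the downgrade described in the DBSC post above, as an added example that is not part of the original posts: it flags sessions where the server announced `Secure-Session-Registration` to a Chrome 146+ Windows client, registration never completed, and the long-lived cookie kept being used. The record schema, field names and grace period are hypothetical, and the sample sessions are constructed.

```python
import re
from datetime import datetime, timedelta

MIN_CHROME = 146                # DBSC on by default from this version, per the post
GRACE = timedelta(minutes=10)   # assumption: one refresh interval as the grace period

def dbsc_capable(user_agent):
    """Chrome >= 146 on Windows. TPM presence is not visible to the server."""
    m = re.search(r"Chrome/(\d+)\.", user_agent)
    if not m or "Windows NT" not in user_agent:
        return False
    if re.search(r"\b(Edg|OPR)/", user_agent):  # other Chromium browsers: not covered by the post
        return False
    return int(m.group(1)) >= MIN_CHROME

def flag_unregistered(sessions, grace=GRACE):
    """Ids of sessions offered DBSC that never registered yet kept using the long-lived cookie."""
    flagged = []
    for s in sessions:
        if s["announced_at"] is None or s["registered_at"] is not None:
            continue  # DBSC never offered, or the upgrade completed
        if not dbsc_capable(s["user_agent"]):
            continue  # legacy client: a long-lived cookie is expected
        if s["last_long_lived_use"] - s["announced_at"] > grace:
            flagged.append(s["id"])
    return flagged

# Constructed sample records (hypothetical schema, not from any real server log)
T0 = datetime(2026, 5, 1, 9, 0)
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/{}.0.0.0 Safari/537.36")
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0"

def rec(sid, ua, registered_after, last_use_after):
    reg = None if registered_after is None else T0 + timedelta(minutes=registered_after)
    return {"id": sid, "user_agent": ua, "announced_at": T0, "registered_at": reg,
            "last_long_lived_use": T0 + timedelta(minutes=last_use_after)}

SESSIONS = [
    rec("s1", CHROME.format(146), 1, 1),        # registered normally
    rec("s2", CHROME.format(146), None, 45),    # offered, never registered, cookie still in use
    rec("s3", FIREFOX, None, 45),               # legacy browser
    rec("s4", CHROME.format(146), None, 3),     # still inside the grace period
    rec("s5", CHROME.format(145), None, 45),    # Chrome before 146
]

if __name__ == "__main__":
    print(flag_unregistered(SESSIONS))
```

A flagged session is a signal to review rather than proof of a proxy: a Windows machine without a TPM produces the same pattern.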
Thousands of GTA V Players Have Been Exposed After Cheat Service Has Been Hacked
A GTA V cheat service called Atlas Menu has reportedly been hacked, exposing data linked to around 64,000 user accounts.
The person behind the breach claims they gained full access to Atlas Menu’s systems and leaked the database online. This means user information tied to the service could now be in the hands of others.
📅3 New Courses Coming to GH in 2026:
🥇Anticheat Development Course
🥈Devirtualization Course
🥉Rust Game Hacking Course
Sneak Peek: LLVM IR Fundamentals | DEVIRT 102C
🏆 Steam Overlay Hook
🎮 Drop Overlay.dll into IDA Pro
🔍 Search For DirectX Strings
🕵️ Find SwapChain::Present vTable
💉 Inject our DLL & swap the pointer
🔗youtu.be/z7zUMieOO98
🕵️ Hooking BaseThreadInitThunk
Monitoring the Windows thread initialization process can expose hidden DLL injections. Learn to hook BaseThreadInitThunk to audit the entry points of new concurrent code blocks before they have a chance to execute.
👉 youtu.be/KzD_nc5B_8w
My macOS anti-cheat is coming together. With the APIs of a Security Extension, I have a stable way (no kernel extension) to monitor cheating TTPs and report them securely to a backend. I built it game-agnostic, so it works everywhere. Finally a solid anti-cheat for macOS :D
Wrote a blog post about how you can use the Windows Server 2003 source code as a red teamer to make your tools look less like tools.
I also go over and map out the main/important files and practical examples of using it to augment MS-*/RFC specs: abdulmhsblog.com/posts/useingth…
Does Vanguard physically damage hardware?
No.
Does this impact hardware or software in any way unrelated to Riot’s games?
No. The IOMMU security protection does not impact hardware, and would only impact the ability of players using DMA cheat devices to play our games.
Are normal players affected?
Players not using DMA cheat hardware are unaffected.
Why target DMA cheats?
DMA-based cheats are among the most sophisticated forms of cheating because they attempt to bypass traditional software detection by accessing memory directly through external hardware.
I’m affected by this. How do I fix it?
To continue cheating in other titles with this device, you may simply disable IOMMU in BIOS in the same place that you enabled it. Of course, you still won’t be able to play our games with these cheat devices enabled.
Why did Riot joke about “bricking” PCs?
We didn’t. The “paperweight” comment was about VALORANT cheat devices that no longer work in VALORANT. No hardware is being damaged and no other functionalities are impacted.
All the people citing legality have no idea how this works, the sensational bullshitters like Pirat_Nation as well. It’s an IOMMU block, that is it. If you don’t know what that is: Google.
- intel.com/content/dam/de…
- blog.3mdeb.com/2020/2020-07-0…
You’re not going to suddenly have things on your PC stop working. The DMA device will stop working until you remove it. It will operate normally if you put it on a PC that doesn’t have the block. Never seen so many sweats worked up about something they couldn’t even explain with a gun to their head.
Hi
vx-underground is 7 years old, as of 2 days ago. I forgot my own website birthday.
Some of you who found vx-underground as early to mid teenagers are now adults.
Some of you who found vx-underground while attending university are now in the work force.
Some people who follow this account have unfortunately passed away.
Some followers have been arrested. Some followers have already been released from prison.
Some of you (including myself) have had children.
A lot has changed over the past 7 years.
The only thing that hasn't really changed is the website: free malware source code, samples, and papers, forever.
Thank you for letting me serve the community. It has been a pleasure. I look forward to serving all of you for another ... unknown duration of time, probably a long time, I don't know. I'm not sure how long I'll do this, but I'm already 7 years deep.
🛠️ Object Callback Hooking to Bypass Kernel Anticheat
This tutorial teaches how anti-cheats use ObRegisterCallbacks to deny handle requests and how to intercept them, modify them and bypass the protection.
👉 guidedhacking.com/threads/be-han…
Everyone losing their minds over the Visual Studio Code payload hitting GitHub. The research was published on @MDSecLabs site in 2023! Red Teams have used this on assessments for ages!! Microsoft knows all of this and didn't bother to fix it!!! IT'S BEEN IN INITIAL-ACCESS FRAMEWORKS FOR YEARS!!!! mdsec.co.uk/2023/08/levera…
If you’re not up to speed with the risks of malicious vscode extensions, just a reminder, we blogged about this 3 years ago - mdsec.co.uk/2023/08/levera… @MDSecLabs
We’re happy to announce that our EDR Internals & Development training is now in its final stages of development.
Over the past several months, an enormous amount of work has gone into building this highly technical & detailed training. The course covers the internals of modern EDR from both user-mode and kernel-mode perspectives, including techniques like syscall hooking, filesystem minifilters, ETW telemetry, memory scanning, kernel callbacks, process instrumentation callbacks, call stack tracing, and anti-tampering mechanisms.
The course concludes with building a limited yet functional custom EDR agent and we test it against several malware techniques to gain practical experience with detection engineering and EDR internals.
This huge undertaking would not have been possible without @GigelV41464 who dedicated countless hours to analyzing different EDR products, building custom implementations, analyzing internal mechanisms, and documenting the techniques with excellent depth and clarity.
The official launch date is scheduled for June 15, 2026 but starting today, we're opening access to an early bird discount of 20% for a limited time.
EDR Internals & Development: maldevacademy.com/edr-course