eleven red pandas @bytecodevm

Mohamed Alzhrani's LACUNA Chain combines BYOUD-Gap, the ETW-Ti APC window, win32u's 1,242 NOP gaps, ntdll/kernelbase ghost functions, BYOUD-MF machine-frame RSP teleport, BYOUD-RT runtime calibration and hardware-breakpoint parameter encryption into a six-layer call chain that bypasses every EDR call-stack-based detection layer — verified against Bitdefender and Kaspersky in lab. core-jmp.org/2026/06/lacuna… #pdata #Bitdefender #BYOUD #CallStackSpoofing #CETBypass #EDRBypass #EDREvasion #ETW #ETWThreatIntelligence #Ghidra #GhostFrames #HookChain #Kaspersky #KernelCallbacks #LACUNAChain #NTDLL #RedTeamTechniques #RtlVirtualUnwind #ShadowStack #Syscalls #Sysmon #UnwindMetadata #VEH #Windows11 #WindowsInternals #WindowsKernel

Hello guys، Do you want to Bypass all production EDR ? Read my new research to enjoy in kicking EDRs defenses. 0xmaz.me/posts/LACUNA-C… The proof-of-concept implementation is available at github.com/MazX0p/LACUNA-… #Maldev

Analysis of a Chrome V8 Maglev Phi untagging vulnerability (CVE-2026-4447) kqx.io/post/cve-2026-… Credits @kqx_io #infosec

Excellent high level walkthrough of how LLMs work (@0xkato) 0xkato.xyz/how-llms-actua… #infosec

keyboard_arrow_left Previous keyboard_arrow_right Next

Been exploring WebKit/JSC exploitation and wrote up a step-by-step walkthrough - from a caged OOB bug to cage-free arbitrary R/W with diagrams + a lab you can build. varik.dev/blog/jsc/jsc-e… #WebKit #JavaScriptCore #BrowserExploitation #exploitdev #pwn

A deep technical walkthrough of how Windows on ARM (WoA) discovers, initializes and dispatches interrupts through the Generic Interrupt Controller (GIC) — from MADT/ACPI parsing and per-CPU KINTERRUPT setup, through VBAR_EL1 / ICC_IAR1_EL1 dispatch, all the way to Hyper-V virtual interrupts, the synthetic interrupt controller, VMBus, and VTL 1 Secure Kernel intercepts. Original text by Connor McGarr, reproduced with attribution. core-jmp.org/2026/06/window… #ARMVirtualization #ARM64 #GenericInterruptController #HyperV #Interrupts #KernelDebugging #KernelInternals #LowLevelWindows #MicrosoftWindowsInternals #SecureKernel #VMBus #VTL #WinDBG #WindowsArchitecture #WindowsDebugging #WindowsInternals #WindowsKernel #WindowsonARM #WindowsReverseEngineering

Andy Gill's ZephrSec write-up of an autonomous vulnerability hunting system built around Claude Code and the Model Context Protocol: 8 MCP servers, 300+ tools, a 5-VM Proxmox hunt range, a four-gate hallucination bin, a FAISS-backed RAG knowledge loop, and a bounty-intelligence ROI scorer. Already produced two assigned Go standard-library CVEs (CVE-2026-33809 in x/image/tiff, CVE-2026-33812 in x/image/font/sfnt), a four-stage OEM update-service chain ending in SYSTEM code execution on Windows 11 25H2, and two macOS findings, with multiple Windows LPEs/RCEs/UAFs in progress. Faithful walkthrough with all source assets reproduced. core-jmp.org/2026/06/autono… #AutonomousVulnerabilityHunting #BugBounty #ClaudeCode #CVE #CVE202633809 #CVE202633812 #FastMCP #Fuzzing #GoSecurity #golang/x/image #HallucinationBin #LLMSecurity #MCP #Proxmox #RAG #TokenBurn #VulnerabilityResearch #WCF #Windows1125H2 #WindowsLPE

A full-pipeline walkthrough: build a vulnerable Windows console program, take RIP with a strcpy overflow, then use rop_scanner — a new offline ROP/JOP/syscall/pivot gadget hunter built on Zydis — to source the exact gadgets needed for a CFG-aware, bad-byte-clean ROP chain into VirtualProtect. From source code to popping calc, end to end. core-jmp.org/2026/06/rop-sc… #DEPBypass #ExploitDevelopment #gadgets #PEB #PEBWalking #PositionIndependentCode #ROP #ROP(ReturnOrientedProgramming) #ROPChain #ROPgadgets #StackOverflow #windows #windowsExploit #windowsExploitDevelopment #windowsInternals #windowsSecurityResearch

@Salsa12__ Awesome idea — a reusable Windows DLL gadget scanner is genuinely useful for exploit research, crash triage, and mitigation analysis. Would love to see CFG/CET notes too.

Striga: a deliberately small Python lifter that translates x86_64 instructions to LLVM IR using Capstone and a new set of LLVM Python bindings. Walk-through of the State struct, semantic handlers, control-flow BFS, and the brightening pipeline that round-trips a lifted prologue/epilogue back to a one-line function. core-jmp.org/2026/06/striga… #BinaryAnalysis #Capstone #CodeVirtualization #Compiler #Deobfuscation #IntermediateRepresentation #Lifting #LLVM #ReverseEngineering #x86 #x8664

An independent PoC reliably bug-checks Windows 11 25H2 (26100.8655) by spraying malformed batched virtualisation-mapping messages at bindflt.sys, faulting inside BfValidateShortName at +0x23783. Walk-through, full source code, root-cause analysis, and a hardening checklist. core-jmp.org/2026/06/bindfl… #bindflt #BugCheck0x50 #DenialofService #Fuzzing #KernelBug #KernelDriver #KernelVulnerability #MinifilterDriver #PAGE_FAULT_IN_NONPAGED_AREA #windows #windows11 #windows1125H2 #windowsDriverExploitation #windowsInternals #windowsKernel #windowsKernelVulnerability

Decoy accounts in Active Directory look legitimate at the schema level but cannot fake behavioural history. This walkthrough shows how to read lastLogon = 0 over SAMR as a high-confidence honeypot oracle, with a full sam_honeypot_enum.c implementation reproduced from CYPFER. core-jmp.org/2026/06/huntin… #ActiveDirectory #ActiveDirectorySecurity #DefensiveDeception #DomainController #Honeypot #Honeytoken #Kerberos #lastLogon #LDAP #RedTeamTechniques #RedTeaming #SAMR

keyboard_arrow_left Previous keyboard_arrow_right Next

@_RastaMouse need help? i can

Cognitor v1.0.2 is out. Windows patch-diff research got a serious lab upgrade: - new IOCTL extraction without BinExport - generic ioctl_zap reachability harness - noob vs elevated reachability parsing - prepatch/patched driver A/B swap scripts - crash pull → finding seeds - sidecar coverage audits - IOCTL diffing + CTL_CODE decode - attack-surface ranking - full lab dossier JSON + Markdown handoff github.com/kernelstub/Cog…

🫯 New entry added to the #LOLBAS Project: Proxy execution via system-native scp.exe. Takes any remote destination, doesn't actually have to run an SSH server. 👉 lolbas-project.github.io/lolbas/Binarie… Thanks @BinFault

Synacktiv’s open-source DCOMIllusionist takes James Forshaw’s .NET DCOM deserialization primitive — the same one that seeded the “Potato” family — and turns it into a polished, fileless C# lateral-movement tool. With local admin on both sides, it remotely re-configures the registry to expose a .NET CLSID over DCOM, forces an IManagedObject::GetSerializedBuffer round-trip, and deserialises a payload directly into the target process — in-memory DLL load, cross-session command execution, or NTLM relay via an HTTP gadget, no files on disk. core-jmp.org/2026/06/synack… #NETDeserialization #BinaryFormatter #COM/DCOM #CrossSessionExploitation #DCOMIllusionist #DeserializationVulnerability #EDRBypass #FilelessExecution #IManagedObject #JamesForshaw #LateralMovement #MalwareDevelopment #NTLMRelay #OBJREF #PrivilegeEscalation #Synacktiv #ysoserial

A Quarkslab red team exercise stitches insecure LLM output handling, missing cookie flags and a conversation-sharing IDOR into a single-click admin account takeover — a reminder that LLM-integrated apps still die from boring web bugs once you treat the model output as untrusted HTML. core-jmp.org/2026/06/from-p… #CSPBypass #IDOR #InsecureOutputHandling #JWTSecurity #LLMPentesting #LLMSecurity #Pentesting #PromptInjection #Quarkslab #RedTeaming #XSS

keyboard_arrow_left Previous keyboard_arrow_right Next

Eleven months after RarLab shipped WinRAR 7.13 to fix CVE-2025-8088, two Russia-aligned APT clusters (Earth Dahu / Gamaredon and SHADOW-EARTH-066 / UAC-0226) are still building fresh exploit samples for the path-traversal-via-NTFS-ADS bug. The two groups share an initial access vector and nothing else — one ships memory-resident compiled C++ stealers, the other pushes HTA+VBScript through Cloudflare Workers proxies — and both rely on the same structural failure: WinRAR has no auto-update and isn’t covered by enterprise patch management. core-jmp.org/2026/06/cve-20… #CloudflareWorkers #CVE20258088 #EarthDahu #Gamaredon #GIFTEDCROOK #Infostealer #NTFS #NTFSADS #PathTraversal #Phishing #RussianAPT #SpearPhishing #TrendMicro #UAC0226 #Ukraine #WinRAR

Meeting-room cameras and conference-room tablets are some of the least-monitored, most insecurely-configured attack surfaces in an enterprise. Spaceraccoon (Eugene Lim) walks through an unauthenticated RCE in Aver PTC320UV2 cameras (CVE-2026-26461), a command injection in the Crestron TSW-1060 console’s undocumented HDCP2XLOAD handler, a hardcoded Gingco app password leading to local file disclosure, and a weak DES-crypt admin-password scheme cracked in two seconds with Hashcat. core-jmp.org/2026/06/spacer… #AudiovisualHardware #Aver #ClaudeCode #CommandInjection #ConferenceRoomSecurity #Crestron #CVE202626461 #DEFCON #DESCrypt #firmware #firmwareAnalysis #firmwareReverseEngineering #firmwareSecurity #Ghidra #HardcodedCredentials #Hashcat #IoTSecurity #spaceraccoon #TSW1060

keyboard_arrow_left Previous keyboard_arrow_right Next