Last Week in Security (LWiS) - 2025-02-17
PAN-OS auth bypass (@hash_kitten), Outlook drafts as C2 (@elasticseclabs), Ludus powered SocGholish analysis (@RussianPanda9xx), kernel UAF (@h0mbre_), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-02-10 to 2025-02-17.
News
- DOGE’s .gov site lampooned as coders quickly realize it can be edited by anyone - "So far, it's clear that DOGE has gained access to data systems at the Centers for Medicare and Medicaid Services, the US Agency for International Development, the Department of Veterans Affairs, the Department of Education, and the US Treasury. And most recently, DOGE got software approval to potentially transfer 'vast amounts of data' out of the Department of Labor’s systems." What a time to be a foreign cyber actor. Perhaps DOGE doesn't know that USA Spending already exists and even has an API and full database downloads? Archive.org has captures of the defacement (may take a few seconds to load): Example 1, Example 2.
- Detect shadow AI hidden in the apps you build or use Sponsored - NowSecure offers a comprehensive suite of automated mobile app security and privacy testing solutions, penetration testing, and training services to reduce risk. Trusted by many of the world’s most demanding organizations, NowSecure protects millions of app users across banking, insurance, high tech, retail, healthcare and government. Talk to a specialist to understand your AI risks.
Techniques and Write-ups
- Modding the Gulf of Mexico Back - Regardless of your feelings on the name of a body of water, this video has some great client-side web hacking.
- [PDF] SysBumps: Exploiting Speculative Execution in System Calls for Breaking KASLR in macOS for Apple Silicon - Speculative execution comes for Apple Silicon. Patched in macOS 15.2. PoC: SysBumps.
- Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108) - The complexity of nginx reverse proxying to an Apache server, which then internally redirects to itself, combined with a simple authentication on/off header that is fully trusted, leads to an authentication bypass via path confusion: the front end makes its auth decision on one view of the path, the back end routes on another. While each individual part of the chain is "secure" in isolation, the way they are combined leads to a critical vulnerability.
- Don’t Ghost the SocGholish: GhostWeaver Backdoor - Fake update popups deliver formstealer malware. Ludus was used in the analysis. Curious how Ludus Enterprise can help your analysts? Get in touch!
- You've Got Malware: FINALDRAFT Hides in Your Drafts - A solid malware tear down, with the interesting feature being C2 via email drafts in Outlook online over the Microsoft Graph API, authenticated with an embedded token (not the compromised user's account). "3rd party C2" is heating up as network defenders get better.
- Leaking the email of any YouTube user for $10,000 - Some very creative hacking here. Setting the recording title to 2.5 million characters so the notification never got sent was great.
- Patch-Gapping the Google Container-Optimized OS for $0 - Detailed use-after-free exploit in the Linux kernel with a proof of concept. I believe this is CVE-2025-21700.
- The Key to COMpromise - Downloading a SYSTEM shell, Part 3 - More COM hacking, this time against Webroot Endpoint Protect and Checkpoint Harmony to gain SYSTEM privileges.
- First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200) - Looks like some older protocols allowed for the simple (?) bypass of USB restricted mode on iOS < 18.3.1? Does the user have to have "Switch Control" enabled for this to work? The Apple announcement makes it sound like that is not the case.
- 2025 IT Risk and Compliance Benchmark Report release Sponsored - Hyperproof, a trusted platform for operationalizing compliance and risk management, has released its 6th annual IT Risk and Compliance Benchmark Report. Based on insights from 1,000 IT and GRC professionals, the in-depth report contains insights on trends shaping the GRC space in 2025. See the report.
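To make the PAN-OS path-confusion pattern concrete, here is an added example that is not code from the write-up, from Palo Alto, or from the original post. It is a deliberately simplified Python model of the class of bug: a front proxy decides whether a request needs authentication by prefix-matching the raw request path and passes that decision to the back end in a header, while the back end percent-decodes and normalises the path before routing. The header name (`X-Auth-Check`), the `/public/` prefix, the `/admin/api` route, and the traversal payload are all assumptions for illustration, not PAN-OS identifiers or the actual exploit; real proxies differ in exactly what they decode before matching.

```python
"""Simplified model of proxy/backend path confusion with a trusted auth header.

Added illustration, not code from the CVE-2025-0108 write-up. Every name
below (header, prefixes, routes, payload) is an assumption for the demo.
"""
import posixpath
from urllib.parse import unquote

PUBLIC_PREFIX = "/public/"  # assumed: paths the proxy serves without a session


def proxy_decide(raw_path: str) -> dict:
    """Front proxy (nginx-like): matches the *raw* request path against an
    unauthenticated prefix and tells the back end, via a header, whether
    to enforce authentication. It never sees the decoded path."""
    needs_auth = not raw_path.startswith(PUBLIC_PREFIX)
    return {"path": raw_path, "X-Auth-Check": "on" if needs_auth else "off"}


def backend_canonical_path(raw_path: str) -> str:
    """Back end (Apache-like): percent-decodes and collapses dot segments
    before routing, so it can end up routing a different path than the
    one the proxy matched on."""
    return posixpath.normpath(unquote(raw_path))


def route(path: str) -> str:
    """Assumed application routes."""
    if path == "/admin/api":
        return "200 admin"
    if path.startswith(PUBLIC_PREFIX):
        return "200 public"
    return "404 not found"


def backend_vulnerable(request: dict, session_valid: bool) -> str:
    """Vulnerable pattern: the header from the proxy is the only auth gate,
    even though the back end routes on its own canonical path."""
    path = backend_canonical_path(request["path"])
    if request["X-Auth-Check"] == "on" and not session_valid:
        return "401 unauthorized"
    return route(path)


def backend_fixed(request: dict, session_valid: bool) -> str:
    """Hardened pattern: the back end re-derives the auth decision from the
    same canonical path it routes on. The proxy's header is ignored."""
    path = backend_canonical_path(request["path"])
    needs_auth = not path.startswith(PUBLIC_PREFIX)
    if needs_auth and not session_valid:
        return "401 unauthorized"
    return route(path)


def demo() -> dict:
    """Constructed request: raw path starts with the public prefix, but the
    encoded slashes and dot segments decode to the admin route."""
    payload = "/public/..%2F..%2Fadmin/api"
    req = proxy_decide(payload)
    return {
        "proxy_header": req["X-Auth-Check"],
        "backend_path": backend_canonical_path(payload),
        "vulnerable": backend_vulnerable(req, session_valid=False),
        "fixed": backend_fixed(req, session_valid=False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

The check worth taking away is in `backend_fixed`: whichever component makes the authorisation decision has to make it on the exact path it will route, not on a header or a prefix match computed from a different normalisation of the same request. Stripping client-supplied copies of the header at the proxy is necessary but not sufficient, because here the attacker never forges the header at all; the proxy sets it honestly on a path it misreads.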
Tools and Exploits
- ChgPass - A standalone Windows executable that changes the password of user or computer accounts in Active Directory (AD) over the MS-SAMR protocol. Useful when you already hold the necessary rights on the target objects and just need a simple command-line way to set passwords. More info: Changing Windows Passwords in the Most Complex Way.
- captaincredz - CaptainCredz is a modular and discreet password-spraying tool.
- ARM64_AmsiPatch - With the rise of ARM64 as an emerging architecture for Windows on ARM devices, there is an increasing need to understand and adapt low-level techniques traditionally used on x86_64 systems to this new platform. This repository demonstrates how AMSI (Antimalware Scan Interface) patching can be translated to ARM64, showcasing the fundamental differences and similarities in opcode manipulation between x86_64 and ARM64 architectures.
- WebcamBOF - Webcam capture capability for Cobalt Strike as a BOF, with in-memory download options.
- susinternals - A Python implementation of PsExec's native service-based execution mechanism.
- wpprobe - A fast WordPress plugin enumeration tool.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- PowerCrypt - The best powershell obfuscator ever made.
- Stifle - .NET Post-Exploitation Utility for Abusing Explicit Certificate Mappings in ADCS.
- ashirt-server - Adversary Simulators High-Fidelity Intelligence and Reporting Toolkit.
- ashirt - It records your screenshots and code, then lets you upload to ASHIRT.
- aterm - It records your terminal, then lets you upload to ASHIRT.
- Playable3DMaze - A playable version of Microsoft's old 3DMaze screensaver from Windows 9x.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.