Last Week in Security (LWiS) - 2025-11-18
Cloudflare takes down the internet, IDA Pro gets a TUI, Rust in Android, AI-orchestrated cyber espionage, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-11-10 to 2025-11-18.
Last Week in Security will be off next week.
News
- Preparing for what’s next: Windows security and resiliency innovations help organizations mitigate risks, recover faster and prepare for the era of AI - A real word salad of a title, but it has some interesting content, like "Sysmon functionality will soon be available in Windows."
- Cloudflare outage on November 18, 2025 - Pretty wild when your outage report contains the phrase, "I would like to apologize for the pain we caused the Internet today." Kudos to Cloudflare for timely and transparent reporting.
- Rust in Android: move fast and fix things - Google is writing more Rust than C/C++ in Android as of this year, and the number of memory safety bugs is decreasing rapidly because of it. Exploitation is going to look very different in just a few years. But don't worry if you're an exploit developer/researcher, just read about the FortiWeb vulnerability below.
- [PDF] Disrupting the first reported AI-orchestrated cyber espionage campaign - This feels more like marketing than an actual threat intel report: no indicators of compromise, and very light on technical details. Now consider how many campaigns are using models that are either designed for cyber espionage, or whose providers are not going to report on Chinese use of them for cyber espionage.
- Google will let Android power users bypass upcoming sideloading restrictions - Was this the plan all along? Announce an unpopular change, then walk it back to the change you wanted in the first place, but now it's seen as a win vs the worse version you initially announced.
Techniques and Write-ups
- When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446) - A path traversal and an authentication bypass in a security appliance? Standard fare sadly.
- "Astral-tokio-tar" / "uv" Arbitrary Write Path Traversal Vulnerability - Not your typical path traversal vulnerability. Some creative use of symlinks to write to arbitrary files.
- Drawbot: Let’s Hack Something Cute! - A good order-from-amazon to hacked journey.
- No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE - More solid Internet-of-Things hacking.
- SupaPwn: Hacking Our Way into Lovable's Office and Helping Secure Supabase - A nice foil to the Anthropic PDF. Here is a model/tool with some very talented hackers doing some legitimate hacking.
- Understanding Cloud Persistence: How Attackers Maintain Access Using Google Cloud Functions - The major cloud providers have so many different services there are lots of ways to maintain access. This one is using Google Cloud Functions to recreate a backdoor account every time it's deleted.
- MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper - A rare post on macOS initial access.
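The uv/astral-tokio-tar item above is a reminder that checking each member name for `..` is not enough: an archive can first drop a symlink that points outside the destination and then write a regular file *through* that link. The following pre-extraction audit is an added example (not code from the uv or tokio-tar projects) that tracks symlinks as it walks the archive and resolves each member the way the filesystem would at extraction time. The sample archive is constructed in memory; the `pkg/cfg` link name and `../../etc` target are made-up illustration values.

```python
import io
import posixpath
import tarfile


def naive_check(name):
    """The common-but-insufficient check: reject absolute names and '..'
    components, but never look at symlinks created earlier in the archive."""
    return not name.startswith('/') and '..' not in name.split('/')


def _resolve(path, links, depth=0):
    """Walk `path` component by component, expanding any prefix that is a
    symlink recorded in `links` (archive-relative link path -> link target),
    the way the filesystem would at extraction time. Returns the resolved
    archive-relative path, or None when it resolves to an absolute path."""
    if depth > 40:
        raise ValueError(f"symlink loop while resolving {path!r}")
    if path.startswith('/'):
        return None
    resolved = []
    parts = [p for p in path.split('/') if p and p != '.']
    for i, comp in enumerate(parts):
        if comp == '..':
            if resolved and resolved[-1] != '..':
                resolved.pop()
            else:
                resolved.append('..')  # climbed above the destination
            continue
        key = '/'.join(resolved + [comp])
        if key in links:
            # Splice the link target in place of the prefix and re-walk, so a
            # '..' inside the target is applied to the link's real parent.
            rest = '/'.join([links[key]] + parts[i + 1:])
            if not rest.startswith('/'):
                rest = '/'.join(resolved + [rest])
            return _resolve(rest, links, depth + 1)
        resolved.append(comp)
    return '/'.join(resolved)


def _escapes(path, links):
    """True if `path` would land outside the extraction directory."""
    try:
        r = _resolve(path, links)
    except ValueError:
        return True  # a symlink loop is never something we want to extract
    return r is None or r == '..' or r.startswith('../')


def audit_tar(data):
    """Classify every member of a tar archive (bytes) before extracting it.
    Verdicts: 'ok', 'escapes' (would be written outside the destination) or
    'symlink-outside' (a link whose target lies outside the destination)."""
    links = {}
    report = []
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:*') as tar:
        for m in tar:
            clean = '/'.join(p for p in m.name.split('/') if p and p != '.')
            if _escapes(clean, links):
                report.append((m.name, 'escapes'))
                continue
            if m.issym():
                target = m.linkname
                if not target.startswith('/'):
                    target = posixpath.join(posixpath.dirname(clean), target)
                bad = _escapes(target, links)
                links[clean] = m.linkname  # later members may pass through it
                report.append((m.name, 'symlink-outside' if bad else 'ok'))
                continue
            report.append((m.name, 'ok'))
    return report


def build_sample_archive():
    """Constructed sample: a benign file, a symlink escaping the destination,
    then a regular file whose path goes through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        def add(name, data=b'', typ=tarfile.REGTYPE, linkname=''):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = typ, linkname, len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add('pkg/README', b'hello')
        add('pkg/cfg', typ=tarfile.SYMTYPE, linkname='../../etc')
        add('pkg/cfg/evil.conf', b'owned')
    return buf.getvalue()


if __name__ == '__main__':
    for name, verdict in audit_tar(build_sample_archive()):
        print(f"{verdict:16} {name}  (naive check says ok={naive_check(name)})")
```

Running it shows that `naive_check` accepts `pkg/cfg/evil.conf` while `audit_tar` flags it as `escapes`. On Python 3.12 and later, `TarFile.extractall(filter='data')` performs an equivalent rejection of links pointing outside the destination; the audit above is useful when you must support older interpreters or want a report before any file is written.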
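For the Google Cloud Functions persistence item, the detection angle is a correlation over IAM audit logs: a service account that was deleted and then re-created shortly afterwards by a non-human principal. The script below is an added example, not code from the linked write-up. The entries are constructed and simplified Cloud Audit Log records (only the fields the check needs); the project id, principals, the App Engine default service account as the function's identity, and the email form of `resourceName` on delete events are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample entries. Real entries carry many more fields; these keep
# just methodName, the acting principal, resourceName and the create request.
SAMPLE_EVENTS = [
    {"timestamp": "2025-11-12T10:00:00Z",
     "protoPayload": {
         "methodName": "google.iam.admin.v1.DeleteServiceAccount",
         "authenticationInfo": {"principalEmail": "admin@example.com"},
         "resourceName": "projects/-/serviceAccounts/backup-sync@demo-proj.iam.gserviceaccount.com"}},
    {"timestamp": "2025-11-12T10:02:30Z",  # minutes later, by a function identity
     "protoPayload": {
         "methodName": "google.iam.admin.v1.CreateServiceAccount",
         "authenticationInfo": {"principalEmail": "demo-proj@appspot.gserviceaccount.com"},
         "resourceName": "projects/demo-proj",
         "request": {"account_id": "backup-sync"}}},
    {"timestamp": "2025-11-12T11:00:00Z",  # ordinary human-driven creation
     "protoPayload": {
         "methodName": "google.iam.admin.v1.CreateServiceAccount",
         "authenticationInfo": {"principalEmail": "admin@example.com"},
         "resourceName": "projects/demo-proj",
         "request": {"account_id": "ci-runner"}}},
]


def _ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace('Z', '+00:00'))


def find_recreated_accounts(events, window=timedelta(hours=24)):
    """Return findings for service accounts re-created within `window` of
    their deletion. A creation by a service-account principal (i.e. by
    automation rather than a person) is rated high."""
    deleted = {}   # account email -> (deletion time, who deleted it)
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["timestamp"])):
        pp = ev["protoPayload"]
        method = pp["methodName"].rsplit('.', 1)[-1]
        actor = pp["authenticationInfo"]["principalEmail"]
        when = _ts(ev["timestamp"])
        if method == "DeleteServiceAccount":
            # Assumption: resourceName ends in the account email, not its numeric id.
            email = pp["resourceName"].rsplit('/', 1)[-1]
            deleted[email] = (when, actor)
        elif method == "CreateServiceAccount":
            project = pp["resourceName"].split('/')[1]
            email = f'{pp["request"]["account_id"]}@{project}.iam.gserviceaccount.com'
            prior = deleted.get(email)
            if prior is None or when - prior[0] > window:
                continue
            automated = actor.endswith("gserviceaccount.com")
            findings.append({
                "account": email,
                "deleted_at": prior[0].isoformat(),
                "deleted_by": prior[1],
                "recreated_at": when.isoformat(),
                "recreated_by": actor,
                "severity": "high" if automated else "medium",
            })
    return findings


if __name__ == '__main__':
    for f in find_recreated_accounts(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} re-created by {f['recreated_by']} "
              f"{f['recreated_at']} after deletion by {f['deleted_by']} {f['deleted_at']}")
```

A high-severity hit points you at the principal that did the re-creation; from there the question is which Cloud Function (or other workload) runs as that identity and what trigger fires it, which is where the cleanup has to happen rather than at the account itself.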
Tools and Exploits
- Introducing HCLI: The Modern Command-Line Interface for IDA - IDA Pro gets a new terminal interface. Feels like the first step towards AI-assisted IDA Pro.
- SAMDump - Extract SAM and SYSTEM using the Volume Shadow Copy (VSS) API, with multiple exfiltration options and XOR obfuscation. For details see SAMDump - Stealthy SAM Dumping Using VSS and NTAPIs.
- heisenberg-ssc-health-check - Analyzes software dependencies across GitHub repositories to identify security vulnerabilities and health risks in your supply chain.
- Ryujin - Ryūjin Protector is an Intel-architecture, binary-to-binary (BIN2BIN) PE obfuscation/protection/DRM tool.
- Regstoration - A Rust proof of concept to demonstrate registry overwriting via RegRestoreKey using the Offline Registry Library. For more information see: Rehabilitating Registry Tradecraft with RegRestoreKey.
- RegPersist - A BOF (Beacon Object File) implementation of various registry persistence methods.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- itoa - Converts an image to ASCII art.
- MAD-CAT - MAD-CAT (Meow Attack Data Corruption Automation Tool) is a security tool designed to simulate data corruption attacks against multiple database systems. It supports both single-target attacks and bulk CSV-based attack campaigns, in both credentialed and non-credentialed scenarios.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.