Last Week in Security (LWiS) - 2025-12-08

SCOM lab (@synzack21), WatchGuard RCE (@_mccaulay), Clickjacking with SVGs (@rebane2001), macOS LPE (@theevilbit), a new private phone company (@nickcalyx + @phreeli), Proxmox tradecraft (@ZephrFish) and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-12-02 to 2025-12-08.

News

  • Sam Altman’s Dirty DRAM Deal - We've seen RAM prices absolutely explode in the past two months, and this is why. There are only three manufacturers of DRAM (Samsung, Micron, and SK Hynix), and with two of them making a deal with OpenAI, Micron was hit with so many orders from everyone else that it's going to completely exit the consumer memory business and only sell to enterprise customers. Bad time to be a consumer. We're moving to a world of centralized computing and thin clients. I'm still rooting for someone to commoditize the petaflop.
  • Architecting Security for Agentic Capabilities in Chrome - The solution for securing "agentic capabilities" (preventing AI mistakes) is to check the first AI with a second AI? It's turtles all the way down!
  • A New Anonymous Phone Carrier Lets You Sign Up With Nothing but a Zip Code - "Nothing but a Zip Code" happens to be a "Zip+4" code, a more precise version that usually narrows down the address to < 20 people. How many of your neighbors are signing up for this new phone service? Phreeli is the service. The ability to use eSIMs (no physical SIM card) means that Phreeli never has to know your real shipping address and you can pay with Monero, but remember that your phone still has a unique ID (IMEI) and has to connect to the T-Mobile cell towers.

Techniques and Write-ups

  • CVE-2025-55182 – React Server Components RCE via Flight Payload Deserialization - This feels similar to Shellshock (the Bash bug you could trigger on CGI sites via headers), but for React (and uses deserialization instead of function export trickery). Vulncheck has a few samples.
  • yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) - McCaulay Hudson lands their first blog post for watchTowr and has gotten the memo on the watchTowr format: snark, memes, and solid technical writeups. These security appliance vulnerabilities always remind me of the chain of firewalls meme.
  • Arista NextGen Firewall XSS to RCE Chain - Another security appliance vulnerability, but this one requires an admin to click a malicious link while logged in to get remote code execution, so less egregious. Still want more enterprise security appliance vulnerabilities? Jon Williams also dropped: Fortinet FortiWeb Authentication Bypass.
  • SVG Filters - Clickjacking 2.0 - Clickjacking as a technique is not talked about much any more (thanks to browser security features like X-Frame-Options and Content Security Policy), but perhaps the nearly Turing-complete nature of SVGs will bring it back!
  • macOS LPE via the .localized directory - This would be tricky to use operationally. You'd need to be able to write to /Applications and then convince the user to install a vulnerable application. Not impossible, but not immediately operationally viable. Perhaps bundling a vulnerable application in a handler that pre-creates the "exploit" app would work to get initial access + privilege escalation?
  • Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl - Microsoft's "Customer Experience Improvement Program (CEIP)" may store useful logs for incident responders, but how it functions, or is even enabled remains opaque.
  • sambadc - I have never seen a Samba based directory controller in a production environment, but I'm sure they exist. If you need to attack them, there are some gotchas detailed here.
  • Living off the Hypervisor - LOLPROX - Some good Proxmox tradecraft. If you look at the VM names in Andy's examples you'll recognize them as Ludus VMs 😊. Comes with a version for Defenders as well.
  • Git SCOMmit – Putting the Ops in OpsMgr - "As a red team operator, while I may not always be conducting the research, I need an environment where I can reliably test all the new tradecraft my team puts out and know how to perform these attacks in real environments. Historically, if you have ever set up something like SCCM, you know how painful some of the installs are, and how many different variables you can introduce during setup that may or may not be representative of real-world installs. Or after so many exploits, you find your lab in a broken state and maybe your snapshot hygiene hasn’t been great lately. These were the exact types of problems I love solving with automation, and my tool of choice for doing this is ansible scripts deployed with my Ludus environment in my home lab." Exactly the use case for Ludus!
  • Linux Process Injection via Seccomp Notifier - A novel Linux process injection technique with a few limitations, the biggest being that you can only inject into child processes.
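The SVG Filters clickjacking entry above credits X-Frame-Options and Content Security Policy with making classic clickjacking rare. As an added example (not code from this post or from rebane2001's writeup), here is the header pair a defender sets to refuse framing, next to a small checker that grades a response's headers the way a browser would prioritize them: a CSP `frame-ancestors` directive wins over X-Frame-Options when present, and the deprecated `ALLOW-FROM` form is treated as no protection because current browsers ignore it. The header values in the test are constructed samples. Note that these headers only address frame-based clickjacking; whatever the SVG technique does is not modelled here.

```javascript
// Added example, not from the LWiS post or any linked project.
// Anti-framing headers and a checker for them; all header values are constructed samples.

// Headers a server should send to refuse being embedded in a frame.
// X-Frame-Options is the legacy control; CSP frame-ancestors is the modern one,
// and browsers that understand both let the CSP directive win.
function antiFramingHeaders(allowSelf = false) {
  return {
    "x-frame-options": allowSelf ? "SAMEORIGIN" : "DENY",
    "content-security-policy": `frame-ancestors ${allowSelf ? "'self'" : "'none'"}`,
  };
}

// Pull the source list of the frame-ancestors directive out of a CSP value.
// Returns null when the policy has no such directive.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === "frame-ancestors") {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Grade a response header map (any key casing) for protection against framing.
// Returns { protected, source, reason } so callers can log why a page was flagged.
function assessFrameProtection(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );

  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // An empty list or 'none' blocks every ancestor.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { protected: true, source: "csp", reason: "frame-ancestors 'none'" };
    }
    // A bare wildcard or a scheme-only source (https:) lets any site frame the page.
    const open = ancestors.some((s) => s === "*" || /^[a-z]+:$/.test(s));
    if (open) {
      return { protected: false, source: "csp", reason: "frame-ancestors allows any origin" };
    }
    return { protected: true, source: "csp", reason: `frame-ancestors restricted to ${ancestors.join(" ")}` };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, source: "x-frame-options", reason: xfo };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // Deprecated and ignored by current browsers, so it grants no protection.
    return { protected: false, source: "x-frame-options", reason: "ALLOW-FROM is ignored by modern browsers" };
  }
  return { protected: false, source: "none", reason: "no anti-framing header present" };
}

// Usage: feed in the headers captured from a response (e.g. from fetch().headers).
console.log(assessFrameProtection(antiFramingHeaders()));
console.log(assessFrameProtection({ "Content-Security-Policy": "default-src 'self'; frame-ancestors *" }));
```

Run the checker over the header maps your scanner or proxy already collects; pages that come back `protected: false` are the ones where a framing-based clickjack would still be possible, and the `reason` field tells you which misconfiguration to fix.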

Tools and Exploits

  • Ghidra 12.0 - Your favorite NSA open source decompiler got a major version bump.
  • OS Watcher v0.3 - Explore Windows evolution from Win95 ➡️ Win11-24H2 (with updates!) and a Registry explorer. File download is disabled, for obvious reasons.
  • LibPicoManager - LibPicoManager is a unified PICO management framework that provides centralized control over PICOs in memory, enabling dynamic code loading, runtime PICO substitution, and advanced evasion techniques like sleep masking through a single RWX code block.
  • fabricate - An experimental research tool for fabricating GitHub personas with AI-generated repositories.
  • csbot - Golang Automation Framework for Cobalt Strike using the Rest API.
  • ludus_scom - An Ansible collection that installs a SCOM deployment with optional configurations.
  • seccomp-notify-injection - Linux Process Injection via Seccomp Notifier.
  • stillepost - Using Chromium-based browsers as a proxy for C2 traffic.
  • ADAttributeHound - ADAttributeHound is an OpenGraph extension for BloodHound that exports Active Directory custom attributes as node properties.
  • cloudflare-error-page - Cloudflare error page generator. [Great for phishing page decoys]

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.