WriteAccountRestrictions fun (@unsigned_sh0rt), RCE in Dell UnityVSA (@SinSinology), Unity Runtime exploit (@ryotkak), Lenovo DCC LPE (@0x4d5aC), remote control over generators (@XeEaton), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-09-29 to 2025-10-06.
News
- 'You'll never need to work again': Criminals offer reporter money to hack BBC - Why spend the effort on initial access if you can buy your way in? The threat actors claim it has worked for high profile breaches in the past.
- Mic-E-Mouse: Covert Eavesdropping through Computer Mice - Your 20,000 dpi mouse can now be used to record your speech via the vibrations in your desk.
- Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail - 2.2GB of data including certificates from companies that were customers of Red Hat Consulting has been teased.
- I’ve Written About Loads of Scams. This One Almost Got Me. - Always hang up and call the number yourself. You cannot trust caller ID.
Techniques and Write-ups
- When Azure Relay Becomes a Red Teamer’s Highway - Microsoft's Azure Relay Bridge uses outbound HTTPS to Azure in order to create TCP tunnels "from and to anywhere." The command line tool is written in C# and open source. Creating a DLL with this and then using AppDomain Hijacking could create a very neat persistence technique...
- CVE-2025-59489: Arbitrary Code Execution in Unity Runtime - This is specifically the Android Unity Runtime (used by games like Pokemon Go), and the SELinux restrictions prevent "almost all remote exploitation scenarios." Seems pretty wild that an "app intent" string can include a shared object path to load.
- Taking remote control over industrial generators - Just because the front end application doesn't show anything when "not authenticated" doesn't mean the API won't give up the data.
- Lucid Dreams I: Lucid's First Time Fuzzing - The latest installment of the ever-detailed and entertaining fuzzer development series.
- Lenovo DCC: Part 1 - A simple ACL Exploit - A vendor's application allows for privilege escalation in two different ways. Always audit the standard utilities on machines for these kinds of bugs.
- When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise - The more ® and ™️s I see on a software vendor's site, the more confident I am there will be bugs. This article adds evidence to that claim.
- AI Gated Loader: Teaching Code to Decide Before It Acts - Offloading your decision to run a payload or not to a 3rd party LLM and sending telemetry about customers' machines to that 3rd party seems crazy to me. It also means you're embedding an OpenAPI key into your loader (it reads from an environment variable, but how is that going to work on target?) that I'm sure a malware analyst would love to put into an endless for loop draining your credits. I see only downsides to this; what am I missing?
- WriteAccountRestrictions (WAR) – What is it good for? - User-Account-Restrictions allows you to modify security settings, and can lead to compromised accounts or even the entire domain. Another Ludus spotting in the wild 😊
- It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604) - If you aren't reading every watchTowr report, then you're missing out. Technical, sarcastic, excellent.
Tools and Exploits
- Lenovo-CVE-2025-8061 - PoC for popping a system shell against the LnvMSRIO.sys driver.
- sekken-enum - ADWS enumeration BOF.
- NetworkHound - Advanced Active Directory network topology analyzer with SMB validation, multiple authentication methods (password/NTLM/Kerberos), and comprehensive network discovery. Export results as BloodHound-compatible OpenGraph JSON. [Looks AI generated]
- watchTowr-vs-Oracle-E-Business-Suite-CVE-2025-61882 - Detection Artifact Generator for Oracle E-Business Suite CVE-2025-61882. Full details in Well, Well, Well. It’s Another Day.
- XRayC2 - AWS X-Ray for Covert Command & Control. Write up at Ghost in the Cloud: Weaponizing AWS X-Ray for Command & Control.
- templates-extender - Templates for developing your own listeners and agents for AdaptixC2.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Titanis - Windows protocol library, including SMB and RPC implementations, among others. [I missed this last week despite tweeting about it 🤦♂️]
- obex - Blocking unwanted DLLs in user mode.
- OverLAPS - Supporting PoCs and scripts for my talk "OverLAPS: Overriding LAPS Logic".
- Unlock the Power of AI Image intelligence - The demo gif on the homepage is worth a watch. Every image you post is now leaking your location.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.