Last Week in Security (LWiS) - 2025-04-21
CVE drama (@MITREcorp), Control Flow Hijacking w/Data Pointers (@0xLegacyy), Copilot in notepad (@zux0x3a), .NET AOT in Ghidra (@washi_dev), CSWSH in 2025 (@IncludeSecurity), 300ms to Admin (@compasssecurity), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-04-14 to 2025-04-21.
News
- [PDF] Disclosure of Cyber Security Breach and Data Exfiltration through DOGE Systems and Whistleblower/Witness Intimidation - A senior DevSecOps Engineer at the National Labor Relations Board ("NLRB") details what he saw as DOGE was granted access to NLRB systems. The evidence looks damning: whoever did these actions had high privileges, was exfiltrating a lot of data, and, besides disabling logging, was pretty sloppy (smash and grab vs stealth). The use of correct credentials of a DOGE account from Russia (blocked by Geo-rules) just 15 minutes after the account was created is very strange. If we assume Russia had/has an active implant that pulled the credentials from the DOGE employee who created the account or was sent the credentials, why would they attempt to use them from Russia? The mix of high-level and amateur tradecraft doesn't make sense, but it wouldn't be the first time a Russian cyber actor forgot to turn on their VPN; it does happen. For a more editorialized version of the story, see: A whistleblower's disclosure details how DOGE may have taken sensitive labor data.
- CISA extends funding to ensure 'no lapse in critical CVE services' - MITRE, a non-profit federally funded research and development center, created and has maintained the Common Vulnerability and Exposures (CVE) database for 25 years. They sent a letter on 2025-04-15 that stated their funding would expire the next day. This is highly unusual, as government contracts not set to have their "option periods" (additional years) funded are notified well in advance. As the letter was making headlines, late the night of the 15th CISA apparently "executed the option period" (funded at least one additional year). While technically you can wait until midnight of the day the contract expires to extend it, it's highly unusual. If MITRE hadn't sent the letter that caused headlines, would the funding have come? Either way, there is now a new CVE Foundation that may be able to take over if MITRE does lose funding.
- La Liga: Blocking of Cloudflare IPs in Spain - The Spanish La Liga football league blocked Cloudflare IPs to prevent Spanish citizens from streaming football matches. The issue is, over 20% of the internet sits behind Cloudflare, so blocking all of Cloudflare's IPs took down a good chunk of the internet for Spain during football matches. This is a good reminder of why technically competent advisors are needed for government agencies and enforcement. Cloudflare is taking legal action to stop the blocking.
Techniques and Write-ups
- [X] A thread on "extremely sophisticated phishing" - The use of OAuth application grants to spoof a subpoena notice from Google is genius. The email reads "Google Legal Support was granted access to your Google Account" where "Google Legal Support" is the name of the attacker's OAuth app. This is 10/10 out of the box thinking. The attacker actually re-used a legitimate email Google sent, and just re-sent it via a few intermediaries to the victims. How does it work? Short answer: Email is hard. Long answer: see this technical breakdown.
- CVE-2025-24054, NTLM Exploit In The Wild - An NTLM leak was seen emailed to multiple targets. While outbound SMB traffic should be blocked at the enterprise firewall so it cannot leave an organization, it isn't always. CVE-2025-24071_PoC is a tool to create a PoC.
- The Hidden Risk: Compromising Notepad Cowriter’s Bearer Tokens - With Microsoft shoving Copilot into everything, not even notepad is safe.
- Cross-Site WebSocket Hijacking Exploitation in 2025 - The same-origin policy (SOP) doesn't apply to WebSockets, so browsers have to implement their own defenses. This post looks at what is possible today with WebSocket hijacking in different browsers.
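Because the browser will not enforce SOP on the handshake, the server-side mitigation for cross-site WebSocket hijacking is to validate the Origin header before completing the upgrade. The following is an added example (not code from the linked post): a small handshake parser with an exact-match origin allowlist; the origins, header values and the reject-on-missing-Origin policy are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of exact origins (scheme://host[:port]) allowed to open a socket.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def parse_handshake(raw: bytes) -> dict[str, str]:
    """Return the headers of a raw HTTP/1.1 upgrade request, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def is_websocket_upgrade(headers: dict[str, str]) -> bool:
    """True when the RFC 6455 handshake headers are all present."""
    connection = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in connection
            and headers.get("sec-websocket-version") == "13"
            and "sec-websocket-key" in headers)

def origin_allowed(headers: dict[str, str], allowed: set[str] = ALLOWED_ORIGINS) -> bool:
    """Exact-match the browser-supplied Origin against the allowlist.

    Browsers always send Origin on a WebSocket handshake, so a missing or "null"
    Origin is rejected here (assumed policy for a cookie-authenticated socket).
    Exact matching avoids the prefix trap: app.example.com.attacker.example
    would pass a startswith() check but not a set lookup.
    """
    origin = headers.get("origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return f"https://{parts.netloc.lower()}" in allowed

def should_accept(raw: bytes) -> bool:
    """Complete the upgrade only for well-formed, same-site handshakes."""
    headers = parse_handshake(raw)
    return is_websocket_upgrade(headers) and origin_allowed(headers)

# Constructed sample handshakes: the app's own origin, then a cross-site copy.
SAME_SITE = (b"GET /ws HTTP/1.1\r\nHost: app.example.com\r\nUpgrade: websocket\r\n"
             b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Version: 13\r\n"
             b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
             b"Origin: https://app.example.com\r\nCookie: session=constructed\r\n\r\n")
CROSS_SITE = SAME_SITE.replace(b"Origin: https://app.example.com", b"Origin: https://attacker.example")
```

Note that the cross-site request carries the same session cookie as the legitimate one; only the Origin check tells them apart.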
- Control Flow Hijacking via Data Pointers - Write better loaders with fewer calls to VirtualProtect by using data pointers to start the execution of your loaded shellcode. It was also released as a BOF: DataInject-BOF.
- CVE-2025-21299 and CVE-2025-29809: Unguarding Microsoft Credential Guard - "Insufficient validation of the Kerberos krbtgt service name within the TGT can lead to a bypass of credential guard, and therefore extraction of a primary TGT from the host that should otherwise be prevented."
- Watch Your AI! Using Replit AI to Mask Your C2 Traffic - "3rd Party C2" is the best kind of C2.
- Recovering Metadata from .NET Native AOT Binaries - Native AOT binaries are C# binaries that are pre-compiled to machine code, versus the standard just-in-time (JIT) compilation of C# binaries. This makes them difficult to reverse engineer (i.e. the usual .NET tooling doesn't work). This post explores the problem and introduces ghidra-nativeaot - Ghidra .NET Native AOT Analyzer Plugin.
- Code execution inside PID 0 - If you've ever wanted code execution inside of System Idle Process, this post is for you.
- 300 Milliseconds to Admin: Mastering DLL Hijacking and Hooking to Win the Race (CVE-2025-24076 and CVE-2025-24994) - A low privilege user can trigger the install of the "Mobile devices" webcam functionality in Windows 11, which causes a DLL the user has write permissions on to be loaded by a SYSTEM process. It gets tricky because the DLL is loaded first as the user, and then as SYSTEM immediately after, making it a bit of a race condition. Clever use of WinAPI hooks with Detours solved that and made it reliable.
Tools and Exploits
- VECTR - A service container for Mythic C2 for interacting with SRA's VECTR.
- waiting_thread_hijacking - Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread.
- koneko - Robust Cobalt Strike shellcode loader with multiple advanced evasion features.
- FriendlyFireBOF - A BOF that suspends non-GUI threads for a target process or resumes them resulting in stealthy process silencing.
- SourcePoint v4.0 - The popular C2 profile generator for Cobalt Strike has been updated to support the latest Cobalt Strike features.
- bincrypter - Pack/Encrypt/Obfuscate ELF + SHELL scripts.
- After days of struggle, my emulator now runs in the browser - 🤯 web assembly is getting wild. Source: emulator.
- go-buena-clr - Good CLR Host with Native patchless AMSI Bypass.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- trufflehog-explorer - a user-friendly web-based tool to visualize and analyze data extracted using TruffleHog.
- dAWShund - Putting a leash on naughty AWS permissions.
- cloud-snitch - Easy-to-use map visualization for AWS activity, inspired by Little Snitch for macOS.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.