Last Week in Security (LWiS) - 2025-04-28

TTTracer unmasks sleep obfs (@felixm_pw), GitHub spoofing (@pfiatde), Synology RCE (@ret2systems), netify scraper (@Jhaddix), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-04-21 to 2025-04-28.

News

  • MFA for machines Sponsored - Aembit, the non-human identity and access management company, is announcing the launch of its Identity Federation Hub at RSAC. Designed for DevOps and security teams, this new capability eliminates the operational and security risks of long-lived secrets by enabling seamless workload identity federation across clouds and services – without forcing developers to write custom auth logic. Learn more about Aembit.

Techniques and Write-ups

Tools and Exploits

  • damn-vulnerable-MCP-server - Damn Vulnerable MCP Server.
  • DeviceCodePhishing - A variant of the well-known device code phishing approach. The flow is initiated only when the victim opens the phishing link, and the victim is immediately redirected to the identity provider's authentication page, so the short-lived user code is still fresh when they arrive. It works against FIDO, even when FIDO is the only authentication method available to the victim, because the victim authenticates legitimately at the real identity provider and only approves an attacker-generated code.
  • squarephish2 - An advanced phishing tool that combines the OAuth device code authentication flow with QR codes.
  • Ghosting-AMSI - AMSI bypass via RPC hijack (NdrClientCall3). The technique exploits the COM-level mechanics AMSI uses when delegating scan requests to antivirus (AV) providers over RPC.
  • Getting Shells at Terminal Velocity with Wopper - Automate the use of malicious plugins to get shells on WordPress with Wopper. wopper is the GitHub repository.
  • PrimeEncryptor - PrimeEncryptor is a flexible Dynamic Shellcode Encryptor designed to generate encrypted shellcode using multiple encryption techniques.
  • Scopify - Scopify is a Python command-line tool designed for penetration testers and bug bounty hunters to quickly gather and analyze infrastructure information (CDN, Hosting, SaaS) for a target company by scraping netify.ai. Developed by @Jhaddix and Arcanum Information Security.
  • logon_monitor - A BOF to regularly check for active users on a target.
  • Chronos - Time-Based Detection and Response for Safety-Critical Real-Time Embedded Systems - EDR Kernel Extension for FreeRTOS.
  • paradox - macOS stealer PoC.
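The device code technique behind DeviceCodePhishing and squarephish2, as an added example that is not code from either project: a Python simulation of the RFC 8628 device authorization grant with a toy identity provider, an attacker-controlled client and a victim. Every identifier in it (idp.example, the client ID, the victim address, the `allow_device_flow` policy knob) is constructed for the simulation. It shows why FIDO does not help here: the victim signs in at the genuine IdP origin with a genuine credential, and what is phished is consent to a user_code the attacker generated moments earlier. It also shows the control that does help, refusing the grant type at the IdP.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed identifiers for the simulation (not real endpoints, tenants or users).
IDP_VERIFICATION_URI = "https://idp.example/device"
ATTACKER_CLIENT_ID = "client-used-by-attacker"
VICTIM = "alice@example.com"


@dataclass
class DeviceGrant:
    device_code: str            # long secret, known only to whoever started the flow
    user_code: str              # short code the user types in at verification_uri
    client_id: str
    expires_at: float           # device codes are short-lived, typically minutes
    authorized_by: Optional[str] = None


class AuthorizationServer:
    """Toy IdP implementing the three device-flow steps of RFC 8628."""

    def __init__(self, allow_device_flow: bool = True) -> None:
        # Stands in for an IdP policy that blocks the device code grant type.
        self.allow_device_flow = allow_device_flow
        self.grants: Dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str) -> dict:
        """POST /device_authorization: start a flow, return device_code + user_code."""
        if not self.allow_device_flow:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        self.grants[device_code] = DeviceGrant(device_code, user_code, client_id,
                                               time.time() + 900)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": IDP_VERIFICATION_URI,
                "expires_in": 900, "interval": 5}

    def approve(self, user_code: str, user: str, fido_assertion_valid: bool) -> bool:
        """The page at verification_uri: the user signs in (a FIDO assertion, valid
        because this really is the IdP origin) and enters the user_code."""
        if not fido_assertion_valid:
            return False
        for grant in self.grants.values():
            if (grant.user_code == user_code and grant.authorized_by is None
                    and time.time() < grant.expires_at):
                grant.authorized_by = user
                return True
        return False

    def token(self, device_code: str, client_id: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() >= grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-for-{grant.authorized_by}", "token_type": "Bearer"}


def token_before_consent(idp: AuthorizationServer) -> dict:
    """Polling before the victim approves only yields authorization_pending."""
    start = idp.device_authorization(ATTACKER_CLIENT_ID)
    if "error" in start:
        return start
    return idp.token(start["device_code"], ATTACKER_CLIENT_ID)


def run_phish(idp: AuthorizationServer) -> dict:
    """Replay the attack: the flow starts only when the victim clicks, so the
    short-lived user_code is fresh, and the victim goes straight to the IdP."""
    # 1. Victim opens the phishing link; the attacker's server starts the flow now.
    start = idp.device_authorization(ATTACKER_CLIENT_ID)
    if "error" in start:
        return start                      # the IdP refused the grant type
    # 2. Victim is redirected to the real IdP page with the code pre-filled.
    #    FIDO behaves as designed: origin matches the RP ID, assertion is valid.
    idp.approve(start["user_code"], VICTIM, fido_assertion_valid=True)
    # 3. Attacker polls the token endpoint with the device_code it kept.
    return idp.token(start["device_code"], ATTACKER_CLIENT_ID)


if __name__ == "__main__":
    print("flow allowed :", run_phish(AuthorizationServer()))
    print("flow blocked :", run_phish(AuthorizationServer(allow_device_flow=False)))
```

The point of step 1 is the `expires_in` value: the classic attack had to get the victim to the IdP before a pre-generated code expired, whereas starting the flow on click keeps the code fresh. The defensive check is the second run: with the grant type refused, the attacker never obtains a device_code, so nothing the victim does afterwards matters. In a real tenant the equivalent of `allow_device_flow=False` is an identity provider policy that blocks the device code flow for users and clients that do not need it.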

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.