Last Week in Security (LWiS) - 2025-07-28

VMware Tools LPE (@justbronzebee), Adaptix C2 0.7 (@hacker_ralf), Ludus MCP (@__Mastadon), SOAP(y) (@_logangoins), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-07-21 to 2025-07-28.

News

Techniques and Write-ups

Tools and Exploits

  • LudusMCP - Model Context Protocol server for managing Ludus lab environments through natural language commands.
  • penguin - PENGUIN (Personalized EmulatioN Generated Using Instrumented Analysis) takes a target centric approach to rehosting using a precise and tailored specification of the rehosting process. [The description is underselling this tool, you can take arbitrary embedded firmware and get it up and running in an emulator with two commands.]
  • [X] Any domain user can BSOD a 2025 Domain Controller - "This does not meet Microsoft's bar for immediate servicing." 🫠
  • AdaptixC2 v0.7 - My current favorite open-source C2 got a new release, and v0.7 brings a scripting language to allow programmatic control of the C2!
  • Mistwalker - Create Entra Global Admin accounts from On-Prem.
  • RAIWhateverTrigger - Local SYSTEM auth trigger for relaying - X.
  • wambam-bof - A Cobalt Strike BOF that extracts access tokens from .tbres files. This BOF locates DPAPI-encrypted blobs stored in .tbres files, decrypts them in the current user context using CryptUnprotectData, and extracts the access token. This BOF is opsec safe and could be used as an alternative to the office_tokens BOF.
  • ratnet-rs - Rust port of RatNet, an anonymity network designed for mesh routing and embedded scenarios.
  • Crystal-Loaders - A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • sinister-vsix - Blog/Journal on how to backdoor VSCode extensions.
  • DarkLnk - Build sneaky & malicious LNK files.
  • hyprnote - Local-first AI Notepad for Private Meetings.
  • canine - Power of Kubernetes, Simplicity of Heroku.
  • copyparty - Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps.
  • s3grep - CLI tool for searching logs and unstructured content in Amazon S3 buckets.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.