Last Week in Security (LWiS) - 2025-08-18
DEF CON releases, PDQ SmartDeploy creds (@unsigned_sh0rt), FortiSIEM root command injection (@SinSinology), a cat themed loader (@vxunderground), fine-tune LLMs for offsec (@kyleavery_), juicing NTDS.DIT (@MGrafnetter), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-08-04 to 2025-08-18.
News
- [X] Malicious Cursor extension drains wallet - Editor extensions are still the wild west, and this is not the first and will not be the last malicious extension uploaded to OpenVSX and promoted as legitimate.
- APT Down - The North Korea Files - Someone got access to an alleged North Korean APT's workstation and Virtual Private Server (VPS). They were kind enough to dump the files and write it up. This data is a gold mine for threat intel analysts.
- Hyundai: Want cyber-secure car locks? That'll be £49, please - Charging customers for security updates on high end physical products is a new one.
Techniques and Write-ups
- [PDF] GhostShot: Manipulating the Image of CCD Cameras with Electromagnetic Interference - The maximum demonstrated distance was 1 meter, but very cool research on how you can trick a digital camera to show detailed images with specialized electromagnetic interference.
- HKLMSYSTEMSetupsMarTdEpLoY – The (Static) Keys to Abusing PDQ SmartDeploy - Static, hardcoded, universal encryption keys just add a step for attackers, they don't actually protect anything. This is another research article and tool release enabled by Ludus.
- CVE-2024-30088 Pwning Windows Kernel @ Pwn2Own Vancouver 2024 (Plus Xbox) - New drivers == new vulnerabilities.
- ReVault! When your SoC turns against you… deep dive edition - What if the security chip in your laptop was actually a backdoor? This research into the Dell ControlVault shows what is possible when the dedicated security hardware is compromised.
- Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) - A simple command injection, as root, in "the backbone of your security operations team and is your ultimate defense against attacks." I wish it was surprising.
- Machine Account Takeover with LsaStorePrivateData() - A good alternative to getting machine account credentials when you're a local administrator but don't/can't dump LSA.
- Juicing ntds.dit Files to the Last Drop - The Golden dMSA Attack, full support for Local Administrator Password Solution (LAPS), and the ability to extract trust passwords and BitLocker recovery keys have been added to DSInternals.
- Pantheon Introduction: A Guide and Script Collection for Mythic Eventing - A repository containing eventing automation, which includes reconnaissance, persistence location, and credential preparation scripts.
- Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - Microsoft uses nested app authentication (NAA) for many applications. Access and refresh tokens for select applications, such as administrator portals, can be exchanged for tokens to other applications with a brokered request to authentication endpoints.
- Impacket Developer Guide. Part 1. RPC Deep Dive - Ever feel overwhelmed about contributing or modifying the impacket project? Start here!
- Training Specialist Models: Automating Malware Development - The future is here. Payload development now includes LLMs that make decisions and modifications when going up against specific EDRs at a specific point in time. Imagine a pipeline where Ludus, LLMs, automation, multiple VMs/OS types, and multiple EDR technologies are all working together to generate a payload that works when you need it to.
- HTTP/1.1 must die: the desync endgame - This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials. Biggest takeaway here: HTTP/1.1 is insecure. Here is an example of PayPal learning this lesson.
- Breaking Into Your Network? Zer0 Effort. - DEF CON 33 Overview - Teased in the last edition of LWiS, this post covers the bugs disclosed at DEF CON in popular zero trust network solutions. It includes a link to the full talk given at DEF CON as well!
- DEFCON33 - Turning Microsoft's Login Page into our Phishing Infrastructure - Keanu Nys - Phish using the legitimate Microsoft login page? Say less. Awesome DEFCON33 talk. Highly practical in today's landscape.
Tools and Exploits
- hashcat v7.0.0 - Lots of updates including hash-mode autodetection, docker build support, Apple Metal GPU support, AMD HIP support, Argon2 and Summary algorithm support, and much more.
- IRvana - Slaying multi-language LLVM IR with obfuscation passes to achieve JIT execution.
- dump_kerberos_tickets - Dump Kerberos tickets.
- nimpersonate - Impersonate Windows tokens in Nim.
- Meow Meow Kitty Cat Meow Meow - A new project from @vxunderground. "Insert" will hide your payload in a BMP, "Pspsps" extracts payloads from BMPs, and "Loader" is a loader with dynamic syscall resolution that extracts a payload from a BMP and executes it in memory.
- ludus_badblood - Outfits your ludus AD domain with BadBlood info.
- rre-burp - Burp extension for Recursive Request Exploits (RRE) — DEF CON 2025.
- Azure-AppHunter - Azure AppHunter is an open-source tool created for security researchers, red teamers and defenders to help them identify excessive privileges assigned to Service Principals.
- turnt - A tool designed for smuggling interactive command and control traffic through legitimate TURN servers hosted by reputable providers such as Zoom.
- oauthseeker - A malicious OAuth application that can be leveraged for both internal and external phishing attacks targeting Microsoft Azure and Office365 users.
- glato - GitLab Attack TOolkit. [Not to be confused with gato - GitHub Actions Pipeline Enumeration and Attack Tool.]
- ChromeAlone - A tool to transform Chromium browsers into a C2 Implant.
- janus-framework - A powerful Go library for chaining security tools together to create complex, reusable workflows that can run at scale. It provides a uniform interface for connecting disparate security tools, enabling automation of multi-step security processes.
- gpoParser - gpoParser is a tool designed to extract and analyze configurations applied through Group Policy Objects (GPOs) in an Active Directory environment.
- CVE-2025-50154 - POC for CVE-2025-50154, a zero-day vulnerability in Windows File Explorer disclosing NTLMv2-SSP hashes without user interaction. It is a bypass for the CVE-2025-24054 security patch.
- restless-guest - An offensive toolkit for restless guests #DEFCON33.
- EntraGoat - A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack challenges.
- RPC-Racer - Toolset to manipulate RPC clients by finding delayed services and masquerading as them.
- Dispatch - Evasive Payload Delivery Server & C2 Redirector.
- BamboozlEDR - A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
- JamfHound - JamfHound is a python3 project designed to collect and identify attack paths in Jamf Pro tenants based on existing object permissions by outputting data as JSON for ingestion into BloodHound.
- NotSoSmartDeploy - POC to decrypt SmartDeploy encrypted credentials.
- AzureStrike - An HTA Application which builds Azure (Entra) Scenarios for Red Team Simulations.
- sauron - Fast context enumeration for newly obtained Active Directory credentials.
- spearspray - Enhance Your Active Directory Password Spraying with User Intelligence.
- GREtunnel-scanner - This is a GRE PoC code for Talks: From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion.
- C4 - Cross Compatible Command and Control.
- defcon33_silence_kill_edr - DC33 workshop: "Putting EDRs in Their place".
- WinRAR-CVE-2025-8088-PoC-RAR - WinRAR 0day CVE-2025-8088 PoC RAR Archive.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- thorium - A scalable file analysis and data generation platform that allows users to easily orchestrate arbitrary docker/vm/shell tools at scale.
- VxLAN-Scanner - This is a VxLAN PoC code for Talks: From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion.
- Pantheon - Community Eventing and Scripting examples.
- Certify 2.0 - Certify has been updated to 2.0 and it includes a much needed update. Nearly twice the amount of ADCS tradecraft has been introduced since the initial release.
- TameMyCerts - Policy Module for Microsoft Active Directory Certificate Services.
- bloatware-pwn - LPE / RCE Exploits for various vulnerable "Bloatware" products.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.