Last Week in Security (LWiS) - 2026-01-05
Windows ARM64 internals (@33y0re), VEH^2 PoC (@0xfluxsec), macOS 26 TCC bypass (@patch1t), BOFs with Crystal Palace (@_RastaMouse), Flare-On 2025 write-ups (@washi_dev), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-12-15 to 2026-01-05.
News
- North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location - 110ms is really not all that much. Try it yourself. Maybe the "more than" in "more than 110ms" is doing heavy lifting to not give away the threshold? 800ms+ is where something like Mosh really helps.
- This Flock Camera Leak is like Netflix For Stalkers - The easy pivot from camera to personal details shows the power of mass surveillance, and this was a private citizen. Using an exposed Flock camera to stream Flock's response was a nice touch.
- Trump suggests US used cyberattacks to turn off lights in Venezuela during strikes - Cyber is a domain of warfare and it's being used to support actions in the physical world. While Stuxnet may have been the first cyber-physical attack to get media attention, expect every modern military operation to have a cyber component going forward.
- Man boards Heathrow flight without ticket, boarding pass or passport in major security breach - Get this man a job as a physical penetration tester!
- MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know - An information leak in nearly every version of MongoDB reminiscent of Heartbleed could leak sensitive information including credentials. The decision to drop a proof of concept on Christmas Day has been met with backlash.
Techniques and Write-ups
- [PDF] Modern iOS Security Features – A Deep Dive into SPTM, TXM, and Exclaves - 174 pages of detailed technical analysis of iOS security.
- how to hack discord, vercel and more with one easy trick - A B2B SaaS documentation platform (with AI, of course) led to cross-site scripting (XSS) across many major platforms.
- Kernel of Doom - A Tiny Linux Kernel to Boot into Doom - An awesome little experiment that will certainly help get DOOM running on even more devices.
- TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering - Using AI and GhidraMCP, three vulnerabilities were found in a TP-Link camera.
- Yet Another DCOM Object for Command Execution Part 2 - CPLs were a go-to for phishing payloads a while ago, as the user could double-click them and they would execute, and email filters didn't realize they were executable. Now you can use them for lateral movement!
- ORM Leaking More Than You Joined For - With SQL injections becoming more rare, object-relational mapping (ORM) middleware allowing users to search and filter sensitive data can inadvertently leak that data.
- Windows ARM64 Internals: Pardon The Interruption! Interrupts on Windows for ARM - Start your new year with some deep technical Windows ARM64 internals.
- Vectored Exception Handling Squared - A write-up and proof of concept for research CrowdStrike published last June on modifying the CONTEXT struct in Windows to set hardware breakpoints without calling SetThreadContext, thus avoiding Event Tracing for Windows (ETW) logging.
- CVE-2025-43530: Exploiting a private API for VoiceOver - A macOS Transparency, Consent, and Control (TCC) bypass that injects a library into an Apple-signed binary (in this case SSH) to bypass security checks and run arbitrary AppleScript that uses Finder for actions. This completely bypasses TCC.
- BOF Cocktails - Using Crystal Palace, Rasta Mouse shows how to implement hooks into existing BOFs with some Aggressor script kung-fu.
- Flare-On 2025 - Write-ups for all the Flare-On 2025 challenges.
- The New Chapter of Egress Communication with Cobalt Strike User-Defined C2 - No longer must you proxy your agent communication to a local process on the victim machine, with User-Defined C2 (UDC2) you can create a Beacon Object File (BOF) that integrates into the agent itself.
- Making CloudFlare Workers Work for Red Teams - Conditional Access Payload Delivery (CAPD) is a great term for this category. Cloudflare excels at bot protection and fine-grained access policy, so why not use it for payload delivery protection?
Tools and Exploits
- PhantomSec | Advanced Offensive Capabilities Automated - EvadeX Sponsored - EvadeX is an evasion-as-a-service platform for red teams and pentesters who want modern, continuously-updated evasive tradecraft without turning every engagement into an R&D project. Generate highly customizable, low-signature payloads through a simple web workflow so you can tune to the target and stay focused on the engagement. Trusted by teams from small consultancies to the Fortune 10. Get callbacks past EDR today!
- silph - Stealthy In-Memory Local Password Harvester (SILPH) tool: dump LSA, SAM and DCC2 with indirect syscall.
- ludus_ghostwriter - An Ansible Role that installs Ghostwriter on a Linux-based host using ghostwriter-cli and Docker Compose.
- ludus_scorch - An Ansible collection that installs System Center Orchestrator (SCORCH) deployments with optional configurations for security testing.
- scorch - Offensive security toolkit for Microsoft System Center Orchestrator (SCORCH). Single binary, cross-platform, works from non-domain joined systems.
- NeuroSploit - NeuroSploitv2 is an advanced, AI-powered penetration testing framework designed to automate and augment various aspects of offensive security operations, leveraging the capabilities of large language models (LLMs). [Untested, appears vibe coded]
- EDR-GhostLocker - AppLocker-Based EDR Neutralization.
- mt7622-qemu-vm - QEMU emulation of MediaTek MT7622 PCI driver.
- Rapid7 Velociraptor Directory Traversal Vulnerability - We discussed using Velociraptor as a red team tool in our iscariot-suite, but this exploit potentially allows the takeover of the Velociraptor server, which would then allow an attacker to use Velociraptor as a command and control service across your network.
- crystal-palace-vsc - Language extension for Crystal Palace Specification files. On the VSCode Marketplace here: crystal-palace-vsc
- Remote-BOF-Runner - Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace.
- Sliver v1.6.0 - The best Go C2 framework gets an update. The new memfd features and the total CLI rewrite look interesting.
- Vectored-Exception-Handling-Squared - Vectored Exception Handling Squared.
- FsquirtCPLPoC - PoC for generating bthprops.cpl module designed to be loaded by Fsquirt.exe LOLBin.
- slack-udc2 - Cobalt Strike UDC2 implementation that provides a Slack C2 channel.
- mongobleed - A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory.
- Google-Hack-Search - Custom Google search engine dedicated to IT security & hacking stuff. Over 230 high-quality sources.
- tailsnitch - A security auditor for Tailscale configurations. Scans your tailnet for misconfigurations, overly permissive access controls, and security best practice violations.
- SessionView - A portable C# utility for enumerating local and remote Windows sessions.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Using TypeScript to Obtain One of the Rarest License Plates - Burp suite and the lack of rate limits combine for this niche "hack" (original definition).
- Handy - A free, open source, and extensible speech-to-text application that works completely offline.
- Krawl - Krawl is a lightweight cloud native deception server and anti-crawler that creates fake web applications with low-hanging vulnerabilities and realistic, randomly generated decoy data.
- How Passkeys Work - Computerphile - A decent high level overview of passkeys you can send to your parents.
- What I Seek Out of a Pentester - Good overview on how to set yourself up for success when looking for jobs in offensive security. A solid base of knowledge is really important in order to make connections quickly.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.