Last Week in Security (LWiS) - 2026-03-09
Ludus 2 (@badsectorlabs), new GOAD lab (@M4yFly), 🍪 hack (@XeEaton), DPAPI + Nemesis (@harmj0y + @tifkin_), iOS exploit kit found (@Mandiant), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2026-03-02 to 2026-03-09.
News
- Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit - The kit only works on iOS 13-17.2.1 (from 2023), so as always having an up-to-date device makes you much harder to exploit (and more so if you have the latest hardware with additional hardware-based protections like Memory Integrity Enforcement (MIE)). Pretty impressive there is a kit out there with 23 separate iOS exploits (5 full chains) that all work together nicely. This kit was likely caught because it was being used rather recklessly (a pop-up telling users to visit the site on iOS and targeting any user who landed on the page is bold), but consider how many of these kits work on iOS 26 and are currently being used more carefully in targeted attacks. If you may be a target, consider enabling Lockdown Mode. What are the odds this was the kit sold by the L3Harris executive to Russia?
- Operational issue - Multiple services (UAE) - Does your disaster recovery plan include drones targeting your datacenter? AWS' ME-CENTRAL-1 took direct hits causing massive outages.
- Ziff Davis to sell Ookla and Downdetector to Accenture as part of $1.2 billion deal - $1.2B USD for the speedtest.net company?!
- [PDF] President Trump's CYBER STRATEGY for America - A few interesting points in this short document. "We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities." Sounds like contractors are about to get in on some offensive operations. China has been doing this for years. Russia tacitly approves of ransomware groups as long as they don't target Russian-speaking countries. I'm not sure why the government is involved in, "supporting the security of cryptocurrencies and blockchain technologies." Wasn't the original point of cryptocurrency to break from government and institutional control? Perhaps Trump wants to secure his own bag. It also states, "America's cyber workforce... is an asset worthy of great investment and essential to our nation's economic prosperity and security." And yet across party lines and industry, the verdict is the same: CISA is in trouble.
Techniques and Write-ups
- Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE) - This might be the simplest watchTowr post I've ever read. A service running as root and listening on all interfaces will just execute commands without authentication. There are two extra requests to schedule the command but really that's it. PoC: watchTowr-vs-JunosEvolved-CVE-2026-21902.
- A scalpel, a hammer, and a foot gun - "What would change in red teaming (or cybersecurity even), if there was no fear of "burning a tool" because of its content tells and behavior was the only meaningful battleground?" Mudge drops the coolest tool so far in the Tradecraft Garden (personal opinion). This ability to edit compiled binaries on the fly has existed in custom tooling on advanced red teams before, but having it built into the flow of PICOs and atomic capability building is awesome. That being said, I'm sure people will start using ised against their own tooling as well. It's that awesome. The video walkthrough at the end of the post is worth the watch. Rasta (the most prolific poster of Crystal Palace material outside of Mudge himself?) also put out a post: Islands of Invariance.
- Beyond Electron: Attacking Alternative Desktop Application Frameworks - You've seen all the XSS-to-RCE attacks on Electron apps, but how about the newer web-framework-to-app builder, Tauri? While more difficult (and disabled by default), under the right circumstances XSS can be RCE in Tauri as well.
- CVE-2026-29000: Critical Authentication Bypass in pac4j-jwt - Using Only a Public Key (CVSS 10) - A simple null check ended up bypassing all auth. These are the kinds of vulnerabilities that the current generation of AI models excel at finding (keeping track of state, tracing flows, checking logic).
- Offensive DPAPI With Nemesis - Something to be said for the developers behind DPAPI and Chrome that it takes a 3,000+ word post to explain how to dump credentials from a browser on Windows in 2026. A few years ago this was all in a SQLite database, unencrypted.
- Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643 - This feels like a vulnerability that static source code scanners would find easily; user controlled data into a format string that is used as a SQL query. Classic SQLi.
- Using cookies to hack into a tech college's admission system - Speaking of classic vulnerabilities... this is another blast from the past (early 2000s?).
- Customizing C2 Traffic using Advanced Malleable Network Profiles - Conquest is the best open source C2 since Adaptix?
Tools and Exploits
- PhantomSec | Advanced Offensive Capabilities Automated - EvadeX Sponsored - EvadeX is an evasion-as-a-service platform for red teams and pentesters who want modern, continuously-updated evasive tradecraft without turning every engagement into an R&D project. Generate highly customizable, low-signature payloads through a simple web workflow so you can tune to the target and stay focused on the engagement. Trusted by teams from small consultancies to the Fortune 10. Get callbacks past EDR today!
- Dracarys - New GOAD lab from Mayfly!
- sopa - A practical client for ADWS in Golang.
- ludus-defender-lab - Ludus range configs and Ansible roles for a Windows security lab pre-staged for MDE and MDI, with a fully misconfigured ADCS installation for detection coverage testing.
- vscode-frida - Unofficial frida extension for VSCode.
- DLLHijackHunter - Automated DLL Hijacking Detection with Zero False Positives.
- ludus_nginx_redirector - This role is designed for use in Ludus ranges to proxy C2 traffic with extensive customization options for routing, rate limiting, and operational security.
- CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE - This repository contains a working proof-of-concept exploit for CVE-2026-20127, a critical pre-authentication vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) that has been actively exploited in the wild since 2023.
- Speakeasy v2.0.0b1 - The Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime instead of a full VM got a major update!
- vulhunt - Vulnerability detection framework by Binarly's REsearch team.
- PrivHound - A BloodHound OpenGraph collector that models Windows local privilege escalation as interconnected attack paths.
- Maverick - Adaptix C2 agent using the Crystal Palace PIC linker and PICO module system.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- enject - Hide .env secrets from prAIng eyes: secrets live in local encrypted stores (per project) and are injected directly into apps at runtime, never touching disk as plaintext.
- eden - A PoC UDRL for Cobalt Strike built with Crystal Palace that combines Raphael Mudge's page streaming technique with a modular call gate (Draugr).
- unredact - Unredact uses computer vision, font-aware constraint solving, and LLM reasoning to figure out what text is hiding under those black bars. Upload a PDF, and it will detect redactions, calculate exactly which strings could fit based on pixel-width constraints, and let you visually verify guesses with a live overlay.
- LTR101 - Getting into Industry in 2026 - Andy updates his "breaking into cybersecurity" post for 2026. Guess what made it into the Resources section this year? Ludus.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.