Mar 16 2026 Last Week in Security (LWiS) - 2026-03-16

News

• Introducing Armadin - Kevin Mandia (of Mandiant fame) is back with a new company. This time he's gone to the dark side and is "building the ultimate attacker."
• Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker - Sounds like Stryker's own device management software (Microsoft's InTune) was used to wipe the devices.
• Investing in Infrastructure: Meta’s Renewed Commitment to jemalloc - Meta un-archived the jemalloc project and, "are committed to continuing to develop jemalloc development with the open source community."
• It’s Official: Wiz Joins Google - It took a year for Google to complete the acquisition of Wiz. Some lawyers must have made out well.
• Meta is killing end-to-end encryption in Instagram DMs - Meta has a negative incentive to support privacy. I'm shocked it was even an option to begin with.

Techniques and Write-ups

• RIP RegPwn - "We kept it internal and used with great success across red team engagements since January 2025." The PoC video shows Windows running in VMware Workstation (I think). How much longer could this 0day have been kept alive if Ludus' testing mode was used for discovery and testing/development, only exposing it on live operations vs the entire development cycle?
• Finding Gadgets Like it’s 2026 - Java deserialization gadget chain finding via LLMs. Very 2026.
• Trust no one: are one-way trusts really one way? - In order for "one way" trust to function, the truing domain must store the password of accounts created in the trusted domain. This allows a domain admin in the trusting domain to laterally move to the trusted domain. Not a new technique, but a new tool to accomplish it: tdo_dump
• Crimes against NTDLL - Implementing Early Cascade Injection - These "hobby" C2 projects are getting pretty sophisticated.
• Extending Conquest using Python Modules - Speaking of advanced C2s, you can now extend Conquest with your own Python modules to create custom commands.
• Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR - Knowing the rules that will trigger an alert in your target's EDR is a huge advantage. The "global whitelist" was a juicy find. Looks like the plain text rules repo is 404ing now though...
• PageJack in Action: CVE-2022-0995 exploit - A new technique (PageJack) for an "old" exploit (CVE-2022-0995) and a cool write up with a PoC!
• The Nemesis 2.X Development Guide - Nemesis is a "one stop shop" backend for red team data collection and "enrichment" and the 2.X release makes it easier to add your own modules (file types, C2 connections, etc.).

Tools and Exploits

• Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) - Looks like someone is taking an interest in telnetd... Needs an ASLR bypass on modern systems, but who is running telnetd on modern systems. Embedded devices are a great target for this sort of thing.
• RegPwn Exploit code for LPE in Windows clients and servers (CVE-2026-24291).
• RegPwnBOF - Cobalt Strike BOF port of the RegPwn exploit by Filip Dragovic (@Wh04m1001) / MDSec ActiveBreach.
• llmchainhunter - This repo contains the design plan and runbook for using Claude Code to search for Java Deserialization Gadget chains.
• coruna - The actual exploits and binaries from last week's Coruna iOS exploit kit.
• Phantom - Phantom is project created to perform loading and executing .NET assemblies directly in memory within an IIS environment running in full‑trust mode. Instead of relying on file‑based approach, it uses reflective loading techniques to inject and run a DLL inside the memory space of the w3wp.exe worker pool process
• BYOUD is a framework for x64 stack spoofing on Windows. It tackles a complete opposite approach from classic stack spoofing, manipulating unwind metadata to hide arbitrary chunks of the call chain in debuggers and EDRs.
• doublepulsar-rs - Rusty DoublePulsar - Cobalt Strike User-Defined Reflective Loader (UDRL) in Rust (Codename: DoublePulsar)
• armory-rs - Rust Beacon Object Files (BOFs) for adversary simulation, threat emulation, security research, and detection engineering. All 115 TrustedSec BOFs ported from C to Rust using the rustbof framework.
• AdaptixC2-Template-Generators - Standalone scaffolding toolkit for AdaptixC2 extender development. Generates ready-to-implement stub projects for agents, listeners, services (optionally with post-build wrapper pipeline), and custom wire protocols -- all compatible with the axc2 v1.2.0 plugin API.
• mcp-windbg - A Model Context Protocol server that bridges AI models with WinDbg for crash dump analysis and remote debugging.
• Outpacket - Tired of impacket? This cheatsheet maps common impacket workflows to their modern alternatives
• Fritter is a heavily modified fork of TheWover and Odzhan's Donut shellcode generator. It generates position-independent shellcode for in-memory execution of VBScript, JScript, EXE, DLL, and .NET assemblies, but with a heavy focus on evasion and signature resistance.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• $75,000,000 Crypto Wallet Bulk Hack - Ultimate proof that physical access == root access. No matter how many secure enclaves or hardware security modules you have, if the attacker is dedicated enough and has physical access, with enough time and resources they can get in.
• fly-brain - Whole-brain leaky integrate-and-fire model of the adult fruit fly, built from the FlyWire connectome (~138k neurons, ~5M synapses). 🤯
• VoiceInk - Voice-to-text app for macOS to transcribe what you say to text almost instantly
• MANPADS-System-Launcher-and-Rocket - 👀
• PLFM_RADAR - Open-source, low-cost 10.5 GHz PLFM phased array RADAR system

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.