Last Week in Security (LWiS) - 2026-03-30
ποΈβ€οΈπ€ Ludus MCP/Skills (@badsectorlabs), Grapefruit π± security suite (@CodeColorist), 2 Citrix NetScaler posts (@AlizTheHax0r + @_mccaulay), π BIOS bypass (@craigsblackie), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2026-03-24 to 2026-03-30.
News
- Apple Now Sending Critical Security Alerts to iPhones Running iOS 17 and Earlier - With multiple exploit kits appearing in the wild the past few weeks, it looks like Apple is taking a new step to get older OSs up to date. Apple recently stated, βWe are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device.β They've also stepped up their game in regard to the on-screen camera indicator.
- Introducing Cobalt Strike Research Labs - You can now upgrade your Cobalt Strike subscription with "cutting-edge, ready-to-use research tooling for Cobalt Strike, including custom UDRLs, Sleep Masks, UDC2 channels, and post-exploitation capabilities."
- The Wyden Siren Goes Off Again: We'll Be βStunnedβ By What the NSA Is Doing Under Section 702 - "I strongly believe that this matter can and should be declassified and that Congress needs to debate it openly before Section 702 is reauthorized. In fact, when it is eventually declassified, the American people will be stunned that it took so long and that Congress has been debating this authority with insufficient information."
- FBI director Kash Patelβs personal email breached: Iran-linked hackers leak private photos, resume - Looks like the classic data breach password reuse. Expected for most people, pretty embarrassing for the FBI director. How is there not a process to make sure these people at least enroll in the free Advanced Protection Program?
Techniques and Write-ups
- The Sequels Are Never As Good, But We're Still In Pain (Citrix NetScaler CVE-2026-3055 Memory Overread) - "Citrix advises that the vulnerability is only exploitable if the appliance is 'configured as a SAML IDP'. This is a cursed configuration to begin with, and we can think of no appliance more poorly-suited to the task of being an IdP than this class of network device." π€£
- Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2) - A GET request returns kilobytes of arbitrary memory from an unpatched Citrix NetScaler. Session IDs show up rather quickly, leading to authentication bypass.
- Disabling Security Features in a Locked BIOS - From locked BIOS to SYSTEM shell, this post shows what can be done with physical access and a willingness to flash a chip.
- Leveling Up Secure Code Reviews with Claude Code - The "Educational Mode" prompt is neat. The latest generation of models is good enough that you can treat it like a very persistent coworker. What's crazy is that these tools only get better from here (lookout for Claude Mythos).
- Audio Steganography in Supply Chain Attacks - The supply chain attacks from last week had some interesting WAV audio files that hid the payloads in the sound. Props for creativity!
Tools and Exploits
- ludus-mcp - MCP server for managing Ludus cyber ranges.
- ludus-skills - AI agent skills Ludus cyber ranges.
- Open-source mobile security testing suite - The "Grapefruit" mobile testing tool is back!
- emulat3 - Step through PE functions or shellcode instruction-by-instruction (amd64).
- scion - Run multiple agents in parallel β each in its own container, with its own workspace, collaborating on your code or project files simultaneously.
- 8FC8_Patcher - Patcher for Dell 8FC8 suffix UEFI written in Python.
- red-run - Security assessment toolkit for Claude Code.
- KrakenHashes v2.0.0 - RBAC, SSO, priority based scheduling, passkey support, and more in this big update of the distributed password cracking system.
- BridgeHead - Native C++ access to Active Directory over ADWS, no .NET, no WCF, no HTTP stack.
- trustme - BOF to impersonate TrustedInstaller via DISM API trigger and thread impersonation.
- NOFILTER-NFEXEC - Havoc C2 BOF β WFP kernel-space SYSTEM escalation + command execution with indirect syscalls, patchless AMSI/ETW bypass, and return address spoofing.
- CustomLoadImage - Stealthy .NET assembly loading using AssemblyNative::LoadFromBuffer.
- QuicFuscate - Efficiency-centric, anti-censorship QUIC/HTTP/3 VPN protocol with adaptive FEC and SIMD-accelerated AEAD.
- homelable - Self-hosted homelab infrastructure visualizer β interactive network diagram with live status monitoring.
- InfraGuard is a Command & Control Redirection Proxy and Manager which protects your Red Team Infrastructure against threat attribution.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- raptor - Raptor turns Claude Code into a general-purpose AI offensive/defensive security agent. By using Claude.md and creating rules, sub-agents, and skills, and orchestrating security tool usage, we configure the agent for adversarial thinking, and perform research or attack/defense operations.
- Don't Kill My Pretty RSS Feed - Pour one out for XSLT.
- kernel-hack-drill - This is a playground for the Linux kernel exploitation experiments. Only basic methods. Just for fun.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.