Jim Saveker

42 posts

@Saveker

Security Person @ Perpetual | Catching badness, calming nerves | Opinions mine, detections shared

Austin, TX · Joined August 2007
257 Following · 84 Followers
Jim Saveker@Saveker·
Interlock operators are running Volatility... the defender's memory-forensics tool against their own victims. windows.hashdump on a dump file → creds extracted, zero LSASS access. RunAsPPL / Credential Guard don't fire. Interesting finding from The DFIR Report.
Jim Saveker@Saveker·
@cyb3rops I have been playing with it today and it’s both capable and fast. 70+ tps on my MacBook Pro
Florian Roth ⚡️@cyb3rops·
Gemma 4 outperforms all other open source models in my cyber security related benchmark set
Arena.ai@arena

Gemma 4 by @GoogleDeepMind debuts at 3rd and 6th on the open source leaderboard, making it the #1 ranked US open source model. By total parameter count, Gemma 4 31B is 24× smaller than GLM-5 and 34× smaller than Kimi-K2.5-Thinking, delivering comparable performance at a fraction of the footprint.

Jim Saveker@Saveker·
Claude + Obsidian = 10x usefulness unlocked. Vault goes from static notes to thinking partner overnight. 🤯
Jim Saveker@Saveker·
I am reasonably reserved with respect to the AI hype train but tmux + Claude agent swarm? Absolute BEAST mode. Got my lead Claude bossing a squad of AI teammates, shared tasks, direct chit-chat via mailboxes, no race condition nightmares. Wow just wow.
Jim Saveker reposted
John Hammond@_JohnHammond·
A VS Code extension for a "Clawdbot Agent" was fake; it was actually malware that installed ScreenConnect on a target computer to be used as a remote access trojan! YouTube video walking through the extension source code & Rust-based loader by DLL hijacking: youtu.be/7GS6Xs4hdvg

Hat tip to Aikido Security and Charlie Eriksen for catching this thing in the wild -- one of the domains looks to also be hosting a panel for Evelyn Stealer malware, so we reference some other research from Trend Micro and Koi Security as well to note the similarities in the Lightshot EXE and DLL naming & abuse of VS Code extensions for fake AI coding assistants.

While I was recording, the extension was changed and updated to a new version in real-time -- so we take a look at both and actually fire off the sample to see it work. ... it didn't work. (???)

Looking more closely at the syntax of the extension, even recreating how it is invoked, the logic seemed wrong. Was the whole thing vibecoded? Maybe I missed something, so I need your eyes! (Or your Clawdbot Moltbot Robot Botbot bot "eyes"😜) youtube.com/watch?v=7GS6Xs…
Jim Saveker@Saveker·
Attackers are now using Microsoft's own App-V scripts as a LOLBin to proxy PowerShell and slip past your defenses. The payload? Amatera infostealer, served via fake CAPTCHA. Microsoft really said "here, have a trusted binary" and threat actors said "don't mind if I do." bleepingcomputer.com/news/security/…
Jim Saveker@Saveker·
Prohibited at NYC inauguration: Flipper Zero and Raspberry Pi. Permitted: Notebook computers running Kali Linux, cellphones with full pentesting toolchains and SDR apps. Classic security theater: banning specific hobbyist devices while allowing far more capable general-purpose hardware. bleepingcomputer.com/news/security/…
Jim Saveker@Saveker·
@British_Airways Thank you. Eventually they let us through. The gate agent explained that the cutoff is 4 years old for priority boarding but made an exception for them being 5 years old. It’s very stressful traveling with kids and all their gear.
British Airways@British_Airways·
@saveker Please accept our apologies, Jim. Thank you for feeding this back to us. Priority boarding is usually offered at the gate to those who need it, we're sorry this hasn't been offered to you today. Kaitlin
Jim Saveker@Saveker·
@British_Airways you are denying me and my two young children priority boarding from London to Austin. This was something we had from Austin to Heathrow. Please have a consistent policy, and now it’s really hard boarding with kids. It’s hard enough to travel with kids.
Jim Saveker@Saveker·
With #DGXSpark, my time goes into fine-tuning LoRAs and NVFP4 quantization instead of debugging the stack. That’s real progress... nicely done #NVIDIA, Bravo!
Jim Saveker@Saveker·
Threat actors aren’t just recycling old tricks, they’re bending them. Fake CAPTCHA, fake Cloudflare Turnstile, disguised MSIs, steganography and FileFix-style paths. bleepingcomputer.com/news/security/…
Jim Saveker@Saveker·
@techspence App/binary allow-listing, when paired with strong auth (machine trust cert + WebAuthn key), quietly prevents a lot of bad days. Hugely underrated control imho.
spencer@techspence·
What security control do you think is the most underrated… and why?
Jim Saveker@Saveker·
UNC6395 abused compromised OAuth tokens from the Salesloft Drift integration to exfiltrate data from Salesforce, including AWS keys/Snowflake creds. So what: SaaS integrations expand your attack surface as much as your own code, but with far less visibility or control. cloud.google.com/blog/topics/th…
Jim Saveker@Saveker·
Bad actors are straight-up ghosting your EDR by using Windows internals folks rarely monitor. No SYSTEM, no write-to-disk, just NtOpenKeyEx + SeBackupPrivilege + RegQueryMultipleValuesW = creds exfiltration in stealth mode. #Cybersecurity #EDRevasion
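Two of the posts above describe credential theft that never touches LSASS: running Volatility's windows.hashdump against a memory image, and reading the SAM/SECURITY hives with SeBackupPrivilege (NtOpenKeyEx with backup semantics, then RegQueryMultipleValuesW). Both sidestep the usual LSASS-handle detections, so the telemetry has to come from somewhere else. The correlation below is an added example written for this page; it is not code from the posts, The DFIR Report, or any linked article. The events are constructed, and the field names are assumptions about a log shipper's schema modelled on Security event 4703 (Token Right Adjusted, which lists the enabled privileges and process ID), Security event 4663 (object access on a registry key, which only fires if a SACL has been set on the hive keys), and Sysmon event 1 (process creation). The backup-agent allow-list and the five-minute window are assumptions to tune per estate.

```python
"""Added example: correlate Windows telemetry for LSASS-free credential theft.

Rule 1, backup_privilege_hive_read: a process enables SeBackupPrivilege
(Security 4703) and then reads the SAM or SECURITY hive (Security 4663,
object type Key) within a time window, and is not a known backup agent.
Rule 2, offline_hashdump: a process creation (Sysmon 1) whose command line
runs Volatility's windows.hashdump plugin against a memory image.
All events are constructed for the example; the schema is assumed.
"""
import re

SENSITIVE_HIVES = ("\\REGISTRY\\MACHINE\\SAM", "\\REGISTRY\\MACHINE\\SECURITY")
# Assumed allow-list: processes expected to open hives with backup semantics.
BACKUP_AGENT_ALLOWLIST = {"vssvc.exe", "wbengine.exe"}
WINDOW_SECONDS = 300  # assumed correlation window
# Matches "vol.py ... windows.hashdump", "vol.exe ...", "volatility ..." (case-insensitive).
VOL_HASHDUMP = re.compile(r"\bvol(atility)?(\.py|\.exe)?\b.*windows\.hashdump", re.I)


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=WINDOW_SECONDS):
    """Return a list of alert dicts for the two techniques over event dicts."""
    alerts = []
    backup_enabled = {}  # (host, pid) -> ts at which SeBackupPrivilege was enabled
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        eid = ev["event_id"]
        if ev["source"] == "security" and eid == 4703:
            if "SeBackupPrivilege" in ev.get("enabled_privileges", []):
                backup_enabled[key] = ev["ts"]
        elif ev["source"] == "security" and eid == 4663:
            obj = ev.get("object_name", "").upper()
            if ev.get("object_type") != "Key" or not obj.startswith(SENSITIVE_HIVES):
                continue
            t0 = backup_enabled.get(key)
            proc = _basename(ev["process"])
            if t0 is not None and ev["ts"] - t0 <= window and proc not in BACKUP_AGENT_ALLOWLIST:
                alerts.append({"rule": "backup_privilege_hive_read", "host": ev["host"],
                               "pid": ev["pid"], "process": proc, "object": ev["object_name"]})
        elif ev["source"] == "sysmon" and eid == 1:
            cmd = ev.get("command_line", "")
            if VOL_HASHDUMP.search(cmd):
                alerts.append({"rule": "offline_hashdump", "host": ev["host"], "pid": ev["pid"],
                               "process": _basename(ev["process"]), "command_line": cmd})
    return alerts


# Constructed sample telemetry (not real logs). ts is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    # ws01: unsigned tool enables SeBackupPrivilege, then reads the SAM hive 30 s later -> alert
    {"host": "ws01", "ts": 100, "pid": 4242, "event_id": 4703, "source": "security",
     "process": "C:\\Users\\bob\\tool.exe", "enabled_privileges": ["SeBackupPrivilege"]},
    {"host": "ws01", "ts": 130, "pid": 4242, "event_id": 4663, "source": "security",
     "process": "C:\\Users\\bob\\tool.exe", "object_type": "Key",
     "object_name": "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users"},
    # ws01: VSS service does the same thing legitimately -> allow-listed, no alert
    {"host": "ws01", "ts": 140, "pid": 900, "event_id": 4703, "source": "security",
     "process": "C:\\Windows\\System32\\vssvc.exe", "enabled_privileges": ["SeBackupPrivilege"]},
    {"host": "ws01", "ts": 150, "pid": 900, "event_id": 4663, "source": "security",
     "process": "C:\\Windows\\System32\\vssvc.exe", "object_type": "Key",
     "object_name": "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets"},
    # ws03: privilege enabled, but the hive read is outside the window -> no alert
    {"host": "ws03", "ts": 0, "pid": 77, "event_id": 4703, "source": "security",
     "process": "C:\\Temp\\x.exe", "enabled_privileges": ["SeBackupPrivilege"]},
    {"host": "ws03", "ts": 1000, "pid": 77, "event_id": 4663, "source": "security",
     "process": "C:\\Temp\\x.exe", "object_type": "Key",
     "object_name": "\\REGISTRY\\MACHINE\\SAM\\SAM"},
    # ws02: Volatility hashdump run against a memory image -> alert
    {"host": "ws02", "ts": 200, "pid": 5, "event_id": 1, "source": "sysmon",
     "process": "C:\\Python\\python.exe",
     "command_line": "python vol.py -f C:\\temp\\host.raw windows.hashdump"},
    # ws02: benign command containing the substring "Vol" -> no alert
    {"host": "ws02", "ts": 210, "pid": 7, "event_id": 1, "source": "sysmon",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -c Get-Volume"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner would want. Event 4703 is noisy on real hosts (service processes adjust token rights constantly), so the rule keys on the hive read rather than the privilege change alone, and 4663 on hive keys only exists if a SACL is configured on HKLM\SAM and HKLM\SECURITY, which is not the default. The hashdump rule only helps if Volatility is run on a host you monitor; when the image is carried off and parsed elsewhere, the remaining signal is the memory acquisition itself (a kernel driver load or a large raw file written by an unusual process), which this block does not model.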