Kevin.m

1.1K posts

@klmitchell212

Mobile Security and Bug Bounty @Amazon | prev: iOS Engineer (@Accenture, @StateFarm, @Allstate) | GH: klmitchell2

Milwaukee, WI · Joined February 2016
1.4K Following · 535 Followers
Kevin.m retweeted
Dark Web Informer (@DarkWebInformer)
‼️An iOS exploit and C2 integrated attack panel called "iExploit Lab v1.0" is being advertised on a popular cybercrime forum, targeting iOS 13 through iOS 17.2.1 for $15,000.
‣ Threat Actor: OnarDev
‣ Category: Exploit / Tool
‣ Name: iExploit Lab v1.0
‣ Target: iOS 13 to iOS 17.2.1
‣ Developer: Zero Bound Workshop team
iExploit Lab is a visualized attack panel integrating C2 operations based on recent research on high-risk iOS vulnerabilities. It is not a traditional remote control tool but instead attacks iOS systems when a user visits a link via Safari.
Attack stages:
▪️ Stage 1 - Browser Attack (Stage1 terrorbird / Stage1 cassowary)
▪️ Stage 2 - PAC Bypass (Stage2 seedbell)
▪️ Stage 3 - Kernel Privilege Escalation (Stage3 Variant A / Stage3 Variant B)
Capabilities:
▪️ Break through system isolation and access all data on device
▪️ Theft of cryptocurrencies and bank information
▪️ Integrated HTTP vulnerability web server and C2 remote control server
▪️ Attack link auto-generated after server startup
▪️ Link delivered via social engineering, AirDrop, or other methods (one-click via Safari)
▪️ Connected device management panel
▪️ Operator console with real-time logging
The panel UI is in Chinese with a 5-step operational workflow: modify configuration, start services, set up connection, wait for callback, and control device. The actor notes that the two iOS 26 versions have already been patched. Proxy mode is available for earning dividends.
Kevin.m retweeted
johnny (@zeroxjf)
Another new/distinct bug in AJPG driver 💀 At this rate my whole timeline will just be panic logs
Kevin.m retweeted
pwn.ai (@pwn_ai)
Today we’re announcing something new in offensive security: the first AI system for novel vulnerability class discovery. An architecture built to discover undocumented exploit-building behaviors and previously unknown novel attack vectors that can later yield zero-days across real-world targets. The Search for AGI through Security is here. Read more: pwn.ai/blog/the-searc…
Kevin.m retweeted
ゆ (@verd1c_)
Turns out that given enough MCP tools for undetected process R/W without frida/hooking, Opus was able to oneshot an undetected ESP for PUBG mobile in a few hours :) Will write it up some time, definitely a new era in the anti-cheat cat & mouse game
Kevin.m retweeted
johnny (@zeroxjf)
One part of using AI to find vulns is I literally find so much stuff I lose track at times. CVE-2026-20687 was issued in response to an AppleJPEGDriver UAF I found, but I just rediscovered a derivative of that initial bug in a harness I built, and it’s still present in iOS 26.4.1
Kevin.m retweeted
johnny (@zeroxjf)
LightSaber (iOS 18) v0.0.93 - new features:
• bypass 3-app limit for free dev accounts (re-run after each set of 3 apps)
• MobileGestalt patcher (use caution, no computer required)
• syslog script for live USB chain debugging (example log in repo)
zeroxjf.github.io/lightsaber
Kevin.m retweeted
Ben James (@BenJames_____)
I made a USB-Clawd who gets my attention when Claude Code finishes a response
Kevin.m retweeted
johnny (@zeroxjf)
Apple's bug bounty portal is such a poorly coded mess (how ironic) that I completely missed getting a second CVE credited with iOS 26.3!
Kevin.m retweeted
lcamtuf (@lcamtuf)
Frankly, I'm appalled by the prospect of LLMs taking offensive security research jobs from honest, hard-working fuzzers
Kevin.m retweeted
Gergely Orosz (@GergelyOrosz)
This is either brilliant or scary: Anthropic accidentally leaked the TS source code of Claude Code (which is closed source). Repos sharing the source are taken down with DMCA. BUT this repo rewrote the code using Python, and so it violates no copyright & cannot be taken down!
Kevin.m retweeted
Leonid Volkov (@leonidvolkov)
I received a suspicious email with a weird link yesterday. My first thought was this is yet another phishing attempt, albeit well-tailored. I was wrong: researchers with whom I shared this email told me I was targeted by a very recent DarkSword attack used by the GRU. If I were to click the link in that email, my phone would be compromised — without entering any passwords or doing anything else. Fun fact: the attack would be launched only if I would access the link using an iPhone registered in Lithuania (which is indeed my case). Luckily, I didn’t click. Beware! Technical details about this exploit and how to stay protected: cloud.google.com/blog/topics/th…
Kevin.m retweeted
johnny (@zeroxjf)
After much trial and error, proud to show off tweak injection on iOS 18; possibly for the first time ever? DarkSword injection into SpringBoard on iPhone 15 Pro Max running 18.6.2 🎉
Kevin.m retweeted
johnny (@zeroxjf)
Important PSA: DarkSword websites that were previously dormant are now showing activity again. If you downloaded the DS payloads for research, take extra care to verify you have stripped any remote calls to the various domains (which even then is no guarantee of safety).