Nikhith

Last week we acquired UK-based DeceptIQ. DeceptIQ (@deceptiq_) is built by red-teamers with a deep desire to turn the tables on attackers. In our ten years of doing Canary, we’ve never seen such a strong natural alignment. We are super excited to help defenders win, together.

std::vector<bool>

Extremely impressed by the @UIDAI's new website and app. The UI/UX from onboarding to filling an application is completely seamless. Looks like stellar work by @NICMeity & @GoI_MeitY. Who's behind this design and execution? Credit where it’s due! 👏🔥

Any @hackthebox_eu players with Guru / Omniscient rank from India? Please DM. There's something I got for you. #CTF

Someone built a web-based System Design Simulator, where you drag & drop architecture components and actually simulate traffic, failures, latency, and scaling in real time, System design just got way more interactive.

@NinjaParanoid It's all a spectrum 🌈

So, a non-infosec rant - I do not have ADHD, but at the same time I cant sleep for more than 4-4.5 hours a day. If I am not working on BR/research, my motorcycles, or on racetrack, I feel like I am losing my touch. Also, I am not one of those guys who watch stupid "grinding videos". However, I dont think I will ever understand how some people can sleep for 7-9/10 hrs a day and still want more sleep. One of the most difficult questions to answer is, does it matter? Working your ass off, or sleeping too much, being lethargic? Or, maybe its just a state of mind, to each their own... 🤔

Process hollowing isn’t always “unmap and replace.” This post looks at a variant where the original image stays mapped, a second executable is mapped, and execution is redirected. Close enough to matter for defenders. trainsec.net/library/window…

At this point, Cobalt Strike is a worthless platform unless your goal is to emulate 13 year old Albanian ransomware gang members who are themselves using a cracked version of CS. In the real world, of high value targets, a firm that is red teaming them with CS is merely conducting a checkbox exercise. Can we just admit this already?

TLDR (which I don’t recommend, especially with SpecterOps blogs: BOF for WSL without the exe github.com/MayerDaniel/th…

MalwareBytes has an local database on the machine. It is a SQLite database. It contains settings for various properties such as licensing, malware identified, and known-good and known-bad lists. This is standard anti-malware stuff. The database with "ThankYouForChoosingMalwarebytes" is the less interesting database, as it mostly contains settings (this can still be abused though). Regardless, MalwareBytes does a couple of things with this SQLite stuff MalwareBytes establishes a kernel-mode minifilter (mbam.sys). They setup minifilter callback routines to handle events on the system for process creation, process loading, and registry modification (Image 1) In other words, MalwareBytes is notified immediately when a process is created or an executable image is loaded. When a process is created or an executable image is loaded, MalwareBytes has special functionality to temporarily "pause" execution so it can review it. However, this "pause" happens faster than you or I can blink. Computers are fast. The mbam.sys creates an internal record of all processes running. When a new process is loaded it is added to this internal record. When a program is closed, it is removed from the record. It does this so it doesn't accidentally review or "pause" the same process twice. When a program is added to this list, the kernel-mode component communicates with the user-mode component that then signals and connects to a local SQLite database. The SQLite database then does a lookup to determine if the process "paused" is known or unknown (Image 2) However, it should be noted, Image 2 is not the important SQLite instance I am looking for. This is something else MalwareBytes uses (and communicates to with kernel-mode components). The point still stands. If it is known, it communicates back to the kernel-mode component that is it known. If it known, and known to be malicious, MalwareBytes takes action on the program attempting to run and immediately stops execution. If it is known to be good, MalwareBytes marks it internally as "seen" and keeps it in it's internal record. Image 3 is from the internal database they use. It's fairly large and is mostly settings. I still haven't find where the really nice, big, and important dataset they use is. It requires more poking and more sticks.

This blog post provides an in-depth analysis of #Turla's #Kazuar v3 loader and how it tries to slip past modern defenses: • Sideloading via MFC satellite DLLs • Control flow redirection trick (+ POC) • Patchless ETW and AMSI bypasses (+ POC) • Extensive COM usage for registry, file and folder operations (+ partial POC) • Strings encryption (+ IDAPython decryption script) • Including IOCs and Yara rules r136a1.dev/2026/01/14/com…

Based on my article yesterday, a visual breakdown of how threat actors can suppress telemetry by abusing the Windows Filtering Platform. 🖊️ ipurple.team/2026/01/12/edr…

VM escape exploits are S tier, reserved for 4 digit IQ exploit devs

DON’T UPGRADE TO macOS TAHOE DON’T UPGRADE TO macOS TAHOE DON’T UPGRADE TO macOS TAHOE DON’T UPGRADE TO macOS TAHOE DON’T UPGRADE TO macOS TAHOE DON’T UPGRADE TO macOS TAHOE

A critical vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks, including Next.js (CVE-2025-66478). All users should upgrade to the latest patched version in their release line. nextjs.org/cve-2025-66478

@gergely_kalman @theevilbit Somehow someway it feels like XPC in action but I can't prove it yet

0day time: Here's a user to root LPE on macOS. I found it accidentally during our research with @theevilbit. This is not the bug that scares me btw, this one makes me laugh

Woah, really neat and the references mentioned in this sum up what you really need to look at for "traditional" tradecraft.

Canva ♥️

TERABYTES OF FORENSIC TEST IMAGES HUNDREDS OF CTFs dfir.training/downloads/test… #DFIR #CTF