S3cur3Th1sSh1t

3K posts


@ShitSecure

Pentesting, scripting, pwning!

127.0.0.1 · Joined January 2019
335 Following · 28.2K Followers
Pinned Tweet
S3cur3Th1sSh1t @ShitSecure
This year it happened. What started as a spare time hobby and fun project became a commercial product for the Offensive Security community. I founded a company, @MSecOps . And this company will sell a Packer to Red Teams or Pentesters. (1/x) 🔥
MSec Operations @MSecOps (quoted tweet):

🔥 Introducing RustPack 🔥. RustPack is an evasive Packer/Loader that is capable of bypassing common AV/EDR vendors. It accepts user-provided known malicious input payloads, such as shellcode, C# assemblies or portable executables (PE). Those inputs are encrypted, and decrypted at runtime by a newly generated non-malicious payload. This process is commonly called packing or crypting.

Some features:
- Each payload looks different, making signature creation more difficult.
- Userland hooks are bypassed by default for each generated payload.
- The encryption key is never fully embedded in the final payload but always retrieved at runtime. This is good for bypassing emulators or automatic unpacking engines.
- Encrypted payloads can also be decoupled from the new binary to load them from a remote location at runtime.
- Multiple Anti-Debug techniques are applied to each payload by default.
- Environmental Keying and Anti-Sandbox options included.
- No cloud service. The software is delivered to the customer as a closed source solution.

Evasion options:
- Several AMSI bypass techniques ranging from Patching to using Hardware Breakpoints
- Multiple optional ETW bypasses
- Support for Module stomping
- OPSec safe remote injection techniques such as ThreadlessInject or a customised Caro-Kann technique

The tool is still under active development and lots of features/demos/etc. will follow. Some more information can be found here: msecops.de/products #redteam #pentesting #pentest #OST

S3cur3Th1sSh1t retweeted
MSec Operations @MSecOps
Backdooring existing executables or DLLs for stealthy payload execution? With version 1.7.0 of RustPack, this can be easily done in a few seconds. We live-debug/trace the execution flow in the target executable to find a suitable backdoor position at runtime, instead of patching the entry point. 🤠 Even Frontier LLM models analysing the output executable with reversing tools at hand and one task - determining whether the target is benign or malicious - will tell you this is benign. 🔥 We work hard, you get the best possible evasion! #redteam #ost #pentest #maldev
S3cur3Th1sSh1t retweeted
Nick VanGilder @nickvangilder
I've been pushing out some new features and functionality over at redteam.community and one cool thing that you might appreciate is: past conference talks. I don't know about you, but I've always thought it was such a pain in the ass to track them all down. Obviously, you could search online, or check out YT (if you could remember the con handle), etc. Nothing was ever consolidated in one central place. So, I'm trying to fix that. I don't have _every_ video, but I do have a lot... currently over 8000 indexed.

I've wired it up so that the master list of conferences pulls from cons on the Industry Conferences page (industry_conferences.json). In the schema, every con has a URL field and Past Conference Talks leverages that. Every day a cron harvests more and more videos from the con pages. And what I really like is that you can watch all of the past talks in-line without leaving the site or the page.

Additionally, and maybe my 2nd favorite feature, is how speakers are extracted from the videos and/or matched against the con's official website to create "social chips". These pink chips exist all throughout the site and map back to a social directory on the site that regularly syncs with all the major social sites where infosec folks hang out (X, Mastodon, LinkedIn, Bluesky, Twitch, etc.), with follower counts (APIs anyone?!). The linkages are actually pretty cool because you can effectively click on a speaker/instructor/trainer from anywhere on the site where you see a pink chip and see another con they have spoken at, a course they might teach, or content they create on their YouTube channel.

It's not all completely and fully wired up yet, but much of what I've described works today. As time allows, I'm going to continue to extend and expand the "social" feature of the site and continue to add more sections. As always, if you have any ideas, bug reports, or feedback, just lmk. Happy to chat!
S3cur3Th1sSh1t retweeted
Fabian Bader @fabian_bader
In my latest blog "Now You See Me: AADGraphActivityLogs" I explore the newly released Azure AD Graph logs and demonstrate how you can detect tools like ROADtools and AADinternals that rely on this API and have been under the radar for defenders so far. cloudbrothers.info/en/aadgraphact…
S3cur3Th1sSh1t @ShitSecure
Where did all my Github Copilot tokens go the last ~2-3 months? They all went here: multiplayer-snake.com Grab your team mates and pause a bit for fun! 🫡
Florian Roth ⚡️ @cyb3rops
Can we please use vibe coding for what it was probably meant for? Non-serious coding work: small visualizations, weird integrations, gamified tools. Like IDA Pro, but I can walk through the function graph in Roblox, Doom or Age of Empires. That's where vibe coding makes sense to me. Build something funny, break it, throw it away, no one has to maintain the codebase for 7 years. More of that, please.
S3cur3Th1sSh1t retweeted
V4bel @v4bel
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
S3cur3Th1sSh1t @ShitSecure
@domchell @checkymander @HackingLZ Update on that. It will only work on systems with .NET Core 8.0 installed unless the whole dependencies are shipped. So yeah I need some more research here :-)
S3cur3Th1sSh1t retweeted
Tom Jøran Sønstebyseter Rønning @L1v1ng0ffTh3L4N
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them.
S3cur3Th1sSh1t @ShitSecure
Making progress with an autonomous local Pentest LLM pipeline - using Qwen3 27b it's finding and verifying real vulnerabilities and creating a full report including Management-Summary already for us. 🧐 Better than many web vulnerability scanners as it even found e.g. IDOR.
sehno @_sehno_
@ShitSecure Have you tested Opencode or Hermes-agent with this model?
Janberk Besgul @Janberk_Besgul
@ShitSecure So the LLM reads the requests and responses from Burp with a custom extension and finds vulnerabilities from there. Did I understand right?
S3cur3Th1sSh1t @ShitSecure
@107cwk I don't think it's a replacement for humans at all. It's running in parallel as a helper. Imagine it as a "classic" scanner on steroids.
nemo @107cwk
@ShitSecure Economics question - how much does the price of an LLM need to go up (either per token, or GPU rental/purchase) for this to no longer be viable compared to paying a human your normal rate?
S3cur3Th1sSh1t @ShitSecure
@TurvSec Lots of context injection with guidance, compression in between and logging to make sure nothing is missed and all checks are done properly around the LLM as backend.
S3cur3Th1sSh1t @ShitSecure
@TurvSec I'm fiddling around with different models that match the hardware we currently have for testing autonomous LLM Pentest proof of concepts, and this was just released and looked promising. 🙂 The model is unmodified; the frontend is custom with different MCP Servers.
S3cur3Th1sSh1t @ShitSecure
@Janberk_Besgul Multiple MCP servers for different tasks in this case. And a custom burp extension to connect it with the ongoing pentest and the findings there.
Janberk Besgul @Janberk_Besgul
@ShitSecure Is it verifying or finding with using a docker pentest image or mcp for using pentest tools? Or using playwright to find it manually?
S3cur3Th1sSh1t @ShitSecure
@R4ven4rc This is fully custom, nothing public, full stack self-developed. In this case a local LLM, but choosing different backends such as cloud providers would in theory also be possible.
R4ven4rc @R4ven4rc
@ShitSecure Are you using a custom stack, Claude or Hermes?
S3cur3Th1sSh1t retweeted
vx-underground @vxunderground
CVE-2026-31431 a/k/a CopyFail > Linux LPE > Description sounds like AI slop > Exploit is legit > Impacts every Linux kernel from 2017 - Now > Proof-of-concept released > It's Wednesday? copy.fail
S3cur3Th1sSh1t @ShitSecure
Anyone interested in what you need for proper loader development in 2026? My talk for @x33fcon was accepted, so I'll talk about Malware again. 🔥 It's a unique talk and will only be held there this year! Hope to see some of you in Poland. 😎