Gabriel

3.2K posts

@_theVIVI

Security Engineer | Gamer

Nairobi, Kenya | Joined April 2013
399 Following | 1.3K Followers

Gabriel retweeted
NASA @NASA
Welcome home Reid, Victor, Christina, and Jeremy! 🫶 The Artemis II astronauts have splashed down at 8:07pm ET (0007 UTC April 11), bringing their historic 10-day mission around the Moon to an end.

Gabriel retweeted
vx-underground @vxunderground
Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now. As I began poking this with a stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly. The C2 domain present in one of the binaries is a clear IoC. This is the same Threat Group who was masquerading FileZilla in early March, 2026. They've been busy.
Chris Titus Tech @christitustech

HWInfo and CPU-Z both compromised. Millions about to be PWNED! CPU Z: hybrid-analysis.com/sample/eff5ece… HW Monitor: hybrid-analysis.com/sample/4968501…


Gabriel retweeted
incursion @Incursi0n
Releasing GodPotatoBOF: Cobalt Strike BOF used to perform privilege escalation by exploiting the SeImpersonate privilege. OPSEC safe alternative to the .NET version. Based on the original GodPotato PoC by BeichenDream. github.com/incursi0n/GodP…

Gabriel retweeted
The White House @WhiteHouse
THE ARTEMIS II ECLIPSE. April 6, 2026. Totality, beyond Earth. From lunar orbit, the Moon eclipses the Sun, revealing a view few in human history have ever witnessed. Photo: NASA

Gabriel retweeted
NASA Artemis @NASAArtemis
Earthset. The Artemis II crew captured this view of an Earthset on April 6, 2026, as they flew around the Moon. The image is reminiscent of the iconic Earthrise image taken by astronaut Bill Anders 58 years earlier as the Apollo 8 crew flew around the Moon.

Gabriel retweeted
Progress Bar 2026 @ProgressBar202_
2026 is 25% complete.

Gabriel retweeted
Kuba Gretzky @mrgretzky
Today is another package-lock.json appreciation day!

- Make sure you always commit your project with the package-lock.json file. It is the ONLY version locking enforcement mechanism.
- Use npm ci instead of npm install. The first one will work ONLY if package-lock.json exists.
- If you need to update or pull new packages, use the --min-release-age flag (available since npm v11.10.0) to make sure you only install updates, which are at least 7 days old:

npm install --min-release-age=7

Or hardcode this setting into your .npmrc file:

min-release-age=7

There will be more malicious updates to popular npm packages in the future, driven by supply chain attacks. It's just the beginning. Thankfully, they will be caught in the first 24 hours. The npm ecosystem is broken by design. Adapt and act accordingly. Stay safe out there!
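
The three rules in the post above, turned into a repository check. This is an added example, not part of the original post or of npm; `audit_npm_project`, the file names and the sample project are hypothetical, and the only npm setting relied on is the `min-release-age` key quoted in the post.

```python
import json
import re
import tempfile
from pathlib import Path

MIN_AGE_DAYS = 7  # threshold named in the post
# `npm install` / `npm i` without the age flag; `npm ci` does not match.
INSTALL_RE = re.compile(r"\bnpm\s+(?:install|i)(?![\w-])(?!.*--min-release-age)")
AGE_RE = re.compile(r"^\s*min-release-age\s*=\s*(\d+)\s*$", re.M)
SAMPLE = {  # constructed project: one unlocked dependency, weak build step, low age
    "package.json": '{"dependencies": {"left-pad": "^1.3.0", "@acme/util": "^2.0.0"}}',
    "package-lock.json": '{"lockfileVersion": 3, "packages": {"": {}, "node_modules/left-pad": {}}}',
    "build.sh": "npm install\nnpm ci\nnpm install --min-release-age=7\n",
    ".npmrc": "min-release-age=2\n",
}

def audit_npm_project(root, ci_files=()):
    """Hypothetical helper: return findings for the three rules in the post."""
    root, findings = Path(root), []
    # Rule 1: the lockfile exists and covers every declared dependency.
    lock = root / "package-lock.json"
    if not lock.is_file():
        findings.append("package-lock.json missing")
    else:
        data = json.loads(lock.read_text())
        locked = {k[len("node_modules/"):] for k in data.get("packages", {})
                  if k.startswith("node_modules/") and k.count("node_modules/") == 1}
        locked |= set(data.get("dependencies", {}))  # lockfileVersion 1 layout
        pkg = json.loads((root / "package.json").read_text())
        declared = set(pkg.get("dependencies", {})) | set(pkg.get("devDependencies", {}))
        findings += [f"{name} declared but not locked" for name in sorted(declared - locked)]
    # Rule 2: build scripts call `npm ci`, not a bare `npm install`.
    for rel in ci_files:
        for n, line in enumerate((root / rel).read_text().splitlines(), 1):
            if INSTALL_RE.search(line):
                findings.append(f"{rel}:{n}: npm install without lock enforcement")
    # Rule 3: .npmrc sets min-release-age to at least MIN_AGE_DAYS.
    npmrc = root / ".npmrc"
    match = AGE_RE.search(npmrc.read_text() if npmrc.is_file() else "")
    age = int(match.group(1)) if match else None
    if age is None or age < MIN_AGE_DAYS:
        findings.append(f".npmrc min-release-age={age}, want >= {MIN_AGE_DAYS}")
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE.items():
            Path(tmp, name).write_text(text)
        return audit_npm_project(tmp, ci_files=["build.sh"])
```

`demo()` writes the constructed project to a temporary directory and returns one finding per broken rule.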

Gabriel retweeted
mthcht @mthcht2
LOLEXFIL Living off the land Data Exfiltration method lolexfil.github.io

Gabriel retweeted
Matt @muthmsir
ZeroTrust Workshop is now available on the web instead of in an Excel sheet. Last week, Microsoft announced the updated, 🚀brand new ZeroTrust Workshop. Most of us used the Excel sheet with our customers. We hoped to see this Excel sheet on the web, like the ZeroTrust Assessment. Now, I just want to give a big thanks to ✨Tarek Dawoud and @merill . Of course, there are many great people behind this, but unfortunately, I do not know their names. Once you complete a few of them, you'll see the score and how much is left to meet the ZeroTrust. Report before you complete anything Try it 👉 zerotrust.microsoft.com

Gabriel retweeted
Alex Neff @al3x_n3ff
New NetExec module: mssql_cbt🔥 Relaying to MSSQL can be a hidden gem when you are out of options. The only protection against relaying to MSSQL is to enforce Channel Binding Tokens (CBT). Thanks to @Defte_, NetExec now has a module that checks whether this CBT is required.
Aurélien Chalot @Defte_

Following the blogpost about implementing the Channel Binding token for TDS.py on Impacket (sensepost.com/blog/2025/a-jo…), here is the module you can use to check whether or not CBT is required on MSSQL databases via NetExec github.com/Pennyw0rth/Net… 🔥🔥


Gabriel retweeted
Progress Bar 2026 @ProgressBar202_
2026 is 22% complete.

Gabriel retweeted
EZ @IAMERICAbooted
Reduce your Intune Admins and use Intune RBAC and restricted admin units. Segregate device management into groups to decrease the blast radius. Treat Intune Admins like Global Admins. Require PIM with approvals. I've been saying this since before it was popular. As unpopular as this may sound right now, Microsoft is not to blame. They wrote about how to do all this in their documentation, but nobody does it. You have to keep in mind that it could have been a Global Admin too. In that case, the situation is even more dire. The vast majority of orgs are still hybrid. If the compromise was of the on-prem AD, not much you can do because you can pivot to an Intune Admin's device and use the APIs. This is why your EDR should be throwing high alerts when admin machines stop checking in and you should validate visibility on those machines. Managing admin machines is really really hard. Admins write code, run scripts, and look like they are compromised all the time when they're not.
Bert-Jan 🛡️ @BertJanCyber

The Stryker Intune Remote Wipe incidents highlight that detection & response capabilities should extend beyond the attack vectors often published. The destruction of services should be detected if it exceeds a certain threshold within a sliding window. More in 🧵

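
The threshold-within-a-sliding-window detection described in the quoted post above, as an added example that is not part of either post. The event fields, action names, threshold and window are hypothetical and do not reflect a real Intune audit-log schema; grouping by initiating account is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field and action names are hypothetical, not a real Intune audit-log schema.
DESTRUCTIVE = {"wipe", "retire", "delete"}
EVENTS = [  # constructed sample audit events
    {"time": "2026-01-05T08:00:00", "initiator": "helpdesk-b", "action": "wipe"},
    {"time": "2026-01-05T09:00:00", "initiator": "admin-a", "action": "wipe"},
    {"time": "2026-01-05T09:01:00", "initiator": "admin-a", "action": "sync"},
    {"time": "2026-01-05T09:02:00", "initiator": "admin-a", "action": "wipe"},
    {"time": "2026-01-05T09:03:00", "initiator": "admin-a", "action": "retire"},
    {"time": "2026-01-05T09:04:00", "initiator": "admin-a", "action": "wipe"},
    {"time": "2026-01-05T09:05:00", "initiator": "admin-a", "action": "wipe"},
    {"time": "2026-01-05T11:00:00", "initiator": "helpdesk-b", "action": "wipe"},
    {"time": "2026-01-05T14:00:00", "initiator": "admin-a", "action": "wipe"},
]

def detect_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when one initiator exceeds `threshold` destructive actions in `window`."""
    recent = defaultdict(deque)  # initiator -> timestamps still inside the window
    alerting = set()             # initiators already alerted for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["action"] not in DESTRUCTIVE:
            continue
        who, ts = ev["initiator"], datetime.fromisoformat(ev["time"])
        q = recent[who]
        q.append(ts)
        while ts - q[0] > window:      # slide: drop events older than the window
            q.popleft()
        if len(q) <= threshold:
            alerting.discard(who)      # burst over, re-arm the alert
        elif who not in alerting:      # alert once per burst, not per event
            alerting.add(who)
            alerts.append({"initiator": who, "at": ev["time"], "count": len(q)})
    return alerts
```

On the constructed events, `admin-a` crosses the threshold with the fourth destructive action inside ten minutes, while the three widely spaced wipes by `helpdesk-b` stay below it.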

Gabriel retweeted
EZ @IAMERICAbooted
If a Global Admin gets compromised, it should be treated like a scorched earth scenario. The possibilities for backdoor are endless, especially if they disabled the audit logs.

Gabriel retweeted
John Hammond @_JohnHammond
GraphSpy: A Hacker's Tooling Deep Dive, video demos with the creator @RedByte1337! 🤩 Keanu shows me the wild things you can do for post-exploitation in Entra ID -- even adding a physical security key for persistence and a ton of other tricks 🤯 Video: youtu.be/qEtoKC32UoE

Gabriel retweeted
Justin Skycak @justinskycak
When you "hit a wall" in something you are trying to learn, it's typically just a massive debt of unlearned prerequisites that are finally being called due.

Gabriel retweeted
Dr Kareem Carr @kareem_carr
There's a toxic culture coming out of the AI industry that keeps trying to get us not to think. The message is everywhere. Don’t read the code, just vibe-code. Don’t try to understand all the text, just let AI summarize it. Don’t bother educating yourself, it’s too late. Don’t worry about the errors. Trust that everything will be fixed in the next version. The theme is the same. Don’t think too hard. Just keep swallowing the slop.