By the time Defender "cleans" the file, it has already been swapped for a symlink and used to escalate privileges.
Your primary defensive tool is the escalation vector. Ground truth exploitation > vendor assumptions.
4/5
Why wait for a 0-day when Windows Defender provides a SYSTEM shell for free?
Clip #1 from 'The Operator View' is live. We are breaking down the RedSun TOCTOU race condition that weaponizes your AV.
1/5
The RedSun zero-day proved that you cannot patch against bad logical design.
We are broadcasting The Operator View live right here on X today at 1:00 PM EST.
Nick Swink (@0xC0rnbread) is performing a deep-dive dissection of the recent Windows LPE 0-day vulnerabilities by Nightmare-Eclipse.
Today’s agenda:
Full breakdown of the RedSun exploit code.
Live demo: Standard User -> NT AUTHORITY\SYSTEM.
Why the vendor’s initial dismissal created a crisis for the enterprise.
Join us at 1:00 PM EST to see the technical ground truth of the RedSun exploit. Drop your questions in the replies and we will address them live.
#CyberSecurity #0day #LiveStream #InfoSec #ThreatIntel #TheOperatorView #Armada #ArmadaOps #RedSun
To defeat Ransomware-as-a-Service (RaaS), you must break the kill chain at its origin.
Stop focusing solely on the final payload. Neutralize the initial access vectors and lock down the identity perimeter against infostealers.
#Infostealer #Ransomware #CyberSecurity #InfoSec #RedTeam #Armada
By the time the ransom note appears, the catastrophic damage is already done. The encryption is just a noisy exit strategy used for double-extortion.
If you are only defending against the encryption phase, you have already lost the data.
Ransomware is not the attack. It is the smoke grenade deployed after the attack is already over.
To close our Infostealer series, the Armada team breaks down the operational reality of the Change Healthcare breach. 🧵
Because Defender operates with the highest privileges, the malicious overwrite instantly grants a standard, unprivileged user NT AUTHORITY\SYSTEM access.
If an attacker has initial access, Defender literally opens the backdoor for them.
1/5
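The bug class the Defender posts above describe, a privileged cleaner that checks a file by path and then re-opens the same path to overwrite it while an unprivileged user swaps the file for a symlink, as an added POSIX illustration. This is not the RedSun exploit and not Defender's code: the "scanner" marker, the protected target file and the `race` hook that stands in for the attacker winning the window are all constructed for the demo. The hardened variant does the check and the write through one descriptor opened with `O_NOFOLLOW`, so whatever the path resolves to later no longer matters.

```python
import os
import stat
import tempfile

# Constructed inputs for the demo (not from any advisory).
MARKER = b"EICAR-like test content"   # what the toy scanner flags
CLEAN = b"<remediated>"               # what the toy cleaner writes back


def looks_malicious(path: str) -> bool:
    """CHECK step of the vulnerable pattern: read by path."""
    with open(path, "rb") as f:
        return MARKER in f.read()


def clean_by_path(path: str, race=lambda: None) -> bool:
    """Vulnerable: check by path, then open the path AGAIN for writing.
    `race` models the attacker acting between the two opens; if they replace
    the file with a symlink, the privileged writer follows it."""
    if not looks_malicious(path):
        return False
    race()
    with open(path, "wb") as f:       # re-resolves the path: follows a symlink
        f.write(CLEAN)
    return True


def clean_by_handle(path: str, race=lambda: None) -> bool:
    """Hardened: open once, refuse symlinks, verify a regular file on the
    handle, then check and write through that same descriptor."""
    try:
        fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                    # ELOOP: path is a symlink -> refuse
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False
        if MARKER not in os.read(fd, st.st_size):
            return False
        race()                         # the swap happens, but we hold the inode
        os.ftruncate(fd, 0)
        os.lseek(fd, 0, os.SEEK_SET)
        os.write(fd, CLEAN)
        return True
    finally:
        os.close(fd)


def _setup():
    """Constructed scenario: a flagged drop file plus a protected target the
    attacker wants the privileged cleaner to overwrite for them."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "protected.txt")
    victim = os.path.join(d, "dropped.bin")
    with open(target, "wb") as f:
        f.write(b"original")
    with open(victim, "wb") as f:
        f.write(MARKER)

    def swap():                        # attacker wins the race window
        os.remove(victim)
        os.symlink(target, victim)

    return target, victim, swap


def demo() -> dict:
    """Run both cleaners against the same race and report what the protected
    target contains afterwards."""
    results = {}
    target, victim, swap = _setup()
    clean_by_path(victim, race=swap)
    with open(target, "rb") as f:
        results["vulnerable"] = f.read()          # b"<remediated>": target clobbered
    target, victim, swap = _setup()
    clean_by_handle(victim, race=swap)
    with open(target, "rb") as f:
        results["hardened"] = f.read()            # b"original": untouched
    results["hardened_refuses_link"] = clean_by_handle(victim)  # now a symlink -> False
    return results


if __name__ == "__main__":
    print(demo())
```

The takeaway is the one the posts make: the fix is not a signature, it is not re-resolving a path with SYSTEM privileges after an untrusted party has had a chance to change what it points to.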
When MSRC ignores a vulnerability report, the enterprise absorbs the blast radius.
The RedSun zero-day is actively being exploited in the wild because Microsoft dismissed the researcher who found it.
The Armada team breaks down the timeline and the exploit.
A technical overlay replaces subjective opinions with objective data. It continuously tests the environment to validate if those controls actually exist in reality.
Stop securing your network based on assumptions. Test the ground truth.
#RiskManagement #CyberSecurity #ASM #InfoSec #RedTeam #GRC #Armada #RiskAssessment
Relying solely on interviews creates a massive gap between what leadership thinks is happening and what is actually exposed on the network.
To close that gap, organizations must inject a technical overlay—like Attack Surface Management (ASM)—into the process.
A risk assessment built entirely on interviews is just a collection of assumptions.
The Armada team breaks down why traditional assessments are failing, and how a "technical overlay" exposes the ground truth. 🧵