av_eip
@av_eip
Cyber security
6.7K posts
Joined June 2009
499 Following · 511 Followers
av_eip reposted
Malcat dev @malcat4ever
We tested 9 LLMs on real-world #malware triage and static unpacking tasks, using only #Malcat’s MCP server. We compared not only their results, but also their speed and cost. Full write-up: malcat.fr/blog/benchmark…
av_eip @av_eip
Good read! "The Corporatization of Intelligence" was bound to happen sooner or later. In fact, one of the first firms I worked in used to scorn people writing blogs and giving away their threat intel for free. With the rise of AI, this sentiment is only going to get stronger 😉
R136a1 @TheEnergyStory
Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/whe…
av_eip reposted
Georgy Kucherin @kucher1n
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
av_eip reposted
7h3h4ckv157 @7h3h4ckv157
claude-red is a curated library of offensive security skills designed for the Claude skills system. Each skill is a structured SKILL.md file that primes Claude with expert-level methodology for a specific attack surface, from SQLi to shellcode, EDR evasion to exploit development. Resource: github.com/SnailSploit/Cl…
av_eip reposted
Elastic Security Labs @elasticseclabs
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy. So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it? We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs. Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses. The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces. The arms race just shifted.
av_eip @av_eip
Infosec industry effectively created its own nemesis by putting out open source and free knowledge base articles/repositories for the AI models to train on.
Arnav Gupta @championswimmer
@abhi9u It is safe if you cut it the way you have shown in the AI-generated image though..... 🫣
Abhinav Upadhyay @abhi9u
Yesterday, I came across the Mechanical Turk equivalent of computer science and software engineering, where top AI companies are hiring part-time engineers to write problems and solutions to train AI models. A very sophisticated way to cut the branch you're sitting on.
av_eip reposted
Karsten Hahn @struppigel
New Video: Build your own LLM dynamic analysis lab 🦔🎥 ➡️ AI debugs and unpacks with x64dbg ➡️ AI can access powershell terminal youtube.com/watch?v=QrWzRg…
av_eip reposted
Nav Toor @heynavtoor
Your smart TV is taking screenshots of your screen every 15 seconds. Not a guess. Not a theory. A peer-reviewed study by researchers at UC Davis, UCL, and UC3M tested it. Samsung TVs: every minute. LG TVs: every 15 seconds. Even when you're just using it as a monitor. Here's how to turn it off for every brand:
av_eip reposted
Hamid Kashfi @hkashfi
Finally got some breathing room, so here's a quick recap of the cyber side of the ongoing IR/US war:

1. Right after the first strikes by the US, within the first hours, multiple popular (pro-regime) news agencies and outlets were compromised at the same time. Legitimate-looking news content was injected into the front page, aimed at degrading the morale of pro-regime forces by typical PSYOPS tactics. Sites were quickly taken down and restored.

2. Shortly after that, BadeSabaa (a prayer time app), a popular mobile app with 30+ million installations (from the Iranian app store), was hijacked and used to send push notifications to users. This time the target audience was mostly army members, calling on them to surrender and join the people if they want to survive. This app is an interesting pick, not just because it has a high number of downloads. Users of the app are particularly religious people and have a higher chance of also being pro-regime and within the body of the army. One important but seemingly ignored fact about this app is that it requests location access to operate. It's safe to assume most users allow that for more accurate prayer time results. It's also safe to assume that, if the app backend is compromised enough to allow sending push notifications, any telemetry logs and data from the app would also be compromised. Correlating telemetry with unique device IDs for that large a user base can be (ab)used in many different and interesting ways! Not that it has been the case.

* Rumors circulated that EITAA, a popular Iranian messaging app, was also taken down and no longer accessible. That turned out to be just a rumor, as I verified.

3. Iran's internet went into full blackout mode again. Not that this had anything to do with a cyber operation. It initially started from MCI and expanded to the entire country within a day. Like in the previous case, there is still a small fraction of hosts that remain accessible from outside, but if you have been logging the previous round's data and compare it with the current one, you might notice interesting discrepancies ;) This is likely a multi-reason effort: to contain exposure of the impact of the strikes, possibly to deny service to smaller drones (which turned out to be a failed assumption and attempt during the IR/IL war too), and finally to have a veil over any potential aggression towards upcoming unrest and protests by people in the streets.

4. During the second day of strikes, Iranian national TV's Channel 3 satellite streams (IntelSat) were hijacked (the 2nd time since the recent protests) and videos of Trump and Netanyahu speeches were broadcast instead. Again, an expected PSYOPS move considering the situation.

Other covert operations have also been in progress, which I guess we might be hearing about (or not) in the near future. I will be occasionally updating this as a thread if more notable cyber attacks take place.
Josh Woodward @joshwoodward
Introducing Gemini on Mac. We heard your feedback. We recruited a small team. They built 100+ features in less than 100 days. 🤯 100% native Swift. Lightning fast. Let us know what you think!
av_eip @av_eip
@TuringAlex @Xlab_qax Don't think it is VMProtect. Seems like the binary uses a modified UPX packer with custom ELF section names .eDM0 and .eDM1 in place of the standard UPX0/UPX1 sections.
Alex. Turing @TuringAlex
🚨 #APT41 Just spotted a fresh #Winnti #ELF backdoor f1403192ad7a762c235d670e13b703c3 — 0 detections on VT and packed with VMProtect. 📸 One of the #C2 "ai.qianxing[.]co" is clearly impersonating our company's domain. They're getting bold. 🤣 #IOC Happy hunting 🍷 @Xlab_qax
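The packer question in the exchange above (VMProtect vs. a UPX variant with renamed sections) can be checked mechanically rather than by eye. The following is an added example, not code from either poster and not tied to the sample hash above: it reads the ELF64 section header table, scans for the UPX! marker that stock UPX leaves in its output, and flags any name0/name1 pair that mimics UPX0/UPX1 under a different name, of which .eDM0/.eDM1 is the one named in the reply. The pair regex, the verdict strings and the build_elf helper that constructs an in-memory test image are this example's own assumptions, so it runs offline with no real sample.

```python
"""Added triage helper: list ELF64 section names and flag UPX-style packing,
including a renamed UPX0/UPX1 pair such as the .eDM0/.eDM1 named above.
Not code from either poster; heuristics and the constructed image are ours."""
import re
import struct

UPX_MAGIC = b"UPX!"                 # PackHeader marker left in stock UPX output
STOCK_UPX = {"UPX0", "UPX1", "UPX2"}
# "<stem>0" / "<stem>1", with or without a leading dot: the shape UPX uses for
# its empty-and-compressed section pair. Assumed heuristic, not a UPX spec.
PAIR_RE = re.compile(r"^\.?([A-Za-z_]{2,8})([01])$")
SHDR = "<IIQQQQIIQQ"               # Elf64_Shdr, little-endian, 64 bytes


def elf_section_names(data: bytes) -> list:
    """Names from the section header table of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0:
        return []                   # stock UPX strips the whole table
    hdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]
    str_off, str_size = hdrs[e_shstrndx][4], hdrs[e_shstrndx][5]   # sh_offset, sh_size
    strtab = data[str_off:str_off + str_size]
    names = []
    for h in hdrs:
        end = strtab.index(b"\x00", h[0])                          # h[0] = sh_name
        names.append(strtab[h[0]:end].decode("ascii", "replace"))
    return names


def packer_verdict(data: bytes) -> dict:
    """Combine the UPX! marker, stock section names and the renamed-pair heuristic."""
    names = elf_section_names(data)
    stock = [n for n in names if n in STOCK_UPX]
    pairs = {}
    for n in names:
        m = PAIR_RE.match(n)
        if m:
            pairs.setdefault(m.group(1), {})[m.group(2)] = n
    renamed = sorted(f"{p['0']}/{p['1']}" for p in pairs.values()
                     if "0" in p and "1" in p and p["0"] not in STOCK_UPX)
    magic = UPX_MAGIC in data
    if stock or magic:
        verdict = "upx"
    elif renamed:
        verdict = "upx-like (renamed UPX0/UPX1 sections)"
    elif not names:
        verdict = "no section header table (consistent with stock UPX, which strips it)"
    else:
        verdict = "unpacked or unknown packer"
    return {"sections": names, "upx_magic": magic, "stock_upx": stock,
            "renamed_pairs": renamed, "verdict": verdict}


def build_elf(section_names: list) -> bytes:
    """Constructed test image: valid ELF64 header + section header table whose
    only real payload is the name string table. Not an executable program."""
    strtab = bytearray(b"\x00")
    offsets = []
    for n in section_names + [".shstrtab"]:
        offsets.append(len(strtab))
        strtab += n.encode() + b"\x00"
    sh_off = (64 + len(strtab) + 7) & ~7
    shnum = len(section_names) + 2          # null entry + sections + .shstrtab
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, sh_off,
                               0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = bytearray(64)                    # SHN_UNDEF entry
    for off in offsets[:-1]:
        shdrs += struct.pack(SHDR, off, 1, 0, 0, 0, 0, 0, 0, 1, 0)   # SHT_PROGBITS
    shdrs += struct.pack(SHDR, offsets[-1], 3, 0, 0, 64, len(strtab), 0, 0, 1, 0)
    img = bytearray(ehdr) + strtab
    img += b"\x00" * (sh_off - len(img))
    return bytes(img + shdrs)


if __name__ == "__main__":
    for sample in ([".eDM0", ".eDM1", ".text"], ["UPX0", "UPX1"], [".text", ".data"]):
        print(sample, "->", packer_verdict(build_elf(sample))["verdict"])
```

On a real file, pass `open(path, "rb").read()` to `packer_verdict`. Two caveats worth keeping in mind: stock UPX removes the section header table from ELF output entirely, so an empty section list is itself a signal rather than a clean bill of health, and a modified packer can just as easily drop the UPX! marker, so the absence of the magic proves nothing on its own.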
av_eip reposted
Shivani Kava/ಶಿವಾನಿ
As India’s ban on Chinese CCTVs kicks in today, do take a moment to read our investigation into how leaked CCTV clips from theatres and hospitals are being sold on Telegram for as little as Rs 1,500. These are intimate videos of couples making out at theatres to
av_eip reposted
Moritz @m_r_tz
The FLARE team now freely distributes its quality reverse engineering and malware analysis educational content at github.com/mandiant/flare…. Launched with: - Malware Analysis Crash Course - Go Reversing Reference - Intro to TTD
av_eip reposted
Socket @SocketSecurity
🚨 Active supply chain attack on axios@1.14.1. The latest version pulls in plain-crypto-js@4.2.1 -- a brand-new package that didn't exist before today. Socket's AI analysis flags it as a malicious obfuscated dropper: runtime deobfuscation, dynamic execSync loading, payload staging to temp/ProgramData directories, and post-execution artifact deletion. Consistent with supply chain malware. We're still investigating. If you use axios, pin your version and audit your lockfile.
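Socket's advice above is to pin the version and audit the lockfile. As an added example, not Socket's tooling, here is a Python walk over an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map): it resolves each dependency the way npm's nested node_modules lookup does, returns every chain that pulls a given package@version in, and lists direct dependencies whose specifier is a range rather than an exact version. The LOCK document is constructed for the example; the only fact in it taken from the advisory is that axios@1.14.1 depends on plain-crypto-js@4.2.1, and the other package names and versions are placeholders.

```python
"""Added lockfile audit for the axios / plain-crypto-js advisory above.
Not Socket's tooling. Walks an npm package-lock.json "packages" map
(lockfileVersion 2/3), resolves dependencies like npm's nested
node_modules lookup, reports who pulls a package in and which direct
dependencies are not pinned. LOCK is a constructed lockfile."""
import json
import re

LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.1"}},
    "node_modules/axios": {
      "version": "1.14.1",
      "dependencies": {"follow-redirects": "^1.15.0", "plain-crypto-js": "4.2.1"}
    },
    "node_modules/follow-redirects": {"version": "1.15.6"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"}
  }
}
""")

# Exact semver only; anything else (^, ~, x-ranges, dist-tags, aliases) is unpinned.
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def pkg_name(key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return key.rsplit("node_modules/", 1)[-1]


def resolve(packages: dict, from_key: str, dep: str):
    """Lockfile entry that `dep` resolves to when required from `from_key`:
    nearest enclosing node_modules first, then walk outward to the root."""
    scope = from_key
    while True:
        cand = f"{scope}/node_modules/{dep}" if scope else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not scope:
            return None
        scope = scope.rsplit("/node_modules/", 1)[0] if "/node_modules/" in scope else ""


def dependency_paths(lock: dict, target: str, version: str = None) -> list:
    """Every chain root -> ... -> target[@version], as name@version labels."""
    packages = lock["packages"]
    found = []

    def walk(key, labels, visited):
        for dep in packages[key].get("dependencies", {}):
            k = resolve(packages, key, dep)
            if k is None or k in visited:      # missing entry, or a cycle
                continue
            ver = packages[k].get("version", "?")
            label = f"{pkg_name(k)}@{ver}"
            if pkg_name(k) == target and (version is None or ver == version):
                found.append(labels + [label])
            walk(k, labels + [label], visited | {k})

    walk("", [lock.get("name", "root")], {""})
    return found


def unpinned(lock: dict) -> dict:
    """Direct dependencies of the root whose specifier is not an exact version."""
    root = lock["packages"][""]
    out = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in root.get(field, {}).items():
            if not PINNED_RE.match(spec):
                out[name] = spec
    return out


if __name__ == "__main__":
    for chain in dependency_paths(LOCK, "plain-crypto-js", "4.2.1"):
        print("pulled in via:", " -> ".join(chain))
    for name, spec in unpinned(LOCK).items():
        print(f"unpinned direct dependency: {name} {spec}")
```

To run it against a project, replace LOCK with `json.load(open("package-lock.json"))`. Note that pinning the direct dependency only fixes the top of the chain: the version a transitive package resolves to is whatever the lockfile records, so the lockfile has to be committed and installed with `npm ci`, which refuses to proceed when package.json and the lockfile disagree, rather than `npm install`, which may rewrite it.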
av_eip reposted
Tim Blazytko @mr_phrazer
The recording of my first Binary Cartography webinar is now public: Agentic Reverse Engineering: How AI Agents Are Changing Binary Analysis Topics: keygenning, cracking & anti-tamper removal Recording: youtube.com/watch?v=DZcDaX… Slides/code/samples: github.com/mrphrazer/bina…
av_eip @av_eip
@halvarflake There are other countries which hold US debt too. (Japan, Europe and petrodollar economies among the biggest). China also doesn't "finance" the US debt out of benevolence. It has no other way to park its trade surplus and continue its economic growth.
Halvar Flake @halvarflake
... the US just prints money to repay the debt, the creditors *will* have paid for it. In the event of a US-China conflict, we also have one country fighting another using equipment financed by borrowing from the adversary. Modern finance is truly glorious.
Halvar Flake @halvarflake
An interesting thought experiment: The US spends a lot of money on its military capabilities, largely financed by debt from abroad. It would like other countries to stop freeloading. But if the USD devalues vs other currencies or if the US defaults on debt repayments, or if ...