David Valles

62.7K posts

@davidvalles007

Passionate about Infosec! Tweets are my opinion and do not represent my employer's view.

Joined February 2013
957 Following, 831 Followers
Pinned Tweet
David Valles (@davidvalles007):
[New Blog] How to get started in ICS cyber security medium.com/@david.valles/how-to-get-started-in-industrial-control-systems-ics-cyber-security-a88a341796ab #ICS #cybersecurity #beginner
David Valles retweeted
José Rabal Sastre (@joserabal):
In the latest @kaptorsecurity post, I share my experience so far applying AI to pentesting tasks. Approaches, architectures, and a few tips for putting together something that actually pays off in cost-benefit terms depending on the context: kaptor.ai/blog/ai-pentes…
David Valles retweeted
Muhammad Abdullah (@0xabdullahx0):
Recently performed a Pentest of a hybrid perp DEX. Found several issues, but one critical stood out: a race condition in the close-position logic that turned a 100 USDT position into $3.9M in unauthorized trading volume — leaving bad debt on the protocol. 🧵
David Valles retweeted
Dylan Malyasov | 🧐 (@DylanMalyasov):
L3Harris Technologies @L3HarrisTech gave soldiers a way to detect and jam drones using the radio they already carry. No new hardware — just a software update that turns 100,000-plus fielded radios into counter-drone sensors. Read more: defence-blog.com/l3harris-turns…
David Valles retweeted
TrustedSec (@TrustedSec):
Ready to ditch passwords for good, but not sure where to start? In our new blog, @techBrandon introduces #Passkey Path, a choose-your-own-adventure guide to transitioning from passwords to passkeys, built for every role in your organization. Read it now! hubs.la/Q04gyKy50
David Valles retweeted
Andrew Oliveau (@AndrewOliveau):
Our team at Armadin had some fun poking at SolarWinds ☀️🌪️ Check out our latest blog: CVE-2026-28297 and CVE-2026-28298, Plus Credential Relaying for Full Domain Compromise armadin.com/blog-posts/pas…
David Valles retweeted
Sebastian Raschka:
A little talk on what we can learn from implementing LLM architectures from scratch in Python and PyTorch. And how I approach new open-weight models, compare them against reference implementations etc: youtube.com/watch?v=TXzQ7P…
David Valles retweeted
Jafar Najafov (@JafarNajafov):
Supertonic just killed ElevenLabs. A text-to-speech model that runs entirely on your device. No cloud. No API key. No per-character pricing. 2,700 GitHub stars. 100% open source. MIT licensed. The numbers are wild: → 167x faster than real-time on an M4 Pro → Only 66M parameters → 1,263 chars/sec vs ElevenLabs Flash at 287 → 1,048 chars/sec vs OpenAI TTS-1 at 55 → Runs on a Raspberry Pi. Runs on an e-reader in airplane mode. Reads currency, dates, phone numbers, and technical units correctly without preprocessing. ElevenLabs fails these. OpenAI fails these. Gemini fails these. Supports 11 platforms and 5 languages. Chrome extension turns any webpage into audio in under a second. I've watched on-device models lose to cloud APIs for years. This one doesn't lose. The cloud TTS business just got cooked.
David Valles retweeted
N Shams (@Nav_the_Sham):
FamousSparrow (aka Earth Estries), a China-aligned Advanced Persistent Threat (APT) group, launched a multi-wave intrusion campaign targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026, with the attack most notably using an evolved DLL sideloading technique in order to override two specific exported functions within the malicious library. Attribution comes from the substantial overlap with the Earth Estries toolset and tradecraft, such as post-compromise command execution, DLL sideloading, Deed RAT deployment, Mofu-based staging, and Terndoor-style driver-backed behavior. Taken together, these give an intrusion chain that is consistent with FamousSparrow's ecosystem of tools.

The operation was characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity, with the initial detection of intrusion dating back to December 25, 2025, when the `w3wp.exe` process attempted to write a malicious web shell into a publicly accessible directory on the Exchange server, leaving the backdoors latent in infected systems after the cleanup.

The next stage of the intrusion began with the execution of `C:\TEMP\LMIGuardianSvc[.]exe` (MD5: 0554f3b69d39d175dd110d765c11347a), which sideloaded `C:\TEMP\lmiguardiandll[.]dll`. That DLL initiated the execution chain of a backdoor later identified as `Deed RAT`, delivered through a three-component chain that blends seamlessly into the legitimate `LogMeIn Hamachi` ecosystem:

• LMIGuardianSvc.exe: Legitimate LogMeIn Hamachi binary (MD5: 0554f3b69d39d175dd110d765c11347a)
• LMIGuardianDll.dll: Malicious loader that patches a Windows API and stages the payload
• .hamachi.lng: Encrypted Deed RAT payload

The second stage occurs later, when `LMIGuardianSvc.exe` continues its normal execution and eventually calls the `ComMain` export. From there, the legitimate service flow leads to a call to `StartServiceCtrlDispatcherW`. Because that API was previously patched during `Init`, the call is transparently diverted into the malicious loader function. The loader then restores the original bytes of `StartServiceCtrlDispatcherW`, ensuring that the hook is removed after use. The `.hamachi.lng` file contains the next-stage shellcode along with the `Deed RAT` payload. It is decrypted using AES-128 in CBC mode with an initialization vector of 16 null bytes. The decryption key is derived from the first 16 bytes of the file, while the remainder represents the encrypted payload. Once decrypted, the shellcode is executed directly in memory, completing the transition from staged components to an active backdoor. This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim's environment. #ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #APT businessinsights.bitdefender.com/famoussparrow-…
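An added detection sketch, not from the post above or from Bitdefender, that turns the two early-chain behaviours the post describes (the `w3wp.exe` web-shell write into a public Exchange directory, and `LMIGuardianSvc.exe` in `C:\TEMP` sideloading a DLL from its own folder) into rules run over constructed Sysmon-style events; the directory lists, event fields and sample file names are assumptions:

```python
from dataclasses import dataclass

# Server-side script extensions a web shell is typically written as.
WEB_SHELL_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
# Directories an IIS/Exchange front end serves to the public (assumption).
PUBLIC_WEB_DIRS = (
    r"C:\inetpub\wwwroot",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
)
# Writable staging locations a signed vendor service binary should not run from.
STAGING_DIRS = (r"C:\TEMP", r"C:\Users\Public", r"C:\Windows\Temp")


@dataclass
class Event:
    """Minimal Sysmon-like record: 11 = FileCreate, 7 = ImageLoad (assumed schema)."""
    event_id: int
    image: str    # process image path
    target: str   # file created (id 11) or module loaded (id 7)


def _under(path: str, roots) -> bool:
    """Case-insensitive 'path lies below one of roots' check."""
    p = path.lower() + "\\"
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def _parent_and_name(path: str):
    head, _, name = path.rpartition("\\")
    return head.lower(), name.lower()


def detect(events):
    findings = []
    for e in events:
        img_dir, img_name = _parent_and_name(e.image)
        tgt_dir, tgt_name = _parent_and_name(e.target)
        # Rule 1: the IIS worker process writing a script into a public web directory.
        if (e.event_id == 11 and img_name == "w3wp.exe"
                and tgt_name.endswith(WEB_SHELL_EXT) and _under(e.target, PUBLIC_WEB_DIRS)):
            findings.append(("webshell_drop", e.target))
        # Rule 2: a process running from a staging directory loading a DLL that sits
        # beside it (classic sideload shape; installers in temp are a known false positive).
        if (e.event_id == 7 and _under(e.image, STAGING_DIRS)
                and tgt_name.endswith(".dll") and tgt_dir == img_dir):
            findings.append(("dll_sideload", f"{e.image.rpartition(chr(92))[2]} -> {e.target.rpartition(chr(92))[2]}"))
    return findings


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    Event(11, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\inetpub\wwwroot\aspnet_client\shell.aspx"),
    Event(11, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex260225.log"),
    Event(7, r"C:\TEMP\LMIGuardianSvc.exe", r"C:\Windows\System32\kernel32.dll"),
    Event(7, r"C:\TEMP\LMIGuardianSvc.exe", r"C:\TEMP\lmiguardiandll.dll"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the `.aspx` write and the `C:\TEMP` sideload and stays silent on the IIS log write and the System32 import.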
David Valles retweeted
Smukx.E (@5mukx):
DLL Sideloading & Proxying for Advanced Red Team Engagements. TL;DR: This blog will introduce DLL Sideloading and Proxying for advanced red team engagements for starters. Blog: zerotracelab.com/blog/dll-sidel… #redteam #windows
David Valles retweeted
Hunter For Fun (@Thisism23567356):
APT36 targets entities in Emirates using sheets as C2: file: UAE-India_Strategic_Partnership_Week.iso MD5: b887a7d8449d37fb777695efe550c32f @Threatlabz Campaign: zscaler.com/blogs/security…
David Valles retweeted
Voidwalker (@JustWantToQ1):
miltinhoc.gitbook.io/malware-dev/re…#how-matches-are-hidden If you have the time for a solid read I suggest you go over this. And then give Milton a follow on here @miltinh0c
David Valles retweeted
CloudSEK (@cloudsek):
New supply chain threat uncovered CloudSEK TRIAD found an npm campaign using crypto-javascri, a typosquatted package impersonating crypto-js. It steals npm/GitHub credentials, hijacks maintainer accounts, and uses Tor-based C2 to stay harder to disrupt. cloudsek.com/blog/inside-a-…
David Valles retweeted
Hakai Offsec (@HakaiOffsec):
In our latest analysis, we dive into CVE-2026-4802, a high-severity vulnerability discovered by our team in Cockpit that allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). Read the full analysis on our blog: hakaisecurity.io/en-cve-2026-48…
David Valles retweeted
0x12 Dark Development (@Salsa12__):
Sysdig TRT has uncovered a new C2 technique called NATS-as-C2 that attackers are using to steal cloud credentials and API keys. Instead of traditional C2 channels, they use a NATS server as their control infrastructure to blend in and evade detection. webflow.sysdig.com/blog/nats-as-c…