Ethereal

1.5K posts


@ethereal__vx

art & malware *-* @vxunderground

Ring 0 · Joined April 2019
785 Following · 2.6K Followers
Pinned Tweet
Ethereal @ethereal__vx
Anti-virus Artifacts II is out! Besides listing API hooks from Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro & WebRoot, I have documented their drivers, IRP requests, altitudes, and web traffic sent from the AV. I hope you like it! ♥️ cutt.ly/AV-Artifacts-II
Ethereal retweeted
wetw0rk @wetw0rk7
Are you ready to jump into shellcode? Check out the latest windows userland exploitation tutorial in collaboration with @cc_s_training and @corelanc0d3r! We'll be covering the various ways to get to shellcode during the exploit development process! Find the latest tutorial below! youtu.be/UUv2JE6JA0A
Ethereal retweeted
vx-underground @vxunderground
I've got a really silly idea for malware. Windows 11 now has Windows.Graphics from the Windows Runtime API. You can use it for taking screenshots. It's supposed to be better than the native WINAPI method because of something about GPU rendering stuff, I don't know, I can't remember. Anyway, Windows 11 also ships with an OCR library from the Windows-something-something in the WinRT as part of their AI stuff. The point being: I think I can take a fancy screenshot of an application, like Slack, Microsoft Teams, or Discord, using WinRT, then use WinRT to OCR it into readable and parseable text from C/C++. It is basically a really convoluted way to do keylogging or espionage, or whatever. For extra flavor, use WinRT to upload the OCR'd text to a remote host. Why do this instead of WinHTTP or Windows Sockets? Literally no reason other than curiosity. I have no idea how this would appear under the scope of an EDR. Sometimes you need to try silly things.
Ethereal retweeted
SandboxEscaper @WeirdQuadratic
First blog post in the new series. Just really short and basic as an introduction post. I don't really have a direction in mind for this series, but let's just generate scripts with Claude, and try to find 0days without getting too technical, hehe: patreon.com/posts/blog-0-w…
Ethereal @ethereal__vx
@8kSec Would love to visit US and meet my online friends there
Ethereal retweeted
8kSec @8kSec
🌍 Earth Day Giveaway - Learn Mobile or AI Security, On Us One beautiful planet we all share. Let's patch it together. 🌱 To celebrate Earth Day, we're planting 3 free seats 🌱 in any 8kSec Academy course - winner's choice of the whole forest: • Practical AI Security: Attacks, Defenses, and Applications • Practical Mobile Application Exploitation • Offensive Mobile Reversing and Exploitation • Offensive iOS Internals • Offensive Android Internals Explore the catalog → academy.8ksec.io How to enter (zero carbon footprint 🍃): 🌿 Follow us 🌿 Like this post 🌎 Repost to spread the seeds 🌟 Bonus: double your chances! 💬 Comment your favorite place on Earth that you have visited or would like to visit 🌍, and we'll count your entry twice 3 winners sprout on April 27. We’ll DM each winner to select their course.
Ethereal retweeted
8kSec @8kSec
New Blog Post: How browser exploits actually work on iOS – written for beginners who've never read a browser exploit writeup. We use Google's DarkSword chain as a case study to explain Safari's JIT, the PAC bypass, and how attackers escape the WebContent sandbox. No prior knowledge needed. 8ksec.io/how-browser-ex… Stay updated with @8kSec for more blogs like this
Ethereal retweeted
winterknife 🌻 @_winterknife_
Added a minimal working PoC for the code injection technique used by the UTILITYBURST implant. github.com/winterknife/EV… P.S. If you think this is kinda lame in 2026, I agree. Remember that Barnaby Jack demonstrated this more than 20 years ago now, and it is still relevant today.
Ethereal retweeted
dylan davis @lildylannn
I just dropped some research: DSCourier, and would love your opinion, so check it out!! It's a novel post-exploitation technique abusing WinGet's COM API to execute code through Microsoft-signed binaries. GitHub: github.com/DylanDavis1/DS… Blog: dylansec.com/DSCourier/
Ethereal retweeted
Co11ateral @co11ateral
New Mimikatz: researchers took an old version of Mimikatz and taught it how to dump credentials from the latest operating systems! The research: medium.com/@tanrikuluatahan/fixing-mimikatz-sekurlsa-logonpasswords-on-windows-11-24h2-25h2-253e82866197 The repo: github.com/tanrikuluataha… #redteam #pentesting
Ethereal retweeted
s1r1us (mohan) @S1r1u5_
I pointed claude opus at chrome and told it to build a full v8 exploit for discord. A week of back-and-forth pulling it out of dead ends. 2.3B tokens. $2,283 in API costs, and it popped a shell. hacktron.ai/blog/i-let-cla…
Ethereal retweeted
vx-underground @vxunderground
Yeah, so basically I'm trying to make my own "ClickFix" but for Windows binaries by abusing the Windows Runtime, Component Object Model, and whatever Windows grants me from a limited user profile (see attached image).

I saw some research on Windows Toast Notifications by @ipurple, but their paper and code were in C# and PowerShell. Their technique displayed a fake update and directed the user to a website which then did ClickFix.

So it's like, WindowsClickFix -> ClickFix

I said, "wtf? why not just run program there?"

It turns out you can, it's totally possible and well documented for something like C#. Making a simple notification on Windows which impersonates Windows Defender and runs a .exe (or whatever) is pretty shrimple.

But.... there is a massive asterisk next to shrimple because it requires some* pain and suffering.

In extreme summary, need to do registry entries so Windows knows where to send Toast stuff to. In C# or PowerShell this is still relatively simple, just kind of annoying. In C, it still isn't too bad.

Unfortunately, I am a person who knows only pain. I didn't want to do C#, or .NET, or do anything with WindowsRT the way Windows wants you to. I said, "well, I've done WinRT in C before, why not do this in C?" Why not make something mildly annoying 200% more difficult?

It has been a challenge. I decided to do EVERYTHING with the WinRT / COM. I didn't want to make ANY WinAPI invocations omit RoInitialize (technically CoInitializeEx).

In the attached image I've successfully impersonated Windows Security. However, "update" doesn't work the way I'd like to. The easiest thing to do in this scenario is trying to abuse a Windows Scheme URI. Unfortunately, WinRT sandboxes and prevents FILE://, and I can't find a URI to abuse to deliver file execution (I tried).

I assume the inability to find a Windows URI to abuse for file execution is why the original authors ended up doing ToastNotification -> ClickFix.

Making the Toast Notification go to a web domain is extremely easy. You literally can just specify "button go to website ooga booga" and that's it.

Because I couldn't find a URI to execute a binary, my only option left is using INotificationActivationCallback. Basically, I have to register my malicious code in the registry to receive Toast Notification callbacks. When "Update" is clicked my binary is notified and appropriate action is taken. Again, this is all totally normal functionality, but it's being used for social engineering.

The only caveat here is I am trying to do it as painful and convoluted as possible. I have the general layout done... it's just typing out the code and debugging. It's tiring.

I also planned on stripping the headers and making the binary as lightweight as possible. Why? I have no idea. It is totally unnecessary and ass-backward logic.
Ethereal retweeted
Joe Desimone @dez_
Engineers at Microsoft have been busy. Today they patched 5 LPE vulns I submitted to their bounty program. All found with AI (not Mythos 😛)
Cloud Files Mini Filter Driver - msrc.microsoft.com/update-guide/e…
Common Log File System Driver - msrc.microsoft.com/update-guide/e…
Desktop Window Manager - msrc.microsoft.com/update-guide/e…
Desktop Window Manager - msrc.microsoft.com/update-guide/e…
Desktop Window Manager - msrc.microsoft.com/update-guide/e…