HaxRob

A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out. The Android grid connect app has 500k+ downloads. Let’s take a quick look! 🧵 (1/n)

@0xmadvise Cool - nice to see more content published around this technique. haxrob.net/hiding-in-plai…

Hello, i wrote a blog on one of the modern persistence techniques in Linux using the unshare syscall. Enjoy reading @0xmadvise/rJPLNLRwlx" target="_blank" rel="nofollow noopener">hackmd.io/@0xmadvise/rJP…

@itsalexvacca A technical deep dive: haxrob.net/onavo-facebook…

@TheHackersNews The group-ib report seems to have omitted one of most important details: hashes of the sample(s) ....

🔥 A hacker gang planted a 4G Raspberry Pi inside a bank’s ATM network—bypassing firewalls to install a rootkit called CAKETAP. It spoofed PIN checks, hid processes, and aimed to trigger fraudulent withdrawals. Details you should know ↓ thehackernews.com/2025/07/unc289…

Facebook once bought a VPN app for $120M and turned it into a surveillance tool that spied on 33M+ users' entire phones for years. This app helped Zuck buy WhatsApp for a whopping $19B and break Snapchat's encryption. Thread

@haxrob Cool! Related (a paper we wrote recently): arxiv.org/abs/2506.07827

Really interesting ways here to hide files and other activity on Linux.

@e__soriano Nice one - creative use within user space rootkits. I have just referenced your paper in the appendix of the post under 'related research'.

A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇

Full writeup including mitigations, threat hunting and other detection ideas.👇 (7/7) haxrob.net/hiding-in-plai…

This method can be utilized to perform process masquerading.. Here an implant appears to be running from /usr/sbin/auditd but it's actually 'fileless'. No '(deleted)', no ':memfd', no '/dev/shm', no ptrace, no LD_PRELOAD. Just stealth. (6/7)

Forget compliance by severity color, how about compliance by emoji happiness level? #systemd, stay classy. 🙃

Security researcher @haxrob released a two-part technical breakdown of BPFDoor, a Linux-targeting malware tied to past APT campaigns. The analysis includes insights on recent variants observed this year. haxrob.net/bpfdoor-past-a… haxrob.net/bpfdoor-past-a…

Great blog posts and updates on latest BPFDoor changes by @haxrob BPFDoor - Part 1 - The past: haxrob.net/bpfdoor-past-a… BPFDoor Part 2 - The Present: haxrob.net/bpfdoor-past-a…

A writeup of this content can be found in a two part series: (22/x) haxrob.net/bpfdoor-past-a…

Newer samples can be found to have the authentication password as a salted MD5 hash. github.com/haxrob/bpfdoor… can extract the hashes from samples and generate the respective hashcat command. Here are a few cracked ones. Those that identify victims are not included. (21/x)

Newer variants of the #BPFDoor has an interesting modification made that avoids detections looking for processes with raw sockets. The kernel reports SOCK_DGRAM rather then rather loud "SOCK_RAW". Here we have a sample found in the recent SKT telco breach. (1/20)