Panos Gkatziroulis 🦄

14.8K posts

@ipurple

Red/Purple Teamer | Blogger | Ex-Director @pentestlabltd | Mod @ https://t.co/1nzjl9KpSH | https://t.co/mIM1GA1mN4

Joined January 2012
824 Following · 26.6K Followers
Panos Gkatziroulis 🦄 reposted
Threat Hunting Labs @ThruntingLabs
macOS labs in THL just got a real upgrade. We’ve released guided macOS investigation help for supported labs, giving learners better structure while they work through unfamiliar telemetry. This includes:
- macOS telemetry orientation
- question-level investigation guidance
- field and artifact explanations
- common mistake callouts
- methodology-focused debriefs
- better support for learning the workflow, not memorizing answers
macOS intrusion investigations need their own muscle memory. You need to understand where process activity shows up, how shell behavior looks, where collection and staging evidence tends to appear, and how to validate the sequence without assuming Windows patterns apply. That is what this update is designed to support. Tomorrow, a new investigation will make that much more concrete! Check out our labs -> threathuntinglabs.com/threat-hunting
Panos Gkatziroulis 🦄
The main reason X changed its algorithm to reduce visibility on posts containing external links (blogs, YouTube videos, etc.) is to push users toward writing more articles and long‑form posts, giving Grok more training data. We end up paying X for visibility, so X profits twice from the same creators.
Panos Gkatziroulis 🦄
@Cyb3rMonk @m19o__ Most of the topics can be learned with an LLM, the only differentiator in my opinion is how to pass real-world experience/use cases in the material and bring the human element.
Panos Gkatziroulis 🦄 reposted
Panos Gkatziroulis 🦄
Which format do you prefer for learning technical content in a course?
Panos Gkatziroulis 🦄
Working towards a new article about emulation and detection of EntryPoint injection.
AbuMuslim (أبومُسْلِم)
The modern learning experience needs to become far more interactive. Text-heavy courses are losing ground, especially when anyone can now ask an LLM for quick explanations. What will stand out more is strong visual teaching, creative UX, and content that makes people interact, not just read.
R136a1 @TheEnergyStory
Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/whe…
Panos Gkatziroulis 🦄 reposted
Nasreddine Bencherchali
A couple of years ago I wrote a blog on Dllhost and what it is actually running. I decided to revisit it this time around from a RE perspective and answer that conclusively. From CLI to the registry value. Read the research - research.nasbench.dev/research/windo… TL;DR - Dllhost is just a wrapper around CoRegisterSurrogateEx. It registers but does not execute. That's a job for combase.dll. Hence why it cannot be used as a LOLBIN directly. There are also additional fun facts in there. Enjoy!
Panos Gkatziroulis 🦄 reposted
0x12 Dark Development @Salsa12__
Silencing ETW Threat Intelligence via BYOVD. New Medium post. Today I will show you how to disable the ETW Threat Intelligence provider at the kernel level using a vulnerable driver as a read/write primitive: medium.com/@s12deff/silencing-etw-threat-intelligence-via-byovd-c2ba9e3bb072
Panos Gkatziroulis 🦄
🚨 Cross‑Session Activation is a detection gap hiding in plain sight. 💡 The technique abstract below highlights the minimum viable signals for defenders. 💭 Interesting to know if this technique is part of your threat emulation library. #detectionengineering #purpleteam #blueteam
Panos Gkatziroulis 🦄
🚨 Cross‑Session Activation is a detection gap hiding in plain sight. 💡 The technique abstract below highlights the detection opportunities for defenders. 🟣 If you’re conducting purple‑team testing, this technique should already be in your playbooks. #detectionengineering #purpleteam #blueteam
Panos Gkatziroulis 🦄 reposted
shenetworks @shenetworks
After not receiving a raise in the four years I’ve worked at BHIS they’ve now decided to reduce my pay by $40k after coming back from maternity leave and moving my role to solely pentesting. So I am looking for a new position effective immediately if anyone has any leads 😇