malware Owl

354 posts

@malware_owl

Entered the world of Malware (◎▼◎) since Aug '22. Opinions expressed are my own and not those of my employer. Security Researcher @ Kaspersky GReAT

Joined September 2022
326 Following, 1K Followers
Pinned Tweet
malware Owl
malware Owl@malware_owl·
YaraXGUI improvements: a hex editor and a YARA match table that shows all matches found. It supports more tabs, and YARA formatting is fixed as well. We can browse for rules and filter the files that we want to scan this time. The hex editor is added with the goal of making things more hassle-free. Within the hex editor, we can also apply changes, do basic diffing, mark multiple regions and send them to the YARA editor. Also included is a way to select multiple regions; the gaps within each region can be set as a wildcard so we do not need to calculate each size. Can now disassemble a selected region (Capstone) and draw a basic CFG to do quick checks (maybe for a certain obfuscation technique or unique code blocks). Simple parsing for PE and ELF files. Added a wonky and (not-so-reliable) autocomplete (not based off a parser, but good enough for my workflow, I guess). To try the new version: github.com/Owl4444/YaraXG…
malware Owl retweeted
R136a1
R136a1@TheEnergyStory·
Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/whe…
malware Owl retweeted
Toan Pham
Toan Pham@__suto·
Two years ago people said that coding is dead; now they're calling hacking dead... My take is that bug bounty/0day for money is probably dead, but the joy of understanding something deeply will survive, just like coding as the joy of building things. (But tbf I think 0day for huge $ will also survive.)
chompie
chompie@chompie1337·
malwareOwl was one of the first (and only) people to solve my Windows kernel CTF challenge last year. At the time they had never exploited a Windows UAF before... very cool to see their progress in a short period of time 🙂
malware Owl@malware_owl

Happened to find CVE-2026-3006 :D TL;DR: a TOCTOU bug, spotted when trying to understand it to implement it in a project that I was working on. Kudos to maintainer @BZissimopoulos for swift action and fixes! The story: while looking for ready-made drivers for a project that I am working on, I chanced upon WinFSP. The question I had at the time was whether we could extract some file information using the driver without the need to implement a kernel driver. However, as I was reading the implementation on a single screen, I spotted a common pattern (a multi-fetch of the size that is used in ExAllocatePool). After writing an exploit to show the crash and fully exploit the driver to get SYSTEM, I was given CVE-2026-3006. The affected driver version can be exploited from a Low Integrity CMD as well. Licensees that are using WinFSP, or users of any tool that uses WinFSP under the hood, are advised to upgrade to the new version of WinFSP! Demo (YouTube): youtu.be/aHV7GEBgy5Q

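The quoted post describes the bug class in one phrase: a size fetched more than once from caller-controlled memory, with one fetch feeding the allocation and a later one feeding the copy. The following is an added example, not code from WinFSP, from the post's author or from the quoted exploit: a hypothetical request handler written both ways, with user-mode heap memory standing in for the kernel pool. `request_header`, `handle_double_fetch`, `handle_single_fetch`, `grow_size` and the sample payload are all constructed here; the `between_fetches` hook deterministically plays the concurrent writer that a real race would need threads and timing for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request header (constructed for this example) that lives in
 * memory the caller can still modify while the handler runs, which is what
 * turns a repeated read of `size` into a TOCTOU problem. */
struct request_header {
    volatile uint32_t size;   /* declared length of the payload that follows */
};

enum outcome {
    OUT_OK = 0,
    OUT_INVALID_SIZE = 1,
    OUT_NO_MEMORY = 2,
    OUT_OVERFLOW_PREVENTED = 3   /* demo-only: the copy would have exceeded the allocation */
};

#define MAX_PAYLOAD 4096u

/* Constructed payload; the handlers copy at most MAX_PAYLOAD bytes from it. */
static const uint8_t sample_payload[MAX_PAYLOAD] = { 0x41 };

/* Hook run between the two fetches; it stands in for a concurrent writer
 * that changes the header after the handler has validated it. */
typedef void (*race_hook_t)(struct request_header *hdr);

static void grow_size(struct request_header *hdr)
{
    hdr->size = MAX_PAYLOAD * 4;   /* larger than anything the check allows */
}

/* VULNERABLE pattern: `size` is read once to validate and size the
 * allocation, then read again to drive the copy. */
enum outcome handle_double_fetch(struct request_header *hdr, const uint8_t *payload,
                                 race_hook_t between_fetches)
{
    uint32_t checked = hdr->size;                    /* fetch #1: validate and allocate */
    if (checked == 0 || checked > MAX_PAYLOAD)
        return OUT_INVALID_SIZE;
    uint8_t *buf = malloc(checked);
    if (buf == NULL)
        return OUT_NO_MEMORY;

    if (between_fetches != NULL)
        between_fetches(hdr);                        /* the race window */

    uint32_t copy_len = hdr->size;                   /* fetch #2: trusts a re-read value */

    /* Demo-only guard so this program reports the bug instead of corrupting
     * its own heap; a real handler has no such check, and memcpy() would write
     * copy_len bytes into a buffer of only `checked` bytes. */
    if (copy_len > checked) {
        free(buf);
        return OUT_OVERFLOW_PREVENTED;
    }
    memcpy(buf, payload, copy_len);
    free(buf);
    return OUT_OK;
}

/* FIXED pattern: fetch once into a local and use that local for the check,
 * the allocation and the copy; later writes to the header cannot desynchronise them. */
enum outcome handle_single_fetch(struct request_header *hdr, const uint8_t *payload,
                                 race_hook_t between_fetches)
{
    uint32_t len = hdr->size;                        /* the only fetch */
    if (len == 0 || len > MAX_PAYLOAD)
        return OUT_INVALID_SIZE;
    uint8_t *buf = malloc(len);
    if (buf == NULL)
        return OUT_NO_MEMORY;

    if (between_fetches != NULL)
        between_fetches(hdr);                        /* the header may change here... */

    memcpy(buf, payload, len);                       /* ...but the copy uses `len`, not hdr->size */
    free(buf);
    return OUT_OK;
}

/* Runs one scenario: hardened or not, with or without a racing writer. */
enum outcome scenario(int hardened, int racing)
{
    struct request_header hdr = { 64 };              /* constructed: a valid 64-byte request */
    race_hook_t hook = racing ? grow_size : NULL;
    return hardened ? handle_single_fetch(&hdr, sample_payload, hook)
                    : handle_double_fetch(&hdr, sample_payload, hook);
}

int main(void)
{
    printf("double fetch, no race:   %d\n", scenario(0, 0));   /* 0 = OUT_OK */
    printf("double fetch, with race: %d\n", scenario(0, 1));   /* 3 = OUT_OVERFLOW_PREVENTED */
    printf("single fetch, with race: %d\n", scenario(1, 1));   /* 0 = OUT_OK */
    return 0;
}
```

The review check this encodes is mechanical: every value read from caller-controlled memory is captured exactly once into a local before it is validated, and only that local is used for the allocation and the copy. Any second read of the same field after the check is the pattern the post spotted.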
malware Owl retweeted
Kaspersky
Kaspersky@kaspersky·
🚨Kaspersky GReAT has uncovered a compromised installer of DAEMON Tools Lite distributed directly from the official vendor site since April 8, 2026. It successfully uses a valid developer digital certificate. Affected versions: 12.5.0.2421 to current. Read more in the thread below🧵 1/5
malware Owl retweeted
Georgy Kucherin
Georgy Kucherin@kucher1n·
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
malware Owl retweeted
Dark Web Informer
Dark Web Informer@DarkWebInformer·
1/2‼️ QuimaRAT v2.0.0, a new cross-platform Java-based RAT, is allegedly being sold on a hacking forum, targeting Windows, macOS, and Linux systems.

‣ Threat Actor: QuimaCORE
‣ Category: Malware / RAT Sale
‣ Product: QuimaRAT v2.0.0
‣ Industry: Cybercrime / Malware-as-a-Service

The actor is advertising a Java 17 + JavaFX based remote access trojan claiming FUD (Fully Undetectable) output, end-to-end encryption (Mutual TLS + AES-256-GCM), and no Java requirement on target machines.

What's advertised:

▪️ 70+ Windows modules / 44+ macOS & Linux modules
▪️ Surveillance: keylogger, clipboard logger, screenshot/screen recorder, hidden VNC, webcam/microphone capture, hidden browser
▪️ Credential theft: browser recovery (Chromium/Firefox/Edge), email clients, LSASS dump, RDP/VPN credentials, crypto wallet artifacts, token stealer
▪️ Evasion: AMSI bypass, ETW patcher, UAC bypass, Defender/Firewall disable, process hollowing, DLL injection, shellcode loader, rootkit module
▪️ Network: scanner, SOCKS5/reverse proxy, port forwarding, lateral movement, AD enumerator
▪️ Builder output formats: JAR, EXE (Launch4j), BAT, VBS, NATIVE formats with embedded JRE
▪️ ProGuard obfuscation with 15,600+ runtime classes

Pricing: $200 (1 month) / $400 (3 months) / $600 (6 months) / $800 (12 months) / $2,400 (lifetime)
malware Owl retweeted
frycos
frycos@frycos·
Infosec community right now…
malware Owl retweeted
Natalie Silvanovich
Natalie Silvanovich@natashenka·
Big changes to Android and Chrome VRP:
- focus on high-impact, reproducible bugs with low/no reward for lower impact
- big prizes for full chains with some annual limits
- PoCs required
It's the end of an era, but the start of a new one. bughunters.google.com/blog/evolving-…