malware Owl

Unveiling the details of Windows VTL2, despite its absence in the MSDN documentation. 🤔 #hyperv #windows #virtualization howknows.github.io/roooot.github.…

@0x_Vivek @tom_doerr It does have a limitation which is that there can be tons of nodes which hangs the tab. To deal with that then, we will need to divide and conquer and deal with it without the visualizer tool XD

@tom_doerr this looks insane actually. been spending way too much time staring at minified chunk files lately trying to figure out what they do. visual ast mapping is definitely the right approach here.

Visually reverse engineer obfuscated JavaScript github.com/Owl4444/jsdeob…

@thecyberdevhq Except it crashes many times a month suddenly XD

@malware_owl Always the first thought anytime the system faults. Either a potential vuln or something wrong somewhere.

For many times now, laptop kept crashing (either security check error or heap based error) ... Thinking that there might be a vulnerability. E.g., Realtek driver based text in seemingly overflowed buffer, and many else. Was hopeful but it turns out it was likely a RAM bit-flipping hardware issue XD Here is one of the interesting ones (Bit flip, corrupting LIST_ENTRY when freeing kernel mem)

save your exclude list in a file and use -O to load it. Most syscalls are noise (futex, ioctl, mmap) Filter them out and you only see file access + network the real RASP detection logic. frida-strace -D device -f App -O File.opts --limit 1000

For anyone dealing with RASP protected apps, frida-strace is now your first step. Trace the syscalls, find what the app checks, hook those specific functions, bypass. No more guessing. Frida 17.8.0+, kernel 6.1+ required. #Frida #MobileSecurity #AppSec

Coruna exploits have been repurposed into a jailbreak.

行了，别支支吾吾了，这道题的提问就到此为止吧。 你先停一下，看看你提交的这份 WriteUp。这份 exp 脚本写得非常漂亮，ROP 链构造得滴水不漏，连栈帧平衡都做得极其完美。但是，刚才我仅仅是让你解释一下这里为什么要用 pop rdi，你竟然连参数传递的基础调用约定都答不上来？还有前面那道 Web 题，你能构造出那么复杂的反序列化 POP 链，结果我问你魔术方法是怎么触发的，你支支吾吾半天，大脑一片空白？ 大家都是搞技术的，别在这里自欺欺人了。你这两天的入队考核题，根本就没有经过你自己的大脑思考吧？全程都是把伪代码和题目描述喂给大模型，然后把生成的 payload 复制粘贴过来的，对不对？ 你是不是觉得自己很聪明，以为在这个时代，能用大模型跑出 Flag 就可以拿来当敲门砖了？我告诉你，你这种态度，不仅是对面试的敷衍，更是对 CTF 这三个字的侮辱！ 你认清现在的现实了吗？ 你能做的那些常规题，AI 能做，而且几秒钟就能甩出完美的解答；你不能做的那些复杂逻辑和底层逆向，AI 照样能做！ AI 知识库里装的那些冷门架构、底层协议、编译原理，你不会，你连听都没听过！ 你现在唯一会的，就是把报错信息复制下来，粘贴给 AI，然后当一个没有任何感情、也没有任何思考的“大模型肉体搬运工”！ 你连最基础的代码为什么能跑通都不知道，知其然而不知其所以然。遇到稍微变个种、加点 AI 没见过的混淆、或者断网打线下 AWD 的时候，你就是一个废人！ 那么请问，那我到底要招你来干什么？！ 我是要招一个能打硬仗、能和顶尖黑客拼思维博弈的网络安全研究员！如果只是为了让大模型做题，我不会自己写个 Python 脚本，拉个几百线程直接对接 API 自动化跑吗？脚本的响应速度比你快一万倍，还永远不会累，我为什么要浪费战队宝贵的工位和资源，去招一个只会按 Ctrl+C 和 Ctrl+V 的人？

Speakeasy emulator v2b1 is here! 🚀 Massive upgrade thanks to @williballenthin. Modernized codebase using Unicorn 2. Now handles complex multi-stage unpacking and deep system introspection. API traces on par with sandbox analysis. github.com/mandiant/speak… pypi.org/project/speake…

Coruna - iOS exploit kit - JavaScript. 28 modules, 500+ XOR strings decoded, 6,596-line teardown. PAC bypass, JIT cage escape, PACDB hash forgery. post first, technical analysis looks better on github, link on-site) github.com/Rat5ak/CORUNA_… github.com/Rat5ak/CORUNA_…

claude code has a hidden setting that makes it 600x faster and almost nobody knows about it by default it uses text grep to find functions. it doesn't understand your code at all. that's why it takes 30-60 seconds and sometimes returns the wrong file there's a flag called ENABLE_LSP_TOOL that connects it to language servers. same tech that powers vscode's ctrl+click to jump straight to the definition after enabling it: > "add a stripe webhook to my payments page" - claude finds your existing payment logic in 50ms instead of grepping through hundreds of files > "fix the auth bug on my dashboard" - traces the actual call hierarchy instead of guessing which file handles auth > after every edit it auto-catches type errors immediately instead of you finding them 10 prompts later also saves tokens because claude stops wasting context searching for the wrong files 2 minute setup and it works for 11 languages

I decided to try out agentic coding/reversing, so I’m releasing a project that assists with reverse engineering in both Binja and IDA Pro. It’s an agent, not an MCP, that support multiple providers, it has some interesting features such as code exploration github.com/buzzer-re/Riku…

The repo I am sharing contains JS files, shellcode blobs and mach-o files containing the implants github.com/matteyeux/coru…

props to @trailofbits - this repo is insanely good: github.com/trailofbits/sk…

One of our engineers just did a detailed writeup for one of his Google kCTF kernel exploits. The bug is 20 years old and has been there since Linux 2.6.12! open.substack.com/pub/calif/p/a-…

CVE-2026-3102 A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component P… cve.org/CVERecord?id=C…

In this scenario, I let loose idasql+Codex CLI on a malicious C++ EXE and let it tell me how it works, write a report, find embedded keys, IOCs, rebuild the sources, etc. Basically just vibe RE. Barely touched IDA UI, only to verify and navigate a bit.

It’s been some time. This is interesting because I was thinking about an old n-day and began to wonder if there were other variants and sure enough, there is!

Kaspersky GReAT researcher @malware_owl discovered CVE-2026-3102 — a command injection vulnerability in ExifTool (≤13.49) on macOS. A crafted image file with malicious metadata can trigger arbitrary code execution. Update to v13.50 now! #Kaspersky #GReAT #Cybersecurity #VulnerabilityResearch #OpenSource #InfoSec #macOS