Pinned Tweet
Quang Vo
1.8K posts

Quang Vo
@mr_r3bot
Offensive security engineer and malware researcher. Tweets are my own
Somewhere, joined March 2021
909 Following, 880 Followers
Quang Vo retweeted

We just launched @Vigolium a high-fidelity vuln scanner in Go, fully open source
Built it to stop drowning in false positives:
⚡ 250+ native scan modules, low-noise by design
🔍 AI agents that thoroughly audit traffic + source code
🛠️ CLI · Beautiful UI · traffic ingestor
Want your app to have a proper security audit? Give it a try at github.com/vigolium/vigol…

Quang Vo retweeted

@0day_ninja So glad I could help! btw some other excellent resources for doing real world binexp I’d recommend - Vulnerabilities 1001 & 1002 by @XenoKovah p.ost2.fyi/courses/course…

Quang Vo retweeted

🇸🇦 🇮🇷 New Middle East malicious infrastructure report: 1,350+ C2 Servers Mapped Across 98 Providers
Over a three-month window, we mapped more than 1,350 active C2 servers operating across 98 infrastructure providers in 14 Middle Eastern countries, covering telecoms, shared hosting, and VPS environments.
👉 Read the full report: hunt.io/blog/middle-ea…
Here's what the data shows:
→ A single telecom carrier accounts for nearly 72% of all detected regional C2 activity, most of it tied to compromised customer endpoints rather than provider-level abuse
→ C2 infrastructure makes up over 96% of all observed malicious artifacts in the region
→ Tactical RMM leads the malware family breakdown with 92 unique C2 IPs, followed by Keitaro TDS (71) and Acunetix (38)
→ The malware mix covers a wide range of attack types - IoT botnets (Mozi, Hajime, Mirai), remote access tools (AsyncRAT, Sliver, Cobalt Strike), active scanning (Acunetix), and phishing infrastructure (Gophish, Keitaro TDS)
→ Campaigns in the dataset include Eagle Werewolf espionage operations, the DYNOWIPER destructive campaign targeting Poland's energy sector, and RondoDox botnet exploitation infrastructure on Iranian hosting
The main takeaway is that malicious infrastructure in the region is not evenly spread. A small set of providers keeps showing up across unrelated campaigns and malware families, which is where the tracking value is.
Provider-level visibility is what lets defenders get ahead of that pattern, rather than reacting to individual indicators that rotate daily.
Full breakdown, including infrastructure observables, HuntSQL queries, and campaign examples, is in the report 👇
hunt.io/blog/middle-ea…

This reminds me of the good old '22 and '23 research about Google SSRF Cloud metadata
skull@brutecat
StubZero: $148,337 RCE in Google Cloud Production brutecat.com/articles/googl…

Quang Vo retweeted

Can LNK files ever be trusted?
⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and to detect spoofed ones yourself.
🐬 wietzebeukema.nl/blog/trust-me-…

Quang Vo retweeted

If you’re not up to speed with the risks of malicious vscode extensions, just a reminder, we blogged about this 3 years ago - mdsec.co.uk/2023/08/levera… @MDSecLabs

Wild that this experiment alone has already shaken out 2 macOS kernel bugs, including a real memory corruption path and controlled write primitive. Still validating impact but strong signal. All this just from pointing Codex at Calif's short article & screenshot of the PoC video!

johnny@zeroxjf
Codex, recreate this based on context clues alone and make no mistakes 👀

Quang Vo retweeted

A sophisticated and multi-layered attack by the threat actor tracked by Microsoft as Storm-2949 demonstrates how a single compromised cloud identity could lead to a full-scale organizational breach. msft.it/6015vTlm7
Relying on social engineering and abusing legitimate administrative tools, Storm-2949 moved laterally across cloud resources and endpoints without using traditional malware, quietly exfiltrating large volumes of sensitive data.
This stealthy attack underscores the importance of strong identity protections, least-privilege access, and unified visibility across environments. Read the latest Microsoft Defender Research blog for guidance on detecting and containing multi-stage attacks before they escalate.

Quang Vo retweeted

Our security research team discovered a pre-authentication arbitrary file read as root in cPanel (CVE-2026-29205) — a path traversal in cpdavd that we made exploitable by abusing Dovecot's + alias handling to create attacker-controlled directory names on disk.
We've updated cpanel2shell-scanner to cover both issues. Writeup and tool in replies.
👇

Quang Vo retweeted

Oasis Security reported a targeted intrusion against multiple Malaysian government bodies using bespoke Python tooling for internal enumeration and data exfiltration, active webshells, and undisclosed C2 infrastructure with a C# beacon and Python control… oasis-security.io/blog/malaysian…

Quang Vo retweeted

Kazuar (Secret Blizzard) is a highly sophisticated malware family. #MIRAGE takes a deep dive into its modular P2P botnet and how it enables covert, persistent access 👀
microsoft.com/en-us/security…
#cybersecurity #reverseengineering #microsoft #infosec #malware #threatintel

Quang Vo retweeted

A sophisticated, state-sponsored intrusion observed in early 2026 appeared to be a standard Chaos ransomware attack.
Forensic analysis has since unmasked it as a false flag attempt, linking the incident to the Iranian APT #MuddyWater.
More in a new blog: r-7.co/4tiWod0

Quang Vo retweeted

Stop Being Weird — Life After Call Stack Spoofing Under CET bigbingus.com/posts/stop-bei…

Quang Vo retweeted

Dropping my recent research on #Kimsuky's #PebbleDash and #AppleSeed clusters — covering some interesting developments around VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, LLM, and Rust.
Full report➡️ securelist.com/kimsuky-apples…

Quang Vo retweeted

FamousSparrow (aka Earth Estries), a China-aligned Advanced Persistent Threat (APT) group, launched a multi-wave intrusion campaign targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026, with the attack most notably using an evolved DLL sideloading technique in order to override two specific exported functions within the malicious library.
Attribution comes from the substantial overlap with the Earth Estries toolset and tradecraft, such as post-compromise command execution, DLL sideloading, Deed RAT deployment, Mofu-based staging, and Terndoor-style driver-backed behavior. Taken together, these give an intrusion chain that is consistent with FamousSparrow's ecosystem of tools.
The operation was characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity, with the initial detection of intrusion dating back to December 25, 2025, when the `w3wp.exe` process attempted to write a malicious web shell into a publicly accessible directory on the Exchange server, leaving the backdoors latent in infected systems after the cleanup.
The next stage of the intrusion began with the execution of `C:\TEMP\LMIGuardianSvc[.]exe` (MD5: 0554f3b69d39d175dd110d765c11347a), which sideloaded `C:\TEMP\lmiguardiandll[.]dll`. That DLL initiated the execution chain of a backdoor later identified as `Deed RAT`, delivered through a three-component chain that blends seamlessly into the legitimate `LogMeIn Hamachi` ecosystem:
• LMIGuardianSvc.exe: Legitimate LogMeIn Hamachi binary (MD5: 0554f3b69d39d175dd110d765c11347a)
• LMIGuardianDll.dll: Malicious loader that patches a Windows API and stages the payload
• .hamachi.lng: Encrypted Deed RAT payload
The second stage occurs later, when `LMIGuardianSvc.exe` continues its normal execution and eventually calls the `ComMain` export. From there, the legitimate service flow leads to a call to `StartServiceCtrlDispatcherW`. Because that API was previously patched during `Init`, the call is transparently diverted into the malicious loader function. The loader then restores the original bytes of `StartServiceCtrlDispatcherW`, ensuring that the hook is removed after use.
The `.hamachi.lng` file contains the next-stage shellcode along with the `Deed RAT` payload. It is decrypted using AES-128 in CBC mode with an initialization vector of 16 null bytes. The decryption key is derived from the first 16 bytes of the file, while the remainder represents the encrypted payload. Once decrypted, the shellcode is executed directly in memory, completing the transition from staged components to an active backdoor.
This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim's environment.
#ThreatIntel #Cyber #CyberSecurity #CyberSecurityNews #APT
businessinsights.bitdefender.com/famoussparrow-…
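The `.hamachi.lng` layout described above (16-byte AES-128 key prefix, remainder is the CBC ciphertext, all-zero IV) as an added analyst-side decryptor in Go; this is example code, not from the report or the malware, and `DecryptHamachiLng`, `BuildSampleBlob` and the sample blob are names and data constructed here, not a real file:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// DecryptHamachiLng recovers the plaintext of a .hamachi.lng-style blob: the first
// 16 bytes are the AES-128 key, the rest is ciphertext in CBC mode with a null IV.
func DecryptHamachiLng(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize {
		return nil, errors.New("blob too short: need a 16-byte key plus at least one block")
	}
	key, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // initialization vector of 16 null bytes
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// BuildSampleBlob is a constructed fixture (not a real sample): it encrypts a
// block-aligned plaintext under the same scheme and prepends the key, so the
// decryptor can be exercised offline. Padding is not described in the report.
func BuildSampleBlob(key, plaintext []byte) ([]byte, error) {
	if len(key) != aes.BlockSize || len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("key must be 16 bytes and plaintext block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, plaintext)
	return append(append([]byte{}, key...), ct...), nil
}
```

Run on a captured file by reading it into `blob` and handing the result to a disassembler; the length checks catch truncated captures before any bytes are trusted.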