Danijel Grah

1.1K posts

@r4shimo

wanna be balanced hacker and unlearner of all the things | SOC | Security | Professionally injured athlete | The cat is alive | Tweets are my own.

Joined October 2012
293 Following, 321 Followers
Danijel Grah retweeted
MagicSword @magicswordio
Attackers don’t need stolen certificates. They only need 8 bytes. By flipping 4 bytes in the PE checksum and 4 in the certificate padding, they generate 2⁶⁴ unique driver hashes while keeping Microsoft’s digital signature valid.

Why it matters:
- Those 8 bytes sit outside the region Windows verifies.
- Every variant looks “signed and trusted.”
- Hash-based blocking becomes useless overnight.

That’s how TrueSightKiller evolved into 2,500+ signed variants. All trusted by Windows, all capable of killing EDRs in seconds.

Check out: magicsword.io/blog/truesight…
17
174
827
73.7K
Danijel Grah retweeted
Hossam @0xHossam
New Blog Post: PowerShell Exploits – Modern APTs and Their Malicious Scripting Tactics

I’ve just published a new blog where I explore how PowerShell is used in red team operations, especially by advanced persistent threats (APTs), with a focus on evasion.

In the blog, you’ll find:
- A detailed explanation of AMSI (Antimalware Scan Interface) and how to bypass it with PowerShell
- How we can abuse .NET to run PowerShell commands without PowerShell and without getting detected, and how this works
- Methods of AMSI memory patching in C with many practical examples and effective public tools like Invoke-Obfuscation
- How APTs create their own methods to avoid detection by security tools with practical, effective demonstrations
- Practical examples of underused techniques like CLSID hijacking and exploiting lesser-known LOLBins
- Introducing PowerLoad3r: An advanced, evasive malicious PowerShell script loader.

Read it from here -> bit.ly/40YXheT

"All the techniques and tests are done against Kaspersky EDR, so you’ll get real-world demos :)"

A special shoutout to @0xNinjaCyclone for inspiration. #redteam #evasion
6
127
460
32.4K
Danijel Grah retweeted
nyxgeek @nyxgeek
"This is our world now... the world of the electron and the switch, the beauty of the baud." From the Hacker's Manifesto, aka The Conscience of a Hacker, by The Mentor. First published in Phrack Issue 7, 1986. Loved seeing this in the movie Hackers. phrack.org/issues/7/3.html
1
2
11
1.1K
Danijel Grah retweeted
Florian Roth ⚡️ @cyb3rops
We can also use a regular expression to search for *.rdp files in the temporary folders that Outlook uses to detect traces of #MidnightBlizzard / #Nobelium activity 🔍

A short form would be:
\\Content\.Outlook\\[A-Z0-9]{8}\\[^\\]{1,255}\.rdp$

Or as string contains combo:
\AppData\Local\Microsoft\Windows\
\Content.Outlook\
.rdp

✨ a match means that the file has been opened right from the email attachments

I have added that filename IOC to THOR Lite's signature database github.com/Neo23x0/signat…
Florian Roth ⚡️ @cyb3rops

Microsoft forgot to include the hashes of the RDP files and I wrote a YARA rule to detect them Hashes db326d934e386059cc56c4e61695128e 40f957b756096fa6b80f95334ba92034 f58cf55b944f5942f1d120d95140b800 b38e7e8bba44bc5619b2689024ad9fca e1d7de6979c84a2ccaa2aba993634c48 f7e04aab0707df0dc79f6aea577d76ea 48ed82f14472518251086afc26d886ea 3d7e2ee43faf15c1776aa0277db1c2a5 280ab6fa6087c57b43cd5ac6c257082c YARA rule github.com/Neo23x0/signat… It'll be available in THOR Lite and THOR Cloud Lite in 1h:20m

3
74
286
33.4K
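Added example, not part of the original post: both of the patterns above applied to constructed file-creation paths, so a defender can see where the short regex and the looser string-contains combo agree and where they diverge (the regex is case-sensitive and requires the file to sit directly under the 8-character Outlook folder).

```python
import re

# Short-form regex from the post; [A-Z0-9]{8} is the upper-case folder
# Outlook creates for opened attachments, and the file must be directly below it.
OUTLOOK_RDP_RE = re.compile(r'\\Content\.Outlook\\[A-Z0-9]{8}\\[^\\]{1,255}\.rdp$')

# Looser "string contains" combo from the same post (all three must be present).
COMBO_PARTS = (
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
    ".rdp",
)


def matches_regex(path: str) -> bool:
    """True when the path matches the short-form regex exactly as published."""
    return OUTLOOK_RDP_RE.search(path) is not None


def matches_combo(path: str) -> bool:
    """True when every substring of the string-contains combo is present."""
    return all(part in path for part in COMBO_PARTS)


def triage(paths):
    """Return (path, regex_hit, combo_hit) for every path that trips either check."""
    hits = []
    for p in paths:
        r, c = matches_regex(p), matches_combo(p)
        if r or c:
            hits.append((p, r, c))
    return hits


# Constructed sample paths (hypothetical, not real telemetry).
OUTLOOK_TMP = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\"
SAMPLE_PATHS = [
    OUTLOOK_TMP + "AB12CD34\\invite.rdp",         # both checks hit
    OUTLOOK_TMP + "AB12CD34\\invite.rdp.txt",     # combo only: ".rdp" is a substring
    OUTLOOK_TMP + "ab12cd34\\invite.rdp",         # combo only: regex is case-sensitive
    OUTLOOK_TMP + "AB12CD34\\sub\\invite.rdp",    # combo only: extra directory level
    "C:\\Users\\alice\\Downloads\\invite.rdp",    # neither: not an Outlook temp folder
]

if __name__ == "__main__":
    for path, r, c in triage(SAMPLE_PATHS):
        print(f"regex={r!s:5} combo={c!s:5} {path}")
```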
Danijel Grah retweeted
Hackmanac @H4ckmanac
🚨Data Breach Alert ‼️ IntelBroker, in collaboration with EnergyWeaponUser and zjj, claims to be selling data from a recent Cisco breach. The compromised data reportedly includes GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates, customer SRCs, confidential Cisco documents, Jira tickets, API tokens, AWS private buckets, Cisco technology SRCs, Docker builds, Azure storage buckets, private and public keys, SSL certificates, and Cisco premium products. Several high-profile companies, including Verizon, AT&T, Bank of America, Barclays, British Telecom, Microsoft, Vodafone, and Chevron, are allegedly impacted. Samples have been provided.
20
152
460
104.6K
Danijel Grah retweeted
LaurieWired @lauriewired
With all the Linux RCE drama, it's a good time to bring up a neat scoring system that you (may) not have heard of. EPSS is the cool younger brother of CVSS. Patching just 3.5% of all known vulnerabilities covers 67.8% of what is exploited in the wild. Assuming you don't have infinite resources, it theoretically lets you focus on the CVEs that are more actionable.
19
145
1.1K
117.4K
Danijel Grah retweeted
🅰🅳🅼 @securityfreax
A security feature that was long overdue - it protects browser cookies with TPM, making them strictly device bound. Device Bound Session Credentials github.com/WICG/dbsc?tab=… #Gamechanger
0
11
20
2.4K
Danijel Grah retweeted
Johnny Withad
We finally published JarPlant (Java Archive Implant Toolkit) on GitHub! It's still a work in progress, but it works (mostly). It's a red team tool for injecting malicious code into Java apps and libraries. Use responsibly. github.com/w1th4d/JarPlant
1
21
69
8.8K
Danijel Grah retweeted
Nathan McNulty @NathanMcNulty
Needed to test something... and I still can't believe this Defender AV / Tamper Protection bypass works :( Sure, you need admin rights to install another AV, but Tamper Protection is supposed to prevent even admins from disabling Defender, right?
14
29
159
26.4K
Danijel Grah retweeted
spencer @techspence
Interesting attack path.. 😈 cc @dotdotdotHorse medium.com/@offsecdeer/abusing-adcs-ndes-for-privilege-escalation-e4d306c9ca97
0
44
139
9.5K