sabotage

116 posts


@saab_sec

Nighthawk dev team @Mdseclabs

Joined March 2020
267 Following, 800 Followers
sabotage reposted
MDSec @MDSecLabs
Our latest post on the blog details a Windows EoP courtesy of @filip_dragovic... "Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM" - mdsec.co.uk/2026/02/total-…
sabotage reposted
Dominic Chell 👻 @domchell
My thoughts are yes, red teaming has got significantly harder over the last few years. The knock-on effect is: 1) engagements need more time, 2) teams who don't invest heavily in R&D (either in-house or outsourced) will be left behind, 3) there's less shared publicly as a consequence, 4) lots of teams have tried to compensate by assuming breach, which as a result has led to less innovation in the IA space. However, I disagree that IA is anywhere near dead even targeting the top 1%. The vast majority of our engagements have a large IA component and we're still successful in >75% of cases. Yes, the points mentioned are a pita - AWL is a great control, but there's equally a plethora of file formats that support scripting; get creative - Yes, MOTW restricts some things - but there's a variety of ways around it if you're creative (and I'm not talking about ISOs 🙄)
Quoted post from Chris Spehn @ConsciousHacker:

I guess we'll talk a bit about modern red teaming. The difficulty has increased severely. Lots of people be like just vibe code a stage0 with legit code for your pretext. How are you delivering it to bypass app control? Lots of words, no substance.

sabotage reposted
Dominic Chell 👻 @domchell
One of the new features we built for #Nighthawk customers is HawkEye. This is an AI bot built on Opus 4.5 that uses RAG to ingest all the #Nighthawk documentation, sample profiles, APIs, and sample source code. It's able to help explain features, build profiles, write source code for modules and much much more...
sabotage reposted
Connor McGarr @33y0re
Want to consume Microsoft-Windows-Threat-Intelligence but Antimalware-PPL getting you down? No problem! I will post a blog & POC soon - but this allows you to consume Threat-Intelligence without PPL _and_ w/o any kernel patching/driver loading gymnastics! Only need admin!
sabotage reposted
winterknife 🌻 @_winterknife_
Whether you're learning x86 instruction encoding or writing YARA rules, ZydisInfo is an amazing (yet slightly underrated) tool for the job.
sabotage reposted
watchTowr @watchtowrcyber
Today, we’re releasing watchTowr Labs’ @chudyPB’s BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances. labs.watchtowr.com/soapwn-pwning-…
sabotage reposted
Outflank @OutflankNL
New blog by Outflank’s @KyleAvery: Linux process injection leveraging seccomp to inject shared libraries into Linux processes without LD_PRELOAD, ptrace or elevated privileges. Parent-to-child injection at any ptrace_scope level 💪😎 Tech details here: ow.ly/KwBh50XGvrC
sabotage reposted
Anton Zhiyanov @ohmypy
Thank you all for helping me choose the cover for the Go Concurrency book. I didn't expect so much participation, and I really appreciate it! Here's the final version, along with the table of contents.
sabotage reposted
Alex Plaskett @alexjplaskett
Low-Level Software Security for Compiler Developers. If you ever wanted a textbook-style guide to memory safety bugs, undefined behavior, exploit mitigations, side channels, etc., all in one spot, this free book is it: llsoftsec.github.io/llsoftsecbook/
sabotage @saab_sec
@5mukx Thx for the shout out mate! :)
sabotage @saab_sec
@domchell Didn't know this is how detection worked!! 😅 Learning something new every day!
sabotage @saab_sec
@Danukeru @Octoberfest73 @MDSecLabs Because I am using addPreEmitPass() hook which gets initialized before any plugin is loaded. The pass in your project works at the IR level, not touching any backend components directly.
MDSec @MDSecLabs
Interested in an alternative approach to sleep masking for your malware? Check out our latest blog post "Function Peekaboo: Crafting self masking functions using LLVM" by @saab_sec mdsec.co.uk/2025/10/functi…
Octoberfest7 @Octoberfest73
@MDSecLabs @saab_sec Nice work. Question though, how / why is it safe to use TEB->userReserved fields arbitrarily? I can’t find much on them, but the little I can suggests various user mode DLLs might use these fields at some point so curious if A. That’s true and B. How you handle/mitigate that