sh4des

138 posts

@augmentedsec

London
Joined May 2019
1.2K Following
67 Followers

sh4des retweeted
The DFIR Report (@TheDFIRReport)
RDP bitmap cache artifacts revealed the threat actor opening the Veeam Backup & Replication console, reviewing backup jobs, tape & storage infrastructure — and removing backups from the configuration database. Full report 👇 thedfirreport.com/2025/12/17/cat…
sh4des retweeted
Hyprland (@hyprwm)
Dear Windows users, Hyprland will never be available on Windows because Windows does not deserve the greatness of Hyprland. Switch to Linux. Or BSD. Or an OS that respects you, as a person :)
sh4des retweeted
vx-underground (@vxunderground)
Hello, This social media profile is now the largest cybersecurity-related profile on Xitter. It has passed @SwiftOnSecurity. What does this mean? Well, as the top influencer I am carrying the weight of the world on my shoulders. This is a very serious role. I'm basically a superhero.

First, I will begin pushing my new cybersecurity course. It will be somewhere between $200 - $500. It will not be formally recognized by any institution or employer. Additionally, it will be poorly developed and half-assed. I will lie and say it will help you get a job (it won't).

Second, I will begin pushing cryptocurrency coins which I will say are going to solve some opaque problem in cybersecurity. I'll make something up, like, "this coin will prevent DHCP DNS cluster fraud". It won't make sense. When someone questions it I will immediately deflect blame or call them bad names.

Third, I will travel to every major cybersecurity conference. Each talk I give will not be technical. My talks will primarily revolve around my experiences, and wisdom, or something. I will pretend to be an old sage filled with knowledge, things you could literally never understand. In actuality, I can barely send an e-mail.

Thank you for the love and support. I look forward to rug pulling all of you.
sh4des retweeted
throatylava (@decompilebug)
Reversing a Microsoft-Signed Rootkit: The Netfilter Driver - Reverse Engineering Attempts. Author: @Splintersfury. Great detailed write-up. If anyone is interested in driver reversing, do check his work out. 🫡🔥 splintersfury.github.io/mal_blog/post/…
sh4des retweeted
vx-underground (@vxunderground)
Chat, I've done it. I've managed to get Windows Sockets (Winsock) functionality working by communicating directly with AFD (Ancillary Function Driver for WinSock) by IO control codes AND used it with HTTPS by using SSPI (Microsoft Security Support Provider Interface). By doing this, this completely eliminates the need for WININET or WINHTTP for malware payloads. It also removes the weird telemetry and ETW stuff present in Winsocks, WININET, and WINHTTP.

My code is still in a debug state at the moment, but I'll eventually release a non-fucked-up version (no SYSCALLs, no position independence) so people can look at it, study it, or review it. Currently this only supports GET requests for simple pages (not even file downloads...). However, I'm having so much fun with this I think I am going to expand on it to do the following:
- HTTPS authentication
- HTTPS upload
- HTTPS download
- ???

I'll make it all open source, non-crazy, in a format people can copy pasta and have fun with it. I'll also probably make a fork where it's the crazy schizo version. I hope all my malware development friends, reverse engineer friends, and anime friends, look at it and appreciate it. This is some of my favorite code I've written and I think it has a lot of applicability to Red team engagement. Conversely, it also offers insight to defenders on detecting this sort of functionality.
sh4des retweeted
Alex Neff (@al3x_n3ff)
Update on the NTLM reflection attack: ctjf discovered that SMB signing enforcement does NOT protect against the NTLM reflection attack🛡 Cross-protocol relaying is still possible, even with mitigations in place. Only patching your system fully mitigates the vulnerability! 1/4🧵
sh4des retweeted
Zoë (@zoecyber001)
A client walked in today shaking. Said his laptop was "whispering" his name. I thought he was crazy. Or maybe it was just a hardware glitch. I was wrong. I fired up CORTEX-V9 to run a heuristic scan. What it found gave me chills. 🧵 (Video Included)
sh4des retweeted
Nana Sei Anyemedu (@RedHatPentester)
During a mobile device forensic examination, GPS coordinates were successfully extracted from WhatsApp messages. These coordinates were linked to specific conversations found in the device’s message database. The recovered location data was then verified using Google Maps and Google Street View. I targeted my friend MUSA.

The misconception out there is that you need to jailbreak an iPhone before getting vital data; I’m sorry, but that is wrong. There are ways to get concrete data aside from jailbreaking. This is an iPhone 16 Pro with 26.1 firmware which has not been jailbroken. The screenshots below document the extraction process, the coordinates recovered, and the real-world locations corresponding to those coordinates.

On 28 September 2024 at 12:18:07 UTC, a WhatsApp message that was received in the conversation with my friend “Musa Trillionaire” was marked as seen and contained embedded location metadata showing latitude 55.75583° and longitude 37.6173°.

- Google Maps Verification (Shown in Screenshot 2)
Entering the coordinates 55°45′21.0″N 37°37′02.3″E (which converts to the same numeric coordinates) in Google Maps places the location within:
1. Tverskoy District, Moscow, Russia (Plus Code: QJ48+8WM)
Google Street View imagery (dated September 2014) shows the location as part of Red Square, with the buildings and open plaza visible in the screenshot.

- Satellite Map Confirmation (Shown in Screenshot 3)
Satellite view confirms that the coordinates fall exactly at:
1. Voskresenskiye Vorota (Resurrection Gate)
2. Near the State Historical Museum
3. At the entrance of Red Square, Moscow
This is corroborated by the red marker positioned over the historical gate structure.

Extracting GPS locations from WhatsApp messages is important for investigators because it provides accurate, timestamped information about a device’s location at a specific moment. Additionally, GPS data helps establish a clear timeline of events, allowing investigators to track a person’s movements and compare them with other evidence such as CCTV footage, phone records, or travel logs. Over time, multiple GPS points can reveal travel habits, meeting locations, or behavior patterns that may be relevant to the case. Overall, this type of digital location data is a powerful investigative tool because it connects communication activity to real-world locations and contributes to building a comprehensive, accurate picture of events.
sh4des retweeted
🕳 (@sekurlsa_pw)
A very big hashcat rules collection with 455 rulesets: github.com/ibnaleem/rules/ Spreadsheets with benchmarks on how these rules score: 🟢 docs.google.com/spreadsheets/d… 🟢 docs.google.com/spreadsheets/d…
vx-underground (@vxunderground)
It is time for our first giveaway. We're giving away a Librem 14 from Purism. It's a fancy expensive $1,400+- laptop.

Requirements:
- Follow @ddd1ms on Xitter
- Comment below

Librem is a pro-privacy laptop that unironically comes with a fuckin' kill switches for mic, bluetooth, camera. It has Intel Management engine disabled. It runs PureOS, with app sandboxing, adblocking, tracking protection, etc. This laptop is basically a privacy nerd laptop. It also comes with a bunch of NSA stickers, HOPE (Hackers on Planet Earth) stickers, FBI Most Wanted stickers, etc. I forgot to ask for the specs on the laptop, but I'll get that stuff later on. Attached image is the laptop he'll mail to your home.
sh4des retweeted
Elorm Daniel (@elormkdaniel)
Imagine receiving a normal WhatsApp message from someone… and later discovering that the message secretly contained their exact location, even though they never shared it. That’s exactly what happened during a recent forensic extraction I performed on my iPhone 12 Pro Max.

During the analysis, I found a I decided to pick a message I received from @RedHatPentester, on 3rd September 2025 at 7:11 AM. Nothing unusual at first glance, just a regular text. But deep inside the message metadata, the phone had silently logged @RedHatPentester's exact location at the moment he sent that message. He didn’t share it intentionally. I didn’t request it. Yet the device recorded it automatically.

This was extracted directly from my own phone, meaning: if your location is turned ON while chatting on WhatsApp, your exact location can be extracted from someone else’s device if theirs undergoes forensic imaging. Most people have absolutely no idea this happens. But this was only the beginning.

Also, every single file created on the device, i.e. photos, videos, screenshots, recordings, had the exact location of where I was when that file was created. The phone automatically logged precise GPS coordinates for each media file. This means investigators can determine where you were at the exact moment you took a picture, recorded a video, captured a screenshot, or created any media on the device. This level of metadata helps reconstruct movements, timelines, and behaviors with incredible accuracy.

The extraction revealed far more than hidden location data and remember, this phone was NOT jailbroken. Here’s what else was recovered:

1. Full Synchronized Accounts & Passwords
The extraction pulled:
• URLs
• Usernames
• Passwords
• Stored login metadata
Basically, every synchronized password ever used on the device, all recovered without jailbreak.

2. Complete Application Logs & Histories
Every installed application had:
✔ Detailed logs
✔ Usage history
✔ Internal data
✔ Metadata
Even apps considered “secure” or “encrypted” still left behind recoverable traces.

3. Full WhatsApp Data, Including Group Histories
WhatsApp revealed more than most users realize:
• Full history of every group ever joined
• Date each group was created
• Who created it
• Date I was added
• Group metadata even after you exit the group
This is critical in investigations because a suspect cannot deny belonging to a group when the device itself retains:
📌 Creation date
📌 Creator identity
📌 Join date
📌 Participation timeline
Even if they left the group years ago.

4. Message-Level Location Metadata
The iPhone logged exact sender locations at the moment messages were typed and sent, just like what happened with the @RedHatPentester message. Most people never see this. Investigators do.

Why This Matters
Every phone tells a story. Every app keeps footprints. Every message carries more than text. This extraction proves that even without a jailbreak, investigators can discover:
✔ Locations
✔ Passwords
✔ Group associations
✔ Message histories
✔ Detailed app activity
✔ Metadata most users never realize exists
Digital devices rarely forget even when the user does.
sh4des retweeted
ESET Research (@ESETresearch)
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/6
sh4des retweeted
Kirill Solodskikh (@GarchFather)
Our research team took @AIatMeta LLaMA-8B, quantized it with QLIP using post-training int8, applied SmoothQuant, and used pre-defined compiler-compatible NVIDIA configs. Why do this? Up to 2× fewer weights and 3.6× faster on one GPU. Try it with our simple Jupyter Notebook.
sh4des retweeted
Arda Büyükkaya (@WhichbufferArda)
A Pro-Iranian hacktivist group, APT-Iran, used RDP access to exfiltrate data and deploy LockBit Black ransomware samples to encrypt files. In a separate incident, the threat actor claimed to have compromised the Israel Ministry of Health’s network by exploiting an F5 BIG-IP vulnerability.
sh4des retweeted
David Kennedy (@Cyb3rC3lt)
A little blog post I put together based around a talk I gave @BSidesLondon this year. We have had some easy access into client networks using the Cloudflared binary & when it is used in conjunction with Cloudflare Warp it can be just 1 command w/out ssh. labs.jumpsec.com/bring-your-own…
sh4des retweeted
The DFIR Report (@TheDFIRReport)
PYSA/Mespinoza Ransomware
➡️ TTR 7.5 hours
➡️ Koadic and Empire for C2
➡️ 7+ Credential Access techniques
➡️ ADRecon, APS, quser, arp, and nltest for Discovery
➡️ RDP and PsExec for Lateral Movement
➡️ Files exfiltrated
➡️ PYSA ransomware for Impact
Report link ⬇️
sh4des retweeted
Microsoft Threat Intelligence (@MsftSecIntel)
The key to securing Active Directory is being proactive about hardening policy, remediating underlying weaknesses and applying the principle of least privilege to the environment before a cyberattack. By reducing the paths from standard non-privileged users to privileged users, organizations give themselves the best chance of preventing Active Directory compromise.

Weaknesses and misconfigurations within environments could allow threat actors to target Active Directory to gain access to privileged credentials and control of critical data and systems. These misconfigurations in Active Directory could often be an artifact of legacy services or other technical debt in corporate networks and can remain unknown to defenders until they are leveraged in a cyberattack.

This month marks the 25th anniversary of Windows 2000, and many organizations have instances of Active Directory that are nearly that old. That is a lot of time for privileged access to accrue in the form of group memberships, service accounts, Access Control Lists (ACLs), security policies and other sensitive settings. Thus, it is important for organizations to regularly assess their environment and pursue a least privileged posture by revoking any elevated access that is not required. Additionally, taking steps such as disabling legacy authentication and communication protocols will raise the price of entry and deter attackers looking for an easy target.

Active Directory compromise often starts with the compromise of a regular non-privileged user. Threat actors then use this account to perform reconnaissance against Active Directory, to find the shortest path to a Domain Admin or equivalent account. Some threat actors use open-source tools such as ADRecon and BloodHound, or even built-in commands to enumerate the directory such as 'net user' or 'net group'.

Nation-state actors and cybercriminals such as Peach Sandstorm, Octo Tempest, and others target weaknesses in security policy and other misconfigurations in Active Directory to obtain privileged credentials to achieve their goal, whether espionage, data theft, or even ransomware.

Microsoft expert @reprise_99 shared key learnings on securing Active Directory based on Microsoft Incident Response engagements here: msft.it/6016UhVVy

Microsoft Unified Support customers also have access to on-demand assessment tools for Active Directory that provide an analysis of critical workloads and predict and prescribe helpful next steps to improve and optimize the health of their environment. msft.it/6017UhVVJ

Learn more about how to better secure Active Directory in this blog series by Jerry Devore about Active Directory hardening: msft.it/6015UhVVH