Necromancer

269 posts

Necromancer

@ZeroMemoryEx

Cyber Security Consultant | Security Researcher

Joined December 2019
498 Following · 2K Followers
Pinned Tweet
Necromancer
Necromancer@ZeroMemoryEx·
I’ve released a PoC and a technical write-up for a local privilege escalation vulnerability I discovered last year and reported to Lenovo PSIRT, affecting many gaming laptop brands, including Lenovo, MSI, Thunderobot, and others. github.com/ZeroMemoryEx/C…
English
3
36
125
8.7K
Necromancer
Necromancer@ZeroMemoryEx·
@smakosh @yezz123 We can go even lower: chicken kefta: 300dh; well water: free; internet: 50dh, shared with a lot of people; bread: 10dh (soak it in water so it softens); sardines: if you're near the sea, man; rent: camping tent.
Indonesia
2
0
7
484
Smakosh
Smakosh@smakosh·
@yezz123 $200 - 1947.2 dh/month Own nothing be happy
English
6
0
73
10.3K
Yezz123
Yezz123@yezz123·
My monthly cost of living in Morocco 🇲🇦 🏘️ 400$ I own, so I do monthly maintenance/cleaning 🥗 700$ I usually don't like to cook, so I eat outside a lot ⚡ 500$ Electricity + Clean Water 🛜 120$ Wifi 🚗 500$ For car Maintenance (Cleaning - Gasoline - Extra retouch) 📦 1500$ Spoiling myself with shopping and gifts 🤸‍♂️ 60$ Gym Subscription 📱 150$ Online Subscription Total: 3,930$/Month ^ 35,900 Moroccan Dirham
Thomas Sanlis 🥐@T_Zahil

My monthly cost of living in France 🇫🇷 🏠 1,400€ loan for the apartment 🥗 450€ food, organic only, with meat, fish, etc. 📦 300€ average for various expenses (bars, orders, etc.) ⚡160€ electricity + gas 📱 45€ phone + internet 🚌 17€ average for transportation Total: 2,372€/month

English
87
10
359
150K
Necromancer
Necromancer@ZeroMemoryEx·
@rustdesk @ESET @anydesk @TeamViewer No idea, but from my point of view, a threat actor can easily deploy it stealthily, while other remote desktop apps are harder due to the message box that appears when someone tries to connect.
English
1
0
1
1.2K
rustdesk
rustdesk@rustdesk·
I'm happy to see that @ESET has marked RustDesk as a PUA, but the problem is: why aren't @AnyDesk and @TeamViewer marked the same way? Aren't they also remote access software?
English
11
23
255
38.6K
Necromancer
Necromancer@ZeroMemoryEx·
@0x_alibabas Thanks. I didn’t try BaitAndSwitch. When I suggested a redirect policy, it wasn’t an option; they said it was incompatible with their SDK. It also took a long time for them to implement a fix, so I gave up testing.
English
0
0
0
138
Alibabas
Alibabas@0x_alibabas·
@ZeroMemoryEx Nice post! Did you try to use BaitAndSwitch to bypass FILE_FLAG_OPEN_REPARSE_POINT? I don't understand why companies don't want to set the redirection flag lmao
English
1
0
1
191
Necromancer
Necromancer@ZeroMemoryEx·
@7N7 Then it calls DuplicateHandle with the DUPLICATE_CLOSE_SOURCE option, which should close it in the source process, allowing you to open it freely and dump everything without the user noticing.
English
0
0
1
76
Necromancer
Necromancer@ZeroMemoryEx·
@7N7 2. The last issue was that browser processes open the cookies database file with sharing flags that prevent other processes from accessing it. To bypass that, you can enumerate handles until you find the right one via NtQuerySystemInformation.
English
1
0
1
86
.
.@7N7·
yearly maldev bug in my brain is calling my name
English
2
0
8
1.5K
Necromancer
Necromancer@ZeroMemoryEx·
@7N7 If I remember correctly, if the user is already using the browser and you inject the DLL, it closes once creds are dumped. I didn’t look deeply, but I just run the browser with a new profile (since you can’t spawn two instances), headless, then inject the DLL and pull data via RPC.
English
0
0
1
40
Necromancer
Necromancer@ZeroMemoryEx·
@7N7 Yeah, it’s a lot of effort since you have to handle both ABE and the classic one. In ABE some maldevs focus on stealth while others don’t, because the browser closes and users notice. I can share what I did if you’re interested, or you can figure it out yourself if you like challenges.
English
1
0
1
121
Necromancer
Necromancer@ZeroMemoryEx·
@7N7 Damn, too many things waiting for you down there; it almost gave me brain damage.
English
1
0
1
207
.
.@7N7·
I'm working on a Windows stealer. It will be OSS'd soon, like the Mac one last year. It is interesting how the most effective method for decrypting browser data nowadays requires you to inject a DLL into a browser process itself.
English
3
0
7
2.7K
Necromancer
Necromancer@ZeroMemoryEx·
@AUZombie This is their builder. You can see the features, since it checks authentication on the client side, if you set the response of /api/users to true.
English
2
0
3
179
luu
luu@AUZombie·
On SalatStealer (aka WEB_RAT) - I noted an interesting use of a service worker to execute panel health checks and rotate through backup panel domains when one goes down, to allow the operator uninterrupted access. See thread 🧵
English
2
3
14
1.9K
sixtyvividtails
sixtyvividtails@sixtyvividtails·
@ZeroMemoryEx Kinda true! Hard rule: IRP.AssociatedIrp.SystemBuffer is always either null or non-paged pool. So one never needs to ProbeForRead the SystemBuffer itself (but may need to for IRP.UserBuffer and IRPsp.Type3InputBuffer). Note "ObjectAttributes->ObjectName->Buffer": gotta Probe all 3 items.
English
1
0
1
132
Necromancer
Necromancer@ZeroMemoryEx·
It’s been a while since I posted any updates here, so here’s a recap. I’ve fixed errors and memory leaks, improved error handling, added file restriction and integrity bypass features, and implemented a driver swap for disk and memory. For more detail, check github.com/ZeroMemoryEx/C…
English
4
26
134
10.7K
Necromancer
Necromancer@ZeroMemoryEx·
@sixtyvividtails Hello @sixtyvividtails, quick question: ProbeForRead is only for METHOD_NEITHER, not METHOD_BUFFERED, right? In METHOD_BUFFERED the I/O Manager already probes and copies the buffer, so probing again causes an access violation (you'd be probing a kernel address).
English
1
0
1
122
sixtyvividtails
sixtyvividtails@sixtyvividtails·
@ZeroMemoryEx Yes, that is correct; try-except should be used, but Probe should also be used. E.g. if the user sends -666 as the address of ObjectAttributes, try-except won't catch a dereference of such an address (as it's an invalid *ring0* address).
English
2
0
2
330