Indirect Syscall + Google Gemini AI = Bypass Microsoft Defender.
#edr_bypass
#edr_evasion
#malware_development
#maldev
@ZwLowLevel
https://youtu.be/Qhk2JEuWj2k?si=sZcJu6MLIInWVRTc
YouTube
Indirect Syscall + Google Gemini AI = Windows Defender Bypass (Merry Christmas)
Be better than yesterday -
Revisiting an old video published approximately 8 months ago and it was being picked up by Windows Defender. This video demonstrates a quick and straight-forward XOR encryption/decryption routine to supplement the shellcode loader…
VectoredOverloading in Rust
It works by manipulating the load of a legitimate DLL using Hardware Breakpoints (HWBP) and Vectored Exception Handling (VEH) to change the DLL section object on-the-fly.
#malware_development
#maldev
#malwaredev
@ZwLowLevel
https://github.com/Whitecat18/Rust-for-Malware-Development/tree/main/VectoredOverloading
GitHub
Rust-for-Malware-Development/VectoredOverloading at main · Whitecat18/Rust-for-Malware-Development
Rust for malware Development is a repository for advanced Red Team techniques and offensive malwares & Ransomwares, focused on Rust 🦀 - Whitecat18/Rust-for-Malware-Development
How phishing spreads malware against Ukraine
This article looks at a new wave of threats linked to a service-based model for distributing malware, which is already being used against Ukrainian organizations.
#malware_spreading
#malware_campaing
#malware_analysis
@ZwLowLevel
HackYourMom
How phishing spreads malware against Ukraine - HackYourMom
Forwarded from Source Byte
Backdoor code found in Trust Wallet browser extension, causing theft of tens of millions of dollars in assets
A new backdoor code was added to version 2.68 of the Trust Wallet cryptocurrency wallet's browser extension, which sends users' mnemonic phrases to attacker servers. Due to the automatic update mechanism, the impact was widespread. On Christmas Day, December 25th, attackers began transferring funds, and according to current estimates, more than tens of millions of dollars in assets have been stolen. The latest version 2.69 has now removed the backdoor code.
Microsoft Is Finally Killing RC4
https://www.schneier.com/blog/archives/2025/12/microsoft-is-finally-killing-rc4.html
https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication
Schneier on Security
Microsoft Is Finally Killing RC4 - Schneier on Security
After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows. One of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the…
CVE-2025-7771: Exploiting a Signed Kernel Driver in a Red Team Operation
#exploit_development
#windows_internals
#windows_kernel
@ZwLowLevel
https://xavibel.com/2025/12/22/using-vulnerable-drivers-in-red-team-exercises/
Shellcode Injection on Windows: A Practical Step-by-Step Guide
A practical guide in Spanish to understanding the fundamentals of process injection on Windows.
#malware_development
#maldev
#malwaredev
@ZwLowLevel
MalGhost
Shellcode Injection on Windows: A Practical Step-by-Step Guide | MalGhost
Shellcode injection is one of the fundamental techniques in security research and malware development. This guide gives you both the theoretical knowledge and the practical skills needed to master the technique.
Forwarded from 1N73LL1G3NC3
MongoBleed (CVE-2025-14847) - Unauthenticated Memory Leak PoC
A flaw in the zlib library enables attackers to leak sensitive data from MongoDB servers. The attacker can send the payload without authentication, as the bug is exploited at the network level.
Attackers can exploit this to extract sensitive information from MongoDB servers, including user information, passwords, API keys and more. Although the attacker might need to send a large number of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information could be gathered.
Blog: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
Dork:
Shodan: product:"MongoDB"
HUNTER: product.name="MongoDB"
ZoomEye Dork: app="MongoDB"
Affected versions:
8.2.0 to 8.2.2
8.0.0 to 8.0.16
7.0.0 to 7.0.27
6.0.0 to 6.0.26
5.0.0 to 5.0.31
4.4.0 to 4.4.29
4.2.0 and later
4.0.0 and later
3.6.0 and later
HeapHunter
A unique technique that leverages the inner working of C++, specifically Pure Virtual Functions and Abstract Classes, to hijack AMSI without patching any RX in a .text section memory.
#malware_development
#malwaredev
#amsi_bypass
@ZwLowLevel
https://github.com/Yair-Men/HeapHunter
GitHub
GitHub - Yair-Men/HeapHunter: Unique technique for bypassing AMSI
Unique technique for bypassing AMSI. Contribute to Yair-Men/HeapHunter development by creating an account on GitHub.
To sign or not to sign: Practical vulnerabilities in GPG & friends
#binary_exploitation
#exploitation
@ZwLowLevel
https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i#t=146
media.ccc.de
To sign or not to sign: Practical vulnerabilities in GPG & friends
Might contain zerodays. https://gpg.fail/
From secure communications to software updates: PGP implementations such as *GnuPG* ubiquitous...
Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
This is the big one. Their social login API at /member/auth/thirdLogin doesn't verify OAuth tokens. It just accepts an email and a Google ID directly from the client.
#web_security
#pentesting_web
@ZwLowLevel
https://bobdahacker.com/blog/petlibro
Bobdahacker
Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks
How I found critical vulnerabilities in Petlibro smart pet feeders allowing complete account takeover via broken OAuth, access to anyone's pet data, device hijacking, and private audio recordings - and how they're still leaving the auth bypass active for…
Have you tried turning it off and on again?
The article explains why the classic advice “turn it off and on again” is still effective in modern computing. It argues that software failures are inevitable due to system complexity, and restarting often clears temporary states, bugs, or resource issues. Rather than treating this as a weakness, the author suggests that software should be designed to fail gracefully and make recovery — such as restarting or reinstalling — simple and reliable.
@ZwLowLevel
https://eblog.fly.dev/onoff.html
DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices
The spyware attack targeting WhatsApp, disclosed in August as an in-the-wild exploit, garnered significant attention. By simply knowing a victim's phone number, an attacker could launch a remote, zero-interaction attack against the WhatsApp application on Apple devices, including iPhones, iPads, and Macs. Subsequent reports indicated that WhatsApp on Samsung devices was also targeted by similar exploits.
#binary_exploitation
#exploitation
#android_malware
@ZwLowLevel
https://media.ccc.de/v/39c3-dngerouslink-a-deep-dive-into-whatsapp-0-click-exploits-on-ios-and-samsung-devices
media.ccc.de
DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices
The spyware attack targeting WhatsApp, disclosed in August as an in-the-wild exploit, garnered significant attention. By simply knowing a...