an0n
@an0n_r0
Followers: 13K
Following: 10K
Media: 317
Statuses: 2K
CRT(E|O|L) | OSCP | @RingZer0_CTF 1st (for 2yrs) | HackTheBox Top10 | RPISEC MBE | Flare-On completer | GoogleCTF writeup winner | SSD research | Math MSc |🇭🇺
Joined October 2018
This pretty much sums up the situation: an in-memory (!) JavaScript-based (!) webshell gets implanted into a vulnerable React server with a single (!) POST request and leaves zero (!) trace in logs or on disk. Someone used that POC, successfully injected the shell and still
It’s wild how little sticks around when someone hits a server with the #React RCE payload. All the interesting parts of the POST request live for a moment in memory, get decoded, executed (or rejected), and vanish. Nothing hits a log, nothing lands on disk. You can scan process
"Offense and defense aren't peers. Defense is offense's child." - @JohnLaTwC We built an LLM-powered AMSI provider and paired it against a red team agent. Then, @0xdab0 wrote a blog about it: https://t.co/jnCNIlYBII A few observations from the experiment: >>> To advance, we
Combined with Browser Cache Smuggling to deliver a custom stager, this can fly under the radar. Used Sliver C2 as the final phase.
ClickFix is becoming one of my favorite initial access vectors. Just reproduced an attack scenario mimicking the fake Windows Update technique used by real threat actors today. Screencast video with explanation is here:
Think NTLM relay is a solved problem? Think again. @elad_shamir breaks down why it remains one of the easiest, and most effective, attack paths in AD environments. Read more from @helpnetsecurity ⤵️
helpnetsecurity.com
NTLM is vulnerable to relay attacks, letting attackers impersonate clients without cracking passwords, making it an easy target.
CVE-2025-59287 is being actively exploited. Update Windows Server Update Services now to reduce risk of a threat actor achieving remote code execution with system privileges. See our Alert for details ➡️ https://t.co/t5xpDWjSWS
#Cybersecurity
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️
specterops.io
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
93 custom queries of 189 in total at the Bloodhound queries site: https://t.co/axF5Ik2f4J The last Bloodhound update also has a new user interface for the queries menu.
I spent some time exploring browser cache smuggling, where visiting a webpage can lead to malware delivery. Surprisingly, it is possible to execute Chrome’s original cache file without renaming it, while also achieving persistence. More details below: https://t.co/rFrcKyuh31
medium.com
I recently came across an article detailing a campaign using browser cache smuggling and ClickFix to deliver malware to a system. I found…
New Pixnapping Attack: allows any Android app without permissions to leak info displayed by other apps exploiting Android APIs and a hardware side channel (CVE-2025-48561) Pixnapping is not fixed and probably affects all Androids. PoC: Not available yet. Steal 2FA codes 👇
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. https://t.co/GC5wA2y3EO
github.com
Windows protocol library, including SMB and RPC implementations, among others. - trustedsec/Titanis
Exciting times. I'm publishing Dittobytes today after presenting it at @OrangeCon_nl ! Dittobytes is a true metamorphic cross-compiler aimed at evasion. Use Dittobytes to compile your malware. Each compilation produces unique, functional shellcode. https://t.co/761G96JDF1
Had a hard time finding a Python script to calculate AES Kerberos keys for AD accounts so made a Python port of Get-KerberosAESKey.ps1 https://t.co/87d1h39kpd
github.com
Generate AES128/256 Kerberos keys for an AD account using a plaintext password and Python3 - Tw1sm/aesKrbKeyGen
Best Citrix Breakout ever. You can only download .ica files that provide access to certain local applications, but breaking out of these applications is not possible? Just modify the .ica file before starting it and remove the InitialProgram= value -> Full Citrix Session! 🤓
I wanted to find out if you could start the WebClient service remotely, so I ended up digging into it
specterops.io
A walkthrough to answer the question: "Can you start the WebClient service remotely as a low privileged user?"
👀Turns out MS-EVEN can do a lot more than NULL auth: In addition to leaking environment variables, it is possible to coerce authentication from arbitrary logged on users* 🤯 *If you are willing to trigger Windows Defender.
Tainting logs coming from ETW providers? Absolutely! In many cases it can be done from an unelevated process in userland, depending on the security descriptor set on ETW_GUID_ENTRY (taken from the registry). Impact? Sending fake events on behalf of almost any ETW provider, including
Now that there are tons of these and I can never find them when I need them, thanks @Oddvarmoe for showing me all the LOLS https://t.co/wOCqXRgRoc
lolol.farm
Living Off the Living Off the Lands
Blog for ToolShell Disclaimer: The content of this blog is provided for educational and informational purposes only. https://t.co/gT0aoKXkig
#SharePoint #ToolShell