Analysis of BlueHammer: LPE Exploiting Windows Defender Updates
BlueHammer is dangerous not because it uses a simple bug, but because it chains together several legitimate Windows components in a clever and unexpected way. It tricks trusted features into exposing sensitive system information without relying on obvious malware behavior. Specifically, the exploit abuses Windows Defender’s signature update mechanism, the Volume Shadow Copy Service (VSS), the Cloud Files API, and a Time-of-Check to Time-of-Use (TOCTOU) race condition to read the system's SAM database.
https://www.coresecurity.com/blog/analysis-bluehammer-lpe-exploiting-windows-defender-updates
BlueHammer is dangerous not because it uses a simple bug, but because it chains together several legitimate Windows components in a clever and unexpected way. It tricks trusted features into exposing sensitive system information without relying on obvious malware behavior. Specifically, the exploit abuses Windows Defender’s signature update mechanism, the Volume Shadow Copy Service (VSS), the Cloud Files API, and a Time-of-Check to Time-of-Use (TOCTOU) race condition to read the system's SAM database.
https://www.coresecurity.com/blog/analysis-bluehammer-lpe-exploiting-windows-defender-updates
❤4🔥3👎1
A Race Within A Race: Exploiting CVE-2025-38617 in Linux Packet Sockets
#CVE-2025-38617 is a use-after-free vulnerability in the Linux kernel’s packet socket subsystem, caused by a race condition between packet_set_ring() and packet_notifier(). The bug has existed since Linux 2.6.12 (2005) and was fixed in kernel version 6.16. It allows an unprivileged local attacker — needing only CAP_NET_RAW, obtainable through user namespaces — to achieve full privilege escalation and container escape.
https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
#CVE-2025-38617 is a use-after-free vulnerability in the Linux kernel’s packet socket subsystem, caused by a race condition between packet_set_ring() and packet_notifier(). The bug has existed since Linux 2.6.12 (2005) and was fixed in kernel version 6.16. It allows an unprivileged local attacker — needing only CAP_NET_RAW, obtainable through user namespaces — to achieve full privilege escalation and container escape.
https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
🔥3❤1
The State of MicroVM Isolation in 2026, Your Container Is Not a Sandbox
The microVM ecosystem was battle-tested long before agentic AI created the demand. Now it's thriving, diverse, and moving fast. This post covers every VMM, the shared Rust crate ecosystem, a dozen AI sandbox platforms and honest trade-offs.
https://emirb.github.io/blog/microvm-2026/
The microVM ecosystem was battle-tested long before agentic AI created the demand. Now it's thriving, diverse, and moving fast. This post covers every VMM, the shared Rust crate ecosystem, a dozen AI sandbox platforms and honest trade-offs.
https://emirb.github.io/blog/microvm-2026/
👍2
MOIS Linked MOIST GRASSHOPPER / Homeland Justice / KarmaBelow80 / Handala Hackers / Campaigns and Evolution
The evidence examined across this analysis spanning U.S. government reporting, private-sector threat intelligence research, passive DNS and infrastructure enrichment, and longitudinal review of archived web and Telegram content supports a high-confidence assessment that the personas Homeland Justice, Karma, and Handala do not represent discrete or ideologically independent hacktivist groups. Rather, they constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles.
https://dti.domaintools.com/research/mois-linked-moist-grasshopper-homeland-justice-karmabelow80-handala-hackers-campaigns-and-evolution
The evidence examined across this analysis spanning U.S. government reporting, private-sector threat intelligence research, passive DNS and infrastructure enrichment, and longitudinal review of archived web and Telegram content supports a high-confidence assessment that the personas Homeland Justice, Karma, and Handala do not represent discrete or ideologically independent hacktivist groups. Rather, they constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles.
https://dti.domaintools.com/research/mois-linked-moist-grasshopper-homeland-justice-karmabelow80-handala-hackers-campaigns-and-evolution
👍2🔥2
Debugging - WinDBG(X) Automation & Scripting - Part 1
https://www.corelan.be/index.php/2026/04/17/debugging-windbgx-automation-scripting-part-1/
https://www.corelan.be/index.php/2026/04/17/debugging-windbgx-automation-scripting-part-1/
🔥2👎1
Introduction to SMM Rootkit
Some of the most powerful malware include kernel rootkits, hypervisor rootkits, and UEFI bootkits. However, one malware that is (had) more powerful than these is the System Management Mode (SMM) rootkit.
In this article, we will introduce the basics of SMM and then explain how SMM rootkits work and the threats they pose. We will also explain how well SMM rootkits will work on today's PCs, taking into account the current trend of SMMs being weakened.
https://engineers.ffri.jp/entry/2026/04/20/000000
Some of the most powerful malware include kernel rootkits, hypervisor rootkits, and UEFI bootkits. However, one malware that is (had) more powerful than these is the System Management Mode (SMM) rootkit.
In this article, we will introduce the basics of SMM and then explain how SMM rootkits work and the threats they pose. We will also explain how well SMM rootkits will work on today's PCs, taking into account the current trend of SMMs being weakened.
https://engineers.ffri.jp/entry/2026/04/20/000000
🔥6❤2👍1
Beware scam messages offering ships safe transit through Hormuz Strait, says security firm
https://www.straitstimes.com/world/middle-east/scam-messages-offering-ships-safe-transit-through-hormuz-security-firm-warns
https://www.straitstimes.com/world/middle-east/scam-messages-offering-ships-safe-transit-through-hormuz-security-firm-warns
💔2
where did the kelp $292m go? anatomy of a $292m laundering.
https://x.com/the_smart_ape/status/2047233756046438654
https://x.com/the_smart_ape/status/2047233756046438654
🔥3
HTA writing files when Windows doesnt want it to
https://branestawmc.pages.dev/posts/2025-07-24-HTA-writing-files-when-Windows-doesnt-want-it-to
https://branestawmc.pages.dev/posts/2025-07-24-HTA-writing-files-when-Windows-doesnt-want-it-to
❤5👾1
Forwarded from Iman's dmesg
Some programs only accept filenames, even when input comes from a pipe. A common convention is
Example from
That's what makes this work:
But
On Linux,
Ref:
- https://cgit.git.savannah.gnu.org/cgit/diffutils.git/tree/src/diff.c#n1481
- https://github.com/systemd/systemd/blob/v260.1/src/shared/dev-setup.c#L22
- for stdin, but each program has to implement that itself.Example from
diffutils:if (STREQ (cmp.file[f].name, "-")) {
fd = STDIN_FILENO; // <- THIS
...
}That's what makes this work:
ls | diff -u - oldfilelist
But
/dev/fd/0 avoids depending on that convention. It gives the current process's stdin a real pathname:ls | diff -u /dev/fd/0 oldfilelist
On Linux,
/proc/self/fd comes from the kernel via procfs, while /dev/fd, /dev/stdin, /dev/stdout, and /dev/stderr are usually set up in early userspace by udev.Ref:
- https://cgit.git.savannah.gnu.org/cgit/diffutils.git/tree/src/diff.c#n1481
- https://github.com/systemd/systemd/blob/v260.1/src/shared/dev-setup.c#L22
❤2
Forwarded from -
ما با موفقیت به اپراتور همراه اول و نظام صنفی رایانه ای کشور نفوذ کردیم و جزئیات این اقدام که در اعتراض به اینترنت پرو انجام شده بزودی منتشر خواهد شد
🔥5👏3❤2🤔2🤯2💔2
-
ما با موفقیت به اپراتور همراه اول و نظام صنفی رایانه ای کشور نفوذ کردیم و جزئیات این اقدام که در اعتراض به اینترنت پرو انجام شده بزودی منتشر خواهد شد
[ + ] They appear from no where
[ + ] say we are fighting GOV
[ + ] leak some MCI internal chats
[ + ] start sharing VPNs
plz don't fight 😆
[ + ] say we are fighting GOV
[ + ] leak some MCI internal chats
[ + ] start sharing VPNs
plz don't fight 😆
❤8👎1👏1🗿1
LLM Internals
Learn LLM internals step by step - from tokenization to attention to inference optimization.
https://github.com/amitshekhariitbhu/llm-internals
Learn LLM internals step by step - from tokenization to attention to inference optimization.
https://github.com/amitshekhariitbhu/llm-internals
❤4👍3👾3🔥1
Ghost Operators: How Israeli Telecoms Were Exploited to Track Citizens Worldwide
Report shows how an SMS exploit turns smartphones into tracking devices – and how 4G and 5G networks are abused
https://www.haaretz.com/israel-news/security-aviation/2026-05-03/ty-article-magazine/ghost-operators-how-israeli-telecoms-were-exploited-to-track-citizens-worldwide/0000019d-e9c0-dd9a-a79d-ede90a450000
Report shows how an SMS exploit turns smartphones into tracking devices – and how 4G and 5G networks are abused
https://www.haaretz.com/israel-news/security-aviation/2026-05-03/ty-article-magazine/ghost-operators-how-israeli-telecoms-were-exploited-to-track-citizens-worldwide/0000019d-e9c0-dd9a-a79d-ede90a450000
❤7👍1
Copy Fail (CVE-2026-31431): Technical summary of this Linux flaw
https://www.linuxtricks.fr/news/10-logiciels-libres/600-copy-fail-cve-2026-31431-synthese-technique-sur-cette-faille-linux/
https://www.linuxtricks.fr/news/10-logiciels-libres/600-copy-fail-cve-2026-31431-synthese-technique-sur-cette-faille-linux/
❤4🔥1