Security Research Analyst. Cyber Security Geek. Bookworm.

Joined October 2015
Artsiom Holub retweeted
UEFI bootkits are no longer theoretical. BlackLotus. HybridPetya. CosmicStrand as demonstrated by the "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" by @matrosov Researchers demonstrated the same class of technique against VBS enclaves, the most isolated execution environment Windows offers. Hooked GetVariable(). Intercepted BlLdrLoadImage(). Injected into hvax64.exe before VBS initialised. Owned the VM-exit handler at ring -1. Read and wrote VTL1 enclave memory directly from the hypervisor. If your threat model stops at ring-0, it stops too early. Full PoC included. tulach.cc/using-vbs-enclaves… tulach.cc/from-firmware-to-v… Author: @tulachsam #Malware #Infosec #ReverseEngineering
This is the type of malware game hackers build to bypass kernel anti-cheat. The same techniques can be used by malware authors to evade EDRs. A UEFI bootkit that injects into Microsoft's own Hyper-V at ring -1 before the OS even loads (easier than building a custom hypervisor from scratch). Four-phase bootloader. Hypervisor VM-exit interception. EPT page shadowing. MSR virtualization. EFI memory map ghosting. TPM measurement spoofing. Reads like malware. Because it is. Videos and full technical breakdown in the link. Author: gsmll.github.io/hypervenom/w… #ReverseEngineering #Malware #AntiCheat
Artsiom Holub retweeted
Most people learn security research by reading finished writeups. This one shows the actual process. The messy, organic, step-by-step reality of reversing an unknown Windows mitigation from scratch. WinDbg. IDA. Hex Rays. Guard page violations. Trap flags. Zero prior knowledge of the target. If you want to learn how to actually approach unknown Windows internals, start here. windows-internals.com/an-exe… Author: @yarden_shafir #ReverseEngineering #WindowsInternals #InfoSec
Artsiom Holub retweeted
Alexandre Borges has published over 700 pages of free security, malware and vulnerability research. A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085. No paywall. No course. Just research. Free as in beer. exploitreversing.com Author: @ale_sp_brazil #ReverseEngineering #MalwareAnalysis #InfoSec
Artsiom Holub retweeted
🚨 do you understand what just happened to your passwords? cpuid, one of the most trusted sites in PC hardware. hacked. April 10th, 2026. CPU-Z and HWMonitor. both compromised.
> fake CRYPTBASE.dll ships inside the installer
> connects to C2, downloads a C# file
> compiles it silently using YOUR own Windows tools
> injects into memory. never touches disk. AV sees nothing.
> opens Chrome's password vault. dumps everything.
the chain: cpuid → HWMonitor installer → DLL hijack → supp0v3[.]com → silent .NET compile → in-memory injection → Chrome credentials stolen. same group. same C2 domain. hit FileZilla in March 2026. they got lazy. that's the only reason we caught it.
Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now. As I began poking this with a stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly. The C2 domain present in one of the binaries is a clear IoC. This is the same Threat Group who was masquerading FileZilla in early March 2026. They've been busy.
Artsiom Holub retweeted
Rapid7 dropped a write-up on the Notepad update-chain abuse and - finally - it comes with real IOCs - update.exe downloaded from 95.179.213[.]0 after notepad .exe -> GUP.exe - file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll - network IOCs incl. api[.]skycloudcenter[.]com (-> 61.4.102[.]97), api[.]wiresguard[.]com, 59.110.7[.]32, 124.222.137[.]114 by @rapid7 rapid7.com/blog/post/tr-chry…
This is bad. Putty level bad. notepad-plus-plus.org/news/h…
Artsiom Holub retweeted
At #Pwn2Own Berlin 2025, a full exploit chain against VMware Workstation was demonstrated via a heap overflow in the PVSCSI controller. Despite Windows 11 LFH mitigations, advanced heap shaping and side-channel techniques enabled a reliable exploit. 🔍 Full technical write-up 👇 synacktiv.com/en/publication…
Artsiom Holub retweeted
Think urlscan is only useful for phishing? Think again. We break down how urlscan Pro can be leveraged to identify exposed malware C2 admin panels and support infrastructure hunting. New intel report published on urlscan Pro now.
Artsiom Holub retweeted
To help celebrate @arcanuminfosec Information Security's two-year anniversary, @Jhaddix gave me 5 codes good for any Arcanum course to give away! Winners will be announced on 1/22. 👍 1 Like = 1 Entry! ♻️ 1 Share = 2 Entries!
Artsiom Holub retweeted
In other news, we just dropped a new blog on threat actors leveraging AI to write their half-ass working scripts and payloads. At this point I'm not even mad, just disappointed. 🙃 huntress.com/blog/ai-2025-fa…
Artsiom Holub retweeted
NEW BLOG: The Great VM Escape 💕 We caught threat actors deploying a VMware ESXi exploit toolkit in the wild - potentially a zero-day developed over a year before VMware's disclosure 👀 If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺 Full technical breakdown 👇 huntress.com/blog/esxi-vm-es…
Artsiom Holub retweeted
New video dropped! 🤓 Vibe hunting through @ValidinLLC with no preparation at all, just pivoting on whatever looks interesting and seeing where it takes us 🐇🕳️ We stumbled across SmartApe, SmokedHam, Mintsloader ... Also caught up with Kenneth, the mind behind Validin! 🧠 youtu.be/yRjae5iuDTY
Artsiom Holub retweeted
‼️🇰🇵 Meet North Korean recruiter 'Aaron,' who infiltrates Western companies by using AI and posing as a remote IT worker using stolen or rented identities. He was lured into a sandbox by researchers, who observed the wild APT in a controlled setting to see what he would do.
New shiny things = expanded attack surface. #LLM #MCP
👀 A malicious MCP server spotted in the wild! The Postmark MCP server (used to send and track emails through Postmark API) introduced a suspicious behavior in version 1.0.16. The attacker cloned the legitimate Postmark MCP code and added a malicious BCC line, then published it on npm under the same name. Every email sent through this MCP was silently sent to the address of the attacker. Nasty, right? Report: koi.ai/blog/postmark-mcp-npm…
Artsiom Holub retweeted
🌟New report out today!🌟 From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Analysis/reporting completed by @RussianPanda, Christos Fotopoulos, Salem Salem, reviewed by @svch0st. Audio: Available on Spotify, Apple, YouTube and more! Report:⬇️
Artsiom Holub retweeted
👀 New Microsoft threat report shows how attackers are using AI for evasion and obfuscation in a phishing campaign! One part is very interesting: the team spotted 5 AI fingerprints in the code. But instead of hiding the attack (the initial goal), these fingerprints actually became detection artefacts! Here are the 5 fingerprints; you have probably already seen some of them in the wild:
・Overly descriptive and redundant naming
・Modular and over-engineered code structure
・Generic comments
・Formulaic obfuscation techniques
・Unusual use of CDATA and XML declaration
Blog: microsoft.com/en-us/security…
Artsiom Holub retweeted
27 Aug 2025
I foresee 2026 as a year of FIDO authentication downgrade attacks. 🪝🐟 I discovered a universal method for downgrading secure MFA methods (passkeys, security keys) to less secure alternatives during phishing attacks. Enjoy the quick demo! 🎬
Artsiom Holub retweeted
And here is the complete video of the talk 🤓 youtu.be/a_QBENR--nc?si=bg9w…

🤓 I just published my @AusCERT talk titled “Generative AI Breaches: Threats, Investigations, and Response.” In this presentation, I explain how to protect and investigate AI breaches. Small thread 🧵👇
Artsiom Holub retweeted
The latest threat in the wild: A stealthy malvertising campaign spreading a powerful multi-stage malware Talos calls "PS1Bot." Find out what makes this campaign so dangerous and how it’s evolving: cs.co/6017foCOb
Artsiom Holub retweeted
Join Cisco Talos Incident Response for an off-the-record briefing on how we tackle threats on the frontlines. Real stories, real lessons. Register now: cs.co/IRTales