just the average next door security janitor

Joined June 2009
default itsec guy retweeted
May 21
Phantom Killer: EDR evasion via Lenovo driver
Researcher Jehad Abu Dagga from e& UAE (etisalat and) reverse-engineered the "BootRepair.sys" driver used by Lenovo PC Manager and uncovered critical security flaws that can be abused:
📌 The device "\Device\BootRepair" created by the driver has no defined DACL, allowing any low-privileged user to interact with it.
📌 The IOCTL dispatcher doesn’t verify permissions when invoking the process termination function ("sub_14000198C").
📌 A symbolic link "\DosDevices\BootRepair" is created in user space, allowing direct access to the device from user space.
⚠️ The developed PoC can terminate any process by specifying its PID.
🥷 Key advantage for an attacker: the driver is legitimate and signed by Lenovo, allowing it to bypass Driver Signature Enforcement (DSE) checks.
🎯 Attack scenarios:
✅ If the driver is already loaded on the system: any low-privileged user can access it without restrictions and terminate any process, including EDR/AV.
✅ If the driver isn’t loaded: an attacker can load the trusted, signed driver (Bring Your Own Vulnerable Driver — BYOVD attack) and then use it to kill protected processes.
📎 Article: medium.com/@jehadbudagga/pha…
🦠 PoC: github.com/redteamfortress/P… -> (git.redteamfortress.com/j3h4…), git.redteamfortress.com/j3h4…
#dbugs_attacks
default itsec guy retweeted
Introducing nginx-poolslip, a fresh RCE for the latest nginx release 1.31.0. nginx-rift has been patched, but our security agent Vega has found a new 0 day. We will release the full technical writeup with ASLR bypass 30 days after the patch on nebusec.ai.
default itsec guy retweeted
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
default itsec guy retweeted
I just reverse-engineered the YellowKey BitLocker bypass. Microsoft shipped code that checks for a flag called "FailRelock" in every Windows 11 recovery image. When it's set to 1, after recovery unlocks your BitLocker drive, it never relocks it. All you need is a USB stick. This code only exists in the recovery environment. Not in normal Windows. They left an entire debug testing framework in production.
The userland demon is about to drop again.
default itsec guy retweeted
I'm using AI to find vulnerabilities (for 2 days), and it's crazy how easy it is... currently fuzzing libpng, which is being used by practically anything; already 3 different CVEs: memory corruption, memory leak and DoS. $20 is cheaper than a full-time vuln researcher.
default itsec guy retweeted
The man who killed the $10,000 GPU myth. He did it alone, from Bulgaria, with one C file. 🤯
>Meet Georgi Gerganov.
>Bulgarian developer. Nobody had heard of him.
>In March 2023, Meta’s LLaMA model leaked online
>Within days he wrote a single C file
>Called it llama.cpp
>It ran a full AI model on a MacBook. No GPU. No cloud.
>The entire AI industry said you needed $10,000 GPUs to run LLMs 🔥
>He proved you didn’t. On a laptop. Alone.
>Also built whisper.cpp ~ same thing for voice AI
>His code is the foundation of Ollama, LM Studio, and GPT4All
>107,000 GitHub stars. Fastest open-source AI project to hit 100K ever. 🚀
>In 2026 Hugging Face hired his entire team
>Still ships code. Still open source. Still free.
Every time you run AI locally, you’re running his work. Absolute Legend 🐐
default itsec guy retweeted
My BlueHammer version (now redhammer) implements my VDM version patch, deploys and loads the BYOVD for my exploitkit. It bypasses the new signature for BlueHammer as well. How is this still unpatched?
default itsec guy retweeted
Living on the Edge: Evicting threat actors from perimeter appliances youtube.com/watch?v=ZzGCs9H4…

found old stuff like PE compressors from 2002 ... wonder what to do with it
default itsec guy retweeted
20 Nov 2025
We know that Microsoft improved the overall printing security in 2025, now using DCE/RPC for callback, you can force NTLM local auth and reflect back machine auth even without CredMarshalTargetInfo() trick 😇
default itsec guy retweeted
All my recent activity wasn't for nothing...I'm pleased to announce that I'll be speaking at @DistrictCon with @natashenka about a 0-click to kernel exploit chain for the Pixel 9 in January!
default itsec guy retweeted
17 Nov 2025
This is underrated and has worked forever
default itsec guy retweeted
Lol "ZDI has marked all 13 issues as zero-day vulnerabilities, given Ivanti’s failure to release fixes in accordance with responsible disclosure deadlines." cyberinsider.com/zdi-drops-1…
default itsec guy retweeted
CODE WHITE proudly presents #ULMageddon which is our newest applicants challenge at apply-if-you-can.com/ packaged as a metal festival. Have fun 🤘 and #applyIfYouCan
default itsec guy retweeted
15 Sep 2025
Tired of dull, standard interviews? Talk to Kurt. Also, a few of my colleagues and I will be attending BruCON next week. Feel free to come and talk to us.
default itsec guy retweeted
We always love a good challenge. That’s why we’re sponsoring the 10th FAUST CTF. Game on at 2025.faustctf.net/

default itsec guy retweeted
9 Jul 2025
Introducing Havoc Professional: A Lethal Presence
We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit, our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/intro…
default itsec guy retweeted
23 Jun 2025
If you're battling phishing detections through CSS canary tokens, make sure to add these entries into your Evilginx MS365 phishlet to evade the detection. This will block requests to canaries hosted via cloudfront[.]net.
default itsec guy retweeted
Thank you so much to @x33fcon and its organizers for an awesome experience! @tifkin_ and I had a blast talking about the new Nemesis 2.0 rewrite (code live at github.com/SpecterOps/Nemesi… !) and hope to be back next year #x33fcon
default itsec guy retweeted
13 Jun 2025
CVE-2025-33073 is really insane 🤯 Reproduce this attack in GOAD in 3 commands. x.com/Synacktiv/status/19327…
11 Jun 2025
Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blogpost by @yaumn_ and @wil_fri3d. synacktiv.com/publications/n…