A Windows port of the Linux backdoor SprySOCKS, operated by the China-linked APT FishMonger (also known as Earth Lusca/Aquatic Panda; links to i-Soon have been pointed out), has been reported. Two variants have been confirmed: WIN_DRV, which uses a kernel driver, and WIN_PLUS, which does not. In WIN_DRV, the driver loader fsdiskbit[.]sys loads RawWNPF, a rootkit that is deployed only in memory and hides processes and files. The targets are said to be government organizations in Honduras, Taiwan, Thailand, and Pakistan.
[Key points]
- The driver loader fsdiskbit[.]sys is signed with the certificate from PastDSE (a driver-signature-enforcement bypass tool published on GitHub), but this certificate is said to still be accepted on at least some insufficiently configured systems.
- RawWNPF hooks NtQuerySystemInformation to hide processes and also hides files and directories via minifilter driver callbacks. Because it runs only in memory and is never written to disk, it leaves few traces.
- The WIN_DRV variant also shows limited signs of UEFI bootkit involvement, and it has been suggested that CVE-2023-24932 may have been exploited. Continued attention to this group's activity is said to be needed.
- SprySOCKS is a backdoor whose Linux version was discovered in 2023; the port to Windows expands the range of operating systems FishMonger targets.
For details see: welivesecurity.com/en/eset-r…
[1day-1line] CVE-2026-40369: Arbitrary Kernel Address Increment LPE/Sandbox Escape Vulnerability Caused by Untrusted Pointer Dereference in Windows Kernel(ntoskrnl.exe) Hello, this is banda. Today's 1day-1line covers an LPE/Sandbox Escape vulnerability in the Windows Kernel. In the NtQuerySystemInformation Class 253 path, Length=0 can bypass pointer validation and trigger a limited 12-byte kernel write primitive at an attacker-controlled kernel address, potentially leading to SYSTEM privilege escalation even from restricted environments such as a browser renderer sandbox. Please refer to the blog post for more details! hackyboiz.github.io/2026/06/…
FishMonger's 🇨🇳 SprySOCKS backdoor goes Windows: two undocumented variants (WIN_DRV and WIN_PLUS) add kernel-level rootkit stealth, TCP traffic diversion, and UEFI bootkit indicators to a previously Linux-only implant targeting government orgs in Honduras, Taiwan 🇹🇼, Thailand, and Pakistan 🇵🇰.
- Execution chain (WIN_DRV): batch script klelam00007.bat drops files to %SystemRoot%\Fonts\, creates scheduled task "ApphostRagistreationVerifier" (note the misspelling), and uses DLL side-loading via MFC satellite DLL (tpsvcloc.dll) to launch. Loader uses 128-bit AES-ECB (key: uXQLESMXGaRMs6BL) to decrypt payloads, then injects backdoor into svchost.exe via process doppelgänging (T1055.013), spawning from a spoolsv.exe token. TH-prefixed temp files in %TEMP% are a hunt artifact.
- RawWNPF kernel rootkit (WIN_DRV only): loaded in-memory via DriverLoader (fsdiskbit.sys, signed with leaked cert from PastDSE project), it hooks NtQuerySystemInformation to hide processes, hooks nsiproxy.sys IoCompletionRoutine to hide connections from netstat, registers WFP filters (named "Delivery Optimization" to blend in) to divert specially crafted TCP packets to the hidden backdoor port, and uses minifilter callbacks to hide files under \SystemRoot\Fonts\.
- WIN_PLUS persistence uses a malicious print processor: VSPMsg.dll at C:\Windows\System32\spool\prtprocs\x64\, registered under HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg.
#DFIR_Radar
CVE-2026-40369 is an unprivileged arbitrary 12-byte kernel write in nt!ExpGetProcessInformation, reachable from Chrome/Edge/Firefox renderer sandboxes via NtQuerySystemInformation. A walk through the unchecked ProbeForWrite path and a five-phase LPE that forges a SYSTEM token with NtCreateToken. core-jmp.org/2026/06/cve-202… #BrowserExploitation #ChromeSandboxEscape #CVE #CVE202640369 #KASLR #KernelExploitation #KernelR/WPrimitive #LocalPrivilegeEscalation #NtCreateToken #ntoskrnlexe #NtQuerySystemInformation #Pwn2Own #SandboxEscape #Syscalls #SYSTEMPrivileges #Windows11 #Windows1125H2 #WindowsExploitDevelopment #WindowsInternals #WindowsKernel #WindowsKernelExploitation #WindowsKernelVulnerability #WindowsLPE #WindowsPrivilegeEscalation #Windowssecurity #WindowsServer2025
Found my first of perhaps many Wine “fix me”s: looks like they didn’t emulate NtQuerySystemInformation() for us to get the TSC time scalar. Also implies all PC devs do this wrong, else Valve would have had this implemented already.
Looks like NtQuerySystemInformation() with SystemHypervisorSharedPageInformation (aka 0xc5) gives 64-bit scalar for TSC that converts time to units of 10 MHz. So the smart way is to work in units of TSC, then do a subtraction of TSC terms, then MULHI to get {ms, us, or ns} time
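The conversion the post above describes, as an added example that is not from the post and not Wine's or Valve's code: keep timestamps in raw TSC ticks, subtract, then apply a 64-bit fixed-point scale with a high multiply (MULHI) to reach 10 MHz (100 ns) units. The scale construction from a TSC frequency and the 3 GHz sample frequency are assumptions for the demonstration; on a real system the scalar comes from the SystemHypervisorSharedPageInformation query the post names.

```c
#include <stdint.h>
#include <stdio.h>

/* High 64 bits of the 64x64 -> 128-bit unsigned product (the MULHI step). */
uint64_t mulhi64(uint64_t a, uint64_t b) {
    return (uint64_t)(((unsigned __int128)a * b) >> 64);
}

/* Constructed scale: a 0.64 fixed-point fraction 10 MHz / tsc_hz, rounded up,
 * so that mulhi64(ticks, scale) == ticks * 1e7 / tsc_hz (exact for whole
 * multiples of the TSC frequency). Assumes tsc_hz > 10 MHz. */
uint64_t tsc_scale_for_hz(uint64_t tsc_hz) {
    unsigned __int128 num = ((unsigned __int128)10000000u << 64) + (tsc_hz - 1);
    return (uint64_t)(num / tsc_hz);
}

/* Subtract in TSC units first: unsigned wraparound keeps the delta correct
 * even if the counter crosses 2^64 between the two reads. Any constant offset
 * on the reference page cancels in the subtraction, so it is not needed here. */
uint64_t tsc_delta_to_100ns(uint64_t start, uint64_t end, uint64_t scale) {
    return mulhi64(end - start, scale);
}

uint64_t units_100ns_to_ns(uint64_t t) { return t * 100; }
uint64_t units_100ns_to_us(uint64_t t) { return t / 10; }
uint64_t units_100ns_to_ms(uint64_t t) { return t / 10000; }

int main(void) {
    uint64_t scale = tsc_scale_for_hz(3000000000ull);  /* constructed 3 GHz TSC */
    uint64_t t = tsc_delta_to_100ns(UINT64_MAX - 999, 2000, scale); /* wrapped delta of 3000 ticks */
    printf("scale=%llu delta=%llu x100ns -> %llu ns\n",
           (unsigned long long)scale, (unsigned long long)t,
           (unsigned long long)units_100ns_to_ns(t));
    return 0;
}
```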
CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation. TL;DR: One syscall from any unprivileged process, even inside Chrome’s renderer sandbox, can increment arbitrary kernel memory addresses, giving SYSTEM privilege escalation. pwn2nimron.com/blog
A privilege escalation vulnerability, CVE-2026-40369, has been found in the Windows kernel. It makes it possible to break out of a browser sandbox and obtain SYSTEM privileges, and since a PoC has already been published, wider exploitation is feared.
The problem lies in the NtQuerySystemInformation handling inside nt!ExpGetProcessInformation. With a special call that sets the request length to 0, the kernel fails to properly validate the destination address, allowing arbitrary kernel virtual memory to be overwritten.
This allows escaping the sandboxes of Chrome, Edge, Firefox and others and escalating from a low-privileged application to SYSTEM-equivalent privileges. Attackers are said to be able to combine it with existing public techniques such as KASLR bypass tools to mount attacks that rewrite kernel structures.
Researcher Ori Nimron has already published a detailed analysis and PoC code on GitHub. Automating the attack or embedding it in malware has become easy.
Affected are Windows 11 24H2 through 25H2. Microsoft distributed a fix in the May Patch Tuesday, and organizations are advised to apply the update immediately and monitor for suspicious kernel writes.
securityonline.info/windows-…
May 22
#Kernel_Security CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox voidsec.com/cve-2026-40369-b… ]-> Full Exploit PoC - github.com/orinimron123/CVE-… // Windows kernel vulnerability enabling unprivileged arbitrary kernel memory writes via 'NtQuerySystemInformation', allowing privilege escalation to SYSTEM by forging tokens, affecting Windows 11 25H2 and Windows Server 2025
A kernel privilege escalation zero-day, CVE-2026-40369, that works on the latest Windows 11 environments has been published. By abusing a flaw in NtQuerySystemInformation, it becomes possible to rewrite kernel memory even from a low-privileged process inside the Chrome sandbox.
The problem lies in ExpGetProcessInformation in ntoskrnl.exe and is caused by a missing NULL check when handling SystemProcessInformationExtension (class 253). When called with Length=0, ProbeForWrite is bypassed entirely and a DWORD addition is performed at an attacker-specified kernel address. This makes it possible to increment arbitrary kernel memory, which can be abused as a privilege escalation primitive.
The PoC shows a crafted kernel address being passed to NtQuerySystemInformation and additions being performed according to the number of processes and threads. Specifying an unmapped region causes a BSOD, but choosing a suitable address is said to work stably, and the researcher claims it is "100% deterministic."
The impact has been confirmed on Windows 11 24H2 through 25H2, and it is said to be reachable from the Chrome, Edge, and Firefox sandboxes. Combining it with another tool for KASLR bypass is also proposed, but at present no fix information has been released by Microsoft.
github.com/orinimron123/CVE-…
A PoC for the Windows kernel privilege escalation vulnerability CVE-2026-40369 has been published. When a buffer length of zero is specified for class 253 of the system information API NtQuerySystemInformation, the kernel's memory validation function ProbeForWrite is skipped entirely, and a DWORD value can be added at an attacker-specified kernel address.
It is said to be reachable even from a browser renderer process, and it was fixed in the May 12 monthly patch.
Combined with a KASLR bypass it can reportedly form a privilege escalation chain, and the PoC repository also references that chaining technique.
[Key points]
- The internal function ExpGetProcessInformation correctly handles a NULL buffer for classes 5 and 252, but the NULL check is missing only for class 253. The pointer to the attacker-specified kernel address is said to be used as-is in the process enumeration loop.
- The values added are three DWORDs: the process count (by 1 each), the total thread count, and the total handle count. An error is returned for an insufficient buffer length, but the key to exploitation is said to be the design in which the additions in the process loop execute before the error return.
- The PoC states that NtQuerySystemInformation is not subject to win32k lockdown and is not blocked even under a restricted token, so it can be called directly from the Chrome, Edge, and Firefox renderer processes.
- The affected range is Windows 11 (24H2 through 26H1) and Windows Server 2025. CVSS 7.8 (Important), and Microsoft rates it "exploitation more likely." No in-the-wild exploitation had been confirmed at the time the patch was released.
For details see: github.com/orinimron123/CVE-…
cl /W4 /O2 poc.c /Fe:poc.exe /link ntdll.lib That single command builds a working exploit for CVE-2026-40369. The flaw sits in ntoskrnl.exe inside ExpGetProcessInformation. Info class 253 accepts a caller-supplied kernel address when the length argument is zero. Because the ProbeForWrite guard is wrapped inside an `if (Length)` check, a zero-length call skips validation entirely. The function then walks every process and executes three increments at the attacker-chosen address: ` *v95; v95[1] = threadCnt; v95[2] = handleCnt`. The primitive is deterministic and reachable from any sandbox that can still issue NtQuerySystemInformation, including Chrome, Edge, and Firefox renderers. It affects Windows 11 24H2 and 25H2. A crash lands as bugcheck 50 at nt!ExpGetProcessInformation 0x42e. Ori Nimron published the PoC at github.com/orinimron123/CVE-…. Combined with any KASLR leak the increment turns into a direct LPE. A length guard that only protects non-zero buffers leaves the kernel address exposed on every call.
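The check-ordering flaw the posts above describe (a probe wrapped in `if (Length)` and per-process increments that run before the length error is returned), as an added user-mode model that is not the kernel's code, not the PoC, and not a claim about what Microsoft's patch does: two constructed arrays stand in for user and kernel memory, the process table is a constructed sample, and the hardened variant shows the ordering a reviewer would look for, validate unconditionally and fail before any side effect.

```c
#include <stdint.h>
#include <stddef.h>

#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_ACCESS_VIOLATION     0xC0000005u
#define OUT_BYTES 12   /* three DWORDs: process, thread and handle counts */
#define SAMPLE_PROCS 3

uint32_t g_user_mem[16];    /* constructed stand-in for the caller's buffer */
uint32_t g_kernel_mem[4];   /* constructed stand-in for a kernel address */
static const uint32_t SAMPLE_THREADS[SAMPLE_PROCS] = {4, 8, 2};     /* constructed per-process thread counts */
static const uint32_t SAMPLE_HANDLES[SAMPLE_PROCS] = {50, 120, 30}; /* constructed per-process handle counts */

/* Model of ProbeForWrite: only the user array counts as writable user memory. */
static int probe_for_write(const void *p, size_t len) {
    uintptr_t lo = (uintptr_t)g_user_mem, hi = lo + sizeof g_user_mem, a = (uintptr_t)p;
    return a >= lo && a + len <= hi;
}

/* Vulnerable ordering: the probe is skipped when length is zero, and the
 * per-process accumulation writes through the pointer before the length check
 * can fail. A zero length therefore reaches the writes with out never validated. */
uint32_t query_vulnerable(uint32_t *out, size_t length) {
    if (length && !probe_for_write(out, OUT_BYTES)) return STATUS_ACCESS_VIOLATION;
    for (int i = 0; i < SAMPLE_PROCS; i++) {
        out[0]++; out[1] += SAMPLE_THREADS[i]; out[2] += SAMPLE_HANDLES[i];
    }
    return length < OUT_BYTES ? STATUS_INFO_LENGTH_MISMATCH : STATUS_SUCCESS;
}

/* Hardened ordering (one safe arrangement, assumed for this model): reject NULL,
 * probe regardless of length, fail on length before any side effect, and
 * accumulate in locals so *out is untouched until every check has passed. */
uint32_t query_fixed(uint32_t *out, size_t length) {
    if (out == NULL || !probe_for_write(out, OUT_BYTES)) return STATUS_ACCESS_VIOLATION;
    if (length < OUT_BYTES) return STATUS_INFO_LENGTH_MISMATCH;
    uint32_t procs = 0, threads = 0, handles = 0;
    for (int i = 0; i < SAMPLE_PROCS; i++) {
        procs++; threads += SAMPLE_THREADS[i]; handles += SAMPLE_HANDLES[i];
    }
    out[0] = procs; out[1] = threads; out[2] = handles;
    return STATUS_SUCCESS;
}
```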
Replying to @datgame
I use NtQuerySystemInformation(SystemProcessInformation), I had no performance issues
We've released four new challenges:
1. Bypassing Export Address Filtering (EAF)
2. DripLoader Memory Allocation Method
3. Foliage With Stack Duplication
4. Remote Process Handle Enumeration Via NtQuerySystemInformation
#threatreport #HighCompleteness Malware, from the Outside!: How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers | 04-03-2026
Source: huntress.com/blog/openclaw-g…
Key details below ↓
🧑‍💻Actors/Campaigns: Blackbasta
💀Threats: Ghostsocks, Stealth_packer_tool, Amos_stealer, Antivm_technique, Blackbasta, Bloat_technique, Vidar_stealer, Purelogs, Antidebugging_technique
🎯Victims: Openclaw users, General users
📚TTPs: ⚔️Tactics: 3 🛠️Technics: 0
🤖LLM extracted TTPs: T1005, T1027, T1053.005, T1055, T1059.003, T1059.004, T1071.001, T1083, T1090, T1105, ...
🧨IOCs: File: 9, Url: 5, Hash: 10, Email: 3, Path: 10, Domain: 1, Registry: 1, IP: 22
💽Software: OpenClaw, macOS, ChatGPT, Clawdbot, Moltbot, Telegram, Steam, Windows installer, GateKeeper, curl, ...
🔢Algorithms: zip, xor, sha256
🗂️Win API: NtQuerySystemInformation, NtClose, GetThreadContext, SetThreadContext
📜Programming Languages: rust, applescript
💻Platforms: apple, arm, intel
#threatreport: Between February 2 and 10, 2026, threat actors utilized malicious GitHub repositories masquerading as OpenClaw installers to distribute information stealers, notably employing a novel malware packer called Stealth Packer. These malicious installers were low-detection exploits designed to target users attempting to install OpenClaw across both Windows and macOS systems. Specifically, the malware facilitated information theft and allowed for circumvention of multi-factor authentication (MFA) and anti-fraud measures using a tool known as GhostSocks, which converts compromised systems into proxies for unauthorized account access. The campaign's distribution mechanism involved promoting the malicious GitHub repository directly within Bing's AI search results, leveraging the platform's algorithms to lead users unknowingly to the compromised software.
Previous campaigns had also exploited search poisoning techniques, exemplifying a trend wherein threat actors take advantage of AI tools to disseminate malicious installers. The OpenClaw-themed installer injected several malware variants upon execution, including a Rust-based loader facilitating the deployment of information stealers that operated solely in memory. Stealth Packer is significant in this context due to its advanced capabilities, including injecting malware into memory, manipulating firewall settings, and performing anti-virtualization checks, facilitating stealthy operation without detection. Specific malware artifacts associated with this campaign included various executables like cloudvideo.exe and svc_service.exe, the former a known Vidar stealer, while the latter was suspected to be a Rust-based malware loader that executed payloads dynamically. GhostSocks, integral to the attack’s operational success, is employed to obscure the threat actor’s identity by routing malicious traffic through the victim's system. The variant observed in this incident notably implemented enhanced security features, utilizing TLS connections, a shift from its earlier iterations. This functionality not only allows for the exfiltration of sensitive data but also ensures persistence within compromised environments. For macOS targets, an associated malicious account delivered a variant known as OpenClawBot, which mimicked legitimate deployment commands but was designed to capture sensitive information, including TCC-protected files. The malware prompted users for administrative credentials prior to executing its infostealing functions.
Replying to @RussianPanda9xx
There's a variant with timing conditions added that made this a pain: it randomly gets decrypted and runs 3 to 12 of the reflection codes, while others just bail out if it feels like it's being run through a debugger. I ~think~ they borrowed some code from, I think, one of the .NET Chameleon variants, I can't remember. But in some of the junk sections they add the following random checks, calling everything from Environment.TickCount64, DateTime.UtcNow, SpinWait, QueryPerformanceFrequency, NtQueryInformationProcess. If they were smart they would have tossed in QueryProcessCycleTime, NtQuerySystemInformation(SystemProcessorPerformanceInformation), or PdhOpenQuery as a means to look at cycles and figure out if they are being traced instead, by looking at the deltas and noticing they aren't matching up. Oh well ☯️
Replying to @Salsa12__ @0xocdsec
Win11 NtQuerySystemInformation needs admin
Replying to @daaximus
Oh this is cool! This is the first time I've seen a WarBird payload not in the ?g_Encry PE section. What's even more interesting is that there doesn't seem to be the expected call to NtQuerySystemInformation(SystemPolicyInformation) in here
Replying to @daaximus
Is there a NtQuerySystemInformation call after all these shenanigans? w/ SystemPolicyInformation class?
15 Sep 2025
#Kernel_Security
1⃣. NT OS Kernel Information Disclosure Vulnerability (CVE-2025-53136, CVE-2024-43511) - crowdfense.com/nt-os-kernel-… // A race condition in Windows' "NtQuerySystemInformation()" allows kernel address leaks and potential privilege escalation across recent versions
2⃣. Dumping LSASS With Windows Error Reporting On Modern Windows 11 - zerosalarium.com/2025/09/Dum… // tool: github.com/TwoSevenOneT/WSAS…
3⃣. Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days - willsroot.io/2025/09/ksmbd-0… // PoC: Authenticated 0-click RCE against Linux 6.1.45 for CVE-2023-52440 and CVE-2023-4130 - github.com/BitsByWill/ksmbd-…