@jack_halon profile picture
Jack Halon @jack_halon

Red Team and Offensive R&D at @CrowdStrike | Powered by ☕🍻🍩

Joined October 2016
  • Tweets 3,418
  • Following 402
  • Followers 4,939
71 Photos and videos
Pinned Tweet
Jack Halon@jack_halon
29 Dec 2022
To wrap up 2022, I'm releasing the final part of my 3-part browser exploitation series on Chrome! In this post, we demonstrate the practical use of the concepts we've learned throughout the series by analyzing and exploiting CVE-2018-17463. Enjoy! jhalon.github.io/chrome-brow…

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the...

jhalon.github.io
8
128
455
55,690
Jack Halon retweeted
Michael Weber@BouncyHat
Jun 4
We think of WASM as a mechanism to run compiled code in your browser, but what if we shimmed in all the host APIs necessary to run full implants with ALL logic entirely in the WASM VM? This post walks through what that looks like. praetorian.com/blog/wasmforg… #wasm #malware #sliver

Enter the WasmForge: Compiling Sliver into WebAssembly

Expose how compiling Sliver into WebAssembly beats EDR: WasmForge produces opsec-safe binaries with zero changes to the tool source.

praetorian.com
3
24
72
8,723
Jack Halon retweeted
Michael Weber@BouncyHat
May 29
I'm tired of my tools getting sig'd so I built a pipeline to keep our tools alive for longer and bring some classics back. Post 1 of 3 is live now. The final post will drop our Go/C# -> WASM toolchain. It builds #Sliver, #Chisel, and some of #GhostPack. praetorian.com/blog/llm-edr-…

Adversarial Oracles: LLM-Guided EDR Signature Reduction

Stripping your binary makes EDR detection worse, not better. See how an LLM and VirusTotal automate antivirus evasion by blending in instead.

praetorian.com
1
19
67
9,797
Jack Halon retweeted
watchTowr
@watchtowrcyber
Apr 2
🫡 We’re back. Today, we’re publishing vulnerabilities we discovered, disclosed, and chained to achieve pre-auth RCE against Progress ShareFile. Enjoy the journey with us, while you sob into your hands 🫠 labs.watchtowr.com/youre-not…

You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699...

If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn’t squint, it’s bad for...

labs.watchtowr.com
3
57
207
38,460
Jack Halon retweeted
watchTowr
@watchtowrcyber
Mar 28
while we’re eating our best writing crayons and using finger paint to finish our latest research, we’ve decided to take this opportunity to share research from the archives with new followers 🙂 happy Friday… for now 🥹 labs.watchtowr.com/we-spent-… (Yes this is not new don’t @ us)

We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI

Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary What started out as a bit of fun between colleagues while avoiding the Vegas...

labs.watchtowr.com
2
7
67
4,589
Jack Halon retweeted
watchTowr
@watchtowrcyber
Mar 19
What's new is old, and what's old is new - as is relentlessly proven. Join us in our analysis of CVE-2026-32746, the recent pre-auth RCE in inteutils' Telnetd Speak soon. labs.watchtowr.com/a-32-year…

A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)

A long, long time ago, in a land free of binary exploit mitigations, when Unix still roamed the Earth, there lived a pre-authentication Telnetd vulnerability. In fact, this vulnerability was born so...

labs.watchtowr.com
1
41
120
16,144
Jack Halon retweeted
watchTowr
@watchtowrcyber
Mar 18
In 2025, we achieved pre-auth RCE against another solution in a ransomware gang favourite category. Today, we finally click publish. Join us as we walk through a chain of vulnerabilities we identified in BMC’s FootPrints ITSM solution. Enjoy! labs.watchtowr.com/thanks-it…

The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution...

SolarWinds. Ivanti. SysAid. ManageEngine. Giants of the KEV world, all of whom have ITSM side-projects. ITSMs, as a group of solutions, have played pivotal roles in numerous ransomware gang campaigns...

labs.watchtowr.com
1
40
109
17,742
Jack Halon retweeted
watchTowr
@watchtowrcyber
Feb 25
We promised we'd be back! Join us on our journey, from repro'ing N-days to stumbling into 0-days in SolarWinds Web Help Desk, eventually achieving pre-auth RCE. This research fuels the watchTowr Platform, our Preemptive Exposure Management technology. labs.watchtowr.com/buy-a-hel…

Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s))

It’s been a while, but we’re back - in time for story time. Gather round, strap in, and prepare for another depressing journey of “all we wanted to do was reproduce an N-day, and here we are with...

labs.watchtowr.com
66
206
40,409
Jack Halon retweeted
Stephen Fewer@stephenfewer
Feb 10
We just published our @rapid7 analysis of CVE-2026-1731, a critical command injection affecting BeyondTrust Privileged Remote Access (PRA) & Remote Support (RS). Unauthenticated RCE, with a root cause due to Bash arithmetic evaluation. Analysis/PoC here: attackerkb.com/topics/jNMBcc…

CVE-2026-1731 | AttackerKB

On February 6, 2026, BeyondTrust published an advisory for a new critical command injection vulnerability, CVE-2026-1731, affecting their products Remote Suppo…

attackerkb.com
3
33
120
26,092
Jack Halon retweeted
Back Engineering Labs
@BackEngineerLab
Feb 7
We’re releasing our analysis of ring-1.io, a major game cheat targeted by multiple studios in recent legal actions. We partially deobfuscated several Themida-protected components and document how it hijacks Hyper-V to inject and manipulate game code. back.engineering/blog/04/02/… github.com/backengineering/r…

15
97
462
115,195
Jack Halon retweeted
b33f | 🇺🇦✊@FuzzySec
Feb 6
I wrote a post on creating "scalable research tooling for agent systems" and I'm also releasing the companion MCP server which lets you do autonomous Frida instrumentation on Android. Details in thread 👇📲🪝
3:46
5
15
117
18,514
Jack Halon retweeted
X-C3LL@TheXC3LL
Jan 31
A small rant: The State of Art in Red Team is whatever you want to believe x-c3ll.github.io/posts/Rant-…

The State of Art in Red Team is whatever you want to believe

a rant about Red Teaming.

x-c3ll.github.io
17
90
343
50,908
Jack Halon retweeted
watchTowr
@watchtowrcyber
Jan 30
Someone knows Bash disgustingly well, and we love it. Here's our analysis of the Ivanti EPMM Pre-Auth RCE vulnerabilities - CVE-2026-1281 & CVE-2026-1340. This research fuels our technology, enabling our clients to accurately determine their exposure. labs.watchtowr.com/someone-k…

Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-20...

When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) solution - we...

labs.watchtowr.com
8
68
225
32,466
Jack Halon retweeted
Michael Weber@BouncyHat
Jan 26
Early last year @rad9800 shared an idea he'd discussed with @jonasLyk about how to stealthily write to the registry without using the traditional registry APIs EDR watches. The time has come to open source the tool. Hope this helps someone hit their goal! praetorian.com/blog/corrupti…

Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals

Swarmer enables stealthy Windows registry persistence by exploiting mandatory user profiles and the Offline Registry API to bypass EDR detection. Learn how this technique leverages NTUSER.MAN files...

praetorian.com
5
29
89
4,221
Jack Halon retweeted
watchTowr
@watchtowrcyber
Jan 22
Earlier this month, we reported a zero-day auth. bypass in the SmarterTools SmarterMail email solution. Someone has reversed the patch (released on 15th Jan) and begun exploiting it in the wild. Read our analysis and please, ASSUME BREACH PATCH NOW. labs.watchtowr.com/attackers…

Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass)

Well, well, well - look what we’re back with. You may recall that merely two weeks ago, we analyzed CVE-2025-52691 - a pre-auth RCE vulnerability in the SmarterTools SmarterMail email solution with a...

labs.watchtowr.com
40
93
15,571
Jack Halon retweeted
Sean Heelan@seanhn
Jan 18
Blog post: On the Coming Industrialisation of Exploit Generation with LLMs sean.heelan.io/2026/01/18/on… TL;DR: I ran an experiment with GPT-5.2 and Opus 4.5 based agents to generate exploits for a zeroday QuickJS bug. They're pretty good at it. Code: github.com/SeanHeelan/anamne…
29
233
1,100
230,004
Jack Halon retweeted
Natalie Silvanovich@natashenka
Jan 15
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices. projectzero.google/2026/01/p…

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

Over the past few years, several AI-powered features have been added to mobile phones that allow ...

projectzero.google
7
236
1,021
117,070
Jack Halon retweeted
watchTowr
@watchtowrcyber
Jan 8
And, we're back - analyzing CVE-2025-52691, a pre-auth RCE in SmarterTools SmarterMail mail server solution. Speak soon (:^)) and enjoy.. labs.watchtowr.com/do-smart-…

Do Smart People Ever Say They’re Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691)

Welcome to 2026! While we are all waiting for the scheduled SSLVPN ITW exploitation programming that occurs every January, we’re back from Christmas and idle hands, idle minds, yada yada. In Decemb...

labs.watchtowr.com
5
52
188
37,657
Jack Halon@jack_halon
20 Dec 2025
A fun little Friday night project porting @AndrewOliveau C# SessionHop code to a BOF. Built off of @tiraniddo session moniker research & @CICADA8Research original IHxHelpPaneServer blog. Enjoy! github.com/jhalon/cSessionHo…

GitHub - jhalon/cSessionHop: Beacon Object File (BOF) for Windows Session Hijacking via IHxHelpPa...

Beacon Object File (BOF) for Windows Session Hijacking via IHxHelpPaneServer COM - jhalon/cSessionHop

github.com
39
106
7,790
Jack Halon retweeted
watchTowr
@watchtowrcyber
10 Dec 2025
Today, we’re releasing watchTowr Labs’ @chudyPB’s BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances. labs.watchtowr.com/soapwn-pw…

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to...

labs.watchtowr.com
3
110
370
87,943
Jack Halon retweeted
Fox_threatintel@banthisguy9349
26 Nov 2025
krebsonsecurity.com/2025/11/… dear fucking lord. This is absolutely wild

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

A prolific cybercriminal group that calls itself "Scattered LAPSUS$ Hunters" made headlines regularly this year by stealing data from and publicly mass extorting dozens of major corporations. But the...

krebsonsecurity.com
9
63
296
47,120
Load more