I'm currently working on reviving the OG social engineering technique for phishing attacks to be natively supported in Evilginx Pro.
The Browser-in-the-Browser (BITB) technique (pioneered by @mrd0x) is making a well-deserved comeback soon.
- Displays a fake OS pop-up window with the phishing page rendered within. 🖼️
- Customisable URL in the pop-up window's address bar to spoof the legitimate domain. 🔗
- Rendered pop-up window supports moving and resizing. ↔️
- Evades IFraming protections. 🔓
- Auto-detects Windows & macOS (light/dark modes) to make the pop-up window match the visitor's OS theme. 🎨
- Displays any web page in the background to support your social engineering pretext. 🖌️
I will soon release a full-length demo video to demonstrate how it works.
For the time being, enjoy the sneak peek of BITB paired with the latest Google phishlet using Phishlets 2.0.
Made exclusively for vetted cybersecurity professionals.
Coming soon to Evilginx Pro. 🪝🐟
‼️🚨 He's back: Nightmare Eclipse just dropped RoguePlanet, a new Windows Defender local privilege escalation 0day PoC. The RCE paths broke after Microsoft's Defender patch. NE suspects the BitLocker bypass may still work but isn't certain.
He has a new GitHub btw, let's see how long the account will last: https://t.co/NjgfycFgMC
Response from @github .
You can see this yourself. Your thoughts please, i don't have any words to speak. Next it could be you guys.
@Microsoft@github@MsftSecIntel . i still have 1% of hope and i have replied with proper evidence. Kindly reconsider and fix the issue.
Also the mentioned repositories does not harm anyone are allowed under: GitHub Active Malware or Exploits policies.
Ticket ID: #4440743
Thank you.
‼️ HackerOne disclosed it was training its AI with "12+ years of real-world vulnerability data," and now is in damage control after backlash over how it marketed its new AI product.
That line set researchers off. Bug bounty hunters accused HackerOne of using researchers' reports and prior bounty findings to train its Hai agentic AI system, framing it as theft.
HackerOne answered the next day. It admitted the messaging "created confusion" and stated that researcher submissions are not used to train, fine-tune, or improve generative AI models. The company said this applies across H1 Continuous Testing, H1 Agentic PTaaS, and Hai, and that third-party model providers are barred from retaining or using researcher data for their own training. It said it updated its website language.
This week the platform launched H1 Continuous Testing, pitched as "continuous assurance built for how attacks actually work." Its own page says the product uses specialized AI agents to find, validate, and prove exploitable risk across applications.
The gap that remains: the marketing still credits "12+ years of real-world vulnerability data," while the denial is scoped tightly to training generative models. HackerOne has not said what that data set actually is, or how it differs from the submissions hunters spent more than a decade filing.
Can you fix Opus 4.8/4.7 to work for offensive security with proper cyber validation approval? I’m a big fan of Claude code but at this point it’s unusable. 4.6 is usable but it’s hard to justify/advocate for the spend of a model 2 versions behind frontier. @bcherny@AnthropicAI
📅3 New Courses Coming to GH in 2026:
🥇Anticheat Development Course
🥈Devirtualization Course
🥉Rust Game Hacking Course
Sneak Peak: LLVM IR Fundamentals | DEVIRT 102C
❗️🚨 BREAKING: Security researchers are now handing Nightmare-Eclipse vulnerabilities for free, in what looks like both a show of support and a reaction to how Microsoft treats researchers. First up: "Bitskrieg," violates Secure Boot trust and fully bypasses BitLocker.
It seems aimed squarely at Microsoft's recent blog, where the company said its Digital Crimes Unit would bring cases against threat actors "and those that enable their criminal activity," language many researchers read as a threat pointed at them.
Hi
vx-underground is 7 years old, as of 2 days ago. I forgot my own website birthday.
Some of you who found vx-underground as early to mid teenagers are now adults.
Some of you who found vx-underground while attending university are now in the work force.
Some people who follow this account have unfortunately passed away.
Some followers have been arrested. Some followers have already been released from prison.
Some of you (including myself) have had children.
A lot has changed over the past 7 years.
The only thing that hasn't really changed is the website: free malware source code, samples, and papers, forever.
Thank you for letting me serve the community. It has been a pleasure. I look forward to serving all of you for another ... unknown duration of time, probably a long time, I don't know. I'm not sure how long I'll do this, but I'm already 7 years deep.
‼️🚨 Microsoft calls this "intended behaviour," so here we go.
How to dump the credentials of every user stored in Microsoft Edge:
1. Open Edge. Don't browse anywhere, just open it.
2. Flip to Task Manager, find Edge, expand the task.
3. Highlight the "browser" sub-task, right-click, and choose "Create Memory Dump."
4. Open the dump file and look for credentials.
The logged-in Windows user can dump every stored Edge credential with no additional rights. Which means any malware that user executes has those credentials for the asking.
Thanks to Rob VandenBrink at SANS: https://t.co/ebtVZxne4L
Edoardo has released a great write-up on setting up Caddy in front of Evilginx and automating the process with the tool he wrote - kCaddy.
Take a look, as there are not that many posts on properly setting up redirectors for your phishing infrastructure.
Finally back to the forge. ⚒️
I revisited an old friend, #CaddyWebServer, and forged kCaddy: a malleable Caddy redirector for #RedTeam ops.
New post: proxying and obfuscating #Evilginx with M365, Google, and Okta phishlets.
https://t.co/TFCOXdx1Hr