Tired of malware development noobs complaining about the WINAPI and process creation stuff.
It's shrimple.
You simply use CreateProcess or ShellExecute. If you want to be extra specific, you can use ShellExecuteEx or CreateProcessAsUser. If you want to be a little more specific you can use CreateProcessWithLogonW. If you want to be specific, but in a slightly different way, you can use CreateProcessWithTokenW.
Technically, you can also use the outdated (but still present) function from internet explorer called "OpenURL". OpenURL will treat a file path as a URL and create the process. It's inside IEFRAME.DLL. Very cool.
Also, you can use some weird library on Windows called MSHTML and use RunHTMLApplication. RunHTMLApplication can be used to execute VBS or JavaScript which then runs an executable.
Alternatively, you can use LaunchApplicationW from the PCWUTL library. This will also create a process.
Interestingly, there is a weird goof in Windows. Remember OpenURL from internet explorer? Well, it's also present in a library called shdocvw.dll. You can use OpenURL from there too.
If you don't want to use ShellExecute, or ShellExecuteEx, which comes from the SHELL32 library, you can use ShellExec_RunDLLW from SHELL32. It basically does the same thing.
I suppose if you don't like any of these you can use URL.DLL functionality, specifically FileProtocolHandlerA function. This will treat a file path like a URL and execute a file for you.
If you're not happy with FileProtocolHandlerA, URL.DLL also has OpenURL (the same function from IEFRAME.DLL! Internet explorer stuff!) so you can use OpenURL from URL.DLL too.
If none of these are sufficient, you can also use some weird function called RouteTheCall from the ZIPFLDR library. I'm not sure what's up with this function, it is Windows ZIP stuff. Regardless, RouteTheCall has three parameters. The first two are NULL and the third parameter accepts a file path to a file you want to execute.
Of course, if you're doing low-level development, or want to be more evasive, you can always do the NTDLL stuff and use NtCreateUserProcess, or ZwCreateUserProcess.
Oh, I almost forgot, you can also use RunAsNewUser_RunDLLW from SHELL32. Luckily this library exposes several different ways to create a process (although they're not documented well, no idea why).
My memory is fuzzy, I almost forgot this one, but Windows also exposes a way to create a process from the little "Help" icon thingy on GUIs. You can initialize IHxHelpPaneServer or IHxInteractiveUser from the Windows Component Object Model then invoke the "Execute" method. This method is supposed to be for URLs, but Windows will treat a URL like a file still.
Before I forget, you can also use the Windows Management Instrumentation (WMI) stuff for process creation. If you use the Windows Component Object Model and initialize IWbemLocator you can initialize Win32_ProcessStartup and use that to create a process too.
I guess I should note, if you don't want to use SHELL32 directly, you can also use the Component Object Model and initialize CLSID_ShellWindows, get the Desktop ShellView, find its COM automation objects, and using the Shell.Application interface you invoke ShellExecuteW.
Anyway, it's shrimple, just use one of these to create a process:
- CreateProcess
- ShellExecute
- ShellExecuteEx
- CreateProcessAsUser
- CreateProcessWithLogonW
- CreateProcessWithTokenW
- OpenURL (ieframe.dll)
- RunHTMLApplication
- OpenURL (shdocvw.dll)
- ShellExec_RunDLLW
- FileProtocolHandlerA
- OpenURL (URL.dll)
- RouteTheCall
- NtCreateUserProcess
- RunAsNewUser_RunDLLW
- IHxHelpPaneServer
- IHxInteractiveUser
- Win32_ProcessStartup
- CLSID_ShellWindows (Shell Automation)
I'll skip on the touch pad injection, INF section abuse, in-memory execution, or shellcode injection. That's a different topic.
ACTIVE DIRECTORY IS KING OF SIMPLICITY THUS SECURITY!!!
In Server Manager, after being prompted for credentials on the Secure Desktop, we have _all_ of the AD Consoles and PowerShell interface.
How many is that? About half a dozen.
Between Active Directory Users & Computers, the Group Policy Management Console (GPMC) and PowerShell we have about 90% of what we need.
AD Sites & Services, DNS, and DHCP consoles round out the principal methods we manage a UserVille, Infrastructure, Dev, DMZ, or other ADDS Forest/Domain in our secure KISS (Keep It Simple S______) ADDS System.
How is any one person, or team of persons, supposed to keep track and manage all of this?
IMNSHO, this complexity is the worst "We're more Secure" model in existence!
I suggest bookmarking this site:
https://t.co/IvqtSDq2Ia
* Note the scrollbar in the snips!!!
Every SOC team should read this repo before building any LLM-powered security tool
https://t.co/3L4zH8f31p
The failure modes of LLMs in security contexts are well documented in academic literature
They are almost completely ignored in product development
"You can run OpenClaw inside your company now." Announcing our work with @Microsoft to bring OpenClaw to the Microsoft and Windows ecosystems. Claws now work securely in the enterprise.
Conditional Access policies won’t stop token theft—and standard MFA won't fix it either.
When teams roll out Microsoft Authenticator push codes or SMS, some assume the cloud perimeter is safe. But sophisticated actors have moved completely past brute-forcing passwords. They use Adversary-in-the-Middle (AiTM) phishing frameworks like Evilginx.
The attack flow is clean: The proxy site mirrors your Entra ID login page. The user enters credentials and solves the genuine MFA challenge.
Once Entra ID validates the session, it issues an ESTSAUTH session cookie. The malicious proxy server snatches that cookie before passing it back to the victim’s browser.
The Result: The attacker drops that stolen cookie into their own machine. Because the session has already passed the MFA verification loop, they gain instant access to the mailbox or cloud apps. They bypass standard Conditional Access rules seamlessly.
Advanced features like Continuous Access Evaluation (CAE), Token Protection session controls, or strict device compliance rules can mitigate this. But they are rarely part of an organization’s "default" browser-based setups.
Because a stolen token completely bypasses the sign-in loop, you cannot hunt for it by looking for failed logins. You have to hunt for Session Anomalies—specifically when an identical session jumps network or device context mid-lifecycle.
From Sentinel or Entra ID Advanced Hunting, you can run the below KQL query to identify active token replays across interactive and non-interactive sign-ins:
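The hunt described in this post, as an added example and not the author's KQL query: a Python pass over constructed sign-in records that groups successful sign-ins (interactive and non-interactive together) by session id and flags any session seen from more than one IP address or device during its lifetime. The column names (TimeGenerated, UserPrincipalName, SessionId, IPAddress, DeviceId, IsInteractive, ResultType) are an assumption modelled on the Entra sign-in log schema; the records themselves are constructed.

```python
"""Hunt for session-token replay: one Entra ID session id used from more than
one network or device context during its lifetime.

Constructed sample records, not real telemetry. Field names are assumed to
mirror the SigninLogs / AADNonInteractiveUserSignInLogs columns; adapt them
to what your workspace actually exposes.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: alice signs in interactively (MFA passed) from her
# laptop, then the SAME session id is used non-interactively from another
# IP with no registered device: the shape of a replayed session cookie.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2026-03-02T08:00:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-001", "IPAddress": "203.0.113.10", "DeviceId": "dev-laptop-01",
     "IsInteractive": True, "ResultType": "0"},
    {"TimeGenerated": "2026-03-02T08:01:30Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-001", "IPAddress": "203.0.113.10", "DeviceId": "dev-laptop-01",
     "IsInteractive": False, "ResultType": "0"},
    {"TimeGenerated": "2026-03-02T08:04:00Z", "UserPrincipalName": "alice@example.com",
     "SessionId": "sess-001", "IPAddress": "198.51.100.77", "DeviceId": "",
     "IsInteractive": False, "ResultType": "0"},
    # bob's session stays on one IP and one device: no finding.
    {"TimeGenerated": "2026-03-02T09:00:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-002", "IPAddress": "203.0.113.20", "DeviceId": "dev-laptop-02",
     "IsInteractive": True, "ResultType": "0"},
    {"TimeGenerated": "2026-03-02T09:20:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-002", "IPAddress": "203.0.113.20", "DeviceId": "dev-laptop-02",
     "IsInteractive": False, "ResultType": "0"},
    # A failed sign-in is irrelevant to replay hunting and must be ignored.
    {"TimeGenerated": "2026-03-02T09:30:00Z", "UserPrincipalName": "bob@example.com",
     "SessionId": "sess-003", "IPAddress": "192.0.2.5", "DeviceId": "",
     "IsInteractive": True, "ResultType": "50126"},
]


def _ts(record):
    """Parse the ISO-8601 timestamp (trailing Z means UTC)."""
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))


def find_session_anomalies(records):
    """Return one finding per session id that was used from more than one IP
    address or device. Only successful sign-ins (ResultType "0") count: a
    replayed cookie never produces a failed login, so failures carry no signal."""
    by_session = defaultdict(list)
    for r in records:
        if r["ResultType"] != "0" or not r["SessionId"]:
            continue
        by_session[r["SessionId"]].append(r)

    findings = []
    for sid, events in by_session.items():
        events.sort(key=_ts)
        ips = {e["IPAddress"] for e in events}
        devices = {e["DeviceId"] for e in events}
        if len(ips) > 1 or len(devices) > 1:
            findings.append({
                "SessionId": sid,
                "User": events[0]["UserPrincipalName"],
                "IPs": sorted(ips),
                "Devices": sorted(devices),
                "FirstSeen": events[0]["TimeGenerated"],
                "LastSeen": events[-1]["TimeGenerated"],
                # The interactive sign-in that minted the session is the
                # context every later non-interactive use is compared against.
                "MintedFrom": next((e["IPAddress"] for e in events if e["IsInteractive"]), None),
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

The join of interactive and non-interactive sign-ins matters: the minting sign-in is interactive, but the replayed cookie mostly shows up as non-interactive token use, so hunting either table alone misses the context switch.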
first thing i do when a host i depend on posts something like this
1. pull audit logs for the last 30 days
2. grep for commits from IPs i don't recognize
3. rotate every PAT with write scope
4. enable required 2FA on the org if it isn't already
not paranoid, just cheap insurance
A sophisticated and multi-layered attack by the threat actor tracked by Microsoft as Storm-2949 demonstrates how a single compromised cloud identity could lead to a full-scale organizational breach. https://t.co/s1MMx0fI4L
Relying on social engineering and abusing legitimate administrative tools, Storm-2949 moved laterally across cloud resources and endpoints without using traditional malware, quietly exfiltrating large volumes of sensitive data.
This stealthy attack underscores the importance of strong identity protections, least-privilege access, and unified visibility across environments. Read the latest Microsoft Defender Research blog for guidance on detecting and containing multi-stage attacks before they escalate.
A sophisticated, state-sponsored intrusion observed in early 2026 appeared to be a standard Chaos ransomware attack.
Forensic analysis has since unmasked it as a false flag attempt, linking the incident to the Iranian APT #MuddyWater.
More in a new blog: https://t.co/CaXPvXl0pj
MICROSOFT OPEN-SOURCED THEIR ENTIRE SENTINEL SECURITY TOOLKIT
most teams building on azure figure out threat detection the hard way
trial and error, custom KQL, dashboards built from nothing, playbooks written by hand
nobody told them it was already done
the sentinel github repo has:
▫️ 1000+ pre-built threat detection rules
▫️ hunting queries for active threat investigation
▫️ automated response playbooks
▫️ security workbooks + dashboards
▫️ data connectors for 100s of sources
the hard part was already done
https://t.co/VHbH2pIRRe
Chinese LLMs can hack better than state-sponsored hackers with properly evolved harness -
Kimi K2.5 managed to find and exploit 6 vulnerabilities in browsers: a single page view or an extension install by victims equal full system hijack.
Check https://t.co/d0SZSf1KqF
This is very good malware.
This is solid-solid-SOLID B+ malware, very close to A- malware.
APT37 is using an old-school playbook. They're doing EPO (Entry Point Obfuscation) on a self-delivered binary for evasion. They also unironically are using something akin to cavity infection ... but on themselves. This is something you saw more in the Windows 95 - Windows XP era, not something you see in 2026.
Very cool. I respect it.
The multi-staged fragmentation of shellcode phases is also really, really, really cool. This is (once again) a more old-school technique usually reserved for infected binaries, not self-delivered binaries.
Despite all of these super cool features, APT37 shoots themselves in the foot immediately.
- EAT walking for Kernel32 functionality (???)
- XOR decryption is a huge red flag
- Allocating with PAGE_EXECUTE_READWRITE (???)
- Hardcoded OAuth token (???)
- Used external dependency for AES (???)
Why not use NT functionality to hook evasion? XOR is easily identified in static analysis, why XOR? Allocating memory with VirtualAlloc with RWX is a MASSIVE RED FLAG. They also hardcode an OAuth token ... they can multi-stage a shellcode payload with old-school malware techniques but hardcode AN OAUTH TOKEN?
It unironically makes me wonder if they had one old-head malware guy working on it, then they had some newer dude do the non-hardcore stuff. There is a huge gap in skill sets here.
Or the old-head hasn't kept up to date on malware stuff since 2005... or they got lazy... I don't know, really weird.
.@joswr1ght just announced a 720-page modern incident response book. 18 months in the making. The first comprehensive update to foundational IR frameworks since 2001. Released to the community for free. “Someone asked me, ‘Do you like writing?’ I say, ‘No, I like having written.’ That’s a different thing altogether. But I wrote this book because I kept seeing the same problems over and over again.” This is what giving back looks like.
➡️ Details in the RSAC deep dive: https://t.co/0XGzso8Yfz
@OneRSAC | #RSAC #Cybersecurity #ThreatIntel #IncidentResponse
Chinese cyber threat actor, almost certainly Mustang Panda, launched an espionage campaign against Persian Gulf countries exactly 24 hours after the US-Israeli strikes on Iran began. The cyber operators were ready. The decryption key is literally the war's start date.
The attack uses a lure disguised as a PDF showing missile strikes on a US base in Bahrain - the kind of thing genuinely circulating at the time. Upon opening the file, a chain of components installs a backdoor PlugX. Multiple decoy layers, encrypted payloads, obfuscation designed to make reverse-engineering difficult. It reliably phones home via encrypted HTTPS, using Google's DNS to hide even that traffic.
The decryption key baked into the malware is 20260301@@@.
The popular phishing-as-a-service (PhaaS) platform used by threat actors, #Tycoon2FA, has been disrupted by law enforcement and private sector partners including @Microsoft, @Europol, Proofpoint, @Cloudflare, and @trendaisecurity.
Details in our blog: https://t.co/lSNVnduL9y
Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT).
A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar. This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution. It evaded detection by deleting the initial downloader and by adding Microsoft Defender exclusions for the RAT components. It also added persistence using a scheduled task and startup script named world.vbs. Finally, it deployed the final payload, a multi-purpose malware that acted as loader, runner, downloader, and RAT.
The RAT connected to the IP address 79.110.49[.]15 for command and control (C2), enabling threat actors to perform various actions like data theft and additional payload deployment.
Microsoft Defender detects the malware and malicious behavior observed across the attack chain. To defend against this threat, follow these recommendations:
- Block/monitor outbound connections to listed domains/IP addresses and alert on downloads of java[.]zip or jd-gui.jar from non-corporate sources.
- Hunt for the related processes and components.
- Audit Microsoft Defender exclusions and scheduled tasks for random names; remove malicious tasks and startup scripts.
- Isolate affected endpoints, collect endpoint detection and response (EDR) telemetry, and reset credentials for users active on compromised hosts.
Indicators of compromise:
- decompiler.exe (SHA-256: 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb)
- jd-gui.jar (SHA-256: a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5)
- worldview.db-wal/StandardName.exe (SHA-256: 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f)
- world.vbs (SHA-256: 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36)
- powercat[.]dog:443; remote IP 79.110.49[.]15
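The "hunt for the related processes and components" and "audit exclusions and scheduled tasks" steps above, as an added example that is not Microsoft's code: a Python sweep that refangs the published network indicators, matches SHA-256 values and file names from the post against endpoint events, and flags the two behaviours the post calls out (Defender exclusions being added, a scheduled task launching a .vbs startup script). The indicator values are the ones listed in the post; the key=value log-line format and the sample events are constructed, not Defender's real schema.

```python
"""Sweep endpoint telemetry for the indicators and behaviours in the post
above. Indicator values are the ones the post lists; the log lines are a
constructed, simplified key=value format, not Microsoft Defender's own schema.
"""
import re

# SHA-256 indicators from the post, mapped to the file name they belong to.
IOC_HASHES = {
    "48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb": "decompiler.exe",
    "a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5": "jd-gui.jar",
    "4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f": "worldview.db-wal/StandardName.exe",
    "65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36": "world.vbs",
}
# Network indicators as published (defanged so they cannot be clicked).
IOC_NETWORK = ["powercat[.]dog", "79.110.49[.]15"]
# File names the post says to alert on when seen from non-corporate sources.
IOC_FILENAMES = ["java.zip", "jd-gui.jar", "world.vbs"]

HASH_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def refang(indicator):
    """Turn a defanged indicator ('79.110.49[.]15') back into a matchable string."""
    return indicator.replace("[.]", ".")


# Constructed sample telemetry (not real logs). One event per line.
SAMPLE_EVENTS = [
    r"ts=2026-03-02T10:00:01Z type=ProcessCreate image=C:\Users\u\Downloads\Xeno.exe sha256=" + "a" * 64,
    r"ts=2026-03-02T10:00:09Z type=FileCreate path=C:\Users\u\AppData\Local\Temp\jd-gui.jar "
    r"sha256=a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5",
    r"ts=2026-03-02T10:00:15Z type=NetworkConnect image=C:\Users\u\AppData\Local\Temp\java\bin\java.exe dst=79.110.49.15:443",
    r"ts=2026-03-02T10:00:20Z type=DefenderExclusionAdded path=C:\Users\u\AppData\Roaming\worldview",
    r"ts=2026-03-02T10:00:25Z type=ScheduledTaskCreated name=Ue8sdk2 action=wscript.exe C:\Users\u\AppData\Roaming\world.vbs",
    r"ts=2026-03-02T10:01:00Z type=NetworkConnect image=C:\Users\u\AppData\Local\Temp\java\bin\java.exe dst=powercat.dog:443",
    r"ts=2026-03-02T10:05:00Z type=NetworkConnect image=C:\Program Files\Browser\browser.exe dst=update.example.com:443",
]


def hunt(events):
    """Return a list of {'line', 'reason'} findings: hash, file-name and network
    IoC matches plus the behaviours the post calls out."""
    network = {refang(i).lower(): i for i in IOC_NETWORK}
    findings = []
    for n, line in enumerate(events, 1):
        lower = line.lower()
        m = HASH_RE.search(line)
        if m and m.group(1).lower() in IOC_HASHES:
            findings.append({"line": n, "reason": f"sha256 matches IoC {IOC_HASHES[m.group(1).lower()]}"})
        for name in IOC_FILENAMES:
            if name in lower:
                findings.append({"line": n, "reason": f"file name IoC {name}"})
        for plain, published in network.items():
            if plain in lower:
                findings.append({"line": n, "reason": f"network IoC {published}"})
        if "type=defenderexclusionadded" in lower:
            findings.append({"line": n, "reason": "Defender exclusion added (audit per the post)"})
        if "type=scheduledtaskcreated" in lower and ".vbs" in lower:
            findings.append({"line": n, "reason": "scheduled task launching a .vbs startup script"})
    return findings


def flagged_lines(events):
    """Distinct line numbers that produced at least one finding."""
    return sorted({f["line"] for f in hunt(events)})


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"line {f['line']}: {f['reason']}")
```

Matching on behaviour as well as on the listed hashes is the point: the post's RAT components can be rebuilt with new hashes, but an exclusion being added to Defender or a scheduled task pointing at a .vbs in a user profile is the same tell regardless of the sample.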
Notepad++ compromised (long pedantic version so nerds shut up)
- Notepad++ update infrastructure was compromised
- Notepad++ suspects it is the Chinese government
- No evidence provided currently demonstrating why they suspect it was the Chinese government
- Only "select targets" were delivered malicious Notepad++ from update infrastructure
- No information is provided who "select targets" were
- No information provided why they believe it was selective
- No information on what was delivered to "selective targets"
- Compromise timeline blurry
- "Incident began" JUNE, 2025
- Hosting infrastructure says "September 2, 2025"
- Attackers maintained access until "December 2nd, 2025"
- Notepad++ states they believe compromise was JUNE THROUGH DECEMBER, conflicting with hosting provider
- No analysis released yet on "exact technical mechanism"
- No IoCs (Indicator of compromise) released
I just solved the strangest tech problem I've ever come across.
My wifi kept dropping packets, confirmed by ping. It would look something like the first image (packets dropping, then it comes back to life). After a while the connection would just stop working completely and drop all packets. If I turned my wifi off and on again, it would resume working normally.
I thought this was a problem with my router, cables or ISP, so I went through the usual troubleshooting processes: checking settings, swapping cables, powercycling, etc. nothing worked.
Eventually I started noticing that it would only happen when I sat in my office. I was taking a video meeting and it kept dropping segments of audio, making it hard to understand the other person.
I unplugged my laptop from my monitor + keyboard because I wanted to try walking into another room. Immediately, the video started working perfectly.
I thought it was because I was a few steps closer to my router - but that didn't really make sense because the router had always worked fine from that location.
I started thinking about what I'd changed in my desk setup recently, the only thing I could think of was when I changed from using a USB-C <-> DP cable for my monitor, to using a HDMI <-> HDMI cable.
I tried plugging my screen back in. Immediately, the packets started dropping. I unplugged it, the dropping stopped.
It turns out my HDMI cable doesn't have enough shielding, so it was jamming my own WiFi signal with radio frequency interference 🤯
I unrolled the HDMI cable that was sitting behind my laptop and draped the main length of the cord down behind my desk, and now my internet works perfectly.
Apparently this is a fairly common issue?!
Coding a TCP/IP stack.
A series of posts that explore the fundamental link-layer protocols with minimal C implementation to process Ethernet frames and ARP requests.
Nicely done, Sami Niiranen (@saminiir)
1st post: https://t.co/qgPbZgd3qN
#redteam #maldev
Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. https://t.co/d5Dr5fdNcE @Google