After Microsoft fixed BlueHammer, another Windows Defender privesc showed up: RedSun.
What makes this one interesting is that it’s not a classic memory corruption or logic bug. It looks more like Defender doing something… unexpected.
When Defender flags a file as malicious and it has a cloud verdict attached, it can end up writing that file back to its original location instead of removing it. If you can control that file and trigger the right behavior, you basically get Defender to write data for you with its elevated privileges.
The RedSun PoC shows that this can be abused to overwrite system files and escalate privileges to SYSTEM.
We took a closer look at the exploit and built detections. We’re publishing:
- Sigma rules covering different stages of the chain
- a YARA rule for the PoC
All rules are free on GitHub and also included in the free THOR Lite and THOR Lite Cloud scanner.
Sigma rules: https://t.co/w2jtiDzW4f
by @swachchhanda
YARA rule: https://t.co/vBNQkZhele
by @cod3nym
Hunting RedSun 🌞
Inspired by the Nightmare‑Eclipse RedSun PoC, I’ve expanded my BlueHammer KQL detection to uncover Defender’s behavioral blind spots.
Sharing my DefenderXDR hunting logic with the community — evolving the path from BlueHammer to RedSun.🎯
KQL Code: https://t.co/YK5EimNR2a
#CyberSecurity #RedSun #DetectionEngineering #DefenderXDR
@banthisguy9349 @UK_Daniel_Card Use JA4+ when it makes sense to do so. Check for reuse of custom favicon files from actor infra. Not secret by any means, but it has borne fruit at times.
A single hypervisor breach can put hundreds of virtual machines at risk.
We’ve seen Akira and others shift to ESXi/Hyper-V for mass impact.
✅ They use legit tools (like openssl)
✅ Bypass EDR
✅ Encrypt VMDKs directly
📃 @RussianPanda9xx @Purp1eW0lf
https://t.co/nWxBC2Tb65
Six years ago I wondered how we would enable scanning of end-to-end encrypted messages without destroying security and introducing trusted parties everywhere. Now in 2025, I realize the answer is: we’re going to introduce trusted parties everywhere.
This appears to be a key compromise.
Lydsec creates Keypasco, a MFA handling solution for enterprise and mobile.
The stolen key (not EV, no hardware token) was used to sign CobaltStrike.
It's not known how or by whom the key was acquired, or what other damage was done.
New in Wirebrowser: Breakpoint-Driven Heap Search (BDHS) — step-out debugging + temporal heap snapshots to identify the user-land function where a JavaScript value is created, even across async boundaries.
Writeup: https://t.co/1pQAUX5zlj
LAC's Cyber Emergency Center describes a PlugX campaign by a China-based attack group targeting Japanese transport firms & their subsidiaries. The report analyses new PlugX variants MetaRAT and Talisman PlugX, and expands on findings first shared at VB2025 https://t.co/n5ZxOArZem
I have spent some time this past day investigating the NodeJS source code and what a typical process tree from a React/Next.js app looks like.
If you are building detections for React2Shell, give this a read, as it'll help you identify the right strings to use to filter down FPs and what anomalous activity might look like.
https://t.co/pSSYRFir6O
@APTease IMO, Matt Walsh is a hateful person who resorted to trickery to film “what is a woman”, used to increase oppression on the trans community. Seeing his work get quoted is troubling. I’m thankful for the great yara work that Florian does but can live without this type of comment.
"Offense and defense aren't peers. Defense is offense's child." - @JohnLaTwC
We built an LLM-powered AMSI provider and paired it against a red team agent. Then, @0xdab0 wrote a blog about it: https://t.co/TTehwMdofs
A few observations from the experiment:
>>> To advance, we must generate unique, ground-truth datasets.
>>> Defenses will need to live at the edge.
>>> The real potential lies in the interaction between red and blue.
>>> This is a blueprint for generative adversarial reinforcement learning.