Sharing a sneak peek of a new feature exclusive to the upcoming Evilginx Phishlets 2.0 format. 🧐
Here is how chained rewrites allow you to downgrade FIDO MFA when phishing M365 accounts. 🪝🐟
The power of Phishlets 2.0 will hopefully blow you away! 💥
We're mostly an IDA shop at @CellebriteLabs, but I decided to play around with Ghidra. My main motivation was to experiment with agentic reverse engineering techniques. The result is an agent skill for Ghidra, which we are releasing publicly:
https://t.co/mPrNFR8mOq >>
Round two!
Yesterday was one report, here’s another: an unpatched NTLM coercion via the Windows Search (search-ms://) URI handler.
Same questions about how it got handled. It’s all in the writeup, timeline included.
https://t.co/eMbyEGbx8b
… we’ve determined the appropriate path forward is to not pay the ransom.
As part of Grafana Labs’ standard security practices, we will share additional information from our post-incident review when our investigations are complete. (6/6)
Another Windows zero day released by Nightmare Eclipse (sort of)
It turns out Microsoft just straight up didn't patch an old CVE from 2020 correctly.
https://t.co/sNWBtTo4at
Yippie
Two new Microsoft Windows 0days. The exploits have cool and badass mysterious names to be extra spoopy
- GreenPlasma: Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability
- YellowKey: Bitlocker Bypass Vulnerability
https://t.co/VaWFtW5lFi
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github.
Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak.
https://t.co/D3dg5iTuwP
https://t.co/2zyr1ds4Mo
Reproducing a Double Free RCE in Apache CVE-2026-23918 on the most used software on the internet with one prompt that costs like $0.001 via DeepSeek is scary as hell.
Now, anyone with zero knowledge can hack the internet.
(Not default installs though. You need mod_http2 enabled.)
🚨 BREAKING: Hackers are now exploiting the cPanel authentication bypass flaw (CVE-2026-41940) to deploy "Sorry" ransomware on compromised websites.
Numerous sources say attacks began Thursday, with threat actors breaching servers and deploying a Go-based Linux encryptor that appends the .sorry extension to files.
What the ransomware does:
🔴 Encrypts files and appends the ".sorry" extension.
🔴 Protects the encryption key with an embedded RSA-2048 public key
🔴 Drops a README.md ransom note in every folder
🔴 Uses a fixed Tox ID for ransom negotiations
Victims are being instructed to contact the attacker via Tox to pay for decryption.
This is not related to the older 2018 HiddenTear ".sorry" ransomware. This is a new, Linux-targeting encryptor tied directly to active cPanel exploitation.
If you're running cPanel or WHM, patch immediately.
He began by replicating Mythos findings with his specialized harness.
Then went on to find more critical novel zero days in open source code that he can't share yet because they're not fixed.
TL;DR - harnesses are where the magic is. https://t.co/e8jhbktBKQ
🚨 BREAKING: Wiz Research discovered Remote Code Execution on https://t.co/SvN2lGsnbO with a single git push
The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
We've launched a new @WebSecAcademy topic on exploiting AI-powered security scanners! Learn how to use indirect prompt injection to steal data, cause damage & trigger exploit chains!
Despite 271 bugs massacred by Anthropic, our renderer rce and sbx escape alive and well ready unless there is sudden patch before p2o ( mean we dont have enough time for prepare new one ) - wish us luck!
https://t.co/3oTRESGt5r