Vulnerability reporting for public-facing applications and networks of Telecommunication service providers, Broadcast, Print (Newspaper) and Postal service providers operating in Singapore
https://t.co/M49dEWeoX1
Someone released what is basically an offline VirusTotal without burning your payload: a security researcher reverse-engineered four major EDRs (SentinelOne, Cortex XDR, CrowdStrike, and Sophos) and extracted their detection logic from on-disk agent binaries, ML models, YARA rules, and behavioral scripts.
The project rebuilds the kernel telemetry stack those products run on, including Windows process, thread, registry, and handle callbacks plus a file-system minifilter. It even reconstructs access to the ETW Threat Intelligence provider that Windows normally reserves for protected anti-malware processes. Thus, both the detection rules and the sensor layer can be replicated outside the vendor’s agent.
@rekdt We detonate them in a malware lab with our EDR enabled. No way company will allow us to detonate it on our workstations, haha
In general, we find that it's working, and improvements are required
This is big! Sentinel workbooks support Advanced Hunting queries.
No need to forward the data to Sentinel anymore to get dashboarding capabilities. This is also great to combine Sentinel and Advanced Hunting logs in a single view.
Yesterday saw a new Clickfix variant:
Google search > click on compromised website > fake CAPTCHA > copy & paste WebDAV command into Run box
@HackingLZ With low to no-code, it's possible. They probably use it for simple automation stuff. Handled numerous incidents related to those. And AI will allow them to do more complex stuff. Bless the IR teams when BUs do that
@Kostastsale Not 100% sure for now, but I've seen variants that drop ScreenConnect, UltraVNC and/or Splashtop
Splashtop seems to be less consistently dropped, but other known RMMs are
Probably will take a closer look during my free time
Microsoft just laid out a new way to keep enterprise software growing in an AI-heavy workplace: charge AI agents for software seats the same way companies pay for human employees.
The old SaaS model was easy: a company buys 1 license for 1 worker, so revenue rises when headcount rises.
AI agents threaten that model because 1 person might supervise 10 or 50 agents, which makes investors ask why a company would still need to pay for many separate licenses.
So Microsoft executive Rajesh Jha’s answer is that an agent may become its own software user, with its own identity, login, email, permissions, and access to tools, which turns each agent into a possible paid seat.
It shifts the pricing logic from “how many humans work here” to “how many active digital workers operate inside the company.”
Basically his logic is, once an agent can read messages, call apps, update records, and take actions on its own, software systems may need to track it as a distinct actor for security, auditing, and workflow control.
That gives Microsoft, Salesforce, and Workday a path to defend seat-based pricing even if AI reduces human hiring.
---
businessinsider.com/microsoft-executive-suggests-ai-agents-buy-software-licenses-seats-2026-4
i’m fucking crying 😭 this guy installed a malware that keeps redirecting his queries through Yahoo, and vibe coded an extension that redirects Yahoo to Google, probably not understanding that he has malware 😭 😭
https://t.co/dpbEZbIIfE
First few minutes of first episode saw victims being smuggled into Thailand.
Filmed before scam compounds were widely reported.
Looks exciting to watch
@HackingLZ The other recommendations are not specific to secure coding, which Mythos and other AI agents and models are targeting. They are still key protections you need to have though, once attackers have breached the app
@hetmehtaa This seems like a type of pentest firm I've seen from experience - one that does VA scans, but billed as pentest.
I will ask for a real pentest next, and some of them will not be able to do it due to lack of expertise or simply say it's out of scope, lol.
@miaaowing @big_dog87 It still doesn't have the number row on top, although some Google searches suggest it does.
I tried it out, and no number row.
All the screenshots with it are a scam
TeamPCP msbuild.exe Malware Analysis
Here is a breakdown of the execution chain, featuring EDR bypasses and steganography.
🛡️ 1. Evasion
• Dynamic SSN Resolution: The malware resolves native API functions (e.g., ZwAllocateVirtualMemory, NtProtectVirtualMemory) by matching their DJB2 hashes to dynamically extract their Syscall Service Numbers (SSNs).
• Trampoline Syscalls: To bypass EDR user-land hooks, it then searches the ntdll.dll .text section for the first occurrence of a clean syscall; ret gadget (0x0f05C3), typically finding it inside NtAccessCheck.
• Custom Syscall Stubs: Finally, it uses the extracted SSNs with custom syscall stubs. These stubs load the appropriate registers and jump to the located ntdll.dll gadget, cleanly executing indirect syscalls from a legitimate memory region.
• ETW Blinding: Neutralizes telemetry by patching the first instruction of EtwEventWrite with 0xC3 (ret).
🖼️ 2. Steganography
• Spawns a suspended dllhost.exe child process.
• Extracts the Adaptix C2 payload (shellcode loader + payload) embedded into the Red, Green, and Blue color channels of the image, while locking the Alpha (transparency) channel to fully opaque (FF).
• Writes the payload directly into an allocated buffer in dllhost.exe.
💉 3. Injection
• Instead of relying on one method, it sequentially tries multiple techniques to execute the payload in dllhost.exe:
1️⃣ APC Injection: NtQueueApcThread, NtResumeThread
2️⃣ Thread Execution Hijacking: ZwGetContextThread, ZwSetContextThread, NtResumeThread
3️⃣ Remote Thread Injection: NtCreateThreadEx, NtResumeThread
(Note: APIs for process hollowing and doppelgänging are also present but remain unused).
📡 4. Adaptix C2 Payload
• C2 URL: checkmarx[.]zone/telemetry/checkmarx.json (Defanged)
• Exfiltration: HTTP POST requests using the X-Content-ID header for encoded/encrypted data.
• User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0
🔬 5. IOCs
• Analyzed Sample: https://t.co/Xq8Jh5ngJq
• Related Sample: https://t.co/W65u77Abec
Overall, a nice mix of methods, but nothing novel.
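As an added detection example (not code from the original post or the analyzed sample), the chain above can be hunted by correlating, per target process, a suspended dllhost.exe child, a remote memory write, and one of the three listed API sequences. It assumes a constructed key=value trace format and a hypothetical "CreateProcess" event with a "suspended" flag; real EDR telemetry field names will differ.

```python
from collections import defaultdict

# The three execution sequences listed in the post, in call order.
INJECTION_SEQUENCES = {
    "APC Injection": ("NtQueueApcThread", "NtResumeThread"),
    "Thread Execution Hijacking": ("ZwGetContextThread", "ZwSetContextThread", "NtResumeThread"),
    "Remote Thread Injection": ("NtCreateThreadEx", "NtResumeThread"),
}
WRITE_APIS = {"NtWriteVirtualMemory", "ZwWriteVirtualMemory"}

# Constructed sample trace (hypothetical format: pid=<src> api=<name> target=<pid> ...).
SAMPLE_TRACE = [
    "pid=1000 api=CreateProcess image=C:\\Windows\\System32\\dllhost.exe suspended=1 target=4242",
    "pid=1000 api=NtAllocateVirtualMemory target=4242",
    "pid=1000 api=NtWriteVirtualMemory target=4242",
    "pid=1000 api=NtQueueApcThread target=4242",   # technique 1 attempted first
    "pid=1000 api=NtResumeThread target=4242",
    "pid=1000 api=ZwGetContextThread target=4242", # then technique 2
    "pid=1000 api=ZwSetContextThread target=4242",
    "pid=1000 api=NtResumeThread target=4242",
    # Benign: a suspended dllhost.exe that is simply resumed, with no remote write.
    "pid=2000 api=CreateProcess image=C:\\Windows\\System32\\dllhost.exe suspended=1 target=5555",
    "pid=2000 api=NtResumeThread target=5555",
]

def parse_event(line):
    """Parse one key=value record of the constructed trace format."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(call == want for call in it) for want in needle)

def detect_injection(lines):
    """Return {target_pid: [technique, ...]} for suspended dllhost.exe children that
    received a remote write followed by one or more of the listed API sequences."""
    suspended = set()            # target pids spawned suspended as dllhost.exe
    written = set()              # target pids that received a remote memory write
    calls = defaultdict(list)    # target pid -> ordered list of API names
    for line in lines:
        ev = parse_event(line)
        api, target = ev.get("api"), ev.get("target")
        if api == "CreateProcess" and ev.get("image", "").lower().endswith("dllhost.exe") \
                and ev.get("suspended") == "1":
            suspended.add(target)
        elif api in WRITE_APIS:
            written.add(target)
        elif target:
            calls[target].append(api)
    findings = {}
    for pid in suspended & written:
        hits = [name for name, seq in INJECTION_SEQUENCES.items() if is_subsequence(seq, calls[pid])]
        if hits:
            findings[pid] = hits
    return findings
```

Because the sample tries techniques sequentially, the detector reports every sequence that matches rather than stopping at the first.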
🐈⬛Meet nsa[.]cat
Kudelski's IR writeup is flying under the radar, and it's the first with TeamPCP post-exploit IOCs you can hunt
TruffleHog scans led back to an attacker VPS hosting not just this file share, but target lists & MinIO storage
This is one to read 🧵
#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse. https://t.co/fHOclYAGGn 1/6
Let me explain what just happened, because I don’t think people realize how INSANE this is.
> Cortical Labs put 200,000 real human brain cells onto a silicon chip and trained them to play Doom in just one week.
> Each CL1 system costs $35,000.
> A rack of 30 units consumes only 850–1,000 watts combined.
> The human brain operates on 20 watts.
> Large AI training clusters burn through megawatts.
> Backed by In-Q-Tel.
115 units began shipping in 2025.
> Cortical Labs is selling “Wetware as a Service” through Cortical Cloud, letting developers deploy code remotely to living human neurons with no lab required,
> priced like a software subscription but powered by real brain cells grown from adult skin and blood samples.
> it isn’t about gaming, it’s about biological computing that could eventually outperform traditional silicon in energy efficiency and adaptability.
This is getting really scary and we’re still at the very beginning.