An original English rewrite of Ghost Wolf Lab’s 2026-05-25 article on Protected Process Light (PPL) abuse. The piece maps Windows’ PPL trust hierarchy, walks three production techniques that turn WinTcb-Light binaries (WerFaultSecure, ClipUp, WaaSMedicSvc) into EDR-disabling primitives, and lays out a four-phase attack chain — BYOVD kernel kills, EDR-Freeze race condition, ClipUp-as-PPL-proxy, and unsigned WDAC policies — that defenders are seeing in the wild against Defender and Chinese antivirus stacks (360, Kingsoft, Tencent). Includes the original PPL inspection C program and a working Sigma rule.
Attacking Samsung RKP: Three Bypasses of EL2 Kernel Protection on Exynos Devices
An original English rewrite of Alexandre Adamski’s 2021 Impalabs deep dive into Samsung’s Real-time Kernel Protection (RKP). The post walks through three independent vulnerabilities — CVE-2021-25415, CVE-2021-25416 and CVE-2021-25417 — that let a kernel-level attacker remap hypervisor memory as writable, sneak executable kernel pages through the “dynamic load” interface, and modify RKP-protected read-only kernel memory. All credit for the research belongs to the original author and Impalabs.
UAC-0247 / UAC-0244: HTA-Borne Malware Hunts Ukrainian FPV Drone Operators
An original English rewrite of Robin Dost’s deep dive into UAC-0247 (now confirmed by CERT-UA as a continuation of UAC-0244): a multi-stage HTA → JavaScript → curl → updater.exe chain that ends in a syscall-resolving loader injecting EncryptedReverseShell into RuntimeBroker.exe. The campaign weaponises the Ukrainian humanitarian foundation UkrVarta as a lure against FPV drone operators, with infrastructure hosted at a Russian provider and OPSEC mistakes that leak the entire kill chain.
CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass
A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.
Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack
A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.
BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse
Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.
CVE-2026-28910: Breaking the macOS App Sandbox, TCC and Code Signing with Archive Utility
Mysk's research details CVE-2026-28910, a chain of three macOS design flaws that turns the built-in Archive Utility plus a single drag-and-drop into a sandbox-escaping, TCC-bypassing, app-hijacking primitive. The pb2au proof of concept compromises Notes, Messages, Mail, Safari, WhatsApp, Telegram, Signal Desktop and 1Password in under 30 seconds with no root, no password, and no special permissions. Patched in macOS 26.4 (March 2026); all earlier macOS Tahoe builds remained exposed for roughly five months.
RemotePE: Inside Lazarus’s In-Memory RAT and Its DPAPI-Keyed Three-Stage Loader Chain
Fox-IT (NCC Group) details RemotePE, a North-Korean Lazarus in-memory RAT delivered through a three-stage chain: DPAPILoader (environmentally-keyed first stage), RemotePELoader (HellsGate / ETW-patched HTTP beacon) and RemotePE itself, which never touches disk. The writeup walks AES-GCM C2, MSZIP-compressed command batches, the IConsole / IFileExplorer / IProcess command surface, infrastructure, MITRE ATT&CK mapping, and a full IOC set spanning July 2023 to May 2026.
CVE-2026-6068 — NASM Heap UAF Turns Into Persistent RCE Through a Dependency-File Symlink Trick
A heap use-after-free in NASM’s response-file parser (CVE-2026-6068) sounds boring — until the dangling pointer is reused as a filename for fopen(). Project SEKAI’s breakingbad turns it into a deterministic, supply-chain-style persistent RCE that overwrites the victim’s ~/.bashrc through a 120-character heap-spray label, a shipped symlink, and the unescaped shell metacharacters in NASM’s Makefile-style dependency output. No ASLR, NX, PIE, RELRO or stack-canary bypass needed. Still unpatched at disclosure.
Roundcube CVE-2025-49113: Authenticated PHP Object Deserialization to RCE in Open-Source Webmail
CVE-2025-49113 is a critical authenticated remote-code-execution flaw in Roundcube webmail — the default in cPanel, Plesk, and many hosting stacks — caused by insufficient validation of the _from upload parameter that lets attackers inject malicious PHP-serialized objects into session storage. The bug went undetected for nearly a decade and reportedly exposes more than 53 million hosts across all Roundcube 1.1.0–1.6.10 builds.