GhostTree abuses NTFS junctions to create recursive, near-endless valid paths. Recursive scanners and EDRs can hang in the maze while malware in the parent folder remains unchecked. Watch junction creation.
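The defensive point above is that a recursive scanner must key directories on identity, not on path, or a junction that points back up the tree yields an unbounded supply of "new" paths. The following is an added example, not GhostTree's code or any vendor's scanner: it builds a constructed tree with a directory link looping back to the root (a POSIX symlink standing in for an NTFS junction; on Windows `os.symlink` needs the symlink privilege, and `os.stat().st_ino` is the NTFS file index) and walks it with a `(st_dev, st_ino)` visited set plus a depth cap, so the loop is recorded once and the file sitting in the parent folder is still reached.

```python
import os
import tempfile


def scan_tree(root, max_depth=64):
    """Cycle-safe recursive scan.

    Follows directory links (the POSIX analogue of an NTFS junction) but keys
    every directory on (st_dev, st_ino), so a link that points back up the
    tree is recorded once and never descended into again. A depth cap is kept
    as a second guard. Returns (files_seen, paths_skipped).
    """
    seen = set()
    files = []
    skipped = []

    def visit(path, depth):
        st = os.stat(path)                 # follows the link to the real directory
        key = (st.st_dev, st.st_ino)       # identity of the directory, not its path
        if key in seen or depth > max_depth:
            skipped.append(path)           # loop or over-deep path: note it, do not enter
            return
        seen.add(key)
        with os.scandir(path) as it:
            for entry in sorted(it, key=lambda e: e.name):
                if entry.is_dir():         # follow_symlinks=True by default: links to dirs count
                    visit(entry.path, depth + 1)
                else:                      # regular file, or a dangling link
                    files.append(entry.path)

    visit(root, 0)
    return files, skipped


def basenames(paths):
    """Sorted basenames, for reporting and checking results."""
    return sorted(os.path.basename(p) for p in paths)


def build_loop_fixture():
    """Constructed sample tree (not a real GhostTree artefact).

    root/malware.bin is the file in the parent folder a scanner must still reach;
    root/maze/deep/back -> root is the loop that traps a path-based walker.
    """
    root = tempfile.mkdtemp(prefix="junction-loop-")
    deep = os.path.join(root, "maze", "deep")
    os.makedirs(deep)
    open(os.path.join(root, "malware.bin"), "w").close()
    open(os.path.join(deep, "note.txt"), "w").close()
    os.symlink(root, os.path.join(deep, "back"))   # junction/symlink analogue pointing at an ancestor
    return root


if __name__ == "__main__":
    fixture = build_loop_fixture()
    found, loops = scan_tree(fixture)
    print("files scanned:", basenames(found))
    print("loops skipped:", loops)
```

A scanner built this way still follows junctions into legitimate targets, but the second time it meets the same directory identity it stops, so the worst a GhostTree-style maze can cost is one extra `stat` per link. Pair it with the monitoring the summary recommends: junction creation in user-writable locations is rare enough to alert on.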
DLL Proxy Loading: Hijacking Legitimate DLLs for Code Execution
DLL proxy loading lets a fake DLL forward every expected export to the real one while running a payload inside a trusted process. This framework automates exports, trampolines, embedding, builds, and testing.
IoT Hacking: Abusing Printers to Compromise Active Directory
Printers are not harmless office boxes. Misconfigured LDAP, SMTP, SMB or SNMP can leak domain creds, enabling AD enumeration, relay attacks and lateral movement. Treat printers like real network assets.
Revisiting Two-Shot Kernel Shellcode Execution From Control Flow Hijacking
Linux CR Pinning was meant to stop old SMEP/SMAP bypass tricks, but this research shows a clever two-shot path back: abuse the tiny CR4 write gap with KProbes, register a handler, and execute kernel shellcode before fixup.
Automating MS-RPC vulnerability research
Automating MS-RPC research shows how NtObjectManager, dynamic RPC clients, fuzzing, canary tracing, ProcMon and Neo4j can map interfaces, test procedures, find crashes and uncover coercion-style Windows bugs.
NGINX Rift: The 18-Year-Old Rewrite Bug That Turned a Single HTTP Request into Potential RCE
NGINX Rift is a heap overflow in the rewrite module that may crash workers or enable RCE under specific configs. A public PoC exists, so patching and config audits are urgent.
HWMonitor Trojanized to Deliver Multi-Stage STX RAT via DLL Sideloading
A trojanized HWMonitor archive abuses DLL sideloading with a malicious CRYPTBASE.dll to launch multi-stage in-memory loaders and deploy STX RAT.
DLL Sideloading & Proxying for Advanced Red Team Engagements
A practical look at DLL sideloading and proxying: how attackers abuse trusted Windows executables to load malicious DLLs while keeping the app running normally.
From API Key to Server Takeover: How LiteLLM 1.83.14 Chained Secret Leakage and Jinja2 SSTI into RCE
A LiteLLM 1.83.14 exploit chain leaks the master key through callback metadata, then abuses GitLab prompt templates rendered with non-sandboxed Jinja2 to achieve server-side RCE.
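The second half of that chain is the generic Jinja2 SSTI failure: once attacker-controlled text is rendered by a plain `Environment`, the template can walk from any template-level object to `__builtins__` and run commands. The following is an added example, not LiteLLM's code or the exploit from the write-up: it renders a constructed payload in a plain environment (which executes `echo pwned`) and then in `SandboxedEnvironment`, which refuses underscore-prefixed attribute access and raises `SecurityError`. The `self` reference in the payload is the template's own `TemplateReference`; any object with a reachable `__globals__` would do.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed attacker-controlled template (not the LiteLLM payload): a classic
# Jinja2 SSTI gadget that reaches __builtins__ through a bound method's globals
# and imports os. The command is deliberately harmless.
PAYLOAD = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os')"
    ".popen('echo pwned').read() }}"
)


def render_unsandboxed(template_src, **ctx):
    """What an application does when it renders user-supplied prompt text with a
    plain Environment: the template has full Python object access, so PAYLOAD
    returns the output of the shell command."""
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src, **ctx):
    """Hardened form: SandboxedEnvironment rejects attribute access to names
    starting with an underscore (and other unsafe operations), so the same
    gadget chain dies at self.__init__ with SecurityError."""
    return SandboxedEnvironment().from_string(template_src).render(**ctx)


def sandbox_blocks(template_src):
    """True if the sandbox refuses to render the template."""
    try:
        render_sandboxed(template_src)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("plain Environment :", render_unsandboxed(PAYLOAD).strip())
    print("sandbox blocks it :", sandbox_blocks(PAYLOAD))
    print("benign still works:", render_sandboxed("Hello {{ name }}", name="operator"))
```

The sandbox is the supported mitigation when untrusted template text genuinely has to be rendered, but it is a defence-in-depth layer rather than a guarantee; the stronger fix is to treat user input as data passed into a fixed template, never as the template itself.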
One Newline to Own Exim: How a Tiny TLS/BDAT Use-After-Free Became Unauthenticated RCE
A deep dive into CVE-2026-45185: an unauthenticated Exim RCE where one stale TLS/BDAT ungetc() byte corrupts freed memory and leads to exploitation.