A practical survey of publicly available AI harnesses for offensive security research—RAPTOR, Anthropic’s reference harness, baby-naptime, Evil Socket’s Audit, and Visa’s VVAH—plus guidance on building your own orchestration pipeline with scoped context, validation gates, model routing, and RAG-backed memory.
Process Parameter Poisoning: EDR Evasion via Windows Process Startup Parameters
Process Parameter Poisoning (P3) is a stealthy process injection technique that abuses Windows startup parameters to transfer and execute code in a new process while avoiding common EDR-monitored APIs like WriteProcessMemory and VirtualAllocEx.
The Dark Side of WebAssembly: Cryptomining, Keyloggers, and Browser Exploitation
WebAssembly (WASM) unlocks near-native performance for compiled code inside the browser — and that same power has been weaponized by threat actors. This post surveys documented abuse patterns: in-browser cryptomining (Coinhive, Cryptonight), tech-support-scam social engineering, WASM-based keyloggers that evade JavaScript detection, and browser-exploitation shellcode loaders. Includes a proof-of-concept walk-through and a hardening checklist for security engineers.
Debugging the Pixel 8 Kernel via KGDB
A complete walkthrough of attaching GDB to a running Android kernel on a physical Pixel 8 via KGDB: USB-Cereal UART wiring, custom kernel build with kleaf patches, hardware watchdog suppression, interrupt-safe stepping macro, and GEF integration with custom ARM64 system-register extensions.
How to Use Ghidra to Analyse Shellcode and Extract Cobalt Strike Command & Control Servers
A complete walkthrough of loading, disassembling, and decompiling raw Cobalt Strike shellcode in Ghidra, resolving ROR13 API hashes via Google lookup and x32dbg debugging with BlobRunner, and extracting the embedded C2 server address.
Breaking eBPF Security: How Kernel Rootkits Blind Observability Tools
A kernel rootkit using ftrace hooks can selectively blind Falco, Tracee, GhostScan, and Decloaker simultaneously by intercepting the BPF iterator, ringbuffer, perf event, and map functions those tools depend on for kernel-to-userspace data delivery — without touching the eBPF programs themselves.
setresuid(⚡): Glitching Google’s TV Streamer from ADB to Root
Raelize B.V. researchers demonstrated a practical electromagnetic fault injection (EMFI) attack on Google’s TV Streamer 4K, corrupting the MT8696 SoC’s execution of the setresuid kernel syscall to bypass the CAP_SETUID capability check from an ADB shell. No hardware trigger was needed; a 0.3% per-attempt success rate at the optimal probe position delivered a root telnet shell. SELinux enforcement persisted, bounding the post-exploitation impact.
How I Ruined My Vacation by Reverse Engineering WSC
es3n1n built defendnot—a tool that deregisters any installed antivirus from Windows Security Center—over a four-day vacation in Seoul. This day-by-day diary traces every layer of WSC’s caller-validation stack: the initial access denied for unsigned callers, the Process Protection Level gate, the WinDefend SID token membership check in WscServiceUtils::CreateExternalBaseFromCaller, a failed impersonation detour, and finally the PE ForceIntegrity flag plus signature hash check in CSecurityVerificationManager::CreateExternalBaseFromPESettings—which Taskmgr.exe satisfies, making it the perfect injection host.
Building an Encrypted C2 Implant Using QUIC
R.B.C (g3tsyst3m) builds crudeRAT: a minimal Python C2 implant using QUIC (RFC 9000) as its transport. Starting from an unprivileged shell, the QUIC channel delivers TLS 1.3 encryption from the first packet, UDP-based transport that evades TCP-centric monitoring, bidirectional file transfer with tqdm progress bars, and shellcode execution via the EnumSystemLocalesW Windows API callback pattern. The article covers both server and implant code, the file transfer state machines, ALPN selection for operational engagements, and known limitations.
The QNAP Pattern: Systemic Security Failures in QTS Plugin Architecture
CVE-2026-34007 and CVE-2026-34008 expose a systemic pattern in QNAP QTS: header injection into shell_exec, hand-rolled SQL escaping, and unremapped container namespaces that turn a single pre-auth request into host root. The bugs are symptoms of platform architecture, not individual developer mistakes.










