The Dark Side of WebAssembly: Cryptomining, Keyloggers, and Browser Exploitation

The Dark Side of WebAssembly: Cryptomining, Keyloggers, and Browser Exploitation

WebAssembly (WASM) unlocks near-native performance for compiled code inside the browser — and that same power has been weaponized by threat actors. This post surveys documented abuse patterns: in-browser cryptomining (Coinhive, Cryptonight), tech-support-scam social engineering, WASM-based keyloggers that evade JavaScript detection, and browser-exploitation shellcode loaders. Includes a proof-of-concept walk-through and a hardening checklist for security engineers.

Debugging the Pixel 8 Kernel via KGDB

Debugging the Pixel 8 Kernel via KGDB

A complete walkthrough of attaching GDB to a running Android kernel on a physical Pixel 8 via KGDB: USB-Cereal UART wiring, custom kernel build with kleaf patches, hardware watchdog suppression, interrupt-safe stepping macro, and GEF integration with custom ARM64 system-register extensions.

setresuid(⚡): Glitching Google’s TV Streamer from ADB to Root

setresuid(⚡): Glitching Google’s TV Streamer from ADB to Root

Raelize B.V. researchers demonstrated a practical electromagnetic fault injection (EMFI) attack on Google’s TV Streamer 4K, corrupting the MT8696 SoC’s execution of the setresuid kernel syscall to bypass the CAP_SETUID capability check from an ADB shell. No hardware trigger was needed; a 0.3% per-attempt success rate at the optimal probe position delivered a root telnet shell. SELinux enforcement persisted, bounding the post-exploitation impact.

How I Ruined My Vacation by Reverse Engineering WSC

How I Ruined My Vacation by Reverse Engineering WSC

es3n1n built defendnot—a tool that deregisters any installed antivirus from Windows Security Center—over a four-day vacation in Seoul. This day-by-day diary traces every layer of WSC’s caller-validation stack: the initial access denied for unsigned callers, the Process Protection Level gate, the WinDefend SID token membership check in WscServiceUtils::CreateExternalBaseFromCaller, a failed impersonation detour, and finally the PE ForceIntegrity flag plus signature hash check in CSecurityVerificationManager::CreateExternalBaseFromPESettings—which Taskmgr.exe satisfies, making it the perfect injection host.

Building an Encrypted C2 Implant Using QUIC

Building an Encrypted C2 Implant Using QUIC

R.B.C (g3tsyst3m) builds crudeRAT: a minimal Python C2 implant using QUIC (RFC 9000) as its transport. Starting from an unprivileged shell, the QUIC channel delivers TLS 1.3 encryption from the first packet, UDP-based transport that evades TCP-centric monitoring, bidirectional file transfer with tqdm progress bars, and shellcode execution via the EnumSystemLocalesW Windows API callback pattern. The article covers both server and implant code, the file transfer state machines, ALPN selection for operational engagements, and known limitations.