Callback Hell: Abusing Callbacks, Tail-Calls, and Proxy Frames to Obfuscate the Stack

Callback Hell: Abusing Callbacks, Tail-Calls, and Proxy Frames to Obfuscate the Stack

klezVirus introduces frame swapping — a technique that hides Windows callback frames from EDR call-stack inspectors while preserving return value recovery. Building on thread-pool execution models and tail-call optimisation, the post develops a full callback-chain primitive that produces highly variable synthetic call stacks in n! orderings. Proof-of-concept and detection guidance included.

HDD Firmware Hacking

HDD Firmware Hacking Part 1

A first-principles deep-dive into dumping, analyzing, and patching hard drive firmware: Western Digital custom LZHUF decompression, Samsung SSD deobfuscation, JTAG debugging of a live HDD, vendor-specific ATA backdoor commands, and an ARM Thumb trampoline that hot-patches the DMA READ EXT handler in service-area overlay RAM.

Breaking Out of Chrome's Sandbox: A Native Messaging Backdoor Observed in Italy

Breaking Out of Chrome’s Sandbox: A Native Messaging Backdoor Observed in Italy

In June 2026, D3Lab documented an Italian-language phishing campaign that delivered a compound browser threat: a malicious Google Chrome extension paired with a Native Messaging Host, granting the attacker both browser-level data access and unrestricted PowerShell execution on the victim’s Windows system. The infection chain began with a JavaScript file disguised as a PDF invoice, used DLL side-loading via a signed Epic Games binary, and leveraged Chrome’s own enterprise policy keys to install the extension silently — no administrator credentials required.