klezVirus introduces frame swapping — a technique that hides Windows callback frames from EDR call-stack inspectors while preserving return value recovery. Building on thread-pool execution models and tail-call optimisation, the post develops a full callback-chain primitive that produces highly variable synthetic call stacks in n! orderings. Proof-of-concept and detection guidance included.
HDD Firmware Hacking Part 1
A first-principles deep-dive into dumping, analyzing, and patching hard drive firmware: Western Digital custom LZHUF decompression, Samsung SSD deobfuscation, JTAG debugging of a live HDD, vendor-specific ATA backdoor commands, and an ARM Thumb trampoline that hot-patches the DMA READ EXT handler in service-area overlay RAM.
Breaking Out of Chrome’s Sandbox: A Native Messaging Backdoor Observed in Italy
In June 2026, D3Lab documented an Italian-language phishing campaign that delivered a compound browser threat: a malicious Google Chrome extension paired with a Native Messaging Host, granting the attacker both browser-level data access and unrestricted PowerShell execution on the victim’s Windows system. The infection chain began with a JavaScript file disguised as a PDF invoice, used DLL side-loading via a signed Epic Games binary, and leveraged Chrome’s own enterprise policy keys to install the extension silently — no administrator credentials required.
Unprivileged Root via Use-After-Free in Linux DRM GEM change_handle (CVE-2026-46215)
CVE-2026-46215 is a use-after-free race in the Linux DRM GEM change_handle ioctl (v6.8–v6.14-rc2) that allows unprivileged LPE to root via pipe_buffer slab reclaim, FLINK-based KASLR leak, and DirtyPipe page-cache overwrite.
Disposable Tooling: Generating Mythic C2 Agents End-to-End With LLMs
A walkthrough of how an LLM, wrapped in a tiered build-and-test harness, can take a Mythic C2 agent from a one-paragraph spec all the way to a deployed, working implant — and what that means for defenders relying on static signatures.




