An English rewrite of Denis Laskov’s “Eye on Cyber” pointer to a USENIX Security 2025 paper by Onishi et al. The research shows that MEMS microphones, because of their PDM (Pulse Density Modulation) digital interface, radiate unintended EM signals that still carry the original audio. With nothing more than copper-foil-tape antennas, the authors recovered enough signal through a 25 cm concrete wall at 2 m to hit 93% speaker-recognition accuracy — a TEMPEST-class result for cheap consumer mics.
V2X2MAP: A $10 ESP32-C5 Board Plus an Android App Turns Live 802.11p V2X Traffic Into a Map
An English rewrite of Jean-Luc Aufranc’s May 25, 2026 CNX Software piece on V2X2MAP — an MIT-licensed Android app by Peter Holzhauser (Pit711) that pairs with a cheap Waveshare ESP32-C5 dual-band Wi-Fi board to receive the European ITS-G5 / 802.11p V2X stack and plot CAM, DENM, SPATEM and MAPEM messages on a live map. Includes the legal disclaimer carried inside the app and a defenders’ view of the privacy and detection implications.
Malware Development Essentials for Operators: From PEB Walking to Kernel-Mode DKOM
A long-form tutorial on Windows malware development for offensive operators. It walks from dynamic API resolution and IAT hooking through process hollowing, DLL injection (LoadLibrary, reflective, syscall-level), Early Bird APC injection with AES-encrypted shellcode (driving VirusTotal from 27/72 down to 5/72), and into a full Windows driver: IRP dispatch, kernel-mode DLL injection via image-load callbacks, DKOM process and driver hiding, token stealing from PsInitialSystemProcess, and kernel callbacks for blocking EDR. Hardcoded Windows 10 build 19041+ offsets included.
PPL Abuse: How Attackers Turn Windows’ Own Trust Anchors Into EDR Killers
An original English rewrite of Ghost Wolf Lab’s 2026-05-25 article on Protected Process Light (PPL) abuse. The piece maps Windows’ PPL trust hierarchy, walks three production techniques that turn WinTcb-Light binaries (WerFaultSecure, ClipUp, WaaSMedicSvc) into EDR-disabling primitives, and lays out a four-phase attack chain — BYOVD kernel kills, EDR-Freeze race condition, ClipUp-as-PPL-proxy, and unsigned WDAC policies — that defenders are seeing in the wild against Defender and Chinese antivirus stacks (360, Kingsoft, Tencent). Includes the original PPL inspection C program and a working Sigma rule.
Attacking Samsung RKP: Three Bypasses of EL2 Kernel Protection on Exynos Devices
An original English rewrite of Alexandre Adamski’s 2021 Impalabs deep dive into Samsung’s Real-time Kernel Protection (RKP). The post walks through three independent vulnerabilities — CVE-2021-25415, CVE-2021-25416 and CVE-2021-25417 — that let a kernel-level attacker remap hypervisor memory as writable, sneak executable kernel pages through the “dynamic load” interface, and modify RKP-protected read-only kernel memory. All credit for the research belongs to the original author and Impalabs.
UAC-0247 / UAC-0244: HTA-Borne Malware Hunts Ukrainian FPV Drone Operators
An original English rewrite of Robin Dost’s deep dive into UAC-0247 (now confirmed by CERT-UA as a continuation of UAC-0244): a multi-stage HTA → JavaScript → curl → updater.exe chain that ends in a syscall-resolving loader injecting EncryptedReverseShell into RuntimeBroker.exe. The campaign weaponises the Ukrainian humanitarian foundation UkrVarta as a lure against FPV drone operators, with infrastructure hosted at a Russian provider and OPSEC mistakes that leak the entire kill chain.
CVE-2024-27398: Exploiting a Linux Bluetooth SCO Use-After-Free with SMEP Bypass
A full walkthrough of CVE-2024-27398, a race-induced use-after-free in the Linux 6.8 Bluetooth SCO subsystem. The exploit races two connect() threads on the same SCO socket to orphan a delayed-work timer, reclaims the freed sock with add_key(), forges a valid DEBUG_SPINLOCK pattern in the spray payload, and uses an xchg eax, esp ; ret gadget to pivot the kernel stack into userspace — bypassing SMEP with pure ROP and overwriting modprobe_path to get root.
Callback Hell: Abusing Callbacks, Tail Calls, and Proxy Frames to Obfuscate the Stack
A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.
BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse
Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.
CVE-2026-28910: Breaking the macOS App Sandbox, TCC and Code Signing with Archive Utility
Mysk research details CVE-2026-28910 — a chain of three macOS design flaws that turns the built-in Archive Utility plus a single drag-and-drop into a sandbox-escaping, TCC-bypassing, app-hijacking primitive. The pb2au proof of concept compromises Notes, Messages, Mail, Safari, WhatsApp, Telegram, Signal Desktop and 1Password in under 30 seconds with no root, no password, and no special permissions. Patched in macOS 26.4 (March 2026); all earlier macOS Tahoe builds remained exposed for ~5 months.