External PCIe DMA cheats are hard because the cheat code runs on another PC. Detection must move to PCIe fingerprints, IOMMU faults, ACS topology, TPM attestation, VBS/HVCI, and layered trust checks.
Weaponized abuse of SYLK file format
SYLK is an ancient spreadsheet format, but Excel still supports it. GhostWolf Lab shows how .slk files can carry XLM macros, masquerade as CSV, bypass weak detections, and revive legacy macro abuse.
Exploiting CVE-2024-32002: RCE via git clone
CVE-2024-32002 turns git clone --recursive into RCE on case-insensitive filesystems. A crafted submodule + symlink can plant a Git hook in .git and execute code before review.
GhostTree: The NTFS Trick That Can Make Malware Disappear from EDR Scans
GhostTree abuses NTFS junctions to create recursive, near-endless valid paths. Recursive scanners and EDRs can hang in the maze while malware in the parent folder remains unchecked. Watch junction creation.
DLL Proxy Loading: Hijacking Legitimate DLLs for Code Execution
DLL proxy loading lets a fake DLL forward every expected export to the real one while running a payload inside a trusted process. This framework automates exports, trampolines, embedding, builds, and testing.
IoT Hacking: Abusing Printers to Compromise Active Directory
Printers are not harmless office boxes. Misconfigured LDAP, SMTP, SMB or SNMP can leak domain creds, enabling AD enumeration, relay attacks and lateral movement. Treat printers like real network assets.
Revisiting Two-Shot Kernel Shellcode Execution From Control Flow Hijacking
Linux CR Pinning was meant to stop old SMEP/SMAP bypass tricks, but this research shows a clever two-shot path back: abuse the tiny CR4 write gap with KProbes, register a handler, and execute kernel shellcode before fixup.
Automating MS-RPC vulnerability research
Automating MS-RPC research shows how NtObjectManager, dynamic RPC clients, fuzzing, canary tracing, ProcMon and Neo4j can map interfaces, test procedures, find crashes and uncover coercion-style Windows bugs.
NGINX Rift: The 18-Year-Old Rewrite Bug That Turned a Single HTTP Request into Potential RCE
NGINX Rift is a heap overflow in the rewrite module that may crash workers or enable RCE under specific configs. Public PoC exists, so patching and config audits are urgent.
HWMonitor Trojanized to Deliver Multi-Stage STX RAT via DLL Sideloading
A trojanized HWMonitor archive abuses DLL sideloading with malicious CRYPTBASE.dll to launch multi-stage in-memory loaders and deploy STX RAT.