R.B.C (g3tsyst3m) builds crudeRAT: a minimal Python C2 implant using QUIC (RFC 9000) as its transport. Starting from an unprivileged shell, the QUIC channel delivers TLS 1.3 encryption from the first packet, UDP-based transport that evades TCP-centric monitoring, bidirectional file transfer with tqdm progress bars, and shellcode execution via the EnumSystemLocalesW Windows API callback pattern. The article covers both server and implant code, the file transfer state machines, ALPN selection for operational engagements, and known limitations.
Callback Hell: Abusing Callbacks, Tail-Calls, and Proxy Frames to Obfuscate the Stack
klezVirus introduces frame swapping — a technique that hides Windows callback frames from EDR call-stack inspectors while preserving return value recovery. Building on thread-pool execution models and tail-call optimisation, the post develops a full callback-chain primitive that produces highly variable synthetic call stacks in n! orderings. Proof-of-concept and detection guidance included.
Disposable Tooling: Generating Mythic C2 Agents End-to-End With LLMs
A walkthrough of how an LLM, wrapped in a tiered build-and-test harness, can take a Mythic C2 agent from a one-paragraph spec all the way to a deployed, working implant — and what that means for defenders relying on static signatures.
Windows Sandbox .wsb HostFolder NTLM Leak: A New UNC Coercion Primitive for Initial Access
Windows Sandbox is supposed to be the safe place to open untrusted files — but the .wsb configuration file is parsed by the host long before the guest boots. The UNCagedSandbox research by 0xHossam shows that a MappedFolder whose HostFolder points to a UNC path coerces the host into authenticating over SMB, leaking NetNTLMv2 to an attacker. Networking=Disable and ReadOnly=true do not stop it. Here is how the primitive works, what triggers it, and how to detect and defend against it.
FUD Shellcode Stagers in Python: String Reversal, NT APIs and IAT Walking to Bypass EDR
Two Python shellcode stagers from g3tsyst3m that hit 0/63 on VirusTotal — Variant #1 uses string-reversed NT APIs (NtAllocateVirtualMemory, NtCreateThreadEx) plus RWX allocation; Variant #2 skips VirtualAlloc as a symbol entirely and walks the IAT of pythonXY.dll to dereference the live pointer the loader wrote at startup. Both source files reproduced verbatim, plus ten dynamic-analysis detection ideas for defenders.
LACUNA Chain: Ghost Frames Defeat Every Layer of EDR Call-Stack Detection
Mohamed Alzhrani’s LACUNA Chain combines BYOUD-Gap, the ETW-Ti APC window, win32u’s 1,242 NOP gaps, ntdll/kernelbase ghost functions, BYOUD-MF machine-frame RSP teleport, BYOUD-RT runtime calibration and hardware-breakpoint parameter encryption into a six-layer call chain that bypasses every EDR call-stack-based detection layer — verified against Bitdefender and Kaspersky in lab.
Autonomous Vulnerability Hunting with MCP: Inside a Self-Improving 0-Day Pipeline
Andy Gill’s ZephrSec write-up of an autonomous vulnerability hunting system built around Claude Code and the Model Context Protocol: 8 MCP servers, 300+ tools, a 5-VM Proxmox hunt range, a four-gate hallucination bin, a FAISS-backed RAG knowledge loop, and a bounty-intelligence ROI scorer. Already produced two assigned Go standard-library CVEs (CVE-2026-33809 in x/image/tiff, CVE-2026-33812 in x/image/font/sfnt), a four-stage OEM update-service chain ending in SYSTEM code execution on Windows 11 25H2, and two macOS findings, with multiple Windows LPEs/RCEs/UAFs in progress. Faithful walkthrough with all source assets reproduced.
Hunting Active Directory Honeypots: Reading lastLogon as a Decoy Oracle
Decoy accounts in Active Directory look legitimate at the schema level but cannot fake behavioural history. This walkthrough shows how to read lastLogon = 0 over SAMR as a high-confidence honeypot oracle, with a full sam_honeypot_enum.c implementation reproduced from CYPFER.
DCOMIllusionist — Fileless Windows Lateral Movement via .NET DCOM Server Deserialization
Synacktiv’s open-source DCOMIllusionist takes James Forshaw’s .NET DCOM deserialization primitive — the same one that seeded the “Potato” family — and turns it into a polished, fileless C# lateral-movement tool. With local admin on both sides, it remotely re-configures the registry to expose a .NET CLSID over DCOM, forces an IManagedObject::GetSerializedBuffer round-trip, and deserialises a payload directly into the target process — in-memory DLL load, cross-session command execution, or NTLM relay via an HTTP gadget, no files on disk.
Vulnerabilities in Enterprise Audiovisual Hardware — Aver Cameras and Crestron TSW-1060 Tablets
Meeting-room cameras and conference-room tablets are some of the least-monitored, most insecurely-configured attack surfaces in an enterprise. Spaceraccoon (Eugene Lim) walks through an unauthenticated RCE in Aver PTC320UV2 cameras (CVE-2026-26461), a command injection in the Crestron TSW-1060 console’s undocumented HDCP2XLOAD handler, a hardcoded Gingco app password leading to local file disclosure, and a weak DES-crypt admin-password scheme cracked in two seconds with Hashcat.








