Building an Encrypted C2 Implant Using QUIC

Building an Encrypted C2 Implant Using QUIC

R.B.C (g3tsyst3m) builds crudeRAT: a minimal Python C2 implant using QUIC (RFC 9000) as its transport. Starting from an unprivileged shell, the QUIC channel delivers TLS 1.3 encryption from the first packet, UDP-based transport that evades TCP-centric monitoring, bidirectional file transfer with tqdm progress bars, and shellcode execution via the EnumSystemLocalesW Windows API callback pattern. The article covers both server and implant code, the file transfer state machines, ALPN selection for operational engagements, and known limitations.

Callback Hell: Abusing Callbacks, Tail-Calls, and Proxy Frames to Obfuscate the Stack

Callback Hell: Abusing Callbacks, Tail-Calls, and Proxy Frames to Obfuscate the Stack

klezVirus introduces frame swapping — a technique that hides Windows callback frames from EDR call-stack inspectors while preserving return value recovery. Building on thread-pool execution models and tail-call optimisation, the post develops a full callback-chain primitive that produces highly variable synthetic call stacks in n! orderings. Proof-of-concept and detection guidance included.

Windows Sandbox .wsb HostFolder NTLM Leak: A New UNC Coercion Primitive for Initial Access

Windows Sandbox is supposed to be the safe place to open untrusted files — but the .wsb configuration file is parsed by the host long before the guest boots. The UNCagedSandbox research by 0xHossam shows that a MappedFolder whose HostFolder points to a UNC path coerces the host into authenticating over SMB, leaking NetNTLMv2 to an attacker. Networking=Disable and ReadOnly=true do not stop it. Here is how the primitive works, what triggers it, and how to detect and defend against it.

FUD Shellcode Stagers in Python: String Reversal, NT APIs and IAT Walking to Bypass EDR

FUD Shellcode Stagers in Python: String Reversal, NT APIs and IAT Walking to Bypass EDR

Two Python shellcode stagers from g3tsyst3m that hit 0/63 on VirusTotal — Variant #1 uses string-reversed NT APIs (NtAllocateVirtualMemory, NtCreateThreadEx) plus RWX allocation; Variant #2 skips VirtualAlloc as a symbol entirely and walks the IAT of pythonXY.dll to dereference the live pointer the loader wrote at startup. Both source files reproduced verbatim, plus ten dynamic-analysis detection ideas for defenders.

Autonomous Vulnerability Hunting with MCP: Inside a Self-Improving 0-Day Pipeline

Autonomous Vulnerability Hunting with MCP: Inside a Self-Improving 0-Day Pipeline

Andy Gill’s ZephrSec write-up of an autonomous vulnerability hunting system built around Claude Code and the Model Context Protocol: 8 MCP servers, 300+ tools, a 5-VM Proxmox hunt range, a four-gate hallucination bin, a FAISS-backed RAG knowledge loop, and a bounty-intelligence ROI scorer. Already produced two assigned Go standard-library CVEs (CVE-2026-33809 in x/image/tiff, CVE-2026-33812 in x/image/font/sfnt), a four-stage OEM update-service chain ending in SYSTEM code execution on Windows 11 25H2, and two macOS findings, with multiple Windows LPEs/RCEs/UAFs in progress. Faithful walkthrough with all source assets reproduced.

DCOMIllusionist — Fileless Windows Lateral Movement via .NET DCOM Server Deserialization

DCOMIllusionist — Fileless Windows Lateral Movement via .NET DCOM Server Deserialization

Synacktiv’s open-source DCOMIllusionist takes James Forshaw’s .NET DCOM deserialization primitive — the same one that seeded the “Potato” family — and turns it into a polished, fileless C# lateral-movement tool. With local admin on both sides, it remotely re-configures the registry to expose a .NET CLSID over DCOM, forces an IManagedObject::GetSerializedBuffer round-trip, and deserialises a payload directly into the target process — in-memory DLL load, cross-session command execution, or NTLM relay via an HTTP gadget, no files on disk.

Vulnerabilities in Enterprise Audiovisual Hardware — Aver Cameras and Crestron TSW-1060 Tablets

Vulnerabilities in Enterprise Audiovisual Hardware — Aver Cameras and Crestron TSW-1060 Tablets

Meeting-room cameras and conference-room tablets are some of the least-monitored, most insecurely-configured attack surfaces in an enterprise. Spaceraccoon (Eugene Lim) walks through an unauthenticated RCE in Aver PTC320UV2 cameras (CVE-2026-26461), a command injection in the Crestron TSW-1060 console’s undocumented HDCP2XLOAD handler, a hardcoded Gingco app password leading to local file disclosure, and a weak DES-crypt admin-password scheme cracked in two seconds with Hashcat.