Scales is a Linux supply-chain malware that pairs an embedded eBPF rootkit with a built-in Tor client and aggressive credential theft. This walkthrough covers how it hides processes and network activity, and the exact command-line forensics — stat, bpftool, ss, /sys/fs/bpf — to confirm an infection.
CVE-2026-41873: Apache Pony Mail OAuth SSRF + Lua CRLF Smuggling = Unauthenticated Account Takeover
STAR Labs’ advisory on CVE-2026-41873 in Apache Pony Mail by Li Jiantao and Tevel Sho (disclosed 28 April 2026). Two independent bugs reach the same outcome — full admin takeover — without any authentication. In the modern Foal (Python) build, an attacker-supplied “oauth_token” URL drives a blind SSRF against the local Elasticsearch SQL endpoint, leaking the admin session cookie character-by-character (CVSS 9.1). In the legacy Lua build (now retired, no patch), a single unescaped query parameter in “email.lua” lets the attacker inject CRLF bytes into the Elasticsearch HTTP request and smuggle a second request that creates an admin account outright.
CVE-2026-5426: Mandiant Catches ViewState RCE Against KnowledgeDeliver LMS in Japan
Disclosure of CVE-2026-5426: an ASP.NET ViewState deserialization RCE in Digital Knowledge’s KnowledgeDeliver LMS, caused by identical hardcoded “machineKey values” shipped to every customer. Pre-Feb-24-2026 deployments are exploitable as a zero-day. Mandiant observed BLUEBEAM (Godzilla-class) in-memory web shells, JavaScript tampering for follow-on social engineering, and Cobalt Strike BEACON keyed to the victim’s name — with Application Event ID 1316 (code 4009) as the primary detection signal.
Microphones Leak EM Signals Carrying Audio: A 93%-Accurate Side-Channel Attack on MEMS Mics
An English rewrite of Denis Laskov’s “Eye on Cyber” pointer to a USENIX Security 2025 paper by Onishi et al. The research shows that MEMS microphones, because of their PDM (Pulse Density Modulation) digital interface, radiate unintended EM signals that still carry the original audio. With nothing more than copper-foil-tape antennas, the authors recovered enough signal through a 25 cm concrete wall at 2 m to hit 93% speaker-recognition accuracy — a TEMPEST-class result for cheap consumer mics.
PPL Abuse: How Attackers Turn Windows’ Own Trust Anchors Into EDR Killers
An original English rewrite of Ghost Wolf Lab’s 2026-05-25 article on Protected Process Light (PPL) abuse. The piece maps Windows’ PPL trust hierarchy, walks three production techniques that turn WinTcb-Light binaries (WerFaultSecure, ClipUp, WaaSMedicSvc) into EDR-disabling primitives, and lays out a four-phase attack chain — BYOVD kernel kills, EDR-Freeze race condition, ClipUp-as-PPL-proxy, and unsigned WDAC policies — that defenders are seeing in the wild against Defender and Chinese antivirus stacks (360, Kingsoft, Tencent). Includes the original PPL inspection C program and a working Sigma rule.
UAC-0247 / UAC-0244: HTA-Borne Malware Hunts Ukrainian FPV Drone Operators
An original English rewrite of Robin Dost’s deep dive into UAC-0247 (now confirmed by CERT-UA as a continuation of UAC-0244): a multi-stage HTA → JavaScript → curl → updater.exe chain that ends in a syscall-resolving loader injecting EncryptedReverseShell into RuntimeBroker.exe. The campaign weaponises the Ukrainian humanitarian foundation UkrVarta as a lure against FPV drone operators, with infrastructure hosted at a Russian provider and OPSEC mistakes that leak the entire kill chain.
BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse
Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.
RemotePE: Inside Lazarus’s In-Memory RAT and Its DPAPI-Keyed Three-Stage Loader Chain
Fox-IT (NCC Group) details RemotePE, a North-Korean Lazarus in-memory RAT delivered through a three-stage chain — DPAPILoader (environmentally-keyed first-stage), RemotePELoader (HellsGate / ETW-patched HTTP beacon) and RemotePE itself, which never touches disk. The writeup walks AES-GCM C2, MSZIP-compressed command batches, the IConsole / IFileExplorer / IProcess command surface, infrastructure, MITRE ATT&CK mapping, and a full IOC set spanning July 2023 — May 2026.








