Google Threat Intelligence website banner

CVE-2026-5426: Mandiant Catches ViewState RCE Against KnowledgeDeliver LMS in Japan

Disclosure of CVE-2026-5426: an ASP.NET ViewState deserialization RCE in Digital Knowledge’s KnowledgeDeliver LMS, caused by identical hardcoded “machineKey values” shipped to every customer. Pre-Feb-24-2026 deployments are exploitable as a zero-day. Mandiant observed BLUEBEAM (Godzilla-class) in-memory web shells, JavaScript tampering for follow-on social engineering, and Cobalt Strike BEACON keyed to the victim’s name — with Application Event ID 1316 (code 4009) as the primary detection signal.

Diagram of MEMS microphone EM signal leakage and recovery attack

Microphones Leak EM Signals Carrying Audio: A 93%-Accurate Side-Channel Attack on MEMS Mics

An English rewrite of Denis Laskov’s “Eye on Cyber” pointer to a USENIX Security 2025 paper by Onishi et al. The research shows that MEMS microphones, because of their PDM (Pulse Density Modulation) digital interface, radiate unintended EM signals that still carry the original audio. With nothing more than copper-foil-tape antennas, the authors recovered enough signal through a 25 cm concrete wall at 2 m to hit 93% speaker-recognition accuracy — a TEMPEST-class result for cheap consumer mics.

EDR-Freeze and PPL EDR bypass concept illustration

PPL Abuse: How Attackers Turn Windows’ Own Trust Anchors Into EDR Killers

An original English rewrite of Ghost Wolf Lab’s 2026-05-25 article on Protected Process Light (PPL) abuse. The piece maps Windows’ PPL trust hierarchy, walks three production techniques that turn WinTcb-Light binaries (WerFaultSecure, ClipUp, WaaSMedicSvc) into EDR-disabling primitives, and lays out a four-phase attack chain — BYOVD kernel kills, EDR-Freeze race condition, ClipUp-as-PPL-proxy, and unsigned WDAC policies — that defenders are seeing in the wild against Defender and Chinese antivirus stacks (360, Kingsoft, Tencent). Includes the original PPL inspection C program and a working Sigma rule.

UAC-0247 / UAC-0244 campaign header image

UAC-0247 / UAC-0244: HTA-Borne Malware Hunts Ukrainian FPV Drone Operators

An original English rewrite of Robin Dost’s deep dive into UAC-0247 (now confirmed by CERT-UA as a continuation of UAC-0244): a multi-stage HTA → JavaScript → curl → updater.exe chain that ends in a syscall-resolving loader injecting EncryptedReverseShell into RuntimeBroker.exe. The campaign weaponises the Ukrainian humanitarian foundation UkrVarta as a lure against FPV drone operators, with infrastructure hosted at a Russian provider and OPSEC mistakes that leak the entire kill chain.

Diagram contrasting Windows user mode and kernel mode boundaries

BYOVD Attack Surface: From Vulnerability-Driven to Certificate Abuse

Between 2025 and 2026, BYOVD attacks completed a fundamental paradigm shift: from exploiting known-vulnerable drivers to abusing legitimately-signed drivers and certificates themselves. This English rewrite of the Ghost Wolf Lab research walks through dual-driver campaigns, single-byte signature-preserving hash flips, independent certificate abuse, and Microsoft’s March 2026 cross-signed trust removal.

RemotePE Lazarus in-memory RAT title banner from the Fox-IT writeup

RemotePE: Inside Lazarus’s In-Memory RAT and Its DPAPI-Keyed Three-Stage Loader Chain

Fox-IT (NCC Group) details RemotePE, a North-Korean Lazarus in-memory RAT delivered through a three-stage chain — DPAPILoader (environmentally-keyed first-stage), RemotePELoader (HellsGate / ETW-patched HTTP beacon) and RemotePE itself, which never touches disk. The writeup walks AES-GCM C2, MSZIP-compressed command batches, the IConsole / IFileExplorer / IProcess command surface, infrastructure, MITRE ATT&CK mapping, and a full IOC set spanning July 2023 — May 2026.