A walkthrough of klezVirus’ “Callback hell” — a technique that hides callback frames from stack inspectors by combining tail-calls, forward and backward proxy frames, and a chained thread-pool dispatcher, while still recovering the callee’s return value via a MOV [REG], RAX gadget. Published under CC BY 4.0 and republished here in full, with all original figures, assembly listings, and the POC video.
TREVEX: Black-Box CPU Fuzzing Finds FP-DSS, New FPVI Variants, and Zero-at-ret
TREVEX is a post-silicon black-box CPU fuzzer from CISPA designed to discover data-flow transient execution vulnerabilities without needing RTL access, an ISA emulator, or a leakage contract. The framework runs across 20 microarchitectures from Intel, AMD, and Zhaoxin and uncovers a new TEA — Floating Point Divider State Sampling (FP-DSS, CVE-2025-54505) — on AMD Zen and Zen+, a new FPVI variant on AMD that does not need denormal inputs, three instances of Zero-at-ret on Intel, and FPVI on Zhaoxin. The authors weaponise FP-DSS from native code, the Linux kernel, and a Chrome JavaScript exploit.
CVE-2025-54539: Apache.NMS.AMQP Deserialization Policy Bypass to Unauthenticated RCE in .NET
CVE-2025-54539 is a deserialization policy bypass in Apache.NMS.AMQP (≤ 2.3.0) that lets a single 290-byte AMQP message reach BinaryFormatter inside an unsuspecting .NET client and execute arbitrary commands.
mov ax, bx drama story – for fun and fasm
A tiny funny FASM program for Windows where BX generously shares its value with AX using mov ax, bx, turning a simple register copy into a dramatic love story with a MessageBox punchline.
APC Tandem: A Primitive-Chaining Process Injection That Slips Past Common EDR Triggers
A walkthrough of “APC Tandem”, a stealth Windows process-injection technique that replaces WriteProcessMemory, CreateRemoteThread and VirtualAllocEx with a chain of less-watched primitives — thread description smuggling, paired GetThreadDescription/RtlMoveMemory APCs, and a Special User APC for execution.
Weaponized abuse of the SYLK file format
SYLK is an ancient spreadsheet format, but Excel still supports it. GhostWolf Lab shows how .slk files can carry XLM macros, masquerade as CSV, bypass weak detections, and revive legacy macro abuse.
GhostTree: The NTFS Trick That Can Make Malware Disappear from EDR Scans
GhostTree abuses NTFS junctions to create recursive, near-endless valid paths. Recursive scanners and EDRs can hang in the maze while malware in the parent folder remains unchecked; the post shows the junction creation.
HWMonitor Trojanized to Deliver Multi-Stage STX RAT via DLL Sideloading
A trojanized HWMonitor archive abuses DLL sideloading with malicious CRYPTBASE.dll to launch multi-stage in-memory loaders and deploy STX RAT.
DLL Sideloading & Proxying for Advanced Red Team Engagements
A practical look at DLL sideloading and proxying: how attackers abuse trusted Windows executables to load malicious DLLs while keeping the app running normally.