Author | Lightnews

Reposted

Volatility @volatilityfoundation.org · 2d

The 13th annual @volatility #PluginContest is OPEN for submissions until 31 Dec 2025!

This contest is designed to encourage research & development in the field of #memoryanalysis. Every year, contributions from all around the world continue to help build the next generation of #memoryforensics.

The 13th Annual Volatility Plugin Contest is Open!

We are excited to announce that the Volatility Plugin Contest is officially open for submissions! The annual Plugin Contest is your opportunity to: Directly contribute to the open source forensics …

volatilityfoundation.org

3 1

Reposted

Catalin Cimpanu @campuscodi.risky.biz · 8d

-iOS 26 change deletes clues of old spyware infections
-Starlink disables 2.5k scam compound terminals
-Caribbean hospital still down 5 months after ransomware attack
-Poland charges officials in Pegasus scandal

Newsletter: news.risky.biz/risky-bullet...
Podcast: risky.biz/RBNEWS495/

1 11 20

Reposted

Paul Hudson @twostraws.bsky.social · 10d

Today I'm launching my new app, Hacktivate. It teaches real-world computer science skills through 240 "capture the flag" challenges, and works on iPhone, iPad, and Mac with one purchase. I've poured a ton of love into it, and I'd love to hear what you think 🙌 apps.apple.com/gb/app/hackt...

‎Hacktivate: Capture the Flag

‎Crack codes. Break firewalls. Conquer the map. Hacktivate is the ultimate cybersecurity challenge: a world map of 240 missions where every puzzle is built on real cybersecurity techniques hackers us...

apps.apple.com

17 30 150

Reposted

clibm079 @clibm079.bsky.social · 13d

I used PE-bear for the first time to dump an embedded binary. Its intuitive UI made extraction effortless. Because malware often embeds payloads with the form A in B to evade detection, pulling out the inner binary was crucial for deeper analysis and IoCs hunting.

2 2 2

hasherezade.bsky.social @hasherezade.bsky.social · 20d

Finally done with #FlareOn12. What a ride! I am looking forward to read other people’s solutions, especially of those who did the 9th task quickly.

9

Reposted

Volatility @volatilityfoundation.org · Sep 18

#FTSCon Speaker Spotlight: Aleksandra Doniec (@hasherezade.bsky.social) is presenting “Uncovering Malware's Secrets with TinyTracer” in the MAKER track.

See the full list of speakers + event info, including how to register, here: volatilityfoundation.org/from-the-sou...

6 2

Reposted

Karsten Hahn @struppigel.bsky.social · Sep 1

My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...

Malware Analysis - Intermediate Level

Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more

malwareanalysis-for-hedgehogs.learnworlds.com

1 6 9

Reposted

Hexacorn @hexacorn.bsky.social · Jul 5

Beyond good ol’ Run key, Part 148

www.hexacorn.com/blog/2025/07...

1 5

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

- option of custom parsing exports directory allows to pinpoint even the APIs that the malware author tried to hide by erasing exports table in memory: (github.com/hasherezade/...)

3

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

- watching not only the functions arguments, but also, how they changed after the function execution, and the function return value: (github.com/hasherezade/...) - thanks to a new contributor, maxspl:

1 3

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

includes: tracing defined local functions (github.com/hasherezade/...):

1

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!

1 6 16

Reposted

sixtyvividtails @sixtyvividtails.bsky.social · May 6

1. Pause thread midway in exploit races (even ⓪).
2. Or block entire CPU core. Kernel APCs run at APC_LEVEL (🤯), so thread scheduling kinda disabled (think priority == ∞).
3. Or build upon @hasherezade.bsky.social work & generalize #WaitingThreadHijacking — making it, in fact, Waitless.

1 2

Reposted

sixtyvividtails @sixtyvividtails.bsky.social · May 6

Heard of #ContextJail?
It's a nasty new technique: puts target thread into ⓪ deadloop, for as long as you can afford. Requires THREAD_GET_CONTEXT right.

The gist? Just spam NtGetContextThread(tgt).😸
Target will be jailed, running nt!PspGetSetContextSpecialApc 🔁.

Src & binary in [ALT].

Usecases: ⤵️

Screenshot of contextjail.exe running with default arguments.

Highlighted:

* prisoner thread (latched to CPU1 with priority 15) couldn't run for the entire test duration (30 seconds).

* 99 jailer threads (latched to 6/8 processors, CPU2..CPU7) were using 20% of total CPU time.

Overlay: pseudo-ASSCII art with prisoner thread and 6 jailer threads (guards), spamming NtGetContextThread to block the prisoner.

Source and compiled binary:
https://pastebin.com/pBJcGp1y

1 6 7

hasherezade.bsky.social @hasherezade.bsky.social · Apr 14

yes, we catch it, but I cannot speak for others

hasherezade.bsky.social @hasherezade.bsky.social · Apr 14

demo: www.youtube.com/watch?v=CZIR... ; src: github.com/hasherezade/...

[DEMO] Waiting Thread Hijacking (on Windows 11 24 H2)

YouTube video by hasherezade

www.youtube.com

5

hasherezade.bsky.social @hasherezade.bsky.social · Apr 14

My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection

Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research

Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...

research.checkpoint.com

3 10 15

hasherezade.bsky.social @hasherezade.bsky.social · Apr 13

🫂

1

Reposted

Catalin Cimpanu @campuscodi.risky.biz · Apr 1

Zscaler has published a technical report on HijackLoader (IDAT Loader, GhostPulse) and its recent changes, such as its new call stack spoofing module, anti-VM module, and support for scheduled task persistence

www.zscaler.com/blogs/securi...

New HijackLoader Evasion Tactics | ThreatLabz

Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.

www.zscaler.com

1 4 10

Reposted

pixelatedboat aka “mr bluesky” @pixelatedboat.bsky.social · Apr 1

Abolish April Fool’s day. Society has moved past the need for April Fool’s day

540 1.6K 13K

Reposted

Catalin Cimpanu @campuscodi.risky.biz · Mar 27

KELA has published a profile on Rey and Pryx, the two main individuals behind the Hellcat hacking group, responsible for several breaches over the past months, such as Schneider Electric, Telefónica, and Orange Romania.

www.kelacyber.com/blog/hellcat...

Hellcat Hacking Group Unmasked: Investigating Rey and Pryx | KELA Cyber

KELA’s latest research uncovers key insights into two key threat actors of Hellcat Group, Pryx and Rey. Read more.

www.kelacyber.com

2 8

Reposted

Kim Zetter @kimzetter.bsky.social · Mar 24

We all knew this day would arrive when the DNA samples you willingly provided 23andMe would be up for sale. Company now says it's seeking a buyer as it files for bankruptcy. 23andMe says any buyer will have to adhere to privacy laws for customer DNA/data they acquire. people.com/23andme-file...

23andMe Files for Bankruptcy as CEO Anne Wojcicki Resigns — What Will Happen to Your DNA Data?

Genetics company 23andMe has filed for bankruptcy and its CEO is stepping down, leaving many users concerned about the future of their data.

people.com

6 36 81

Reposted

Catalin Cimpanu @campuscodi.risky.biz · Mar 23

Clevo Boot Guard Keys Leaked in Update Package

www.binarly.io/blog/clevo-b...

Clevo Boot Guard Keys Leaked in Update Package

Over the past few years, the Binarly Research team has led the way in documenting security problems haunting the entire UEFI ecosystem. We presented our discoveries at major security conferences like ...

www.binarly.io

5 9

Reposted

vx-underground (automated mirror) @vxundergroundre.bsky.social · Mar 22

Someone has done an excellent job collecting RATs and documenting them by version. They also included images.

A+ work. This is amazing (we're going to ingest this eventually)

github.com/Cryakl/Ultim...

GitHub - Cryakl/Ultimate-RAT-Collection: For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots.

For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots. - Cryakl/Ultimate-RAT-Collection

github.com

17 45

hasherezade.bsky.social @hasherezade.bsky.social · Mar 22

A small demo/tutorial on unpacking executables with #PEsieve and #TinyTracer: hshrzd.wordpress.com/2025/03/22/u...
- automatic OEP finding, reconstructing IAT, avoiding antidebugs and fixing imports broken by shims

Tutorial: unpacking executables with TinyTracer + PE-sieve

In this short blog I would like to demonstrate you how to unpack an executable with PE-sieve and Tiny Tracer. As an example, let’s use the executable that was packed with a modified UPX: 8f66…

hshrzd.wordpress.com

13 29