My notes on IT-Security and tech
Newsletter 2026-02-24
Welcome to the next week of articles I deemed interesting.
A pretty interesting phishing approach.
Talos looked into how to bypass Code Readout Protection (RDP) by emulating a single thread, in order to find vulnerabilities in the devices' Modbus TCP implementation.
Usually it’s more articles around security and red teaming topics, but containerization also plays a significant role in modern environments. Dependencies installed outside the OS package manager still need to be checked independently, since many security scanners struggle with them (at least that’s my last understanding, it might have changed), but faster container builds are also important in many places. Andrew Nesbitt shows in his article that most package managers used in software development (Cargo, Go, and Co.) allow downloading dependencies as a separate step.
Newsletter 2026-02-19
Another week, another round.
Credential exfiltration through an Outlook add-in. They’re leveraging an “abandoned” project to infiltrate 4,000 systems.
I find SpecterOps’ article about their new tool V8-forensics pretty interesting. It can help debug exploits by extracting JavaScript artifacts from Chrome’s memory after it crashes.
Apparently more and more providers are already filtering Telnet in their networks. But the sheer volume of Telnet connections running over the internet alone is pretty alarming to me.
Newsletter 2026-02-12
Back again with some interesting articles that came my way during the last few days.
Stan Ghouls relies on spear phishing to land their targets. The writeup on initial access is very detailed. They’re also recycling Mirai here. https://securelist.com/stan-ghouls-in-uzbekistan/118738/
I’m not exactly sure when this article was written (or if that’s just the modification date), but the author exploits a race condition to bypass protections against credential dumping. https://otter.gitbook.io/red-teaming/articles/windows-of-opportunity-exploiting-race-conditions-in-seclogon-to-dump-lsass
Yarix introduces their tool Doppelganger in this article, which they use to disable PPL by leveraging a vulnerable driver and to clone the lsass process in order to save an obfuscated dump. https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
Newsletter 2026-02-03
Welcome back to the newsletter in week 6.
WhiteKnightLabs writes about hollowing out Electron apps and the advantages this can bring in tightly controlled networks. Short but punchy.
Sean Heelan actually provides numbers and code here on what it takes to use agents to develop proof-of-concept exploits for vulnerabilities that previously had no known PoCs.
In that context, this one’s also worth a read, even if it’s a bit older:
Newsletter 2026-01-30
During a week I usually read some articles on varying topics. So why not provide them here as well, with a short summary, in the hope that someone finds this useful.
I can’t say I understood everything, but I always find this kind of research fascinating. In the post, Connor McGarr manages to send a “stop trace” to ETW using an undocumented security trace flag and provides a pretty deep dive into it.