My notes on IT-Security and tech

Newsletter 2026-04-29


Another week, another round of interesting news.


Lazarus comes around the corner with a new malware variant for Macs and has ported a known variant from Go to Python using AI. The entry point is Telegram messages containing fake Teams, Meets, or Zoom invitations.


Talos sees strong growth in the adoption of Macs in the enterprise world. So far, macOS Living-off-the-Land tools seem to be less well documented, and their post sets out to address that. Certainly doesn’t hurt to be broadly positioned.


Newsletter 2026-04-21


Another week, another round.


Level Blue addresses a phishing vector that only became interesting thanks to the wider adoption of MFA: attackers try to get the victim or the helpdesk to deactivate or reset the second factor.


Calif unleashed Codex on a TV with a compromised browser to see how Codex performs in such a scenario and whether it can turn an existing shell into a root shell. I think it’s a good insight into the current state of things and it aligns with what I’ve seen so far.


Newsletter 2026-04-13


Another week, another round.


itm4n took a closer look at Windows’ implementation for collecting BitLocker information. A pretty interesting topic if you want to dive into the depths of disk encryption.


Something a bit different: unlocking features in an Audi.


Something else again: a Mastodon discussion around the latest Windows zero-day, Bluehammer. The discussion goes into the functionality a bit. Plus the repo.


Talos analyzes LucidRook, a Lua-based stager that provides stripped Rust elements.


Newsletter 2026-04-07


Another busy week:


Claude found an RCE in Vim and Emacs relatively easily.


Another week and another supply chain attack.


And in the same vein, TeamPCP uses audio steganography in WAV files to bypass EDR and other analysis tools.
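To make the technique concrete, here is an added example (not TeamPCP’s code, and the page does not say which embedding scheme they used) of the simplest variant: hiding a payload in the least significant bit of each 16-bit sample of a WAV file. The carrier, the payload and the length-prefix framing are constructed for this illustration; the point is that the result still parses and plays as ordinary audio, so anything that classifies the file by format or content type sees a WAV.

```python
"""LSB audio steganography in a WAV carrier (added example).

The WAV stays a valid, playable audio file; the payload lives in the least
significant bit of each 16-bit sample, prefixed with a 4-byte big-endian
length.  Carrier, payload and framing are constructed for this illustration;
the page does not say which embedding scheme TeamPCP used.
"""
import io
import struct
import wave


def write_wav(samples, rate=8000):
    """Serialize 16-bit mono samples as a standard RIFF/WAVE file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def make_carrier(n_samples=4000, rate=8000):
    """Constructed 16-bit mono carrier: a low-amplitude sawtooth."""
    samples = [(i % 200) - 100 for i in range(n_samples)]
    return write_wav(samples, rate)


def read_samples(wav_bytes):
    """Parse the WAV with the stdlib reader; it must still look like ordinary audio."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("example expects 16-bit mono")
        raw = w.readframes(w.getnframes())
    return list(struct.unpack(f"<{len(raw) // 2}h", raw))


def embed(wav_bytes, payload):
    """Write length-prefixed payload bits into the LSB of successive samples."""
    samples = read_samples(wav_bytes)
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too small for payload")
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit   # each sample moves by at most 1
    return write_wav(samples)


def extract(wav_bytes):
    """Recover the payload: read the 32-bit length, then that many bytes."""
    lsbs = [s & 1 for s in read_samples(wav_bytes)]

    def to_bytes(bits):
        return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                     for i in range(0, len(bits), 8))

    length = struct.unpack(">I", to_bytes(lsbs[:32]))[0]
    return to_bytes(lsbs[32:32 + 8 * length])


def max_sample_delta(a_wav, b_wav):
    """Largest per-sample difference between two files; 1 for LSB embedding."""
    return max(abs(a - b) for a, b in zip(read_samples(a_wav), read_samples(b_wav)))


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, b"constructed stage-2 payload")
    print(extract(stego), "max delta:", max_sample_delta(carrier, stego))
```

Because the stego file differs from the carrier by at most one quantization step per sample, there is nothing for a content scanner to flag in the file itself; detection has to come from the loader’s behaviour, a process that opens a WAV and then spawns or injects something, rather than from the audio.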


I’m an avowed RSS fan, but I didn’t know about XSLT. Too bad I only find out about it now that it’s being discontinued.


MDSec shows in the article a way to disable pre-boot DMA protection without triggering BitLocker recovery, by reading out the UEFI firmware, modifying it, and writing it back.


Newsletter 2026-03-31


Looks like there was a lot going on last week, which resulted in quite a few links.


TrustedSec has started a blog series around detection. In my view, very much worth reading.


Corelan is back after 7 years without an article and starts with a very comprehensive session around WinDbg and WinDbgX.


Level Blue Security wrote on their blog how Azure Service Bus can be used for C2 communication via WebSockets.


Newsletter 2026-03-24


Another week, another round of interesting articles I came across during the week. Even though there’s again no specific theme, Talos made it onto the list twice.


An approach to adding agents to a C2 through indirect prompt injection. The whole thing relies on prompting alone and further lowers the technical bar for attackers, which in turn could increase the number of attacks.


Various threat actors are now apparently relying on an iOS exploit chain called DarkSword. Google’s Threat Intelligence Group has a very interesting write-up on that chain.


Newsletter 2026-03-17


Another week, another round. For week 12 we have a colourful mix of articles with no particular theme.


Praetorian shows on their blog how differing interpretations of HTTP headers between components can open gaps in system security. They use two CVEs, in Fabio and OAuth, to explain header injection.


An OSINT newsletter that’s just starting. The author previously worked in Dutch law enforcement and already ran an OSINT newsletter for colleagues there; now the tips are being shared with everyone. I definitely think it’s worth adding to your RSS feed if you’re interested in OSINT.


Newsletter 2026-03-11


Another week, another round of articles I deemed interesting.


I wasn’t aware until now that nuclei also has an OSINT tag and can check for user accounts on platforms.


Jean-Francois Maes outlines a setup that could make it possible to use commercial LLMs for pentests with a private upstream system in front of them. Strictly speaking there are two upstream systems: the first anonymizes confidential information on the way in and de-anonymizes it on the way back; the second checks whether the first was successful before anything goes to the commercial LLM.
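The shape of that pipeline, as an added example and not Jean-Francois Maes’ own code: stage 1 replaces confidential values with stable, reversible placeholders and restores them in the model’s reply; stage 2 is a separate gate that re-scans the outbound text with its own rules and refuses to forward anything that still contains an original value. The placeholder format, the detection patterns, the scope list and the sample prompt are assumptions made for this illustration, and both stages run in one process here where the article describes two separate systems.

```python
"""Two-stage pseudonymisation gate in front of a commercial LLM (added example).

Stage 1 (Pseudonymizer) swaps confidential values for stable placeholders on
the way out and restores them on the way back.  Stage 2 (leak_check) is the
independent gate: it re-scans the outbound text and refuses to forward it if
an original value survived.  Placeholder format, detection patterns, scope
list and sample prompt are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample prompt, the kind of thing a tester might paste mid-engagement.
SAMPLE_PROMPT = (
    "Host dc01.corp.example at 10.10.5.21 exposes SMB; user jdoe has local admin. "
    "Suggest next steps for dc01.corp.example."
)

# Assumed detection rules. Order matters: IPs first, so the HOST rule never
# sees a dotted quad.
PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "HOST": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b"),  # lowercase FQDNs
}
SCOPE_USERS = {"jdoe"}  # assumed: usernames known from the engagement's scope data


@dataclass
class Pseudonymizer:
    """Stage 1: one stable placeholder per original value, reversible."""
    forward: dict = field(default_factory=dict)   # original -> placeholder
    reverse: dict = field(default_factory=dict)   # placeholder -> original
    counters: dict = field(default_factory=dict)

    def _placeholder(self, kind, value):
        if value not in self.forward:
            n = self.counters.get(kind, 0) + 1
            self.counters[kind] = n
            self.forward[value] = f"<{kind}_{n}>"
            self.reverse[self.forward[value]] = value
        return self.forward[value]

    def anonymize(self, text):
        for kind in ("IP", "HOST"):
            text = PATTERNS[kind].sub(
                lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        for user in sorted(SCOPE_USERS):
            text = re.sub(rf"\b{re.escape(user)}\b",
                          lambda m, u=user: self._placeholder("USER", u), text)
        return text

    def deanonymize(self, text):
        # Placeholders are closed tokens (<KIND_n>), so plain replacement is safe:
        # "<HOST_1>" can never match inside "<HOST_10>".
        for placeholder, original in self.reverse.items():
            text = text.replace(placeholder, original)
        return text


def leak_check(outbound):
    """Stage 2: independent re-scan of the outbound text. Returns what it found."""
    hits = set()
    for pattern in PATTERNS.values():
        hits.update(pattern.findall(outbound))
    for user in SCOPE_USERS:
        if re.search(rf"\b{re.escape(user)}\b", outbound):
            hits.add(user)
    return sorted(hits)


def run_pipeline(prompt, model):
    """anonymize -> gate -> model -> deanonymize; raises rather than leaking."""
    stage1 = Pseudonymizer()
    outbound = stage1.anonymize(prompt)
    leaked = leak_check(outbound)
    if leaked:
        raise ValueError(f"refusing to forward, originals still present: {leaked}")
    return outbound, stage1.deanonymize(model(outbound))


def fake_model(prompt):
    """Stand-in for the commercial LLM; it only ever sees placeholders."""
    host = re.search(r"<HOST_\d+>", prompt).group(0)
    user = re.search(r"<USER_\d+>", prompt).group(0)
    return f"Enumerate shares on {host} and review the sessions of {user}."


if __name__ == "__main__":
    sent, answer = run_pipeline(SAMPLE_PROMPT, fake_model)
    print("sent to LLM :", sent)
    print("returned    :", answer)
```

The value of the second stage is that it does not trust the first one’s bookkeeping: it looks for original-looking values in the text that is about to leave the perimeter, so a pattern the first stage missed still gets caught as long as the gate’s own rules cover it. In practice the two rule sets should be maintained by different people for exactly that reason.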


Newsletter 2026-03-03


Another week with multiple very interesting articles.


Graham Helton presents an RCE in Kubernetes on his blog. It requires GET permission and WebSocket communication. The report was closed as Won’t Fix (intended behaviour), so it’s worth keeping in the back of your mind.


Patrick Binder introduces his tool apimspray, which uses Azure API Management (APIM) to conduct Entra ID password spraying from Microsoft’s own IP addresses. That makes it hard to detect, but he also explains that Entra ID Identity Protection alerts can help. Besides the usual MFA everywhere, he gives additional recommendations to better secure accounts against this attack and tool.


Newsletter 2026-02-24


Welcome to the next week of articles I deemed interesting.


A pretty interesting phishing approach.


Talos looked into how to bypass Code Read-out Protection (RDP) by emulating a single thread, in order to find vulnerabilities in the devices’ Modbus TCP implementation.


Usually it’s more articles around security and red teaming topics, but containerization also plays a significant role in modern environments. Dependencies installed outside the OS package manager need to be checked separately, since many security scanners struggle with them (at least that’s my last understanding, it might have changed), and fast container builds matter in many places too. Andrew Nesbitt shows in his article that most development package managers (Cargo, Go modules, and co.) allow downloading dependencies as a separate step.


Newsletter 2026-02-19


Another week, another round.


Credential exfiltration through an Outlook add-in. The attackers leveraged an “abandoned” project to infiltrate 4,000 systems.


I find SpecterOps’ article about their new tool V8-forensics pretty interesting. It can help debug exploits by extracting JavaScript artifacts from Chrome’s memory after a crash.


Apparently more and more providers are already filtering Telnet in their networks. But the sheer volume of Telnet connections still running over the open internet is pretty alarming to me.


Newsletter 2026-02-12


Back again with some interesting articles that came my way over the last few days.


Stan Ghouls relies on spear phishing to land on their targets. The write-up on initial access is very detailed. They’re also recycling Mirai here. https://securelist.com/stan-ghouls-in-uzbekistan/118738/


I’m not exactly sure when this article was written (or whether that’s just the modification date), but the author exploits a race condition in seclogon to bypass protections against credential dumping. https://otter.gitbook.io/red-teaming/articles/windows-of-opportunity-exploiting-race-conditions-in-seclogon-to-dump-lsass


Yarix introduces their tool Doppelganger in this article. It disables PPL by leveraging a vulnerable driver and clones the lsass process in order to save an obfuscated dump. https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/


Newsletter 2026-02-03


Welcome back to the newsletter in week 6.


WhiteKnightLabs writes about hollowing out Electron apps and the advantages this brings in tightly controlled networks. Short but punchy.


Sean Heelan actually provides numbers and code on what it takes to develop proof-of-concept exploits with agents for vulnerabilities that previously had no known PoC.

In that context, this one’s also worth a read, even if it’s a bit older:


Newsletter 2026-01-30


During the week I usually read a few articles on varying topics. So why not share them here as well, with a short summary, in the hope that someone finds this useful.


I can’t say I understood everything, but I always find this kind of research fascinating. In the post, Connor McGarr managed to send a “stop trace” to ETW using an undocumented security trace flag, and provides a pretty deep dive into it.


Getting vulnerable JavaScript components fast


Automating vulnerable JavaScript detection with ZAP