My notes on IT-Security and tech

Newsletter 2026-06-30


Another week with articles. Thanks to the high temperatures I wasn’t motivated to do anything else but read, which led to some more links this week.


Quarkslab took a closer look at Xiaomi’s proprietary security chip as used in cameras. Methods used included, among others, I2C sniffing, flash dumping, and firmware analysis.


Praetorian recently introduced their setup for automated vulnerability analysis with AI. In the first part, the target is FreeBSD and the approach is explained in detail.

Read more ⟶

Newsletter 2026-06-22


Another week, another round.


A VirtualBox escape through a use-after-free vulnerability, written up by Luca Ginex.


FIFA apparently was busy awarding peace prizes and didn’t have time to test their central systems. For many football fans, probably a happy outcome.


Niels Provos versus frontier models.


I have to agree with Justin Bollinger here. I’ve always taken a detour around jq and maybe used Python’s json.tool or awk and cut to prepare and filter data.

Read more ⟶

Newsletter 2026-06-16


Another week with new articles.


Zoltan Madarassy and Alex Brown wrote another article for Elttam on what to watch out for in Go reviews.


Matthew Green looked at the reasoning blocks in LLMs and was able to derive secrets from the systems (with a bit of luck). Additionally, neither Claude nor GPT5x seems to use system prompts in API mode.


A comprehensive write-up of CVE-2026-23111, a use-after-free vulnerability caused by incorrect use of the exclamation mark.

Read more ⟶

Newsletter 2026-06-09


Another week and another round of articles.


LevelBlue investigated a malware campaign in Brazil that used Havoc. Nine different stager variants were observed, all distributed as .zip files. Receiving invoices as ZIP archives is apparently quite common there, especially in May, so the lure was well prepared.


RubyGems can now also install gems with a cooldown to reduce the impact of supply chain attacks: you define the number of days a version must have existed before it is offered as an update.
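To make the semantics of such a cooldown concrete, here is an added example of the policy as I would implement it in Python; it is not RubyGems’ or Bundler’s code, and the version history, the dates and the function names are constructed for the illustration. The point it shows is that a cooldown does not freeze updates, it selects the newest version that is old enough, which also means a rushed fix for a malicious release stays hidden for the same window.

```python
from datetime import date, timedelta

# Constructed sample version history of one gem (not real RubyGems data):
# (version, release date). The newest release is only two days old on the
# sample "today" used below.
SAMPLE_HISTORY = [
    ("1.4.0", date(2026, 3, 1)),
    ("1.4.1", date(2026, 5, 20)),
    ("1.5.0", date(2026, 6, 8)),
]


def version_key(version: str):
    """Sort key for dotted numeric versions (assumption: no prerelease tags)."""
    return tuple(int(part) for part in version.split("."))


def cooled_down(history, today: date, min_age_days: int):
    """All versions that have existed for at least `min_age_days` as of `today`,
    oldest first. A version released on the cutoff day itself counts as eligible."""
    cutoff = today - timedelta(days=min_age_days)
    return sorted((v for v, released in history if released <= cutoff),
                  key=version_key)


def update_candidate(history, installed: str, today: date, min_age_days: int):
    """Newest version that is newer than `installed` AND past the cooldown, else None.
    This is what an `outdated` style check should report under a cooldown policy."""
    eligible = [v for v in cooled_down(history, today, min_age_days)
                if version_key(v) > version_key(installed)]
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    today = date(2026, 6, 10)
    print(update_candidate(SAMPLE_HISTORY, "1.4.0", today, min_age_days=7))   # 1.4.1
    print(update_candidate(SAMPLE_HISTORY, "1.4.0", today, min_age_days=0))   # 1.5.0
```

With a seven-day cooldown the fresh 1.5.0 is skipped and 1.4.1 is offered instead; with no cooldown 1.5.0 is offered. The trade-off is visible in the same call: if 1.5.0 were the fix for a compromised 1.4.1, the policy would keep you on 1.4.1 until the window passes, so the cooldown should be paired with advisory data, not used alone.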

Read more ⟶

Newsletter 2026-06-02


Again a lot of interesting articles, at least in my opinion.


An interesting approach to bridging the air gap with audio signals, to get malware onto a target system when USB ports and the like are disabled. cocomelonc kicks off in the first blog post [1] with the transmitter side and some basics; the second part [2] covers the receiver under Linux.

  1. https://cocomelonc.github.io/malware/2026/05/24/malware-tricks-56.html
  2. https://cocomelonc.github.io/malware/2026/05/26/malware-tricks-57.html
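As an added illustration of the transmitter/receiver split described above (my own toy code in Python, not cocomelonc’s implementation, and the sample rate, baud rate, tone frequencies and frame format are my assumptions): the transmitter maps each bit of a length-prefixed frame to one of two tones and can pack the result as a WAV file, and the receiver recovers the bits by measuring the energy at the two tone frequencies with the Goertzel algorithm, which is the cheap way to do this without an FFT library. A constructed Gaussian noise source stands in for a real speaker-to-microphone channel.

```python
import io
import math
import random
import struct
import wave

# Toy modem parameters (assumptions for this example, not cocomelonc's values).
SAMPLE_RATE = 8000                      # Hz
BAUD = 100                              # bits per second
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 80 samples per bit
F0, F1 = 1200.0, 2200.0                 # tone for bit 0 / bit 1; both fall exactly on a Goertzel bin


def bits_of(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def modulate(payload: bytes) -> list:
    """Transmitter: 2-byte big-endian length prefix + payload as continuous-phase binary FSK."""
    frame = struct.pack(">H", len(payload)) + payload
    samples, phase = [], 0.0
    for bit in bits_of(frame):
        step = 2 * math.pi * (F1 if bit else F0) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step               # phase continues across bit boundaries, so no clicks
    return samples


def to_wav(samples) -> bytes:
    """Pack clean samples as 16-bit mono PCM so any player or sound card can emit them."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(s * 32767)) for s in samples))
    return buf.getvalue()


def goertzel_power(block, freq: float) -> float:
    """Energy of `block` at `freq`: a single DFT bin via the Goertzel recurrence."""
    k = round(len(block) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(block))
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> bytes:
    """Receiver: per bit slot compare energy at F1 vs F0, then parse the length-prefixed frame."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(block, F1) > goertzel_power(block, F0) else 0)
    raw = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        raw.append(int("".join(map(str, bits[i:i + 8])), 2))
    if len(raw) < 2:
        return b""
    length = struct.unpack(">H", bytes(raw[:2]))[0]
    return bytes(raw[2:2 + length])


def add_noise(samples, sigma: float, seed: int = 1):
    """Constructed channel: additive Gaussian noise with a fixed seed, so runs are repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


if __name__ == "__main__":
    audio = modulate(b"air-gap")
    print(len(to_wav(audio)), "bytes of WAV")
    print(demodulate(add_noise(audio, sigma=0.5)))
```

The receiver assumes it is already bit-aligned; a real implementation needs a preamble to find the start of the frame and a checksum, which is exactly the kind of thing a detection engineer can look for (a sound card being opened by an unexpected process, or sustained narrowband tones on a machine with no reason to play audio).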

Something a bit different for a change. nand2mario from Small Things Retro has set about reimplementing the 80386 (for those old enough to remember) in an FPGA, based on the original microcode. Cool project.

Read more ⟶

Newsletter 2026-05-26


Another week and a new round of links


Mathieu Farrell describes in great detail for Quarkslab which vulnerabilities he found in Optical Line Terminals, including an explanation of what an OLT actually is.


Massive attack on GitHub repositories. I couldn’t figure out which ones are directly affected. As of 2026-05-21 it was 5,000 repositories and rising.


Elliot Belt/Felix Billières has worked extensively with AI in security research and publishes his research along with recommendations on how to reproduce it.

Read more ⟶

Newsletter 2026-05-19


Another week, another round.


Datadog has looked at malicious agent skills and lists indicators to watch out for.


Synacktiv looked at the Tesla Wall Connector in 2025 and has now published a second part to the first article.


Trail of Bits introduces a new Go fuzzer.


Hacktron found an RCE in GitHub Copilot.


Daniel Stenberg explains “named globbing” in curl. Very practical and I just wasn’t aware that curl can do that.

Read more ⟶

Newsletter 2026-05-12


Another week, another round of interesting news. This time with different views on the Claude Mythos results from Mozilla and curl.


Citizenlab has compiled studies on telco network surveillance. Very comprehensive, but also very interesting.


Talos has identified a previously unknown attacker using the CloudZ RAT with a plugin called “Pheno” that checks whether the Phone Link application is in use on Windows. The goal is probably to obtain credentials and possibly also OTP codes.

Read more ⟶

Newsletter 2026-04-29


Another week, another round of interesting news.


Lazarus shows up with a new malware variant for Macs, having ported a known variant from Go to Python using AI. The entry point is Telegram messages containing fake Teams, Meet, or Zoom invitations.


Talos sees strong growth in the adoption of Macs in the enterprise world. Living-off-the-land tooling on macOS is so far less well documented, and their post sets out to address that. Certainly doesn’t hurt to be broadly positioned.

Read more ⟶

Newsletter 2026-04-21


Another week another round.


Level Blue addresses a phishing vector that only became interesting thanks to the wider adoption of MFA. Attackers try to get the victim or helpdesk to deactivate or reset the second factor.


Calif unleashed Codex on a TV with a compromised browser to see how Codex performs in such scenarios and whether it can turn an existing shell into a root shell. I think it’s a good insight into the current state of things and it aligns with what I’ve seen so far.

Read more ⟶

Newsletter 2026-04-13


Another week another round


itm4n took a closer look at how Windows collects BitLocker information. A pretty interesting topic, perhaps, if you want to dive into the depths of disk encryption.


Something a bit different. Unlocking features in an Audi.


Something else again. A Mastodon discussion around the latest Windows zero-day Bluehammer. The discussion goes into the functionality a bit. Plus the repo.


Talos analyzes LucidRook, a Lua-based stager that delivers stripped Rust components.

Read more ⟶

Newsletter 2026-04-07


Another busy week:


Claude found an RCE in vim and emacs relatively easily.


Another week and another supply chain attack.


And right along with that, TeamPCP uses audio steganography in WAV files to bypass EDR and other analysis tools.


I’m an avowed RSS fan, but I didn’t know about XSLT. Too bad I only found out about it now that it’s being discontinued.


MDSec shows in the article a way to disable pre-boot DMA protection without triggering the BitLocker recovery key prompt: read out the UEFI firmware, modify it, and write it back.

Read more ⟶

Newsletter 2026-03-31


Looks like there was a lot going on last week, which resulted in quite a few links.


TrustedSec has started a blog series around detection. In my view, very much worth reading.


Corelan is back after 7 years without an article and starts with a very comprehensive session around WinDBG and WinDBGX.


Level Blue Security describes in their blog how Azure Service Bus can be used for C2 communication via WebSockets.

Read more ⟶

Newsletter 2026-03-24


Another week another round of interesting articles I came across during the week. Even though it’s again without a specific theme, Talos made it into the list twice.


An approach to add agents to a C2 through indirect prompt injections. The whole thing builds on prompting and further reduces the technical requirements for attackers, which in turn could increase the number of attacks.


Various threat actors are now apparently relying on an iOS exploit chain called DarkSword. The Google Threat Intelligence Team has a very interesting write-up on that chain.

Read more ⟶

Newsletter 2026-03-17


Another week another round. For week 12 we have a colourful mix of articles with no particular theme.


Praetorian shows in their blog how different interpretations of headers can lead to gaps in system security. They use two CVEs in Fabio and OAuth to explain header injection.


An OSINT newsletter that’s just starting. The person previously worked in Dutch law enforcement and already ran an OSINT newsletter for colleagues there. Now the tips are being shared with everyone. I definitely think it’s worth adding to your RSS feed if you’re interested in OSINT.

Read more ⟶

Newsletter 2026-03-11


Another week, another round of articles I deemed interesting.


I wasn’t aware until now that nuclei also has an OSINT tag and can check user accounts on platforms.


Jean-Francois Maes outlines a setup that could make it possible to use commercial LLMs for pentests via a private upstream system. Strictly speaking, there would be two upstream systems: the first anonymizes confidential information on the way in and deanonymizes it on the way back; the second checks whether the first was successful before anything goes to the commercial LLM.
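Added example of that two-stage pipeline in Python, written by me to illustrate the idea; it is not Jean-Francois Maes’ implementation, and the token categories, placeholder format, internal domain names and the stand-in “LLM” are all constructed. Stage 1 swaps IPs, internal hostnames and e-mail addresses for reversible placeholders; stage 2 is deliberately written with different logic (address parsing and substring search instead of the same regexes) so a gap in stage 1 is not simply mirrored, and the round trip refuses to send anything stage 2 still flags.

```python
import ipaddress
import re
from typing import Callable, Dict, List


class Pseudonymizer:
    """Stage 1: replace sensitive values with placeholders on the way out, restore on the way back."""

    def __init__(self, internal_domains: List[str]):
        dom = "|".join(re.escape(d) for d in internal_domains)
        # Order matters: e-mails first, so their domain part is not later matched as a host.
        self.patterns = [
            ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)),
            ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
            ("HOST", re.compile(r"\b(?:[\w-]+\.)*(?:" + dom + r")\b", re.I)),
        ]
        self.forward: Dict[str, str] = {}   # real value -> placeholder
        self.reverse: Dict[str, str] = {}   # placeholder -> real value
        self.counters: Dict[str, int] = {}

    def _placeholder(self, kind: str, value: str) -> str:
        if value not in self.forward:       # same value always gets the same placeholder
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"{kind}_{self.counters[kind]}"
            self.forward[value] = token
            self.reverse[token] = value
        return self.forward[value]

    def anonymize(self, text: str) -> str:
        for kind, pattern in self.patterns:
            text = pattern.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def restore(self, text: str) -> str:
        # Whole-token match, so IP_1 is never rewritten inside IP_12.
        return re.sub(r"\b(?:EMAIL|IP|HOST)_\d+\b",
                      lambda m: self.reverse.get(m.group(0), m.group(0)), text)


def residual_secrets(text: str, internal_domains: List[str]) -> List[str]:
    """Stage 2: independent check that nothing sensitive survived stage 1.
    Uses ipaddress parsing and plain substring search rather than stage 1's regexes."""
    leaks = []
    for candidate in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if not ip.is_global:                # private, loopback, link-local: all count as leaks
            leaks.append(candidate)
    lowered = text.lower()
    leaks.extend(d for d in internal_domains if d.lower() in lowered)
    if "@" in text:
        leaks.append("e-mail address")
    return leaks


def ask_llm(prompt: str, llm: Callable[[str], str], scrubber: Pseudonymizer,
            verify_domains: List[str]) -> str:
    """Full round trip: anonymize -> verify -> external model -> deanonymize. Fails closed."""
    outbound = scrubber.anonymize(prompt)
    leaks = residual_secrets(outbound, verify_domains)
    if leaks:
        raise RuntimeError(f"refusing to send prompt, stage 2 found: {leaks}")
    return scrubber.restore(llm(outbound))


def fake_llm(prompt: str) -> str:
    """Constructed stand-in for the commercial model: echoes the placeholders back."""
    return "Draft: check SMB signing on HOST_1 (IP_1) and notify EMAIL_1. Prompt was: " + prompt


if __name__ == "__main__":
    prompt = "Scan 10.20.30.40 (dc01.corp.example) and report to soc@corp.example"
    print(ask_llm(prompt, fake_llm, Pseudonymizer(["corp.example"]), ["corp.example"]))
```

The failure mode worth testing is configuration drift between the two stages: if the verifier knows an internal domain the scrubber was never configured with, the call raises instead of leaking, which is the whole reason for having the second system.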

Read more ⟶

Newsletter 2026-03-03


Another week with multiple very interesting articles.


Graham Helton presents an RCE in Kubernetes on his blog. It requires GET permission and WebSocket communication. The report was closed as “Won’t fix (intended behavior)”, so it’s worth keeping this in the back of your mind.


Patrick Binder introduces his tool apimspray, which uses Azure API Management (APIM) to conduct Entra ID password spraying from Microsoft’s own IP addresses. That makes it hard to detect, but he also explains that Entra ID Identity Protection alerts can help. Besides the usual “MFA everywhere”, he gives additional recommendations for securing accounts against this attack and tool.

Read more ⟶

Newsletter 2026-02-24


Welcome to the next week of articles I deemed interesting.


A pretty interesting phishing approach.


Talos looked into how to bypass Code Read-out Protection (RDP) and, by emulating a single thread, find vulnerabilities in the devices’ Modbus TCP implementation.


Usually it’s more articles around security and red teaming topics here, but containerization also plays a significant role in modern environments. Dependencies installed outside the OS package manager need to be checked separately, since many security scanners struggle with them (at least that’s my last understanding, it might have changed), but fast container builds also matter in many places. Andrew Nesbitt shows in his article that most development package managers (Cargo, Go, and co.) allow downloading dependencies as a separate step.

Read more ⟶

Newsletter 2026-02-19


Another week, another round.


Credential exfiltration through an Outlook add-in: the attackers leveraged an “abandoned” project to infiltrate 4,000 systems.


I find SpecterOps’ article about their new tool V8-forensics pretty interesting. It can help debug exploits by extracting JavaScript artifacts from Chrome’s memory after it crashes.


Apparently more and more providers are already filtering Telnet in their networks. But the sheer volume of Telnet connections running over the internet alone is pretty alarming to me.

Read more ⟶

Newsletter 2026-02-12


Back again with some interesting articles that came across my way during the last few days.


Stan Ghouls relies on spear phishing to land its targets. The write-up on initial access is very detailed. They’re also recycling Mirai here. https://securelist.com/stan-ghouls-in-uzbekistan/118738/


I’m not exactly sure when this article was written (or if that’s just the modification date), but the author exploits a race condition to bypass protections against credential dumping. https://otter.gitbook.io/red-teaming/articles/windows-of-opportunity-exploiting-race-conditions-in-seclogon-to-dump-lsass


Yarix introduces their tool Doppelganger in this article: it disables PPL via a vulnerable driver and clones the lsass process to write an obfuscated dump. https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/

Read more ⟶