tonvi (@t0nvi)'s Twitter Profile

ID: 107230970

21-01-2010 22:44:39

710 Tweets

299 Followers

562 Following

Ch40s 🏴‍☠️ (@drch40s) 's Twitter Profile Photo

Thanks a lot! tonvi and I are glad you enjoyed MalOpSec 2 — it means a lot coming from someone in the trenches. Custom implants are exactly where things get fun. Stay sharp, and see you on the next op! #MalOpSec #Retooling #RedTeam #OffensiveSecurity

Yarden Shafir (@yarden_shafir) 's Twitter Profile Photo

Looks like BlueHat IL talks are online now, so here’s my talk for anyone who wanted to learn about the latest episode of KASLR and couldn’t make it: youtu.be/Dk2rLO2LC6I

/ˈziːf-kɒn/ (@x33fcon) 's Twitter Profile Photo

Code injection getting tougher? @rwxstoned is at #x33fcon to unveil how to abuse Windows DLL loading complexities for stealthy execution! Learn new API proxying and remote injection techniques using only read/write ops. This is a must for #RedTeam pros seeking evasion. Learn

Rolf Rolles (@rolfrolles) 's Twitter Profile Photo

I haven't been publishing much lately, but not because I haven't been doing research -- in fact, I've done more than ever in the past five years. My ~200KLOC backlog will soon begin trickling out into the IDA/Hex-Rays ecosystem.

REcon (@reconmtl) 's Twitter Profile Photo

Recon 20th year anniversary is almost upon us, and we just realised we got our first copyright strike on YouTube on one of our videos from last year. I guess VMProtect is not happy about Holger Unterbrink's talk. We will release the video soon directly on our website. Stay tuned.

REcon (@reconmtl) 's Twitter Profile Photo

Conference preregistration will start at 16h (4pm) in grand salon opera on floor 4 and welcome cocktail at 18h (6pm) in Creation room on floor 6 (lobby floor) and terrasse if the temperature allows it. Welcome to Montreal, see you all soon!

SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Credentials access via Shadow Snapshots, WMI and SMB, all done remotely. Technique implemented inside impacket framework accompanied with detection automation utilizing ETW providers: Microsoft-Windows-WMI-Activity + Microsoft-Windows-SMBServer. A technique developed by Peter

Ethan Hays (@ethanhays) 's Twitter Profile Photo

Cloudflare CEO Matthew Prince 🌥 is having the most honest conversations I've come across about the current & future of content creation "6 months ago, 75% of queries to Google get answered on Google. Which means if you're an original content creator, your content is getting

Ch40s 🏴‍☠️ (@drch40s) 's Twitter Profile Photo

Just wrapped up our talk at REcon ! 🎤tonvi 🚀 My Emulation Goes to the Moon (Until FALSE_FLAG) is now also a blog post: 📖 retooling.io/blog/my-emulat… 🎥 cfp.recon.cx/recon-2025/tal… #recon2025 #reverseengineering #emulation

0xor0ne (@0xor0ne) 's Twitter Profile Photo

Excellent blog post exploring the re-implementation of APT41 Scatterbrain's obfuscation for adversary emulation retooling.io/blog/my-emulat… #malware #infosec

0xor0ne (@0xor0ne) 's Twitter Profile Photo

"SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O" Part 1: coderush.me/hydroph0bia-pa… Part 2: coderush.me/hydroph0bia-pa… #cybersecurity #uefi

Ido Veltzman (@idov31) 's Twitter Profile Photo

I'm happy to finally release NovaHypervisor! NovaHypervisor is a defensive hypervisor with the goal of protecting AV/EDR vendors and crucial kernel structures that are currently uncovered by VBS and PatchGuard. Full explanation below 1/6. github.com/Idov31/NovaHyp…

hackyboiz (@hackyboiz) 's Twitter Profile Photo

[Research] CVE-2025-24985: Windows Fast FAT Driver RCE Vulnerability hackyboiz.github.io/2025/07/17/ogu… The vulnerability was caused by the ability to control five variables within the VHD file that determine the number of clusters.

Yarden Shafir (@yarden_shafir) 's Twitter Profile Photo

Rasta Mouse To clarify because I realized I forgot an important detail: you can still call the API from Medium IL in recent Windows 11 but the Object field leaking a kernel address will be 0 unless the caller has SeDebugPrivilege enabled.