Ohhhh, sneaky masquerading trick found in the wild and noted by JAMESWT The Threat Actor replaces / with "ん", a Japanese character +2 cat pictures

FIDO downgrades are still possible, in reverse proxy phishing attacks, if you manage to convince the server that your device does not support strong MFA. 🪝🐟 Research from Proofpoint: proofpoint.com/us/blog/threat…

Hey there, fellow phishermen! 👋 Evilginx Pro update 4.2 has been out for a month, and I decided to spend some time documenting the new features and explaining how to use them. Enjoy the write-up and let me know what else you would like to see added in future updates. 🔗👇

Xbow raised $117M to build AI hacker agents, in Alias Robotics open-sourced it and made it completely free. Github: github.com/aliasrobotics/… Paper: arxiv.org/abs/2504.06017

While playing DEF CON CTF Finals with Shellphish I managed to solve the ICO challenge using LLMs (GPT5 + Cursor) and almost no human intervention. You can read how I did it here! wilgibbs.com/blog/defcon-fi…

Should security solutions be secure? We're beginning to feel wrong. Enjoy some unscheduled programming - our analysis of CVE-2025-25256, a pre-auth Command Injection in Fortinet's FortiSIEM labs.watchtowr.com/should-securit…

1/ XBOW Unleashes GPT-5’s Hidden Hacking Power. OpenAI's initial assessment of GPT-5 showed modest cyber capabilities. But when integrated into the XBOW platform, we saw a completely different story: performance more than doubled. More on what we found: 🧵

For anyone with a Kindle, jailbreaking it takes 5 minutes and turns it into one of the cheapest, most capable eInk devices you can own. Runs Linux! kindlemodding.org

Thanks to everyone who joined my DEFCON33 talk!🎉 For those of you who missed it and are interested in seeing how we can extract cleartext credentials and bypass MFA directly from the official Microsoft login page, I just uploaded the recording to YouTube: youtu.be/z6GJqrkL0S0

Low-Cost and Comprehensive Non-textual Input Fuzzing with LLM-Synthesized Input Generators usenix.org/conference/use…

New blog post just dropped! West Shepherd breaks down extending the Mythic Poseidon agent for ARM64 Dylib injection on Apple Silicon. Details include: ✅ Shellcode construction ✅ Memory allocation ✅ Runtime patching ✅ Thread creation Read more ⤵️ ghst.ly/41Nu4ED

Trying to fly under EDR's radar? Logan Goins explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7

🚨 Plex patched a vuln in Media Server (1.41.7.x → 1.42.0.x). ⚠️ Censys sees 428k+ server interfaces, not all vuln, but at risk. ✅ Update to 1.42.1.10060+ immediately. 👇Check your exposures with Censys hubs.ly/Q03F5J4G0 #infosec #vulnerability #plex

🚨 New blog post: ELEGANTBOUNCER - Catch iOS 0-click exploits without having the samples. Features iOS backup forensics & messaging app scanning for iMessage, WhatsApp, Signal, Telegram & Viber attachments. 🔗 Link -> msuiche.com/posts/elegantb…

#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/6

Hardly anyone I know can do a good iOS app security assessment because it's such a pain in the ass to deal with this, amongst other ✨just Apple✨ things. Android has typically been much easier to test. Not anymore?

My 2nd Sitecore blog is live. This time, it's a Pre-Auth HTML Cache Poisoning (fun reflection) + Post-Auth RCE 🫡

My mind wanders a lot, right now I'm picking up on the 1Password CTF challenge (again!!). "Anyone who can read a private CTF flag from a private vault could receive $1 million USD from AgileBits." Looks daunting, but like all the hard things in life, we divide them into easier

I Researched Ruby class pollutions and discovered a new exploitation method, Rotate Chains, achieving 100% exploit success rate; also created a bi0s CTF 2025 challenge based on the technique which had 0 solves. Read the research/writeup: winters0x64.xyz/posts/post-2

Pentesting AWS IoT? 🔐 Learn how to use certs + IAM auth, simulate attacks with MQTT plugins, and test real-world scenarios using the EXPLIoT framework. 📺 Watch part 2 of our IoT security series: youtube.com/watch?v=5m6DSX… #IoTSecurity #AWS #Pentesting