-
Centurion: Bring Your Own Execution Environment
How we built a custom virtualized loader with its own ISA, PE loader, TLS stack, and software crypto coprocessor in about a week using LLM-assisted development — and what the BYOEE model means for offensive tooling.
read more → -
Et Tu, RDP? Detecting Sticky Keys Backdoors with Brutus and WebAssembly
How we built automated RDP sticky keys backdoor detection into Brutus using WebAssembly to embed IronRDP, a Rust RDP library, into a single statically-linked Go binary.
read more → -
Living on the Edge: How I Ditched WordPress for a Fully Static Site on Cloudflare's Global Network
I moved my blog from a managed WordPress host to a fully static site built with Astro, KeyStatic, and Jekyll, deployed on Cloudflare Pages. Here's why going static and serving from 330+ edge locations beats a traditional CMS and costs nothing.
read more → -
Domain Fronting is Dead. Long Live Domain Fronting!
We discovered that domain fronting still works against Google's infrastructure, enabling covert C2 traffic through services like Google Meet, YouTube, and GCP. This research demonstrates how attackers can tunnel traffic through domains too critical for organizations to block.
read more → -
Beyond the Last Mile: How Internet Routing Shapes Red Team Ops
Understanding how internet routing infrastructure impacts red team operations, particularly for traffic tunneling and data exfiltration. Exploring why routing paths, international transit, and peering relationships often matter more than raw connection speeds.
read more → -
Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 2 of 2)
Part two of the Ghost Calls series details how we tunnel real-time C2 traffic through Zoom and Microsoft Teams TURN infrastructure using WebRTC — covering the approaches we evaluated, the WebRTC protocol suite, our SCTP-based implementation, and a walkthrough of the TURNt utility.
read more → -
Ghost Calls: Abusing Web Conferencing for Covert Command & Control (Part 1 of 2)
Web conferencing covert C2 turns the most trusted traffic on an enterprise network — the daily Zoom and Teams calls defenders are told to exempt from inspection — into an interactive command-and-control channel. Part one dissects the internals of Zoom's architecture, transport protocol, and clients.
read more → -
Analyzing a Modern Linux Kernel Vulnerability (CVE-2023-0266)
Deep dive into CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem that was exploited in-the-wild against Android devices. Exploring the technical details of how 32-bit/64-bit compatibility layers introduced a use-after-free condition.
read more → -
Local Privilege Escalation Vulnerability in Ant Media Server (CVE-2024-32656)
Disclosure of a local privilege escalation vulnerability in Ant Media Server arising from an unauthenticated JMX remote management interface accessible to unprivileged local users, enabling code execution as root.
read more → -
Bypassing Akamai's Web Application Firewall Using an Injected Content-Encoding Header
How we bypassed Akamai's XSS filtering by combining a CRLF injection vulnerability with response compression to inject a Content-Encoding header and deliver a compressed malicious payload.
read more →