İbrahim BALOĞLU - Siber Güvenlik Paylaşımları (Cyber Security Posts)

This group was created to share content in the field of Cyber Security.

Post archive
Windows Defender 0-Day Exploit * Allowing Attackers to Gain Full Access Full PoC

#WLAN_Security #Mobile_Security "LightGuard: Transparent WiFi Security via Physical-Layer LiFi Key Bootstrapping", Apr. 2026. ]-> https://github.com/Dorian47/Lightguard // cryptographic key establishment can be offloaded from WiFi to a physically confined LiFi channel to mitigate the risk of key exposure over RF

#Tech_book #Blue_Team_Techniques "Blue Team Handbook: Incident Response", 2026. ]-> Code from book chapters, commands, and manuals // This trusted and widely used field guide for cybersecurity incident responders, SOC analysts, and defensive security professionals distills incident response essentials into a concise, field-ready format

#Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (Mar.28-Apr.4, 2026) 1⃣  Supply Chain Attack on Axios Pulls Malicious Dependency from npm // This is an active and developing incident... 2⃣  Remotely exploitable vulnerabilities in FreeBSD kernel, Vim, and Emacs // CVE-2026-4747, CVE-2026-34714, CVE-2026-33150, CVE-2026-34743 3⃣  Operation NoVoice: Rootkit Tells No Tales // The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities 4⃣ Nmap 7.99 Release // Changelog 5⃣  ghostsurf: From NTLM Relay to Browser Session Hijacking // NTLM HTTP relay tool with SOCKS proxy for browser session hijacking 6⃣  OpenSSH 10.3 Release // Changes 7⃣  Progress ShareFile Pre-Auth RCE Chain // CVE-2026-2699, CVE-2026-2701 ]-> Analytical review (Mar.21-28, 2026)

#tools #Offensive_security 1⃣ dexfinder - Cross-platform APK/DEX method & field reference finder with call chain tracing, ProGuard/R8 deobfuscation, and Android hidden API detection 2⃣ LogonTracer - tool to investigate malicious logon by visualizing and analyzing Windows AD event logs 3⃣ efiguard-detect - tool to detect EfiGuard 4⃣ ReDyne - iOS Decompiler/Reverse Engineering Suite 5⃣ Disconnected RSAT - launcher for running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machines

Unauthenticated MCP Endpoint Allows Remote Nginx Takeover * Detail and PoC

CVE-2026-4747 * Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell * exploit.py

#exploit #AppSec 1⃣ CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution // A novel and highly effective attack against reverse engineers and malware analysts. By embedding malicious annotation payloads into distributed binaries, an attacker can reliably achieve code execution on the systems of analysts who inspect those binaries in Ghidra 2⃣ CVE-2025-14325: SpiderMonkey Type Confusion in Baseline JIT Inline Cache // A type confusion in SpiderMonkey's JIT inline cache that enables arbitrary memory access and RCE through heap leaks and memory overlapping exploits during property operations

#Kernel_Security Linux File System Basics Part 1 // Overview and CVE-2022-0185 / CVE-2023-5345 Part 2 // Isolation, Permission Model and CVE-2023-0386

#Malware_analysis 1⃣  EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons 2⃣ Compromised telnyx on PyPI: WAV Steganography and Credential Theft https://safedep.io/malicious-telnyx-pypi-compromise 3⃣ Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework https://www.elastic.co/de/security-labs/illuminating-voidlink

#cryptography #WLAN_Security "Provable Security and Privacy Analysis of WPA3’s SAE and SAE-PK Protocols", 2026. // The first provable security and privacy analysis of SAE and SAE-PK. We identify an attack that prevents SAE from fulfilling its intended authentication guarantees

#Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (Mar.21-28, 2026) 1⃣  Telegram 0-click RCE // CVSS: 9.8 2⃣ litellm PyPI package (v1.82.7 + v1.82.8) compromised // full timeline and status 3⃣  Claude security configurations // Enhanced security configurations for Claude on MacOS 4⃣  Business TikTok accounts targeted with AITM phishing kits 5⃣  Exploiting AQL Injection Vulnerabilities in ArangoDB // This post serves as a comprehensive reference for pentesters seeking detailed insight into AQL injections and how they can be exploited 6⃣  Infiniti Stealer // New macOS infostealer using ClickFix and Python/Nuitka 7⃣  Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack // On Mar. 19, 2026, threat actors injected credential-stealing malware into Aqua Security’s Trivy scanner and related GitHub Actions 8⃣  strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication // Critical integer underflow vulnerability in strongSwan 4.5.0-6.0.4 allows attackers to cause DoS via malformed EAP-TTLS messages ]-> P.S. The past week has demonstrated that attackers' focus has finally shifted to developer tools (AI libraries, CI/CD) ... ]-> Analytical review (Mar.14-21, 2026)

#tools #Hardware_Security Disabling Security Features in a Locked BIOS https://www.mdsec.co.uk/2026/03/disabling-security-features-in-a-locked-bios ]-> Manually tampering with UEFI settings ]-> DMAReaper - Disable Kernel DMA Protection on Win11 via pre-boot DMA attack // This post explores how modifying a Dell UEFI firmware image at the flash level can fundamentally undermine platform security without leaving visible traces in the firmware interface.

#Malware_analysis 1⃣ When Bills Come with Surprise: Donut of Python and Rat https://labs.itresit.es/2026/03/25/when-bills-come-with-surprise-donut-of-python-and-rat // This analysis breaks down a highly evasive, multi-stage malware infection chain to bypass traditional file-based detection and operate almost entirely within memory 2⃣ Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack // On Mar.19, 2026, threat actors injected credential-stealing malware into Aqua Security’s Trivy scanner and related GitHub Actions 3⃣ How Cloudflare Services are Abused for Credential Theft and Malware Distribution https://securityboulevard.com/2026/03/the-unintentional-enabler-how-cloudflare-services-are-abused-for-credential-theft-and-malware-distribution // Threat actors continue exploiting Cloudflare’s services for credential phishing and malware distribution and evading email-based security controls like Secure Email Gateways

#Whitepaper #Offensive_security "Leveraging Generative AI for Password Cracking Efficiency Under Resource Constraints", Jan. 2026. // The purpose of this research is to investigate whether GenAI can alleviate the hardware and financial burdens of password cracking/recovery while maintaining or even improving cracking success rates...

#tools #exploit #Offensive_security 1⃣ Fritter - tool that generates unique, evasive, position-independent shellcode for in-memory execution, building on Donut's framework with dynamic memory management and randomized components for enhanced stealth 2⃣ KslDump exploits a Microsoft-signed Defender driver vulnerability via IOCTL 0x222044, enabling unrestricted kernel and physical memory access, bypassing security protections, through registry manipulation and local privileges 3⃣ RegPwn - privilege escalation exploit affecting Windows 10, 11, and Server editions (CVE-2026-24291) // Disclaimer

#tools #Offensive_security #Red_Team_Tactics 1⃣ VMkatz - Extract Windows credentials directly from VM memory snapshots and virtual disks 2⃣ KaplaStrike - module overloading, NtContinue entry transfer, call stack spoofing, sleep masking, and static signature removal 3⃣ StealthyWMIExec - a stealthier approach to WMI-based command execution using Impacket without touching the disk 4⃣ Kerlab - a Rust implementation of Kerberos for Fun and Detection 5⃣ Ghost in the PPL - LSASS Memory Dump

#Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (Mar.7-14, 2026) 1⃣ YARA-X 1.14.0 Release // A rewrite of YARA in Rust 2⃣ RCE in Nextcloud Flow via vulnerable Windmill version // CVE-2026-29059 3⃣ Analyzing "Zombie Zip" Files (CVE-2026-0866) // The trick is to change the compression method to STORED while the content is still DEFLATED: a flag in the ZIP file header states the content is not compressed, while in reality, the content is compressed 4⃣ How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit // An authentication bypass in FreshRSS, a self-hosted RSS aggregator. It is a good example of how over-engineering can hurt the security of an application 5⃣ OpenAI Codex Security AI agent // Available in research preview format 6⃣ On the Effectiveness of Mutational Grammar Fuzzing // More coverage does not mean more bugs. Mutational grammar fuzzing tends to produce samples that are very similar 7⃣ AEGIS v.0.9.1 // EDR for AI Agents ]-> Analytical review (Feb.28-Mar.7, 2026)

#Malware_analysis 1⃣ The ExifTool vulnerability: how an image can infect macOS systems https://www.kaspersky.com/blog/exiftool-macos-picture-vulnerability-mitigation-cve-2026-3102/55362 2⃣ 5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files 3⃣ New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering 4⃣ Uncovering a phishing campaign abusing MS Device Code Authentication and Cloudflare Worker Pages, with detection hunts for Entra and MS365 https://newtonpaul.com/blog/device-code-phishing-campaign 5⃣ BeatBanker: A dual‑mode Android Trojan https://securelist.com/beatbanker-miner-and-banker/119121

#Offensive_security A Deep Dive into the GetProcessHandleFromHwnd API https://projectzero.google/2026/02/gphfh-deep-dive.html // From Windows XP to Windows 11 24H2. See also: ]-> PPLwindow PPL Bypass via GetProcessHandleFromHwnd