Lightnews — Scholar-powered news

hasherezade.bsky.social @hasherezade.bsky.social · 4d

Finally done with #FlareOn12. What a ride! I am looking forward to read other people’s solutions, especially of those who did the 9th task quickly.

9

Reposted

Volatility @volatilityfoundation.org · 26d

#FTSCon Speaker Spotlight: Aleksandra Doniec (@hasherezade.bsky.social) is presenting “Uncovering Malware's Secrets with TinyTracer” in the MAKER track.

See the full list of speakers + event info, including how to register, here: volatilityfoundation.org/from-the-sou...

6 2

Reposted

Karsten Hahn @struppigel.bsky.social · Sep 1

My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...

Malware Analysis - Intermediate Level

Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more

malwareanalysis-for-hedgehogs.learnworlds.com

1 6 9

Reposted

Hexacorn @hexacorn.bsky.social · Jul 5

Beyond good ol’ Run key, Part 148

www.hexacorn.com/blog/2025/07...

1 5

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

- option of custom parsing exports directory allows to pinpoint even the APIs that the malware author tried to hide by erasing exports table in memory: (github.com/hasherezade/...)

3

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

- watching not only the functions arguments, but also, how they changed after the function execution, and the function return value: (github.com/hasherezade/...) - thanks to a new contributor, maxspl:

1 3

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

includes: tracing defined local functions (github.com/hasherezade/...):

1

hasherezade.bsky.social @hasherezade.bsky.social · Jun 6

New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!

1 6 16

Reposted

sixtyvividtails @sixtyvividtails.bsky.social · May 6

1. Pause thread midway in exploit races (even ⓪).
2. Or block entire CPU core. Kernel APCs run at APC_LEVEL (🤯), so thread scheduling kinda disabled (think priority == ∞).
3. Or build upon @hasherezade.bsky.social work & generalize #WaitingThreadHijacking — making it, in fact, Waitless.

1 2

Reposted

sixtyvividtails @sixtyvividtails.bsky.social · May 6

Heard of #ContextJail?
It's a nasty new technique: puts target thread into ⓪ deadloop, for as long as you can afford. Requires THREAD_GET_CONTEXT right.

The gist? Just spam NtGetContextThread(tgt).😸
Target will be jailed, running nt!PspGetSetContextSpecialApc 🔁.

Src & binary in [ALT].

Usecases: ⤵️

Screenshot of contextjail.exe running with default arguments.

Highlighted:

* prisoner thread (latched to CPU1 with priority 15) couldn't run for the entire test duration (30 seconds).

* 99 jailer threads (latched to 6/8 processors, CPU2..CPU7) were using 20% of total CPU time.

Overlay: pseudo-ASSCII art with prisoner thread and 6 jailer threads (guards), spamming NtGetContextThread to block the prisoner.

Source and compiled binary:
https://pastebin.com/pBJcGp1y

1 6 7

hasherezade.bsky.social @hasherezade.bsky.social · Apr 14

yes, we catch it, but I cannot speak for others

hasherezade.bsky.social @hasherezade.bsky.social · Apr 14

demo: www.youtube.com/watch?v=CZIR... ; src: github.com/hasherezade/...

[DEMO] Waiting Thread Hijacking (on Windows 11 24 H2)

YouTube video by hasherezade

www.youtube.com

5

hasherezade.bsky.social @hasherezade.bsky.social · Apr 14

My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection

Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research

Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...

research.checkpoint.com

3 10 15

hasherezade.bsky.social @hasherezade.bsky.social · Apr 13

🫂

1

Reposted

Catalin Cimpanu @campuscodi.risky.biz · Apr 1

Zscaler has published a technical report on HijackLoader (IDAT Loader, GhostPulse) and its recent changes, such as its new call stack spoofing module, anti-VM module, and support for scheduled task persistence

www.zscaler.com/blogs/securi...

New HijackLoader Evasion Tactics | ThreatLabz

Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.

www.zscaler.com

1 4 10

Reposted

pixelatedboat aka “mr bluesky” @pixelatedboat.bsky.social · Apr 1

Abolish April Fool’s day. Society has moved past the need for April Fool’s day

540 1.6K 13K

Reposted

Catalin Cimpanu @campuscodi.risky.biz · Mar 27

KELA has published a profile on Rey and Pryx, the two main individuals behind the Hellcat hacking group, responsible for several breaches over the past months, such as Schneider Electric, Telefónica, and Orange Romania.

www.kelacyber.com/blog/hellcat...

Hellcat Hacking Group Unmasked: Investigating Rey and Pryx | KELA Cyber

KELA’s latest research uncovers key insights into two key threat actors of Hellcat Group, Pryx and Rey. Read more.

www.kelacyber.com

2 8

Reposted

Kim Zetter @kimzetter.bsky.social · Mar 24

We all knew this day would arrive when the DNA samples you willingly provided 23andMe would be up for sale. Company now says it's seeking a buyer as it files for bankruptcy. 23andMe says any buyer will have to adhere to privacy laws for customer DNA/data they acquire. people.com/23andme-file...

23andMe Files for Bankruptcy as CEO Anne Wojcicki Resigns — What Will Happen to Your DNA Data?

Genetics company 23andMe has filed for bankruptcy and its CEO is stepping down, leaving many users concerned about the future of their data.

people.com

6 36 81

Reposted

Catalin Cimpanu @campuscodi.risky.biz · Mar 23

Clevo Boot Guard Keys Leaked in Update Package

www.binarly.io/blog/clevo-b...

Clevo Boot Guard Keys Leaked in Update Package

Over the past few years, the Binarly Research team has led the way in documenting security problems haunting the entire UEFI ecosystem. We presented our discoveries at major security conferences like ...

www.binarly.io

5 9

Reposted

vx-underground (automated mirror) @vxundergroundre.bsky.social · Mar 22

Someone has done an excellent job collecting RATs and documenting them by version. They also included images.

A+ work. This is amazing (we're going to ingest this eventually)

github.com/Cryakl/Ultim...

GitHub - Cryakl/Ultimate-RAT-Collection: For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots.

For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots. - Cryakl/Ultimate-RAT-Collection

github.com

18 46

hasherezade.bsky.social @hasherezade.bsky.social · Mar 22

A small demo/tutorial on unpacking executables with #PEsieve and #TinyTracer: hshrzd.wordpress.com/2025/03/22/u...
- automatic OEP finding, reconstructing IAT, avoiding antidebugs and fixing imports broken by shims

Tutorial: unpacking executables with TinyTracer + PE-sieve

In this short blog I would like to demonstrate you how to unpack an executable with PE-sieve and Tiny Tracer. As an example, let’s use the executable that was packed with a modified UPX: 8f66…

hshrzd.wordpress.com

13 29

Reposted

tmp0ut @tmpout.sh · Mar 21

Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/

2 66 130

Reposted

netspooky @vacci.ne · Mar 21

Did anyone find the secret art page? 👀

tmp0ut @tmpout.sh · Mar 21

Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/

2 3 10

Reposted

RE//verse @re-verse.io · Mar 21

Next RE//verse video released! Andrew's Day 2 keynote was the next most requested video. It starts with an aside from neuroscience, ends with a challenge to all tool developers and has a fantastic journey between:

RE//verse 2025: What 20 Years of RE Practice and Tool Research Feels Like It’s Done (Andrew Ruef)

Andrew starts his keynote with a journey into neuroscience and ends with a challenge for all reverse engineering tooling authors.Original Abstract:From RE//v...

youtu.be

2 3

Reposted

nixCraft @cyberciti.biz · Mar 20

whoever made this one, it is perfect for IT work or life in general.

5 15 110