@cryptax.bsky.social
230 followers 170 following 110 posts
Android malware analysis. Ph0wn CTF founder. IoT hacking. Frequent speaker at Virus Bulletin, Insomnihack etc. Based in France. Currently testing Bluesky. Otherwise on Mastodon.social.
cryptax.bsky.social
Setting up your laptop before the workshop:

- It helps if you have already installed Radare2: radare.org/n/radare2.html.

- If you want to isolate your own OS from the workshop, I recommend Exegol, or Docker, or a Kali VM.

#radare2 #exegol #docker #kali #brucon
cryptax.bsky.social
On Thursday afternoon, I am thrilled to give my first r2ai & ghidraMCP workshop at BruCON.

Prerequisites: you are good to go if you have already reversed a binary (with whatever #disassembler, it doesn't matter) OR if you have basic skills and understanding in #assembly.

#mcp #LLM #AI
cryptax.bsky.social
One of the demos is here: asciinema.org/a/pBPEaJhp6c...

It demonstrates the automatic mode of r2ai, where we can ask a question whose answer requires reading/understanding several functions of the binary.

#radare2 #r2ai #AI #LLM
Linux/Trigona analysis of /fast option
Recorded by cryptax
asciinema.org
cryptax.bsky.social
Slides of my prez at Barb'hack: www.fortiguard.com/events/6189/...

Understand what a recent sample of Linux/Trigona #ransomware does.

Learn how to spot #AI errors (hallucinations, omissions etc), learn how to tweak context length, output token limits to get the best out of your model.

#barbhack25
Publications | FortiGuard Labs
This talk presents 2 different Linux malware: a shellcode, named Linux/Shellcode_ConnectBack.H!tr. The binary is small and compact, but traditional disassemblers like Ghidra fail to p...
www.fortiguard.com
cryptax.bsky.social
Nevertheless, I've done more reverse engineering on Android malware than on Linux malware. I'm not "a strong expert", and r2ai lowered the bar + it quickens the analysis.

I think that's the goal of r2ai: give malware analysts a nice tip when they need one + speed up their work.

n=3
cryptax.bsky.social
Nobody would expect me to play the violin in a concert hall tomorrow, even with the help of AI.
And, to be honest, that wouldn't even be good, it would devalue the profession.
The same applies to anti-virus research.

2/n
cryptax.bsky.social
I had (several) interesting questions yesterday on r2ai.
One of them was that, obviously the tool needed to be used by an experienced reverse engineer.
I'd like to comment a bit further.
I find it normal that such a tool cannot be used by total beginners. All jobs require some adequate training. 1/n
cryptax.bsky.social
Barb'hack is over and it was a pleasure to attend: very nice folks, friendly organizers, excellent food, best rumps lol and a CTF with a videogame interface+ challenges on Minitel. I loved it! Kudos to the staff.
#barbhack25
cryptax.bsky.social
I'm very happy to speak at Barb'hack on Saturday.
barbhack.fr/2025/fr/conf...

There will be 2 demos.
One live.
One recorded - simply because I don't have the guts to do it live ;P

We reverse engineer Linux/Trigona and Linux/Shellcode with radare2 + AI + HI

HI stands for Human Intelligence ;P
This image was generated by Dall-E based on a prompt that describes what Linux/Trigona malware does. The malware is implemented in Delphi, hence the FPC (Free Pascal Compiler).
cryptax.bsky.social
Hey, @lastpass.bsky.social I wish you'd fix that. True, it involves a malicious website, but it's really difficult to spot from the end-user's perspective.
How about asking for a confirmation password before sharing the password database perhaps?
cryptax.bsky.social
Overlays are often used in Android malware.
They are actually a burden to other domains such as browser extensions. This research, by Marek Toth, shows how clickjacking [on hidden overlays] can trick the end-user into sharing his/her entire password manager.

marektoth.com/blog/dom-bas...
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
I described a new attack technique that I used against 11 password managers. The result was that stored data of tens of millions of users could be at risk.
marektoth.com
Reposted
virusbtn.bsky.social
Last chance to share your research at VB2025.

Whether you have fresh research, practical insights, or real-world case studies to share, now is your moment to step into the spotlight!

📅 24 Aug 2025 — only 5 days left
📍 Berlin. 24–26 Sept 2025

👉 tinyurl.com/3mccm8br
Aug 24
Last-minute CFP still open - only 5 days left
VB2025 Berlin 24-26 Sept 2025
cryptax.bsky.social
I've recently set up a LM Studio server, with several models including gpt-oss. I can use it from my disassembler, here to analyze a Linux/Trigona sample.

Learn more about Trigona at Barb'hack on Aug 30 in Toulon.

#AI #malware #reverse #assembly #context #lmstudio #GPT
cryptax.bsky.social
Normally, I don't do Windows malware ;P
This blog post sparked special interest: research.checkpoint.com/2025/ai-evas...

Although after this interesting read, I still wondered how the prompt was launched, exactly what for, and also what the malware did globally. So, I did my own research.
New Malware Embeds Prompt Injection to Evade AI Detection - Check Point Research
Detected for the first time, malware attempts AI evasion by injecting a prompt to tell the LLM to label the file as benign
research.checkpoint.com
cryptax.bsky.social
W32/SkyAI uses AI? So do I.

cryptax.medium.com/w32-skyai-us...

- Where the malware loads the AI prompt, what for, why it fails.
- How to find the encryption key with AI
- Extract & decrypt the embedded PE
- How the malware checks if it's on a VM
- R2ai tips when curl argument is too long
W32/SkyAI uses AI? So do I.
A new sample, named W32/SkyAI (or Topozuy, or Skynet), has recently emerged, showing use of an AI prompt bypass attempt. Perfect occasion to…
cryptax.medium.com
Reposted
bearstech.com
The new zine by @b0rk.jvns.ca: The secret rules of the terminal

👉 jvns.ca/blog/2025/06...
table of contents
cryptax.bsky.social
My code: github.com/cryptax/pico...

I control Pico's eyes and eyebrows + he can speak with a comic-book speech bubble.
Nothing more. Control via a gamepad is not implemented. At @tixlegeek.bsky.social's, it's much more advanced (mouth sync, for example); I'm far from that.
GitHub - cryptax/pico-controller: A web server that animates Pico le Croco
A web server that animates Pico le Croco. Contribute to cryptax/pico-controller development by creating an account on GitHub.
github.com
cryptax.bsky.social
Episode 193 www.youtube.com/watch?v=B7oR... around 1h40 (but everything in this episode is interesting, a gem!)

I reused the idea of running a web server and adding it as a source in OBS. The implementation of the server itself is probably different, though; mine is in Python (Flask).
EP 193 | IOT & RADIO-HACKING Ft. @tixlegeek @FlUxIuS @virtualabsTechno-Watch
YouTube video by Laluka
www.youtube.com
cryptax.bsky.social
Do you know @tixlegeek.bsky.social's videos? With that adorable animated Tux? Well, I really wanted one too. So I did the same with Pico le Croco! I followed the explanations of
@tixlegeek.bsky.social in @laluka.bsky.social's Twitch EP 193, and coded it for Pico :)