ClickFix Gets Creative: Malware Buried in Images
https://www.huntress.com/blog/clickfix-malware-buried-in-images
@IRCyberGuardians
Huntress
Huntress uncovered an attack utilizing a ClickFix lure to initiate a multi-stage malware execution chain. This analysis reveals how threat actors use steganography to conceal infostealers like LummaC2 and Rhadamanthys within seemingly harmless PNGs.
The Fragile Lock: Novel Bypasses For SAML Authentication
https://portswigger.net/research/the-fragile-lock
@IRCyberGuardians
PortSwigger Research
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
Callback hell: abusing callbacks, tail-calls, and proxy frames to obfuscate the stack
https://klezvirus.github.io/posts/Callback-Hell
ThreadPoolExecChain PoC
@IRCyberGuardians
klezVirus
Intercepting LDAP With InterceptSuite https://infosecwriteups.com/intercepting-ldap-with-interceptsuite-45d219c14943
@IRCyberGuardians
Medium
LDAP authentication is everywhere in networks, but intercepting encrypted LDAP traffic can be challenging. LDAP authentication in the web…
Hidden in Plain Sight: A Misconfigured Upload Path That Invited Trouble https://www.varonis.com/blog/misconfigured-upload-path
@IRCyberGuardians
Varonis
A misconfigured upload path exposed a Linux web server to attack. Varonis Threat Labs reveals how it happened and how to prevent future breaches.
DumpChromeSecrets
Extract data from modern Chrome versions, including refresh tokens, cookies, saved credentials, autofill data, browsing history, and bookmarks.
@IRCyberGuardians
Mining_Composite_API_Traffic_to_Prevent_BAC.pdf
"BacAlarm: Mining and Simulating Composite API Traffic to Prevent Broken Access Control Violations", Dec. 2025.
All source code and datasets
@IRCyberGuardians
MongoBleed (CVE-2025-14847) - Unauthenticated Memory Leak PoC
A flaw in the zlib library enables attackers to leak sensitive data from MongoDB servers. The attacker can send the payload without authentication, as the bug is exploited at the network level.
Attackers can exploit this to extract sensitive information from MongoDB servers, including user information, passwords, API keys and more. Although the attacker might need to send a large number of requests to gather the full database, and some data might be meaningless, the more time an attacker has, the more information can be gathered.
Blog: https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
Dork:
Shodan: product:"MongoDB"
HUNTER: product.name="MongoDB"
ZoomEye Dork: app="MongoDB"
Affected versions:
8.2.0 to 8.2.2
8.0.0 to 8.0.16
7.0.0 to 7.0.27
6.0.0 to 6.0.26
5.0.0 to 5.0.31
4.4.0 to 4.4.29
4.2.0 and later
4.0.0 and later
3.6.0 and later
@IRCyberGuardians
Chronomaly — Android / Linux Kernel LPE exploit (CVE-2025-38352)
The exploit was written specifically for Linux kernel v5.10.157, but should work against all vulnerable v5.10.x kernels, as it does not require any specific kernel text offsets to work.
Blog:
• Part 1 - In-the-wild Android Kernel Vulnerability Analysis + PoC
• Part 2 - Extending The Race Window Without a Kernel Patch
• Part 3 - Uncovering Chronomaly
@IRCyberGuardians
ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients
How to leverage misconfigured ADCS templates to gain code execution on HTTPS-enabled WSUS clients.
@IRCyberGuardians
Profilehound
BloodHound OpenGraph collector for user profiles stored on domain machines. Make informed decisions about looting secrets by identifying active user profiles on domain machines.
@IRCyberGuardians
P.S.
BloodHound's HasSession edge is great, but it's only useful when a user is logged into a machine. If a user is not logged into a machine when the data is collected, it's much more difficult to find which computer may contain secrets to facilitate further exploitation. User profiles may contain a significant amount of valuable intel within DPAPI, cached credentials, SSH keys, cloud keys, and more - these don't require an active user session to access.
@IRCyberGuardians
TaskHound
TaskHound hunts for Windows scheduled tasks that run with privileged accounts and stored credentials. It enumerates tasks over SMB, parses XMLs, and identifies high-value attack opportunities through BloodHound integration.
Blog: https://r0bit.io/posts/taskhound.html
@IRCyberGuardians
EDRStartupHinder
Prevents AV / EDR from running by redirecting a core DLL in the System32 folder to another location during Windows startup.
Blog: https://www.zerosalarium.com/2026/01/edrstartuphinder-edr-startup-process-blocker.html
@IRCyberGuardians