🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• RemotePE: The Lazarus RAT that lives in memory - Fox-IT 🔍 Show Kagi Synopsis
  This precis summarizes the findings regarding "RemotePE," a sophisticated, memory-only malware toolset attributed to a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations 【1】.
  
  ### What Happened
  A Lazarus subgroup has transitioned from using older tools like ThemeForestRAT and PondRAT to a more advanced, three-stage, memory-only toolset. This chain—consisting of **DPAPILoader**, **RemotePELoader**, and **RemotePE**—is designed for long-term, stealthy persistence. The toolset is purpose-built to minimize forensic footprints, allowing the actor to maintain access for extended periods before executing high-impact objectives like data theft or financial heists 【1】.
  
  ### Who Is Affected
  The campaign primarily targets financial and cryptocurrency organizations. The actor utilizes an "actor-in-the-loop" delivery model, suggesting the toolset is reserved for high-value targets where long-term, stealthy access is required 【1】.
  
  ### Security Implications
  * **Forensic Evasion:** By using environmental keying (DPAPI) and executing the final RAT entirely in memory, the actor ensures that disk-based forensic imaging will not yield recoverable artifacts of the RemotePE payload 【1】.
  * **Static Analysis Resistance:** Because the encrypted payloads are tied to specific victim DPAPI keys, samples uploaded to repositories like VirusTotal are effectively useless for analysis without the original environment's keys 【1】.
  * **EDR Evasion:** The toolset actively bypasses security products by unhooking userland API hooks and suppressing Event Tracing for Windows (ETW) telemetry 【1】.
  
  ### Technical Details
  The toolset operates as a three-stage chain:
  1. **DPAPILoader:** A DLL masquerading as a Windows service (e.g., "Internet Authentication Service"). It decrypts the next stage from disk using DPAPI and XOR operations (environmental keying) and loads it into memory 【1】.
  2. **RemotePELoader:** Responsible for beaconing to a C2 server to retrieve the final RemotePE module. It employs **HellsGate/TartarusGate** to resolve direct syscalls (bypassing EDR hooks) and patches `EtwEventWrite` to disable ETW logging 【1】.
  3. **RemotePE:** A multithreaded, C++ based RAT that runs entirely in memory. It features a plugin system for "shellcodified DLLs," secure file deletion (multi-pass overwrite), and robust C2 communication logic 【1】.
  
  ### What Defenders Should Know
  * **Host-Based Detection:** Focus on identifying DPAPI-encrypted blobs in unusual directories (e.g., `DeviceMetadataStore`) and monitoring for suspicious DLLs masquerading as legitimate Windows services or sideloaded modules 【1】.
  * **Network-Based Detection:** Monitor for DNS queries and SNI fields associated with known C2 domains. Organizations utilizing TLS inspection should look for characteristic JSON keys and cookie fields, though they should be tuned to avoid false positives against legitimate Microsoft traffic 【1】.
  * **Resources:** The original article provides YARA rules, IOCs, and decrypted samples to assist in detection and response efforts 【1】.
• North Korean cyber hackers and masterminds behind gambling sites... Sentenced to 5 years in prison in the first trial - Yonhap News Agency 🔍 Show Kagi Synopsis
  Based on the report regarding the criminal activities involving North Korean state-sponsored entities and domestic illegal gambling operations, here is a detailed precis of the incident.
  
  ### Incident Overview
  Between 2022 and 2024, a South Korean individual (referred to as Kim) operated a criminal organization that collaborated with North Korean hackers to develop and distribute illegal gambling websites within South Korea 【1】. Kim was recently sentenced to a significant prison term for his role in this operation, which involved creating 16 illegal gambling platforms across 71 domains 【1】 【1】.
  
  ### Involved Parties
  * **Perpetrator:** A South Korean national who acted as the leader of the gambling site distribution organization 【1】.
  * **North Korean Entities:** Hackers affiliated with the **313 General Bureau** (formerly the Korea Computer Center) and the **Reconnaissance General Bureau’s 5th Bureau** (formerly the 35th Room/Overseas Intelligence Bureau) 【1】.
  
  ### Technical and Operational Details
  The operation functioned as a service-based model where North Korean developers provided the technical infrastructure and software for the gambling platforms, which were then sold to domestic operators in South Korea 【1】. The 313 General Bureau, which oversees North Korea's IT strategy, utilized bases in locations such as Dandong, China, to provide these illicit programming services to generate foreign currency 【1】.
  
  ### Security Implications
  * **Illicit Financing:** The operation generated approximately 23.5 billion KRW in total illegal revenue. It is estimated that at least 7 billion KRW (roughly 30%) was funneled directly to the North Korean regime, serving as a source of illicit funding for state operations 【1】.
  * **Strategic Threat:** The 313 General Bureau is not merely a commercial entity; it serves as a forward base for cyber warfare operations against South Korea, meaning that the technical infrastructure used for these gambling sites could potentially be repurposed for broader cyber-espionage or disruptive attacks 【1】.
  * **National Security:** The court noted that the defendant was aware the funds were being transferred to the North Korean regime, ruling that such financial support poses a direct threat to the security and fundamental democratic order of South Korea 【1】.
  
  ### Recommendations for Defenders
  * **Supply Chain Awareness:** Organizations and security professionals should be aware that North Korean state-sponsored actors are actively engaged in the "software-as-a-service" market for illicit industries. Any engagement with offshore development teams, particularly those operating in regions with known North Korean presence (like border cities in China), carries a high risk of state-sponsored involvement.
  * **Financial Monitoring:** Financial institutions and law enforcement should monitor for unusual, high-volume transactions involving gambling-related entities, as these are primary vehicles for North Korean revenue generation.
  * **Threat Intelligence:** Defenders should incorporate intelligence regarding the 313 General Bureau and the Reconnaissance General Bureau into their threat modeling, specifically focusing on the TTPs (Tactics, Techniques, and Procedures) used by these groups to establish and maintain remote infrastructure.
• Paved With Intent: ROADtools and Nation-State Tactics in the Cloud - Palo Alto Networks 🔍 Show Kagi Synopsis
  Thank you for the summary. Based on the article, here is the detailed precis covering the requested areas:
  
  ### What Happened
  The open-source framework **ROADtools**, originally developed for security research and red-teaming, has been increasingly weaponized by nation-state threat actors to conduct malicious operations within Microsoft Entra ID (formerly Azure AD) environments 【1】. Adversaries leverage the framework's ability to interact with legitimate Microsoft APIs and authentication flows to perform reconnaissance, establish persistence, and evade traditional security detections 【1】.
  
  ### Who Is Affected
  Any organization utilizing Microsoft Entra ID is a potential target. The article highlights that sophisticated nation-state groups, specifically **Midnight Blizzard (APT29)**, **Curious Serpens (APT33)**, and **UTA0355**, have incorporated ROADtools into their attack playbooks for targeted campaigns 【1】.
  
  ### Security Implications
  * **Persistence:** Threat actors utilize the `roadtx` module to register rogue devices. This allows them to maintain long-term, durable access to the environment, often bypassing Multi-Factor Authentication (MFA) and Conditional Access policies 【1】.
  * **Defense Evasion:** Because the tool utilizes legitimate APIs and allows for the customization of request attributes (such as user-agent strings), malicious activity can easily blend in with benign administrative traffic 【1】. Furthermore, the use of stolen tokens, including Primary Refresh Tokens (PRTs), enables attackers to maintain access without triggering repeated interactive login alerts 【1】.
  * **Discovery:** The `roadrecon` module allows attackers to perform comprehensive enumeration of users, groups, roles, devices, and service principals, providing them with a detailed map of the environment to facilitate lateral movement and privilege escalation 【1】.
  
  ### Technical Details
  ROADtools is a Python-based framework designed for interacting with Entra ID, composed of three primary components:
  * **`roadrecon`:** A module focused on internal discovery and environment enumeration, which stores gathered data in a local SQLite database for offline analysis 【1】.
  * **`roadtx`:** A tool for token acquisition, exchange, and manipulation, supporting various OAuth 2.0 and OpenID Connect flows to facilitate authentication bypasses 【1】.
  * **`roadlib`:** The underlying library layer that manages low-level authentication and API request handling 【1】.
  
  ### What Defenders Should Know
  Detecting ROADtools is challenging because it mimics legitimate administrative behavior. Defenders should focus on the following strategies:
  * **Preventive Controls:** Organizations should implement Entra ID token protection, restrict device code flow via Conditional Access policies, audit OAuth applications for excessive permissions, and strictly enforce the principle of least privilege 【1】.
  * **Anomaly Hunting:** Security teams should monitor for indicators such as scripted user agents (e.g., `python-requests`), unusual service principal activity, and high-volume, repetitive Microsoft Graph API queries 【1】.
  * **Log Correlation:** It is critical to aggregate Azure audit logs, Microsoft Graph API activity, and sign-in logs into a SIEM to identify suspicious patterns that might otherwise go unnoticed in isolated logs 【1】.
  * **Detection Queries:** The article provides specific Cortex XQL queries designed to hunt for unauthorized device registration, token misuse, and bulk Graph API enumeration, which defenders can use to baseline and monitor their environments 【1】.
• Sharp Eyes: Mass surveillance of foreigners in China - Part 1 - NetAskari 🔍 Show Kagi Synopsis
  This report provides a precis of the findings regarding a specialized surveillance system identified by *NetAskari*.
  
  ### What Happened
  *NetAskari* gained exclusive access to a web-based front-end for a remote tracking system developed for the Public Security Bureau in Zhangjiakou, China. The system is a functional demonstration of the "Sharp Eyes" (*Xueliang*) project, a long-term, nationwide Chinese surveillance initiative. It contains real data on foreign nationals who have resided or currently reside in China, providing a clear view of the state's advanced mass surveillance capabilities 【1】 【1】 【1】.
  
  ### Who Is Affected
  The system specifically targets foreign nationals. Notable groups identified include:
  * **Foreign Journalists:** The system includes a dedicated "Inquiry for Journalist files" section containing detailed dossiers on foreign journalists based in Beijing around 2021, including passport numbers, ID photos from visa applications, and private phone numbers 【1】.
  * **Long-term Residents:** Foreigners working or residing in the Zhangjiakou prefecture are tracked on a daily basis 【1】.
  * **"Five Eyes" Citizens:** Statistics within the system indicate a blanket suspicion and specific focus on citizens from the UK, USA, Australia, New Zealand, and Canada 【1】.
  
  ### Security Implications
  The system represents a shift from manual monitoring to automated, high-efficiency surveillance. It enables real-time tracking and predictive policing by aggregating disparate datasets to build comprehensive profiles of individuals. The ability to perform group analysis and map social interconnections allows authorities to monitor relationships and interactions without significant human resources, effectively automating the surveillance process 【1】 【1】.
  
  ### Technical Details
  The system functions as a data aggregator, pulling from both official and private streams to create a granular view of a subject's life:
  * **Data Sources:** It integrates traditional facial-recognition-enabled surveillance cameras, travel records (train, airplane, and car companies), hotel registrations, hospital visits, and even facial recognition data from private ski-pass systems 【1】 【1】.
  * **Granularity:** Movement data is highly detailed, including specific train carriage and seat numbers, as well as frequency of sightings via public cameras 【1】 【1】.
  * **Analytics:** The platform uses this data to generate relationship models, identifying how targets are socially interconnected 【1】.
  
  ### What Defenders Should Know
  For those operating in or analyzing such environments, the key takeaway is the "holistic" nature of modern surveillance. Defenders and security professionals should recognize that:
  * **Data Fusion is Key:** Surveillance is no longer just about cameras; it is the synthesis of travel, medical, commercial, and identity data.
  * **Privacy is Compromised at Entry:** Official processes, such as visa applications, act as primary data-collection points for government dossiers 【1】.
  * **Private Systems are Integrated:** Commercial facial recognition systems (like those at ski resorts) are not isolated; they are potential nodes in a larger state surveillance network 【1】.
• Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability - Google 🔍 Show Kagi Synopsis
  This precis outlines the critical security vulnerability identified in KnowledgeDeliver, a learning management system (LMS), which is now tracked as **CVE-2026-5426** 【1】.
  
  ### What Happened
  Threat actors exploited a deserialization vulnerability to gain unauthorized access to internet-facing KnowledgeDeliver instances. By leveraging hardcoded, identical `machineKey` values that were shared across independent customer deployments, attackers were able to craft and execute malicious payloads, ultimately deploying an in-memory web shell known as **BLUEBEAM** (or Godzilla) to maintain persistence and execute commands 【1】 【1】.
  
  ### Who Is Affected
  Organizations running KnowledgeDeliver installations deployed before **February 24, 2026**, are affected. These versions relied on a standardized `web.config` file provided by the vendor that contained the vulnerable, hardcoded `machineKey` values 【1】.
  
  ### Security Implications
  The primary implication is the potential for full system compromise. Because the `machineKey` was identical across different customer environments, a threat actor who obtained the key from one deployment could compromise any other internet-facing instance 【1】. The deployment of the BLUEBEAM web shell allows attackers to operate entirely in memory within the IIS worker process (`w3wp.exe`), making detection via traditional file-based scanning extremely difficult 【1】.
  
  ### Technical Details
  * **Vulnerability Mechanism:** The ASP.NET framework uses the `machineKey` to encrypt and sign data, including the `__VIEWSTATE` parameter used to persist page state across postbacks.
  * **Exploitation:** When the `machineKey` is known, an attacker can craft a malicious ViewState payload. By sending this payload in an HTTP request, the attacker forces the server to deserialize it, leading to remote code execution 【1】.
  * **Persistence:** The BLUEBEAM web shell operates in-memory and receives further commands via encrypted data in HTTP POST request bodies 【1】.
  
  ### What Defenders Should Know
  * **Detection:** Monitor Windows Application logs for **Event ID 1316** from the `ASP.NET 4.0.30319.0` source.
  * An "Integrity Failure" indicates an attack attempt with an incorrect key.
  * An "Invalid ViewState" error confirms that integrity checks were passed, meaning a deserialization attempt occurred and may have succeeded 【1】.
  * **Remediation:**
  * **Rotate Machine Keys:** Immediately generate a unique, cryptographically strong `machineKey` for every KnowledgeDeliver instance to invalidate the shared secret 【1】.
  * **Restrict Access:** Limit access to the LMS to known, trusted organizational IP address ranges where feasible 【1】.
• Apex One and Vision One – Standard Endpoint Protection (SEP) May 2026 Security Bulletin - TrendAI has observed at least one instance of an attempt to actively exploit one of these vulnerabilities - Trend Micro 🔍 Show Kagi Synopsis
  On May 21, 2026, TrendAI released security updates for Apex One (on-premise), Apex One as a Service, and Vision One - Standard Endpoint Protection (SEP) to address a series of vulnerabilities, including several that have been observed being exploited in the wild 【1】.
  
  ### What Happened
  TrendAI issued patches for eight vulnerabilities (CVE-2026-34926 through 34930 and CVE-2026-45206 through 45208) affecting Windows-based endpoint security products 【1】. Notably, the company has confirmed at least one instance of active exploitation in the wild 【1】.
  
  ### Who Is Affected
  The vulnerabilities affect the following Windows-based products 【1】:
  * **Apex One (On-premise)**: Server and agent builds below 17079.
  * **Apex One as a Service / Vision One SEP**: SaaS agent builds below 14.0.20731.
  
  ### Security Implications
  The vulnerabilities pose a significant risk, with CVSS 3.1 scores ranging from 6.7 to 7.8 (Medium to High severity) 【1】.
  * **Server Compromise**: The directory traversal vulnerability (CVE-2026-34926) could allow an attacker with existing administrative credentials to inject malicious code, which could then be deployed to agents across the environment 【1】.
  * **Local Privilege Escalation (LPE)**: The remaining vulnerabilities (CVE-2026-34927 through CVE-2026-45208) allow a local attacker who has already achieved low-privileged code execution on a system to escalate their privileges to a higher level 【1】.
  
  ### Technical Details
  The vulnerabilities are categorized into three primary types 【1】:
  * **Directory Traversal (CWE-23)**: Affects the Apex One server, allowing unauthorized modification of key tables 【1】.
  * **Origin Validation Errors (CWE-346)**: Affects various inter-process and named pipe communication mechanisms in the security agent, enabling LPE 【1】.
  * **Time-of-Check Time-of-Use (CWE-367)**: A race condition in the security agent that also facilitates LPE 【1】.
  
  ### What Defenders Should Know
  * **Immediate Action**: Organizations must update to the latest builds immediately to mitigate the risk of exploitation 【1】.
  
  | Product | Minimum Required Version |
  | :--- | :--- |
  | **Apex One (on-prem)** | SP1 CP Build 18012 (or SP1 Build 17079 for new installs) 【1】 |
  | **Apex One as a Service / Vision One SEP** | Security Agent build 14.0.20731 【1】 |
  
  * **Mitigation**: While exploitation typically requires an attacker to already have access to a machine (physical or remote), defenders should review remote access policies and ensure perimeter security is robust 【1】.
• Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer - Aikido Security 🔍 Show Kagi Synopsis
  This precis summarizes the supply chain attack targeting the Laravel-Lang ecosystem as reported by Aikido.
  
  ### **What Happened**
  On May 22, 2026, an active supply chain attack was identified targeting the `laravel-lang` ecosystem. Attackers successfully published 233 compromised version tags across three popular repositories. The attack was uniquely sophisticated because the malicious code was never committed to the official repositories; instead, the attackers exploited a feature in GitHub that allows version tags to point to commits from a malicious fork they controlled. These tags were then used to inject credential-stealing code that executed automatically via Composer’s autoloader.
  
  ### **Who Is Affected**
  Users of the following packages who installed or updated to the compromised versions are affected:
  * `laravel-lang/lang`
  * `laravel-lang/attributes`
  * `laravel-lang/http-statuses`
  
  Packagist has since taken down the malicious versions and temporarily unlisted the affected packages to prevent further installations.
  
  ### **Technical Details**
  The attack followed a two-stage execution process:
  1. **Stage 1 (The Dropper):** A file named `src/helpers.php` was introduced. It appeared to be a standard localization helper but contained a self-executing block that fingerprinted the host machine. It then fetched a payload from `flipboxstudio[.]info/payload` (using insecure connections) and executed it via `cscript` on Windows or `exec()` on Linux/macOS.
  2. **Stage 2 (The Stealer):** The payload was a ~5,900-line PHP script designed to harvest a massive range of sensitive data. Once collected, the data was encrypted with AES-256, exfiltrated to `flipboxstudio[.]info/exfil`, and the script deleted itself to minimize forensic traces.
  
  ### **Security Implications**
  The scope of the data theft was extensive, targeting virtually every sensitive file and credential stored on a developer's machine, including:
  * **Cloud & Infrastructure:** AWS, GCP, and Azure credentials; kubeconfig files, Docker configurations, and HashiCorp Vault tokens.
  * **Developer Secrets:** SSH private keys, `.git-credentials`, shell history files, and various package manager auth files (e.g., `.npmrc`, `.composer/auth.json`).
  * **Browsers & Password Managers:** Saved passwords from 17 Chromium-based browsers, Firefox/Thunderbird data, and local vaults for 1Password, Bitwarden, and KeePass.
  * **Other:** Cryptocurrency wallets, VPN configurations, and communication platform tokens (Slack, Discord, Telegram).
  
  ### **What Defenders Should Know**
  * **Indicators of Compromise (IoCs):** Monitor network traffic for connections to `flipboxstudio[.]info`. Check system temp directories for the presence of `.laravel_locale/` folders, which contain infection markers, dropped PHP stealers, or `.vbs` launchers.
  * **Remediation:** If you suspect your environment was compromised, assume all credentials stored on those machines—including cloud keys, SSH keys, and password manager vaults—are compromised. Rotate all secrets immediately.
  * **Detection & Prevention:** Security teams should utilize tools that perform deep dependency scanning. Aikido, for instance, provides malware detection for installed packages and "Safe Chain" functionality to intercept and verify packages during the installation process.
• CVE-2026-20700: A controlled exploration of dyld's page-in linking and chained fixup machinery as a PAC signing oracle, in the context of CVE-2026-20700. - R3n3r0 🔍 Show Kagi Synopsis
  The provided repository details a proof-of-concept (PoC) for **CVE-2026-20700**, a vulnerability in the Apple dynamic linker (`dyld`) on `arm64e` systems. It demonstrates how `dyld` can be coerced into acting as a **Pointer Authentication Code (PAC) signing oracle**.
  
  ### What Happened
  The vulnerability exploits the way `dyld` handles "chained fixups"—a mechanism used to resolve symbols and relocate pointers when a binary is loaded. By crafting a malicious Mach-O dylib, an attacker can manipulate this process to force `dyld` to write PAC-valid function pointers into arbitrary, attacker-chosen memory locations within the `__DATA` segment.
  
  ### Who is Affected
  The PoC was specifically tested on an **iPhone 14 running iOS 18.5 (arm64e)**. The vulnerability is inherent to the `arm64e` architecture, which relies on hardware-level PAC to authenticate function pointers.
  
  ### Security Implications
  This is a high-severity primitive because it effectively bypasses PAC, a critical hardware security feature designed to prevent control-flow hijacking.
  * **PAC Bypass:** By using `dyld` as a "signing oracle," an attacker can generate cryptographically valid pointers that the hardware will accept.
  * **Control-Flow Hijacking:** The PoC demonstrates that these forged, PAC-valid pointers can be registered as event handlers (e.g., `dispatch_source_t` timers) and executed naturally by the system, allowing for arbitrary code execution without triggering PAC violations.
  
  ### Technical Details
  * **Chained Fixup Manipulation:** The exploit uses a hand-crafted Mach-O file to trigger specific behaviors in `dyld`'s page-in linking machinery.
  * **The "Gate" Stress:** The PoC uses a large number of bind targets (up to 99,000 symbols) to stress the `dyld` page-in linking gate, which is necessary to reach the vulnerable code paths.
  * **Deterministic Execution:** The PoC proves branch reachability by inducing a deterministic crash in `fixupPage64` when malformed `page_start` or `next` values are provided.
  * **Event Loop Integration:** The final stage of the PoC registers the forged pointer as a timer handler, demonstrating that the system's own event loop will execute the attacker-controlled code.
  
  ### What Defenders Should Know
  * **Detection:** Defenders should monitor for anomalous `dyld` activity, particularly processes that load an unusually high number of symbols or exhibit suspicious Mach-O header structures.
  * **Analysis Tools:** The repository includes several tools that can be used to audit binaries for potential exploitation:
  * `tools/scan_pointers.py`: Identifies writable/readable pointer sections.
  * `tools/inspect_fixups.py`: Parses `LC_DYLD_CHAINED_FIXUPS` headers to identify potentially malicious layouts.
  * **Mitigation:** The exploit relies on the ability to load custom, hand-crafted dylibs. Restricting the ability to load unsigned or improperly signed code (e.g., via strict code signing policies and sandbox restrictions) remains a primary defense.
• Fix: CVE-2025-33073 NTLM reflection not exploitable on pre-NT10.0 systems by azoxlpf · Pull Request #1245 · Pennyw0rth/NetExec - Pennyw0rth 🔍 Show Kagi Synopsis
  This pull request in the `NetExec` repository provides critical clarification regarding the exploitability of **CVE-2025-33073**, an NTLM reflection vulnerability 【1】.
  
  ### Summary of Findings
  The pull request establishes that CVE-2025-33073 is **architecturally impossible to exploit on Windows systems prior to NT 10.0** (i.e., versions older than Windows 10 or Windows Server 2016), regardless of whether those systems are patched or unpatched 【1】.
  
  ### Technical Details
  The vulnerability relies on a specific function, `MsvIsIpAddressLocal`, located within `msv1_0.dll` 【1】.
  * **Dependency:** This function was introduced in Windows NT 10.0.
  * **Mechanism:** On older operating systems (such as Windows Server 2003, 2008, and 2012 R2), this export does not exist.
  * **Failure Chain:** Because the function is missing, the marshalled target name is never parsed, the `NTLMSSP_NEGOTIATE_LOCAL_CALL` (0x4000) flag is never set in the NTLM CHALLENGE, and the legacy MS08-68 protection continues to block reflection as a standard relay 【1】.
  
  ### Who is Affected
  The vulnerability is limited to Windows systems running **Windows NT 10.0 or later** (Windows 10, Windows Server 2016, and subsequent versions). Systems running older Windows versions are inherently immune to this specific reflection vector 【1】.
  
  ### Guidance for Defenders
  * **Verification:** Security teams testing for this vulnerability on legacy systems (e.g., Windows Server 2003, 2008 R2, or 2012 R2) should expect relay attempts to fail.
  * **Testing Results:** Even when SMB signing is disabled and authentication is coerced via methods such as `PrinterBug` or `PetitPotam`, the relay will not succeed on these older platforms 【1】.
  * **Prioritization:** Defenders should focus their mitigation and patching efforts for CVE-2025-33073 on modern Windows environments (NT 10.0+), as legacy systems do not require patches to address this specific architectural limitation 【1】.
• relay_bible: Technical Reference to multiple relay techniques - rootsecdev 🔍 Show Kagi Synopsis
  The "Relay Bible" is a comprehensive, centralized reference guide designed for authorized internal penetration testing, focusing on the mechanics, exploitation, and mitigation of NTLM and Kerberos relay attacks.
  
  ### What Happened
  The repository serves as a knowledge base for relay-based authentication attacks, which exploit the way Windows services handle authentication requests. A notable recent addition is the documentation of **CVE-2026-20929** (discovered in January 2026), a primitive that enables Kerberos relay via DNS CNAME abuse. This allows attackers to poison DNS, forcing clients to request Ticket Granting Service (TGS) tickets for attacker-chosen targets, which are then relayed to gain unauthorized access.
  
  ### Who Is Affected
  Organizations running Windows-based internal networks are the primary targets. The effectiveness of these attacks depends heavily on the configuration of individual services and whether they enforce modern security controls.
  
  ### Security Implications
  Relay attacks allow an attacker to impersonate a user or machine by intercepting and forwarding their authentication credentials to a different service.
  * **NTLM Relay:** Historically limited by SMB signing requirements. The guide highlights that SMB-sourced NTLM is often ineffective against high-value targets like LDAP or Active Directory Certificate Services (ADCS) because it includes signing flags the attacker cannot satisfy. HTTP/WebDAV-sourced authentication is preferred for these targets.
  * **Kerberos Relay (CVE-2026-20929):** This technique bypasses many traditional SPN-based restrictions. The success of the attack is no longer gated by the source SPN class, but rather by whether the target service enforces its own anti-relay controls.
  
  ### Technical Details
  The guide provides a breakdown of relay capabilities across various protocols:
  
  | Source Auth | → SMB | → LDAP | → MSSQL | → HTTP | → ADCS | → SOCKS |
  | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
  | **SMB** | ✅* | ❌† | ✅ | ✅ | ❌† | ✅ |
  | **HTTP** | ✅* | ✅ | ✅ | ✅ | ✅ | ✅ |
  | **WebDAV** | ✅* | ✅ | ✅ | ✅ | ✅ | ✅ |
  | **MSSQL** | ✅* | ✅ | ✅ | ✅ | ✅ | ✅ |
  
  *\*Target must not require SMB signing.*
  *†SMB-sourced NTLM includes signing flags that LDAP and ADCS enforce, causing the relayed session to fail.*
  
  For Kerberos relay, the attack requires the attacker to have a network position to poison DNS (e.g., via DHCPv6/mitm6, ARP, or rogue DHCPv4).
  
  ### What Defenders Should Know
  Defenders must prioritize hardening services against relay primitives. Key defensive strategies include:
  
  * **Implement Robust Mitigations:** Enforce SMB signing, LDAP signing, and Extended Protection for Authentication (EPA) across the environment.
  * **Specific Service Controls:**
  * **LDAPS:** Ensure `LdapEnforceChannelBinding` is set to `2` (Always).
  * **HTTP/IIS/ADCS:** Ensure HTTP Channel Binding Tokens (CBT) are enforced (via `HTTP.sys` token checking).
  * **Exchange:** Enable EPA on all virtual directories.
  * **Detection:** Utilize log sources and Sigma rules to identify behavioral indicators of relay attempts, as these attacks often leave distinct traces in network and authentication logs.
• SYLK 文件格式的武器化滥用 – Weaponization and abuse of the SYLK file format - Ghost Wolf Lab 🔍 Show Kagi Synopsis
  基于对所提供文章的分析，以下是关于 SYLK 文件格式被滥用以执行恶意 XLM 宏的详细综述：
  
  ### 1. 事件概述
  攻击者正在利用一种古老的表格数据交换格式——**SYLK (Symbolic Link)**，将其作为载体来隐藏和执行 **Excel 4.0 (XLM) 宏**。由于 SYLK 文件格式在 Microsoft Office 生态系统中享有“默认信任”地位，且其处理机制与现代 VBA 宏截然不同，攻击者得以绕过多种安全防御措施，实现低风险、高成功率的恶意代码执行。
  
  ### 2. 受影响范围
  * **软件环境：** Microsoft Office（包括 2010、2013、2016 及更新版本）以及 Microsoft Office for Mac。
  * **特定风险：** 运行过时版本（如 Microsoft Office for Mac 2011）的用户面临极高风险，因为该版本存在一个已停止支持的永久性漏洞，会导致恶意宏在打开时静默执行，无需任何用户交互或安全警告。
  
  ### 3. 安全隐患与技术细节
  * **绕过沙箱：** SYLK 文件不受 Windows“受保护视图”（Protected View）沙箱的限制，这意味着即使文件带有“网络标记”（Mark of the Web），用户打开时也不会触发宏执行拦截或安全警告。
  * **规避网关拦截：** 由于 `.slk` 扩展名通常不在电子邮件网关（Outlook/OWA）或浏览器安全黑名单的拦截列表中，恶意文件能以极高的送达率进入用户收件箱。
  * **高伪装性：** Excel 解析器依据文件内容（如以 `ID;P` 开头）而非扩展名来识别格式。攻击者可将恶意文件伪装为 `.csv` 文件，利用用户对 CSV 格式“纯文本、无宏”的认知误区，诱导用户点击并激活宏。
  * **AMSI 盲区：** Windows 的反恶意软件扫描接口（AMSI）目前仅针对 VBA 宏设计，无法解析 Excel 4.0/XLM 宏的语法与执行上下文。这使得该攻击链完全处于 AMSI 的监控盲区。
  
  ### 4. 给防御者的建议
  * **更新与补丁：** 确保所有用户使用受支持的 Office 版本，并彻底淘汰已停止支持的旧版本（如 Office 2011）。
  * **强化网关策略：** 建议在邮件网关和 Web 代理中将 `.slk` 扩展名列入黑名单，防止其进入企业环境。
  * **端点检测局限性：** 意识到主流杀毒软件对 `.slk` 文件的启发式检测可能滞后。防御者应关注针对 XLM 宏特有语法（如 `Auto_open` 触发器、`EXEC()` 函数）的检测规则，而非仅依赖 VBA 特征库。
  * **用户教育：** 警惕即使是看似无害的 `.csv` 文件，如果 Excel 弹出关于“SYLK 格式”的转换提示，应保持高度警惕并拒绝打开。
• The Gold Mine Red Teamers Never Touch - "read the Windows source code. Both Windows XP and Server 2003." [to make their tools blend in] - Abdul Mhanni 🔍 Show Kagi Synopsis
  The article "The Gold Mine Red Teamers Never Touch" by Abdul provides a compelling argument for why security professionals should move beyond official documentation and leverage the leaked Windows Server 2003/XP source code to gain a deeper understanding of Windows internals.
  
  ### What Happened
  The author argues that there is a persistent gap between Microsoft’s official protocol specifications (MS-* documents) and the actual implementation of these protocols within the Windows operating system. By analyzing the leaked source code, the author demonstrates that one can uncover the "truth" behind how Windows handles core protocols, moving past the idealized "gold standard" described in documentation to understand the specific behaviors, defaults, and quirks that define real-world Windows traffic.
  
  ### Who Is Affected
  * **Red Teamers/Tool Developers:** Those creating offensive tools or exploits who need to ensure their traffic is indistinguishable from legitimate Windows activity.
  * **Blue Teamers/Detection Engineers:** Security professionals responsible for building high-fidelity detections who need to understand the nuances of "normal" Windows behavior to reduce false positives and identify subtle malicious activity.
  
  ### Security Implications
  Relying exclusively on specifications rather than implementation details creates significant blind spots:
  * **Detection Evasion:** Offensive tools that strictly follow specifications but deviate from Windows' specific implementation patterns are often easily flagged by behavioral analysis.
  * **Ineffective Detections:** Defensive rules that do not account for the "SHOULD/MAY" behaviors or implementation-specific defaults of Windows often result in noisy, unreliable alerts.
  
  ### Technical Details
  The article provides concrete examples of how source code analysis clarifies protocol behavior:
  * **Kerberos:** It reveals that Windows sets specific, non-default flags (e.g., `forwardable`, `renewable`) and uses specific sentinel values for ticket lifetimes (resulting in dates around 2037). It also explains why Windows etype lists are often longer than those generated by common tools.
  * **NTLM:** The source code clarifies the consistent baseline of negotiate flags (e.g., `NEGOTIATE_OEM`, `NEGOTIATE_ALWAYS_SIGN`) that Windows sends.
  * **SPN Casing:** It clarifies the logic behind how service class casing is inherited versus how hostnames are downcased.
  
  ### What Defenders Should Know
  * **Research Workflow:** When encountering an anomaly in traffic or logs, defenders should use the source code as a primary reference to trace the actual decision-making logic, especially when specifications are ambiguous or silent.
  * **High-Value Targets:** The article identifies key directories for research, such as `ds/` (Directory Services), `base/` (Core OS), and `com/` (RPC/DCOM).
  * **Detection Strategy:** Effective detections should focus on behaviors that are consistent across Windows versions, occur prior to authentication, are difficult for attackers to normalize, and—crucially—can be directly explained by the underlying source code logic.
• honeyslop: Code canaries to quickly triage hallucinated ('slop') vulnerability reports - Gadi Evron, John Cartwright, Daniel Cuthbert, and Michal Kamensky 🔍 Show Kagi Synopsis
  The **HoneySlop** project provides a framework of "code canaries"—deliberate, decoy code snippets designed to combat the rising tide of AI-hallucinated ("slop") and unverified vulnerability reports plaguing open-source maintainers 【1】.
  
  ### What Happened
  Open-source projects are increasingly overwhelmed by automated, AI-generated security reports that often hallucinate vulnerabilities or misidentify benign code as dangerous. HoneySlop introduces "adversarial noise injection" by embedding decoy files into a codebase. When an automated scanner or LLM-based tool crawls the repository, it ingests these decoys and generates a vulnerability report based on them. Because these reports are derived from the canary, they contain specific "tells" (like unique UUIDs or fake function names) that allow maintainers to identify and dismiss them instantly 【1】.
  
  ### Who is Affected
  * **Target Audience:** Open-source maintainers and security teams who are drowning in low-quality, automated, or AI-generated vulnerability reports.
  * **Threat Actors:** The project targets automated scanners, LLM-based security pipelines, and "slop" generators that scan source code for patterns of vulnerabilities without human verification 【1】.
  
  ### Security Implications
  * **Signal-to-Noise Ratio:** By forcing scanners to flag decoys, maintainers can quickly filter out automated noise, allowing them to focus on genuine security issues.
  * **Resource Exhaustion:** Some stages of HoneySlop (Stages F+G) are designed to force agentic LLM scanners to exhaust their full iteration budget, increasing the cost and time required for attackers to scan the project 【1】.
  * **Risk of "Going Live":** The decoys are intentionally written to look like vulnerable code (e.g., using `memcpy` or `pickle.loads`). If these files are accidentally included in a build or made reachable, they could introduce actual vulnerabilities into the production environment 【1】.
  
  ### Technical Details
  The project uses two categories of canaries:
  * **Scanner-Flag (Stages A–E):** These contain CWE sinks, fake secrets, and "heartbleed-style" silhouettes designed to trip scanners 【1】.
  * **Resource-Waste (Stages F+G):** These use complex DAGs (Directed Acyclic Graphs) of request handlers to force LLMs to perform intensive analysis 【1】.
  
  **Key mechanisms include:**
  * **UUIDs/Shibboleths:** Each canary embeds a unique UUID and specific function names (e.g., `zqxTarnishV3`) that act as a signature for the decoy 【1】.
  * **Fake CVEs:** The inclusion of fake identifiers like `CVE-2025-99919` provides an easy grep-based filter for maintainers 【1】.
  * **Plausibility:** The code is written to look like deprecated modules, avoiding obvious "honeypot" terminology to ensure scanners treat them as legitimate source code 【1】.
  
  ### What Defenders Should Know
  * **Implementation:** Defenders must ensure these files are **excluded** from build artifacts, CI/CD static analysis, and production deployments to prevent them from being compiled or executed 【1】.
  * **Maintenance:** Canaries require active management. UUIDs and fake CVEs should be rotated annually to prevent scanners from learning to ignore them. Maintainers must also protect these files from well-meaning contributors who might try to "clean up" the code 【1】.
  * **Triage:** Maintainers should add specific triage rules to their `SECURITY.md` or internal workflows, such as automatically closing any report that references the canary UUIDs or the fake function names 【1】.
  * **Warning:** The project explicitly warns that this code is "vulnerable-shaped" and should never be run or deployed in a real environment 【1】.
• YouTube SMS Blaster Ad Displays Scam Messages That Impersonate Telcos - Eric Priezkalns 🔍 Show Kagi Synopsis
  This precis outlines the concerns raised regarding the promotion of illegal telecommunications equipment on YouTube.
  
  ### **What Happened**
  YouTube has been hosting advertisements for "SMS blasters"—portable, illicit base stations manufactured in China that allow criminals to broadcast fraudulent text messages directly to mobile devices 【1】. A specific advertisement was identified that explicitly demonstrates this equipment being used to impersonate Globe and Smart, the two largest telecommunications operators in the Philippines, to conduct "smishing" (SMS phishing) campaigns 【1】.
  
  ### **Who Is Affected**
  * **Mobile Subscribers:** The primary victims are the approximately 120 million combined users of Globe and Smart in the Philippines, who are targeted by these deceptive messages 【1】.
  * **Telecommunications Operators:** Globe and Smart suffer brand damage and increased customer support burdens due to the impersonation of their services 【1】.
  
  ### **Security Implications**
  The use of SMS blasters bypasses traditional network-based security filters because the messages are injected directly into the radio environment near the victim's device 【1】. These messages typically use high-pressure tactics, such as fake loyalty point expiration warnings or urgent tariff plan notifications, to trick users into clicking malicious links that lead to credential-harvesting sites 【1】.
  
  ### **Technical Details**
  * **Equipment:** The advertised devices are marketed as "carrier-grade" fake base stations, with specific offerings for 4G and 5G networks 【1】.
  * **Smishing Tactics:** The scam messages leverage the names of legitimate services (e.g., GCash, GlobeOne) and use suspicious top-level domains (e.g., `.xin`, `.top`) to host phishing pages 【1】.
  
  ### **What Defenders Should Know**
  * **Platform Responsibility:** The article argues that social media platforms, specifically Google/YouTube, are failing to adequately police advertisements for illegal radio equipment, effectively facilitating criminal activity 【1】.
  * **Limitations of Device-Level Security:** Current mobile security protections are often insufficient against these localized radio-based attacks, as the threat originates from the physical proximity of the blaster rather than the internet-based delivery of the message 【1】.
  * **Actionable Defense:** The author advocates for a systemic approach: disrupting the supply chain and advertising of these devices is a more effective, low-cost strategy to reduce the prevalence of these scams than relying solely on individual user vigilance 【1】.
• Twee mannen aangehouden voor phishing - Two men arrested for phishing - Politie 🔍 Show Kagi Synopsis
  On May 19, 2026, the Dutch police (Team Cybercrime of the North Holland Unit) arrested two 23-year-old men from Bergschenhoek for their involvement in the sale of "phishing panels" 【1】. Following their interrogation in the Netherlands, the suspects were extradited to Belgium to face further legal proceedings for related criminal activities 【1】.
  
  ### Summary of the Incident
  
  | Category | Details |
  | :--- | :--- |
  | **What happened** | The suspects operated a "Phishing as a Service" (PhaaS) model, selling ready-to-use phishing kits and tools to other criminals 【1】. |
  | **Who is affected** | Banking customers across Europe were the primary targets of the phishing campaigns enabled by these tools 【1】. |
  | **Security Implications** | The availability of these kits lowered the barrier to entry for cybercrime, allowing individuals without technical expertise to launch sophisticated phishing attacks 【1】. |
  | **Technical Details** | The phishing panels were designed to create highly convincing replicas of legitimate bank websites, which were then used to harvest login credentials, personal data, and banking information 【1】. |
  | **Distribution** | The illicit tools were marketed and sold to international users via various social media channels 【1】. |
  
  ### What Defenders Should Know
  * **PhaaS Threat:** The rise of "Phishing as a Service" means that phishing campaigns are no longer limited to highly skilled threat actors. Defenders should anticipate a higher volume of attacks due to the accessibility of these "off-the-shelf" kits 【1】.
  * **Credential Harvesting:** These panels are specifically engineered to mimic trusted institutions (banks, webshops, etc.) to deceive users into voluntarily providing sensitive information 【1】.
  * **Reporting and Evidence:** Victims of such crimes are encouraged to contact the police, who can assist in filing reports and securing digital evidence to support investigations 【1】.
• Putin appoints Rostec cybersecurity specialist linked to GRU hackers from Fancy Bear as aide to Sergei Shoigu in Russia’s Security Council - Roman Dobrokhotov )?kagi_q=who+is+the+founder+or+owner+of+The+Insider+%28theins.press%29 🔍 Show Kagi Synopsis
  This article details the appointment of Andrei Kozlov as an aide to Sergei Shoigu, the secretary of Russia’s Security Council, and highlights the ongoing integration of individuals with ties to state-sponsored cyber-espionage units into high-level government roles 【1】.
  
  ### **What Happened**
  Vladimir Putin appointed Andrei Kozlov to serve as an aide to Sergei Shoigu. Kozlov replaces General Pavel Konovalchik, who held the position until March 2026. Both individuals share backgrounds in cybersecurity structures linked to the Russian state defense corporation Rostec and possess documented ties to Military Unit 26165, which is widely identified by researchers and international authorities as the GRU-linked hacker group Fancy Bear (APT28) 【1】.
  
  ### **Who Is Affected**
  * **Andrei Kozlov:** The new appointee, whose career spans leadership roles in Rostec’s cybersecurity arm and now a senior position within the Security Council.
  * **General Pavel Konovalchik:** The predecessor, who has been linked to the GRU’s 85th Special Service Center and the Defense Ministry’s information operations troops.
  * **Rostec and its Subsidiaries:** Major defense entities such as the United Aircraft Corporation and Uralvagonzavod, which rely on RT-Information Security (RT-IB) for their cybersecurity infrastructure 【1】.
  
  ### **Security Implications**
  The appointment underscores the deepening overlap between Russia's official state security apparatus and its offensive cyber-operations units. By placing personnel with direct links to APT28 into the Security Council, the Russian government is effectively formalizing the role of state-sponsored hackers in national policy and strategic decision-making. Furthermore, the fact that these individuals manage organizations (like RT-IB) that hold sensitive FSB licenses for cryptography and critical infrastructure protection creates a significant risk of state-level exploitation of those very systems 【1】.
  
  ### **Technical Details**
  * **Military Unit 26165:** Identified as the GRU’s 85th Special Service Center, this unit is the primary entity linked to APT28/Fancy Bear. It has been implicated in major international cyber-espionage campaigns, including the 2016 U.S. Democratic Party hack, the targeting of NATO, WADA, and the 2017 Emmanuel Macron campaign 【1】.
  * **RT-Information Security (RT-IB):** Formerly known as IB Reform, this company acts as Rostec’s cybersecurity center. It is responsible for monitoring computer incidents, conducting penetration testing, and performing security audits for critical Russian defense infrastructure. The company is currently under U.S. sanctions (SDN List) under Executive Order 14024 【1】.
  
  ### **What Defenders Should Know**
  Defenders and organizations monitoring for Russian state-sponsored activity should note the following:
  * **Personnel Continuity:** The transition from Konovalchik to Kozlov suggests a deliberate strategy of maintaining "cyber-hardened" leadership within the Security Council.
  * **Supply Chain Risk:** Because RT-IB is responsible for protecting critical Russian defense infrastructure, any software, hardware, or security services provided by or audited by this firm should be treated as high-risk for potential backdoors or intelligence collection.
  * **Sanctions Compliance:** RT-IB is under U.S. sanctions; organizations should ensure they are not engaging in business with or relying on security products from this entity to avoid secondary sanctions and security compromises 【1】.