InfoSec Briefing - June 09, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Tuesday the 9th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 12 articles to cover. All attribution is by the article authors. All article analysis is automated.

Aurora have published a research repository documenting the Chinese-language cybercrime ecosystem, which has industrialized into a fully professionalized operation. It covers everything from phishing-as-a-service kits through to pig butchering scam compounds in Southeast Asia, illicit stablecoin payment networks, and modular malware targeting enterprises. One for anyone tracking how organized cybercrime has evolved beyond individual actors into something resembling legitimate industry.

ByteRay Labs have released CQL-Hub, an open-source repository of detection and hunting queries specifically for CrowdStrike Falcon and LogScale. The queries are structured in YAML format with metadata, and it's designed as a community-driven resource to standardize threat hunting workflows. Worth a look if you're running that particular stack.

OpenAI have written up how they built a sandbox for Codex on Windows using restricted tokens, custom user accounts, and Windows Firewall rules to isolate autonomous coding agents. It's a good example of defense-in-depth using OS-native security primitives rather than advisory controls, which is particularly relevant given how many organizations are now experimenting with agentic workflows.

Division-36 have released Z-Jail, a lightweight Linux sandbox that combines namespaces, pivot root, and seccomp filters to safely execute untrusted binaries. It whitelists just 15 system calls and includes fingerprinting with audit logs, designed for researchers analyzing potentially malicious payloads without the risk of sandbox escapes or privilege escalation.

Subhash Bharadwaj has published OT Sentinel, an open-source collection of detection rules for industrial control systems covering Modbus, DNP3, IEC 104, MQTT, and OPC-UA. The rules are provided in both Wazuh and Sigma formats, mapped to MITRE ATT&CK for ICS, and validated against real OpenPLC hardware in a lab environment. Intended as an educational resource for organizations that can't justify the cost of commercial OT security platforms.

Meta disclosed that between April 17th and May 31st this year, attackers exploited a vulnerability in Instagram's AI-assisted account recovery system to reset passwords on approximately 20,000 accounts. The attackers manipulated the chatbot into linking their email addresses to victim accounts, gaining full control. Meta patched it on May 31st once they discovered the issue.

Rasmus Moorats reverse-engineered the Creative Sound Blaster Katana soundbar and found it accepts unauthenticated firmware uploads over Bluetooth with no signature verification. An attacker within Bluetooth range can exploit it to turn the device into a covert listening device or inject keystrokes into a connected PC via HID emulation. Creative have dismissed the findings and provided no patch, which is either admirably confident or deeply concerning depending on your perspective.

A technical analysis of PCIe DMA cheats has been published, covering how attackers exploit hardware-level memory access to bypass system security. The piece walks through attack mechanisms using PCIe devices, IOMMU bypass techniques, and defensive strategies including firmware fingerprinting and configuration hardening. Useful background if you're working on anti-cheat or endpoint integrity.

A researcher has detailed BusyWork, a Rust library that replaces standard sleep functions with 76 different legitimate-looking tasks across filesystem, registry, network, and cryptographic operations. The idea is to evade behavioral detection by eliminating detectable timing signatures and creating non-deterministic execution paths. It's designed for malware and game cheats, and challenges the assumption that sleep patterns are a reliable detection signal.

A proof-of-concept demonstrates a local arbitrary file read in the Windows UPnP Device Host service, affecting Windows 11 and potentially other versions. The exploit uses the UPnPRegistrar COM object to read files in the context of the LOCAL SERVICE account, allowing unprivileged users to access sensitive system files. Microsoft assessed this as not meeting their definition of a vulnerability.

EDRChoker is a tool that abuses Windows QoS Policy to throttle the network bandwidth of endpoint security agents, forcing communication timeouts with management servers. The technique creates persistent system-level policies that survive reboots and has been tested against major products including Elastic Defend. Defenders should monitor for unauthorized QoS policy creation targeting security processes.

And finally, Cygor is a modular Python framework that automates asset discovery by orchestrating tools like Nmap, Masscan, and Naabu through a unified dashboard. It's intended for authorized testing by red teams and penetration testers, but defenders should be aware of the characteristic traffic patterns, especially when they appear in high-volume automated sequences.

That concludes today's briefing.

📰 Articles Covered

Chinese-Cybercrime-Research: Resources to learn more about Chinese-language cybercrime actors. - aurora

The repository "Chinese-Cybercrime-Research" provides a comprehensive overview of a highly professionalized, global cybercrime ecosystem operating within Chinese-language networks. Below is a detailed precis based on the provided documentation.

### What Happened
The landscape is defined by the industrialization of cybercrime through "as-a-service" models. Criminal actors have moved beyond opportunistic attacks to structured, large-scale operations. Key activities include:
* **Phishing-as-a-Service (PaaS):** The widespread use of sophisticated kits (e.g., Darcula, Magic Mouse, CoGUI) to automate large-scale smishing and phishing campaigns.
* **Scam Compounds:** The emergence of large-scale, often forced-labor-based operations in Southeast Asia, specializing in "pig butchering" (long-term investment fraud), sextortion, and other social engineering scams.
* **Financial Fraud:** Sophisticated money laundering, "ramp-and-dump" stock market schemes, and the exploitation of mobile banking vulnerabilities (e.g., Ghost Tap).
* **Data Trafficking:** The commodification of stolen Personally Identifiable Information (PII), military data, and insider-acquired intelligence on both domestic and international forums.

### Who is Affected
The impact is widespread and global, targeting:
* **Individuals:** The general public is frequently targeted by smishing, e-commerce fraud, and investment scams. Chinese expatriates are specifically targeted by "cyber-kidnapping" and automated robocall scams.
* **Financial Institutions:** Banks and brokerage firms are primary targets for mobile phishing and market manipulation schemes.
* **Enterprises:** Businesses face infiltration from modular malware (e.g., Silver Fox, ValleyRAT) and botnets (e.g., Kimwolf, BADBOX) that compromise local networks.

### Security Implications
The ecosystem is marked by high levels of integration and professionalization. Criminal groups utilize "guarantee groups" (such as the Huione Group) to facilitate illicit stablecoin transactions, which provides significant financial obfuscation. A major concern is the blurring line between pure cybercriminal activity and state-aligned Advanced Persistent Threat (APT) operators, who may engage in cybercrime to generate revenue or conduct espionage.

### Technical Details
* **Infrastructure:** Attackers rely heavily on residential proxy services (e.g., 911s5, IPIDEA) to mask malicious traffic and bypass security filters.
* **Malware:** The use of modular Remote Access Trojans (RATs) and stealers—such as Silver Fox, ValleyRAT, and AtlasRAT—is prevalent, often distributed via plug-and-play phishing kits.
* **Botnets:** Threat actors exploit pre-infected devices (BADBOX) and insecure local network equipment to relay malicious commands and maintain persistence.

### What Defenders Should Know
* **Smishing Awareness:** Defenders should familiarize themselves with the specific kits mentioned (e.g., Darcula, Lighthouse) and their tactics, which often mimic legitimate postal or toll-payment services.
* **Financial Monitoring:** Security teams should monitor for the role of stablecoins in illicit economies and watch for "ramp-and-dump" patterns within financial data.
* **Network Hardening:** It is critical to secure local network devices against exploitation by botnets that leverage residential proxy endpoints.
* **Threat Intelligence:** The repository serves as a central hub for tracking these threats; security professionals should actively monitor the cited research blogs and reports (e.g., Krebs on Security, Netcraft, Elliptic, Proofpoint) for real-time updates on evolving tactics.
Query-Hub: CQL Hub is an open repository of detection and hunting queries for CrowdStrike NextGen SIEM and Falcon LogScale - ByteRay-Labs

The provided URL does not point to a cybersecurity incident report or an article detailing a security event. Instead, it is the public repository for **CQL-Hub**, a community-driven project designed to host and share CrowdStrike Falcon SIEM and LogScale queries.

Because this is a legitimate resource for security practitioners rather than a report of a breach or vulnerability, there is no "incident" to analyze. Below is a summary of the project based on the repository documentation:

### Project Overview
CQL-Hub is an open-source, community-focused platform that serves as a centralized library for detection and threat-hunting queries compatible with CrowdStrike Falcon. It aims to simplify the process of discovering and implementing security logic within the Falcon ecosystem.

### Key Features
* **Centralized Repository**: Acts as a backend for [cql-hub.com](https://cql-hub.com), where queries are indexed and made searchable.
* **Structured Data**: Queries are maintained in **YAML format**, which includes metadata to help users filter and organize them by specific use cases or threat vectors.
* **Community-Driven**: The project relies on contributions from security professionals worldwide, with a standardized "YAML Builder" tool to ensure consistency in submissions.
* **Open Access**: The repository is licensed under the **MIT License**, allowing users to freely use, adapt, and share the queries.

### What Defenders Should Know
For security teams and threat hunters using CrowdStrike Falcon, this repository is a resource for:
* **Improving Detection Coverage**: Accessing pre-written queries can help fill gaps in existing detection logic.
* **Standardization**: The use of structured YAML metadata makes it easier to integrate these queries into automated workflows or documentation.
* **Collaboration**: Security teams can contribute their own hunting logic back to the community, fostering a shared knowledge base for common threats.

If you were looking for information regarding a specific cybersecurity incident or vulnerability report, please verify the URL provided, as this repository is a tool for security operations rather than a record of a security event.
Building a safe, effective sandbox to enable Codex on Windows - OpenAI

The summary provided accurately captures the core components and security rationale behind OpenAI's development of the Codex Windows sandbox. To ensure you have the complete picture, here is a consolidated overview of the key takeaways for defenders and security engineers based on the article's technical findings.

### Summary of Key Security Takeaways

| Category | Details |
| :--- | :--- |
| **The Problem** | Windows lacked a native, granular isolation primitive suitable for autonomous coding agents, forcing a choice between full user-level access (dangerous) or constant manual approval (inefficient). |
| **The Solution** | A multi-layered "elevated sandbox" architecture that leverages Windows-native security features to enforce filesystem and network constraints. |
| **Technical Core** | Uses restricted tokens, custom local user accounts (`CodexSandboxOffline`/`Online`), and Windows Firewall rules to enforce isolation. |
| **Defensive Insight** | Security for agentic workflows often requires a "defense-in-depth" approach, combining multiple OS-level primitives rather than relying on a single isolation feature. |

### Critical Considerations for Defenders

* **Advisory vs. Enforced Controls:** The article highlights a crucial lesson: prototype security controls—such as those relying on advisory network suppression—are often easily bypassed. Robust isolation requires hard enforcement via OS-level mechanisms like Windows Firewall rules and restricted tokens 【1】.
* **Complexity of Agent Isolation:** Implementing secure sandboxing for autonomous agents is inherently complex. It requires managing not just process isolation, but also stateful filesystem access (via ACLs) and network egress control, which may necessitate custom binaries and asynchronous setup tasks 【1】.
* **Balancing UX and Security:** The "elevated" architecture was specifically chosen to provide a seamless developer experience while maintaining strict security boundaries. Defenders should note that when security controls are too restrictive or manual, they are often bypassed or ignored; the goal is to build "secure by default" environments that do not impede the agent's utility 【1】.

If you need to examine specific implementation details or the rationale behind the chosen Windows security primitives, I can retrieve further sections of the article for you.
Z-Jail: A lightweight, multi-layer Linux sandbox combining namespaces, pivot_root, seccomp-bpf, capability dropping, and an evidence-based verdict engine) for secure, auditable code execution. - Division-36

Z-Jail is a lightweight, high-security sandboxing framework developed by Division-36, designed to execute untrusted binaries within a strictly isolated environment 【1】. It is not a security incident or a vulnerability report, but rather a defensive tool intended to mitigate the risks associated with running potentially malicious or untrusted code 【1】.

### What Happened & Who Is Affected
Z-Jail was created as a solution for independent researchers and small-scale laboratories to safely analyze untrusted payloads 【1】. It is intended for use by security professionals and developers who need to isolate processes on Linux systems (kernel 5.4+) to prevent unauthorized system access or resource abuse 【1】.

### Security Implications
The project is designed to neutralize common attack vectors used by malicious payloads, including:
* **Sandbox Escapes:** Prevents escapes via `chroot`, `mount`, `ptrace`, or `socket` operations 【1】.
* **Privilege Escalation:** Blocks escalation attempts via `setuid` binaries or `LD_PRELOAD` techniques 【1】.
* **Resource Exhaustion:** Limits CPU, address space, file counts, and process counts to prevent attacks like fork bombs 【1】.

**Limitations:** The project explicitly notes that it does not protect against kernel zero-day vulnerabilities, hardware side-channel attacks, or escapes from co-located virtual machines 【1】.

### Technical Details
Z-Jail utilizes a parent-child process model where the child is hardened before executing the target binary 【1】. Its architecture relies on several Linux kernel primitives:

| Feature | Implementation Detail |
| :--- | :--- |
| **Namespaces** | Uses `CLONE_NEWNS`, `CLONE_NEWPID`, `CLONE_NEWNET`, `CLONE_NEWIPC`, and `CLONE_NEWUTS` for isolation 【1】. |
| **Filesystem** | Employs `pivot_root` to detach from the host filesystem, providing stronger isolation than `chroot` 【1】. |
| **Syscall Filtering** | Uses `seccomp-BPF` to enforce a strict whitelist of only 15 allowed system calls 【1】. |
| **Privilege Control** | Sets `PR_SET_NO_NEW_PRIVS` and drops all Linux capabilities 【1】. |
| **Auditing** | Features BLAKE2b-256 content fingerprinting of the target binary and generates JSON audit logs 【1】. |

### What Defenders Should Know
* **Performance:** The tool is highly efficient, with a mean sandbox latency of approximately 8 ms and a peak memory footprint of ~4 MiB 【1】.
* **Requirements:** It requires `CAP_SYS_ADMIN` privileges to initialize the necessary namespaces and a Linux kernel version of 5.4 or higher 【1】.
* **Licensing:** It is released under the **Axiom Public License v1.0**, which contains specific restrictions regarding commercial and government use without prior written authorization 【1】.
* **Usage:** The tool is invoked via the command `z_jail --root=<dir> --seccomp-enforce -- <program>` 【1】.
ot-sentinel-rules: Open-source ICS/OT detection rules (Wazuh + Sigma) for Modbus, DNP3, IEC 104, MQTT, and OPC-UA — tested against a real OpenPLC + GNS3 digital twin lab. - Subhash Bharadwaj

The provided summary accurately captures the essence of the **OT Sentinel** project. To ensure you have the complete picture, here is a synthesized precis based on the information gathered:

### **Overview**
OT Sentinel is an open-source initiative developed by security engineer Subhash Bharadwaj to address the scarcity of accessible, vendor-neutral security detection rules for Industrial Control Systems (ICS) and Operational Technology (OT) environments.

### **What Happened**
The project was established to provide a transparent, community-driven alternative to expensive, proprietary "black box" security solutions. It serves as an educational resource and a detection engineering accelerator, offering validated rules for common industrial protocols that are often difficult to monitor without high-cost commercial tools.

### **Who is Affected**
The primary beneficiaries are security teams, researchers, and operators managing small-to-medium OT infrastructure—such as water treatment facilities, power substations, and manufacturing plants—that may lack the budget for enterprise-grade commercial OT security platforms.

### **Security Implications**
By providing open, auditable, and customizable detection logic, OT Sentinel enables defenders to gain visibility into threats targeting industrial processes. The project maps its rules to the **MITRE ATT&CK for ICS** framework, helping security teams understand how attacks against OT protocols manifest at the SIEM layer, thereby improving overall threat detection capabilities.

### **Technical Details**
* **Platforms & Formats**: The project provides Wazuh XML rules and SIEM-agnostic Sigma YAML rules.
* **Protocols Covered**: Support includes Modbus, DNP3, IEC 104, MQTT, and OPC-UA.
* **Validation**: Rules are validated using `wazuh-logtest` (Wazuh 4.14.5), with Modbus rules tested against real OpenPLC hardware.
* **Components**: The repository includes custom decoders, CDB (Constant Database) allowlists, test scripts, and documentation mapping rules to the MITRE ATT&CK framework.

### **What Defenders Should Know**
* **Not Production-Ready**: The project is intended strictly for learning, lab testing, and kickstarting detection engineering. It should **not** be deployed to live production OT assets without extensive testing and tuning.
* **Safety Culture**: Defenders must prioritize OT safety, validate all rules in non-production environments, and carefully tune thresholds to account for specific traffic patterns and authorized devices.
* **Independence**: This is an independent project and is not affiliated with Microsoft Sentinel or any commercial OT security vendor. Contributions are encouraged to expand support for additional protocols like PROFINET, EtherNet/IP, and BACnet.
On May 31, 2026, Meta discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram ("High Touch Support" or "HTS") that was exploited by unauthorized third parties - Maine Office of the Attorney General

This incident involves a significant security failure within Meta’s automated support infrastructure, resulting in the unauthorized takeover of thousands of user accounts.

### What Happened
Between April 17, 2026, and May 31, 2026, unauthorized third parties exploited a vulnerability in Meta’s AI-assisted account recovery system, known as "High Touch Support" (HTS) 【4】【3】. Attackers used this tool to bypass security protocols and perform unauthorized password resets on targeted Instagram accounts 【6】. Meta identified and addressed the vulnerability on May 31, 2026 【3】.

### Who Is Affected
A total of **20,225 Instagram accounts** were potentially compromised in the incident 【1】. While the total number of affected individuals is 20,225, Meta has indicated that the actual number of successfully hijacked accounts may be lower 【1】. The incident affected users globally, including at least 30 residents of Maine 【2】.

### Security Implications
The breach granted attackers full control over the compromised Instagram accounts. This level of access allowed them to view and potentially exfiltrate sensitive personal information, including:
* Contact information and dates of birth 【2】
* Profile data, posts, and direct messages 【2】
* Account activity history 【2】

Furthermore, because many users link their Instagram accounts to other services, the compromise of an Instagram account could potentially serve as a pivot point for further unauthorized access to linked third-party accounts 【2】.

### Technical Details
The vulnerability resided in the **High Touch Support (HTS)** tool, an AI chatbot designed to assist users who have been locked out of their accounts 【5】. Attackers exploited the system by manipulating the chatbot's logic to link their own email addresses to the targeted accounts 【1】. Once the attacker's email was associated with the victim's account, they could trigger a standard password reset process to gain full control 【1】.

### What Defenders Should Know
* **Automation Risks:** This incident highlights the significant security risks associated with automating sensitive account recovery processes using AI. When AI systems are given the authority to perform high-privilege actions (like changing account ownership or resetting passwords), they become high-value targets for exploitation 【3】.
* **Verification Gaps:** The flaw suggests a failure in the AI's ability to properly verify the identity of the requester before executing sensitive account changes. Defenders should ensure that any automated recovery flow includes robust, multi-factor identity verification that cannot be bypassed by simple chatbot prompts.
* **Monitoring and Auditing:** Automated support tools must be subject to the same rigorous security auditing, logging, and anomaly detection as traditional administrative interfaces. Unusual patterns in account recovery requests should trigger immediate alerts for human review.
Pwnd Blaster: Hacking your PC using your speaker without ever touching it | nns.ee - Rasmus Moorats

The security research regarding the Creative Sound Blaster Katana V2X soundbar highlights a significant vulnerability in consumer IoT hardware where proprietary protocols lack fundamental security controls. Below is a detailed precis of the findings.

### What Happened
A security researcher reverse-engineered the firmware of the Creative Sound Blaster Katana V2X and discovered that the Creative Transport Protocol (CTP)—used for device configuration and firmware updates—is insecure. The researcher successfully demonstrated that custom, malicious firmware can be uploaded to the device over Bluetooth without requiring authentication or pairing 【1】.

### Who is Affected
The Katana V2X is confirmed to be vulnerable. Based on the researcher's analysis of the firmware, the Katana V2 and Katana SE models are also likely affected. Creative has reportedly dismissed these findings as not posing a cybersecurity risk and has not released any security patches 【1】.

### Security Implications
An attacker within Bluetooth range (approximately 15 meters) can compromise the device to perform the following actions:
* **Covert Monitoring:** The speaker can be repurposed as a listening device by activating its built-in microphone 【1】.
* **HID Attacks:** By modifying the firmware, an attacker can force the device to identify itself as a Human Interface Device (HID) keyboard. This allows the speaker to inject arbitrary keystrokes into a connected PC, facilitating the execution of malicious commands 【1】.

### Technical Details
* **Protocol Vulnerability:** CTP commands are accepted over Bluetooth without any authentication mechanism 【1】.
* **Lack of Integrity Checks:** The firmware container is essentially a ZIP file that lacks cryptographic signature verification. It only performs a trivial check against a SHA-256 checksum (`CHK2`), which is easily bypassed 【1】.
* **HID Injection:** The researcher modified the USB report descriptor to enable keyboard emulation and injected ARM/Thumb assembly code into an unused diagnostic task, ensuring keystroke injection occurs automatically upon boot 【1】.
* **Persistence:** Attackers can disable the device's firmware update routines, effectively making the malicious firmware permanent and difficult to remove 【1】.

### What Defenders Should Know
* **Lack of Remediation:** There is no official fix from the manufacturer. Furthermore, Creative has removed firmware download URLs, which complicates efforts for users to apply community-developed patches 【1】.
* **Persistent Bluetooth Exposure:** The Bluetooth functionality remains active even when the device is in sleep mode, and there is no user-accessible option to disable it 【1】.
* **Risk Profile:** These devices remain permanently vulnerable unless users can source clean firmware files from third-party repositories to apply unofficial, community-created security patches 【1】.
About PCIe DMA Cheats: Protocol, IOMMU, Hardware, and Detection - kernullist

The precis you provided accurately captures the core technical and security aspects of the article regarding PCIe DMA cheats. Since you have already successfully summarized the key points—the mechanism of the attack, the hardware involved, the IOMMU bypass techniques, and the defensive strategies—there is no need for further research.

If you would like to explore specific sections of the original article in greater depth, such as the detailed examples of firmware fingerprinting or the specific IOMMU configuration pitfalls mentioned by the author, I can certainly assist with that using the `text_editor` tool. Otherwise, the summary you have is comprehensive and covers all the requested areas.
BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection - m4n0w4r

The article details the development and security implications of **BusyWork**, a Rust-based library designed to evade behavioral detection by replacing standard `sleep()` functions with randomized, legitimate-looking application activity 【1】.

### Summary of BusyWork

| Category | Details |
| :--- | :--- |
| **What Happened** | The author created a library to replace traditional sleep primitives (e.g., `Sleep()`, `std::thread::sleep()`) with randomized, genuine tasks to bypass behavioral analysis 【1】. |
| **Who is Affected** | Primarily malware authors and game cheat developers seeking to evade detection, and EDR/anti-cheat vendors whose behavioral heuristics are being targeted 【1】. |
| **Security Implications** | It eliminates detectable timing signatures, introduces non-deterministic execution paths, and mimics legitimate application behavior, making it difficult for security products to distinguish malicious activity from normal software without causing false positives 【1】. |
| **Technical Details** | Features 76 tasks across seven categories (e.g., Filesystem, Registry, Network, Crypto) with intensity scaling and ±30% jitter; uses function pointer dispatch and `std::hint::black_box` to thwart compiler optimizations 【1】. |
| **Defensive Guidance** | Defenders should focus on contextual correlation (e.g., unexpected process behavior), monitoring for anomalous network activity, and identifying "soft indicators" like the presence of `rand` in non-UI binaries 【1】. |

### Key Takeaways for Defenders
Beyond the specific indicators mentioned, the article emphasizes that the effectiveness of BusyWork lies in its ability to blend into the "noise" of a normal operating system environment. Because the library performs real filesystem, registry, and network operations, defenders must move beyond simple API hooking or signature-based detection. Instead, they should focus on:

* **Contextual Behavioral Analysis:** Evaluating whether the *type* of activity (e.g., registry queries or network requests) is appropriate for the specific process performing it.
* **Process Profiling:** Establishing baselines for legitimate software to better identify when a process begins exhibiting uncharacteristic behavior, even if that behavior is technically "legitimate" in isolation.
* **Heuristic Refinement:** Recognizing that the absence of standard sleep calls is not a sign of inactivity, but rather a potential indicator that a process is attempting to mask its pacing mechanisms.
UPnPHostFileRead: Arbitrary file read exploit for the Windows UPnP Device Host service. - SpacePlant

This precis outlines the details of the `UPnPHostFileRead` proof-of-concept (PoC) regarding the Windows UPnP Device Host service.

### Overview
The `UPnPHostFileRead` repository demonstrates a local arbitrary file read vulnerability within the Windows UPnP (Universal Plug and Play) Device Host service. While the researcher reported this issue to Microsoft, it was assessed as "not a vulnerability" by the vendor 【1】.

### Who Is Affected
The PoC was specifically tested against Windows 11 Pro (build 26200.8457). Because the issue stems from the design of the `UPnPRegistrar` COM object, it is likely that other versions of Windows utilizing this service are also susceptible 【1】.

### Security Implications
This vulnerability allows a local, unprivileged user to read arbitrary files on the system. Because the file is accessed in the context of the `LOCAL SERVICE` account—which often has higher privileges than a standard user—an attacker could potentially read sensitive system files or configuration data that would otherwise be restricted 【1】.

### Technical Details
The exploit leverages the `UPnPRegistrar` COM object, which can be instantiated by normal users. The process functions as follows:
* **Device Registration:** An attacker calls the `RegisterRunningDevice` method, providing a device description XML file.
* **Path Traversal:** The XML file includes a reference to an icon. This reference is vulnerable to path traversal, allowing an attacker to point it to any file on the local file system.
* **File Exposure:** Once the device is registered, the UPnP service exposes the referenced file via an HTTP endpoint.
* **Exfiltration:** The attacker can then access this HTTP endpoint to download the contents of the targeted file, effectively bypassing standard file system permissions 【1】.

### What Defenders Should Know
* **Vendor Status:** Microsoft has officially assessed this behavior as "not a vulnerability," meaning a patch is unlikely to be released 【1】.
* **Detection:** Defenders should monitor for unexpected usage of the `UPnPRegistrar` COM object or unusual HTTP traffic originating from the UPnP Device Host service.
* **Mitigation:** Since this is a local exploit, organizations should focus on standard hardening practices, such as minimizing the number of users with local access and employing robust Endpoint Detection and Response (EDR) solutions to monitor for suspicious process behavior and unauthorized file access attempts.
EDRChoker: A tool uses the QoS Policy (Pacer.sys) to throttle Endpoint Detection and Response (EDR) agents from connecting to the server. - Two Seven One Three

EDRChoker is a security tool designed to demonstrate a novel method for neutralizing Endpoint Detection and Response (EDR) agents by manipulating Windows network traffic policies 【1】.

### What Happened
EDRChoker leverages the Windows Policy-based Quality of Service (QoS) framework to impose severe bandwidth limitations on EDR agent processes. By setting these hard caps, the tool forces the EDR agents to time out, effectively severing their ability to communicate with their management consoles or cloud backends, thereby blinding the security solution 【1】.

### Who is Affected
The tool targets EDR agents running on Windows operating systems. It has been successfully tested against major security products, including Elastic Defend 【1】.

### Security Implications
The primary security implication is the complete degradation of endpoint visibility and protection. Because the QoS policies are applied at the system level, they persist even after a system reboot, ensuring that the EDR agent remains incapacitated until the policies are explicitly removed 【1】.

### Technical Details
* **Mechanism:** EDRChoker utilizes the native Windows `pacer.sys` driver to enforce bandwidth throttling 【1】.
* **Execution:** The tool allows an operator to provide a list of process names (e.g., EDR binaries) via a text file. It then automatically creates QoS policies for each specified process, forcing them into a state of constant network timeout 【1】.
* **Persistence:** Unlike memory-only bypasses, these policies are registered within the Windows system configuration and remain active across reboots 【1】.

### What Defenders Should Know
* **Detection:** Defenders should monitor for the creation of new QoS policies, particularly those targeting security-related processes.
* **Remediation:** The tool includes functionality to remove all installed QoS policies, which is the primary method for restoring EDR functionality 【1】.
* **Proactive Defense:** Organizations should audit their Windows environment for unauthorized QoS policy configurations and ensure that security agents are configured to alert or fail-safe if their network telemetry stream is interrupted or throttled.
cygor: An modular asset discovery framework written in python to automate the repeating manual work - tjnull

Cygor is a modular, automated asset discovery and enumeration framework designed to consolidate fragmented security workflows into a unified, dashboard-driven process 【1】. It is intended for use by red teams, penetration testers, blue teams, system administrators, and security researchers to streamline reconnaissance and triage 【1】.

### Summary of the Cygor Framework

| Category | Details |
| :--- | :--- |
| **What Happened** | The development and release of an orchestration framework that integrates various scanning and enumeration tools into a single, automated pipeline with a visual Web UI 【1】. |
| **Who is Affected** | Security professionals and organizations; it provides a tool for authorized testing while also serving as a signature for defenders to monitor 【1】. |
| **Security Implications** | It significantly reduces the time required for asset discovery and attack surface mapping, allowing for rapid identification of misconfigurations and exposed services 【1】. |
| **Technical Details** | Orchestrates tools like Nmap, Masscan, Naabu, Playwright, ffuf, and various service-specific enumerators (SMB, LDAP, SNMP, etc.) using a Python-based architecture with PostgreSQL/SQLite support 【1】. |
| **Defender Guidance** | Defenders should monitor for the characteristic traffic patterns of the underlying tools (Nmap, Masscan, etc.) and recognize that this framework automates and scales these activities 【1】. |

### Key Takeaways for Defenders
* **Automated Reconnaissance:** Cygor automates the identification of services and potential attack surface expansion, which can be used to uncover unknown assets or validate existing inventories 【1】.
* **Detection Strategy:** Because the framework relies on industry-standard tools, defenders should focus on detecting the specific activity patterns associated with those utilities, especially when they appear in high-volume or automated sequences 【1】.
* **Ethical Compliance:** The project is strictly intended for authorized security research and testing; users are solely responsible for ensuring their use of the tool complies with legal and ethical standards 【1】.