Flare-On 12 – Task 8 In this mini-series I describe the solutions of my favorite tasks from this year’s Flare-On competition. To those of you who are not familiar, Flare-On is a marathon of reverse engineering. This ye…

And #FlareOn12 Task 8: wp.me/p2mVNF-2Qf

Flare-On 12 – Task 8 In this mini-series I describe the solutions of my favorite tasks from this year’s Flare-On competition. To those of you who are not familiar, Flare-On is a marathon of reverse engineering. This ye…

And #FlareOn12 Task 8: wp.me/p2mVNF-2Qf

Flare-On 12 – Task 9 In this mini-series I describe the solutions of my favorite tasks from this year’s Flare-On competition. To those of you who are not familiar, Flare-On is a marathon of reverse engineering. T…

Long overdue, but here’s my writeup for #FlareOn12 Task 9: hshrzd.wordpress.com/2025/11/20/f...

Heeey, ncurses/terminfo has a small virtual machine! And if there's a VM, there are CTF challenges :)
hackarcana.com/public-exerc...
hackarcana.com/public-exerc...
(third one coming next week, will be a bit harder)

The 13th Annual Volatility Plugin Contest is Open! We are excited to announce that the Volatility Plugin Contest is officially open for submissions! The annual Plugin Contest is your opportunity to: Directly contribute to the open source forensics …

The 13th annual @volatility #PluginContest is OPEN for submissions until 31 Dec 2025!

This contest is designed to encourage research & development in the field of #memoryanalysis. Every year, contributions from all around the world continue to help build the next generation of #memoryforensics.

-iOS 26 change deletes clues of old spyware infections
-Starlink disables 2.5k scam compound terminals
-Caribbean hospital still down 5 months after ransomware attack
-Poland charges officials in Pegasus scandal

Newsletter: news.risky.biz/risky-bullet...
Podcast: risky.biz/RBNEWS495/

‎Hacktivate: Capture the Flag ‎Crack codes. Break firewalls. Conquer the map. Hacktivate is the ultimate cybersecurity challenge: a world map of 240 missions where every puzzle is built on real cybersecurity techniques hackers us...

Today I'm launching my new app, Hacktivate. It teaches real-world computer science skills through 240 "capture the flag" challenges, and works on iPhone, iPad, and Mac with one purchase. I've poured a ton of love into it, and I'd love to hear what you think 🙌 apps.apple.com/gb/app/hackt...

I used PE-bear for the first time to dump an embedded binary. Its intuitive UI made extraction effortless. Because malware often embeds payloads with the form A in B to evade detection, pulling out the inner binary was crucial for deeper analysis and IoCs hunting.

Finally done with #FlareOn12. What a ride! I am looking forward to read other people’s solutions, especially of those who did the 9th task quickly.

#FTSCon Speaker Spotlight: Aleksandra Doniec (@hasherezade.bsky.social) is presenting “Uncovering Malware's Secrets with TinyTracer” in the MAKER track.

See the full list of speakers + event info, including how to register, here: volatilityfoundation.org/from-the-sou...

Malware Analysis - Intermediate Level Signature writing, deobfuscation, dynamic API resolving, syscalls, hooking, shellcode analysis and more

My intermediate level malware analysis course is there.
60% off for the next two weeks.

malwareanalysis-for-hedgehogs.learnworlds.com/course/inter...

Beyond good ol’ Run key, Part 148

www.hexacorn.com/blog/2025/07...

- option of custom parsing exports directory allows to pinpoint even the APIs that the malware author tried to hide by erasing exports table in memory: (github.com/hasherezade/...)

- watching not only the functions arguments, but also, how they changed after the function execution, and the function return value: (github.com/hasherezade/...) - thanks to a new contributor, maxspl:

includes: tracing defined local functions (github.com/hasherezade/...):

New #TinyTracer (v3.0) is out - with many cool features: github.com/hasherezade/... - check them out!

1. Pause thread midway in exploit races (even ⓪).
2. Or block entire CPU core. Kernel APCs run at APC_LEVEL (🤯), so thread scheduling kinda disabled (think priority == ∞).
3. Or build upon @hasherezade.bsky.social work & generalize #WaitingThreadHijacking — making it, in fact, Waitless.

Screenshot of contextjail.exe running with default arguments. Highlighted: * prisoner thread (latched to CPU1 with priority 15) couldn't run for the entire test duration (30 seconds). * 99 jailer threads (latched to 6/8 processors, CPU2..CPU7) were using 20% of total CPU time. Overlay: pseudo-ASSCII art with prisoner thread and 6 jailer threads (guards), spamming NtGetContextThread to block the prisoner. Source and compiled binary: https://pastebin.com/pBJcGp1y

Heard of #ContextJail?
It's a nasty new technique: puts target thread into ⓪ deadloop, for as long as you can afford. Requires THREAD_GET_CONTEXT right.

The gist? Just spam NtGetContextThread(tgt).😸
Target will be jailed, running nt!PspGetSetContextSpecialApc 🔁.

Src & binary in [ALT].

Usecases: ⤵️

yes, we catch it, but I cannot speak for others

[DEMO] Waiting Thread Hijacking (on Windows 11 24 H2) YouTube video by hasherezade

demo: www.youtube.com/watch?v=CZIR... ; src: github.com/hasherezade/...

Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...

My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection

🫂

New HijackLoader Evasion Tactics | ThreatLabz Learn how HijackLoader has introduced call stack spoofing and new modules to improve its evasion and anti-analysis capabilities.

Zscaler has published a technical report on HijackLoader (IDAT Loader, GhostPulse) and its recent changes, such as its new call stack spoofing module, anti-VM module, and support for scheduled task persistence

www.zscaler.com/blogs/securi...

Abolish April Fool’s day. Society has moved past the need for April Fool’s day

Hellcat Hacking Group Unmasked: Investigating Rey and Pryx | KELA Cyber KELA’s latest research uncovers key insights into two key threat actors of Hellcat Group, Pryx and Rey. Read more.

KELA has published a profile on Rey and Pryx, the two main individuals behind the Hellcat hacking group, responsible for several breaches over the past months, such as Schneider Electric, Telefónica, and Orange Romania.

www.kelacyber.com/blog/hellcat...

23andMe Files for Bankruptcy as CEO Anne Wojcicki Resigns — What Will Happen to Your DNA Data? Genetics company 23andMe has filed for bankruptcy and its CEO is stepping down, leaving many users concerned about the future of their data.

We all knew this day would arrive when the DNA samples you willingly provided 23andMe would be up for sale. Company now says it's seeking a buyer as it files for bankruptcy. 23andMe says any buyer will have to adhere to privacy laws for customer DNA/data they acquire. people.com/23andme-file...

Clevo Boot Guard Keys Leaked in Update Package Over the past few years, the Binarly Research team has led the way in documenting security problems haunting the entire UEFI ecosystem. We presented our discoveries at major security conferences like ...

Clevo Boot Guard Keys Leaked in Update Package

www.binarly.io/blog/clevo-b...

GitHub - Cryakl/Ultimate-RAT-Collection: For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots. For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots. - Cryakl/Ultimate-RAT-Collection

Someone has done an excellent job collecting RATs and documenting them by version. They also included images.

A+ work. This is amazing (we're going to ingest this eventually)

github.com/Cryakl/Ultim...

Tutorial: unpacking executables with TinyTracer + PE-sieve In this short blog I would like to demonstrate you how to unpack an executable with PE-sieve and Tiny Tracer. As an example, let’s use the executable that was packed with a modified UPX: 8f66…

A small demo/tutorial on unpacking executables with #PEsieve and #TinyTracer: hshrzd.wordpress.com/2025/03/22/u...
- automatic OEP finding, reconstructing IAT, avoiding antidebugs and fixing imports broken by shims

table of contents for tmp.0ut volume 4

Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/