Login
Hi everyone,
Over the last month I’ve been analyzing modular addition not as a bitwise operation, but as a fractional mapping. Treating (a + b) mod 2^32 as a projection into the fractional domain [0, 1), modular “bit loss” stops behaving like noise and instead becomes predictable geometric wrapping.
This leads to what I call the Kaoru Method.
The core idea is to run a “Shadow SHA-256” in parallel using infinite precision arithmetic. By comparing the real SHA-256 state with the shadow state, it’s possible to reconstruct a Universal Carry Map (k) that fully captures all modular wraps occurring during execution.
Once k is recovered for the 64 rounds, the modular barriers effectively disappear and the compression function reduces to a system of linear equations.
In my experiments, a standard SHA-256 block produces exactly 186 modular wraps. This number appears stable and acts like a structural “DNA” of the hash computation.
Under this framework, differential cryptanalysis becomes significantly simpler, since the carry behavior is no longer hidden. I’m releasing both the theoretical framework and an extractor implementation so others can validate, attack, or extend the idea toward full collisions.
Paper (theory):
https://osf.io/jd392/files/4qyxc
Code (Shadow SHA-256 extractor):
https://osf.io/n9xcw
DOI:
https://doi.org/10.17605/OSF.IO/JD392
I’m aware this challenges some long-held assumptions about modular addition as a source of non-linearity, so I’m especially interested in feedback, counterexamples, or independent replication.
Thanks for reading.
Over one year ago the Goverment wanted to email the victims but Bitfinex denied it. But it is not too late yet if we act now. Did you hear of any availability of old crypto exchange user email addresses? Security researchers in possession of historic leak data could help to return $ nine digits to victims soon.
Please suggest specific forums for outreach.
Thanks!
Ranked list of 2016 exchanges: Poloniex Bitstamp OKCoin BTC-e LocalBitcoins Huobi Xapo Kraken CoinJoinMess Bittrex BitPay NitrogenSports-eu Cex-io BitVC Bitcoin-de YoBit-net Cryptsy HaoBTC BTCC BX-in-th Hashnest BtcMarkets-net Gatecoin Purse-io CloudBet Cubits AnxPro Bitcurex AlphaBayMarket Luno BTCC Loanbase Bitbond BTCJam Bit-x BitPay BitBay-net NucleusMarket PrimeDice BitAces-me Bter MasterXchange CoinGaming-io CoinJar Cryptopay-me FaucetBOX Genesis-Mining
Mac Malware analysis
A few days ago u/broadexample pointed out that our free STIX feed was doing it wrong:
"You're creating everything as Indicator, not as IPv4Address linked to Indicator via STIX Relationship hierarchy. This works when you use just this feed alone, but for everyone using multiple feeds it would be much less useful."
They were right. We were creating flat Indicator objects instead of proper STIX 2.1 hierarchy with SCOs and Relationships.
Fixed it today. New V2 endpoint with:
- IPv4Address SCOs with deterministic UUIDs (uuid5 for cross-feed deduplication)
- Relationship objects linking Indicator → SCO ("based-on")
- Malware SDOs for 10 families (Stealc, LummaC2, Cobalt Strike, etc.)
- Relationship objects linking Indicator → Malware ("indicates")
Should actually work properly in OpenCTI now.
V2 endpoint: https://analytics.dugganusa.com/api/v1/stix-feed/v2
V1 still works if you just need IOC lists: https://analytics.dugganusa.com/api/v1/stix-feed
Full writeup: https://www.dugganusa.com/post/stix-v2-reddit-feedback-opencti-ready
Thanks for the feedback. This is why we post here - you catch the stuff we miss.
During routine threat hunting on my Beelzebub honeypot, I caught something interesting: a Rust-based DDoS bot with 0 detections across 60+ AV engines at the time of capture.
TL;DR:
In the post you'll find:
The fact that no AV detected it shows that Rust + string obfuscation is making life hard for traditional detection engines.
Questions? AMA!
I’ve opened the early access waitlist for CyberCTF.space, a cybersecurity CTF platform focused on real-world attacks, not puzzle only challenges. - Docker based labs - MITRE ATT&CK aligned techniques - Real World exploits
🎖 Early joiners receive Founding Hacker recognition.
I’m also looking for security practitioners interested in contributing labs, challenges, or documentation.
Join the waitlist: https://cyberctf.space/
Contributors: https://cyberctf.space/contributors
Full disclosure: I'm a researcher at CyberArk Labs.
This is a technical deep dive from our threat research team, no marketing fluff, just code and methodology.
Static analysis tools like CodeQL are great at identifying "maybe" issues, but the signal-to-noise ratio is often overwhelming. You get thousands of alerts, and manually triaging them is impossible.
We built an open-source tool, Vulnhalla, to address this issue. It queries CodeQL's "haystack" into GPT-4o, which reasons about the code context to verify if the alert is legitimate.
The sheer volume of false positives often tricks us into thinking a codebase is "clean enough" just because we can't physically get through the backlog. This creates a significant amount of frustration for us. Still, the vulnerabilities remain, hidden in the noise.
Once we used GPT-4o to strip away ~96% of the false positives, we uncovered confirmed CVEs in the Linux Kernel, FFmpeg, Redis, Bullet3, and RetroArch. We found these in just 2 days of running the tool and triaging the output (total API cost <$80).
Running the tool for longer periods, with improved models, can reveal many additional vulnerabilities.
Write-up & Tool:
We don’t lack security ideas. We lack companies hiring juniors and products that are secure by default. These two problems are connected, and until we fix both, we’ll keep talking about a skills shortage while making it impossible to build a secure society.
What do you all think?
New preprint exploring unconventional cryptanalysis:
• Framework: “Inverse Dimensionalization”
• Target: SHA-256 structural analysis
• Result: 174/256 matching bits (M₁ = 88514, M₂ = 88551)
• Time: 3.8 seconds
• NOT a collision — but statistically anomalous
Paper + reproducible code: https://doi.org/10.17605/OSF.IO/6YRW8
Full paper with math and code: https://doi.org/10.17605/OSF.IO/6YRW8
Paper: https://osf.io/6yrw8/files/wj9ze
Code: https://osf.io/6yrw8/files/zy8ck
Verification code: https://osf.io/6yrw8/files/pqne7
Device specifications used to find the 174/256-bit match in 3.8 seconds:
• Google Colab Free CPU
• Intel Xeon
• Clock speed: between 2.20 GHz and 2.30 GHz
• Cores (vCPUs): 2 virtual cores
• RAM: 12 GB
Security implications discussion welcome.
I’m traveling next week and will need to access a website that is IP address -sensitive. My work computer’s IP address is approved for the site. If I access my work desktop remotely using something like LogMeIn or Team Viewer, will I be able to get onto the website I need to use? Or will my public IP address show up as the one I’m using from far?
Built a threat intel platform that runs on $75/month infrastructure. Decided to give the STIX feed away for free instead of charging enterprise prices for it.
What's in it:
- 59K IOCs (IPs, domains, hashes, URLs)
- ThreatFox, OTX, honeypot captures, and original discoveries
- STIX 2.1 compliant (works with Sentinel, TAXII consumers, etc.)
- Updated continuously
Feed URL: https://analytics.dugganusa.com/api/v1/stix-feed
Search API (if you want to query it): https://analytics.dugganusa.com/api/v1/search?q=cobalt+strike
We've been running this for a few months. Microsoft Sentinel and AT&T are already polling it. Found 244 things before CrowdStrike/Palo Alto had signatures for them (timestamped, documented).
Not trying to sell anything - genuinely curious if it's useful and what we're missing. Built it to scratch our own itch.
Tear it apart.
tl;dr: Ask Claude Code to tee mitmdump to a log file (with request and response). Create skills based on hackerone public reports (download from hf), let Claude Code figure out if it can find anything in the log file.
An active phishing campaign has been detection by Evalian SOC targeting HubSpot customers.
Just finished reading ActiveFence’s emerging threats assessment on 7 major models across hate speech, disinfo, fraud, and CSAM-adjacent prompts.
Key findings are: 44% of outputs were rated risky, 68% of unsafe ones were hate-speech-related, and only a single model landed in the safe range.
What really jumps out is how different vendors behave per abuse area (fraud looks relatively well-covered, hate and child safety really don’t).
For those doing your own evals/red teaming: are you seeing similar per-category gaps? Has anyone brought in an external research partner like ActiveFence to track emerging threats over time?
Freedom of the Press Foundation is developing Dangerzone, an open-source tool that uses multiple layers of containerization (gVisor, Linux containers) to sanitize untrusted documents. The target users of this tool are people who may be vulnerable to malware attacks, such as journalists and activists. To ensure that Dangerzone is adequately secure, it received a favorable security audit in December 2023, but never had a bug bounty program until now.
We are kick-starting a limited bug bounty program for this holiday season, that challenges the popular adage "containers don't contain". The premise is simple; sent Santa a naughty letter, and its team of elves will run it by Dangerzone. If your letter breaks a containerization layer by capturing a flag, you get the associated bounty. Have fun!
For the past several years I've been trying intermittently to get Cross Translation Unit taint analysis with clang static analyzer working for Firefox. While the efforts _have_ found some impactful bugs, overall the project has burnt out because of too many issues in LLVM we are unable to overcome.
Not everything you do succeeds, and I think it's important to talk about what _doesn't_ succeed just as much (if not more) about what does.
With the help of an LLVM contractor, we've authored this post to talk about our attempts, and some of the issues we'd run into.
I'm optimistic that people will get CTU taint analysis working on projects the size of Firefox, and if you do, well I guess I'll see you in the bounty committee meetings ;)
Hey everyone, I saw this report on Hacker News, about a pretty serious privacy breach involving the Urban VPN Proxy browser extension and several other extensions from the same publisher.
According to the research:
What’s especially concerning is that Urban VPN advertises an “AI protection” feature, but that doesn’t prevent data harvesting - the extension just warns you about sharing data while quietly exfiltrating it.
If you’ve ever used this extension and chatted with an AI, it’s worth uninstalling it and treating those interactions as compromised.
Link to the report:
https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
Would love to hear thoughts on this.
Microsoft has released a fix for CVE-2025-64669, addressing a local privilege escalation vulnerability we reported in Windows Admin Center.
This issue allowed low privileged users to escalate to SYSTEM by abusing trusted components under insecure filesystem permissions. Microsoft validated the finding and shipped a fix as part of the latest update.
This CVE represents only the first vulnerability from our research.
We identified four distinct vulnerabilities during the investigation, and additional fixes and disclosures are coming.
More details soon.
Stay tuned.
These aren't theoretical numbers. The attackers left their C2 wide open with a /stats endpoint showing real-time campaign metrics. Yes, really.
I've been monitoring attacks hitting my Beelzebub research honeypots and caught what I'm calling "Operation PCPcat" - a large-scale credential theft campaign targeting Next.js deployments.
TL;DR of the attack chain:
FreshRSS .env files, SSH keys, AWS/Docker/Git credentialsWhat I documented:
If you're running Next.js in prod: patch immediately and rotate your credentials. Assume compromise if you were vulnerable during this window.
Happy to answer questions or share more technical details.
Delegation cannot be secured by refining identity because delegation is not an attribute of who you are. It is an operation on authority itself. Authority must be constructed, passed, and monotonically reduced as data. Capability systems are the only authorization model that treats delegation as a first-class, enforceable transformation rather than an inferred side effect.
Hello everybody,
Some activist friends and I have been discussing a problematic gap in the current landscape of secure messaging tools: the lack of user‑friendly communication systems that remain secure even in the presence of spyware. Standard E2E encrypted messengers such as Signal or Element become ineffective once the communication device itself is compromised. If spyware is able to read the screen, capture keystrokes, or access memory, E2E-encryption no longer protects the message content.
For this reason, we "developed" a concept we call Offline Decryption Messaging. The core idea is that each communication participant uses two distinct devices:
All sensitive operations, like writing, decrypting, and displaying clear messages, take place exclusively on the offline device. The online device is used only to transmit encrypted data via standard messaging services.
In practice, the user writes the clear message on the offline device, where it is encrypted and immediately deleted. The resulting ciphertext is then transferred to the online device (for example via a QR code) and sent over an existing messenger. The online device never has access to either the clear message or the cryptographic keys. On the receiving side, the process is reversed: the encrypted message is transferred to the recipient’s offline device and decrypted there.
Under this model, even if all participating online devices are fully compromised by spyware, no sensitive information can be exfiltrated. While spyware on the online device may observe or manipulate transmitted ciphertext, it never encounters the decrypted message. At the same time, spyware on the offline device has no communication channel through which it could leak information to an attacker.
The goal of our project, currently called HelioSphere, is to explore whether this security model can be implemented in a way that is not only robust against modern spyware, but also practical enough for real‑world activist use.
We would love feedback from this community, especially regarding:
The concept is further introduced in the document accessible via the link above. The link also contains information about our first functional prototype.
Thanks for reading! We’re looking forward to your thoughts.
EDIT 1: To clarify the use case we have in mind: the proposed concept is intended for activists who already rely on E2E encrypted platforms such as Signal or Element, but who want to add an additional layer of protection by using offline decryption. This approach does not make them less trackable, as the comments correctly note. However, it significantly limits the impact of spyware: apart from metadata, no meaningful information can be extracted. So, the only added benefit is that, in the event of a device compromise, the message content itself remains protected.
EDIT 2: We think that avoiding detection and infection in the first place is critical, but we believe there is still a meaningful security gain if, in the event of detection and compromise, the message content remains inaccessible to the attacker. We are interested to hear whether you think the same or see this differently!
I've been experimenting with LangGraph's ReAct agents for offensive security automation and wanted to share some interesting results. I built an autonomous exploitation framework that uses a tiny open-source model (Qwen3:1.7b) to chain together reconnaissance, vulnerability analysis, and exploit execution—entirely locally without any paid APIs.
My father got tricked into calling scammers after a hidden Google logout URL made him think his computer was hacked. Turns out, Google lets any website instantly log you out of Gmail, YouTube, and Drive just by loading a simple link - no warning, no confirmation. I made a petition, and I want to know if this is something worth signing and sharing, or if it's not realistic.
We’ve been testing AI agents in blue-team scenarios (log triage, recursive investigation steps, correlation, incident reconstruction). A recurring issue surfaced during testing:
Pay-per-use models can’t handle the load.
Deep reasoning tasks trigger non-linear token spikes, and we found that Competitor-style metered billing either slowed down workflows, caused interruptions, or became too expensive to use during real incidents — especially when dealing with iterative analysis under pressure.
We published a case study summarizing the data, the reasoning patterns behind the token spikes, and why unlimited usage models are better suited for continuous defensive operations.
Sharing here in case it helps others experimenting with AI in blue team environments
Scanned 1.3M npm packages + top GitHub repos: Dify, LobeChat, Umami are affected and maybe exploited
I wrote a post about how to perform a red team phishing campaign, including a reconnaissance and AITM sesssion capture. I hope you enjoy it. It does not cover creating a m365 proxy config, I will leave that as a exercise to the reader :)
A new wave of ClickFix attacks spreading a macOS infostealer are posting malicious user guides on the official ChatGPT website by piggybacking the chatbot’s chat-sharing feature.
A comprehensive guide on extending Burp Scanner with custom scan checks.
Howdy folks - former red teamer (a lot of my work is available under the rad9800 alias, if you're interested in malware - check it out!) now building the product to catch me/and in turn the many other adversaries running the same playbooks. We offer a paid deception platform, but I wanted to make a free tier actually useful.
What's free:
No credit card, no trial expiry. Just drop your email, get credentials, plant them where they shouldn't be touched. We have 12 other token types in the paid version, and will slowly expand these out in this edition depending on feedback/and increasing limits based on what's being used/what folk want.
Additionally - something unique about our AWS Access Keys in particular you can specify the username and they're allocated from a pool of 1000s of accounts so they're hard/impossible to fingerprint (prove me wrong, I'll be curious). When someone uses them, you get an alert (via email, which is why we need your email - else we wouldn't!) with:
Why these token types?
They're the ones I'd actually look for on an engagement. Hardcoded AWS creds in repos, SSH keys in backup folders, that .env file someone forgot to gitignore. If an attacker finds them, you want to reveal these internal breaches. I've written one or two blogs about "Read Teaming" and the trend (and more than happy to chat about it)
No catch?
The catch is I'm hoping some of you upgrade when you need more coverage/scale and/or feedback on this! But the free tier isn't crippled - it is very much the same detection pipeline we use for paying customers!
Link: https://starter.deceptiq.com
More than happy/excited to answer questions about the detection methodology or token placement strategies.
If you work on firmware RE, unknown protocols, C2 RE, or undocumented file formats, give it a read.
I start by defining a custom binary file format, then show how Kaitai Struct comes into play
I know SaaS app detection and response is not in everyone's remit although I've worked in a few orgs where we've had to threat model SaaS apps, understand their telemetry and devise attack paths that could lead to unfavourable outcomes. We spent a lot of time doing this research. I thought about it and myself if I could get ( don't hate for me it ) agents to perform this research. So I started with this mental objective:
"How can I greedily transpose a SaaS app and find attack surface by transposing it onto MITRE attack and emulating adversarial techniques making some assumptions about an environment"
It turns out, I think, that the early results are really promising. Full transparency I am trying to build this into a product, but I've released a public version of some of the analysis in the attached link. You can view Slack and see 2 views:
My next steps are to integrate audit log context to identify detection opportunities and configuration context to identify mitigation options. If you’ve had to do this with your own teams, I’d really value hearing your perspective. Always open to chatting as this is my life now
This particular course, SANS 588, has assembled 6 sections all on areas of pentesting I am most interested in learning, on account of all my prior work in the past as a DevSecOps engineer.
These subjects are what I want to study, but the hefty price tag of approx 9000 dollars is pretty crazy, and I don't have a company to pay for it. Are there any other worthwhile and reputable providers of this kind of education or certification?
