■■■■□ Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attack. Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html
All posts by John Doe
May 17, 2025 at 06:27PM
3️⃣ HTML to PDF Renderer: A tale of local file access and shellcode execution. https://neodyme.io/en/blog/html_renderer_to_rce/
May 17, 2025 at 04:51PM
■■■■□ United States 🇺🇸 Considers Banning TP-Link Routers Over Security Concerns. Three US federal agencies are investigating TP-Link, which makes up 65% of the US router market, according to a new report. https://www.pcmag.com/news/tp-link-accused-of-keeping-router-prices-low-to-help-china-conduct-cyberattacks https://www.hudson.org/information-technology/chinese-wireless-routers-next-entry-point-state-sponsored-hackers-michael-orielly
May 17, 2025 at 11:33AM
■■■□□ Metamorphic Code Example (Malware Mutation). https://stackoverflow.com/questions/10113254/metamorphic-code-examples
May 17, 2025 at 11:32AM
■■■■■ Writing a Self-Mutating Malware. https://0x00sec.org/t/writing-a-self-mutating-malware/40213/2
May 17, 2025 at 11:01AM
■■■■■ Litterbox: Sandbox approach for malware developers and red teamers to test payloads against detection mechanisms before deployment. https://github.com/BlackSnufkin/LitterBox
May 16, 2025 at 08:10PM
■■■□□ Google says hackers behind UK retail cyber campaign now also targeting US. https://therecord.media/scattered-spider-suspected-retail-hackers-google-alert
May 16, 2025 at 03:51PM
■■□□□ DEFCON32: Exploiting insecure OTA updates to create the world's first toothbrush botnet. The author dumped the firmware and discovered that the toothbrush tries to connect to a specific Wi-Fi network with the password “12345678” to search for updates. Now they can connect to other toothbrushes.
May 16, 2025 at 08:45AM
■■■■■ The RoKRAT family typically uses 3 cloud-based API services and tokens. Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story). Executive Summary: Disguised the content as an academic forum invitation from a South Korean national security think tank to attract attention. Lured…
May 15, 2025 at 06:43PM
■■■■□ A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET. https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html
