CTO at NCSC Summary: week ending June 8th
Multiple supply chain attacks which resulted in client access..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week nothing of note this week..
In the high-level this week:
Creating the right organisational culture for cyber security - UK NCSC publishes - “Today we are launching our Cyber security culture principles. They were developed as a result of extensive research by the NCSC, and our industry and government partners. The principles describe cultural conditions that are essential underpinnings for an organisation to be cyber secure and offer an approach to developing that culture.”
Retail cyber attacks: boards must engage more with cyber security, government urges UK businesses - Airmic publishes - “Writing for Airmic News, cyber security minister, Feryal Clark, says that the new Cyber Governance Code will support executives understand and prioritise cyber risk.”
The National Telecoms Security And Research Facility - UKTL launches - its website, a national asset is now front and centre..
National Cybersecurity Strategies: What’s new in the EU’s national cybersecurity policymaking - ENISA publishes - “Designed as a central hub for information and collaboration, the NCSS Interactive Map provides insights into how EU Member States are translating cybersecurity strategy into action. It highlights strategic objectives, implementation measures, and good practices - outlining the concrete steps taken by the EU Member States to safeguard Europe’s digital future.”
Warner, Colleagues Call on DHS to Prioritize Cybersecurity, Reestablish Cyber Safety Review Board - U.S. Sen. Mark R. Warner (D-VA) - “wrote to Department of Homeland Security Secretary Kristi Noem urging her to reestablish the Cyber Safety Review Board (CSRB)”
Handreiking Cybersecurity voor Bestuurders en Bedrijfseigenaren - Netherlands Cyber Security Raad publishes in Dutch - “This guideline is intended for both directors and business owners, as well as members of supervisory or supervisory boards in all organizations.”
Cybercom’s defensive arm elevated to sub-unified command - Defence Scoop reports - “Secretary of Defense Pete Hegseth directed that JFHQ-DODIN be designated a sub-unified command, effective immediately May 28, and its name has been changed to Department of Defense Cyber Defense Command (DCDC).”
43rd meeting (May 29, 2020) - Japanese Cyber Security Strategy Headquarters publishes - includes budgets etc.
Foreign thieves hack WhatsApp of Minister of Home Affairs - Nasional Daily reports - “Acting Director of the Commercial Crime Investigation Department (JSJK), Datuk Seri Muhammed Hasbullah Ali, said that the attacker tried to log in to a WhatsApp account before sending the URL link to a friend on the WhatsApp application.”
How a Spyware App Compromised Assad’s Army - New Line Magazine reports - “In the early summer of 2024, months before the opposition launched Operation Deterrence of Aggression, a mobile application began circulating among a group of Syrian army officers. It carried an innocuous name: STFD-686, a string of letters standing for Syria Trust for Development.”
The Human Factor: Addressing Computing Risks for Critical National Infrastructure towards 2040 - Lancaster University and University of Manchester publish - “The findings propose making Internet Services a CNI sector, and suggested the weightiest concern to be human-centric challenges around the recovery from software disasters and cyberattacks. Other major concerns also related to human factors, such as attacks via operators, and errors stemming from poorly designed human-computer interfaces.”
Reporting on/from China
Tokyo Metropolitan Police Department begins investigation into securities account hijacking, possible unauthorized access from China - Nikkei reports - ”So far, 17 companies have been found to have had their securities accounts hijacked, with the total amount of fraudulent transactions exceeding 300 billion yen.”
China rejects Dutch minister's spying accusation, says tech achievements not 'stolen' - Reuters reports- “China firmly opposes attempts to "smear" it using accusations of "spying" and "cyberattacks" as a pretext, the Chinese foreign ministry said in a written response to Reuters. “
AI
Scaling coordinated vulnerability disclosure - OpenAI publishes - “We are publishing an Outbound Coordinated Disclosure Policy that we will follow when disclosing vulnerabilities to third-parties.”
Hacktron finds pre-auth RCE in Dassault Delmia Apriso - Hacktron announce - “Hacktron ended up finding CVE-2025-5086, a pre-auth remote code execution vulnerability with a 9.0 CVSS severity rating.” - AI finding more vulnerabilities
Cybersecurity AI (CAI), an open Bug Bounty-ready Artificial Intelligence -Alias Robotics publishes - “CAI is specifically designed to enhance these efforts by providing a lightweight, ergonomic framework for building specialized AI agents that can assist in various aspects of Bug Bounty hunting”
Securing AI Model Weights - RAND Corporation publish - “Specifically, the authors (1) identify 38 meaningfully distinct attack vectors, (2) explore a variety of potential attacker operational capacities, from opportunistic (often financially driven) criminals to highly resourced nation-state operations, (3) estimate the feasibility of each attack vector being executed by different categories of attackers, and (4) define five security levels and recommend preliminary benchmark security systems that roughly achieve the security levels.”
Test Criteria Catalogue for AI Systems in Finance - German Federal Office for Information Security publish - “The catalog provides practical criteria for testing AI systems and suggests suitable test methods and tools for technical and document-based testing. In addition, a process for applying the catalog is described… This document serves as support for the implementation of the EU AI Regulation , and the target audience includes financial and insurance institutions across the EU”
Cyber proliferation
Israel's acting ambassador warns: "My government has yet to respond to Pegasus revelations." - El Espanol report - “And he drops a warning. Should the Spanish government fear any revelations from Israel stemming from the "Pegasus" software, which (perhaps Morocco) used to spy on those government phones, in response to so much belligerence?”
NSO Group asks judge for new trial, calling $167 million in damages 'outrageous' - TechCrunch publishes - “On Thursday, the company filed a motion for a new trial or a “remittitur,” which is a procedure that allows a court to reduce an excessive verdict.”
Spyware co Paragon leases more space in Tel Aviv tower - Globes reports - “Paragon, whose founders include former prime minister Ehud Barak, is currently hiring about 150 additional employees to staff the two new floors.”
Tackling the Proliferation of Cyber Intrusion Capabilities - Lawfare analyzes - “The Pall Mall Process Code of Practice paves the way for strong action against cyber intrusion, but it still has a long way to go.”
Bounty Hunting
Key service for malware developers taken down - Netherlands Police announce - "The service that was taken offline is AVCheck, one of the largest Counter Antivirus (CAV) services used internationally by cybercriminals."
Maxim Alexandrovich Rudometov & RedLine - US Rewards for Justice bounty - “Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”
KOVALEV, Vitalii Nikolaevich - Federal Criminal Police Office Bundeskriminalamt detail - “is suspected of having made a significant contribution to the execution of global cyberattacks as the founder of the group behind the malware "Trickbot." Specifically, it is suspected that the wanted man founded the group under the pseudonyms <stern> and <ben> and acted as its leader.”
Department Files Civil Forfeiture Complaint Against Over $7.74M Laundered on Behalf of the North Korean Government - US Department of Justice announces - “The funds were initially restrained in connection with an April 2023 indictment against Sim Hyon Sop (Sim), a North Korean Foreign Trade Bank (FTB) representative who was allegedly conspiring with the IT workers. While the North Koreans were attempting to launder those ill-gotten gains, the U.S. government was able to freeze and seize over $7.74 million tied to the scheme.”
M&S boss's pay hit £7m before cyber attack chaos - BBC reports - “The retailer's remuneration committee said it had considered the "recent cyber incident" when deciding on performance-related pay and concluded that "no adjustments were needed". .. “But it said it "recognised it would need to re-visit the matter" when deciding on next year's compensation.” - there are implications from this remco decision and signalling..
No reflections this week, instead there is this podcast featuring Jeremy from NCSC on PQC.
Monday sees our next publication on Market Incentives where we build on the CyberUK discussion..
Not getting this via email? Subscribe:
Think someone else would benefit? Share:
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
CERT Polska detail this alleged Russian campaign which is noteworthy as it follows a pattern of finding and exploiting vulnerabilities in web mail based systems..
CERT Polska has observed a spear phishing campaign targeting Polish entities this week. The threat actor attempted to exploit the CVE-2024-42009 vulnerability, which allows JavaScript code to be executed when an email message is opened, with the aim of stealing user credentials.
It's also worth noting that a new vulnerability in Roundcube, CVE-2025-49113, was discovered just this week. It allows an authenticated attacker to execute code and potentially take over the entire webmail server. While we haven't observed any signs of this vulnerability being exploited, it could be combined with an account compromise vulnerability to form a highly effective attack chain.
Based on technical indicators, we attribute this campaign to a cluster of UNC1151 activity with high confidence. According to publications by Mandiant and Google, UNC1151 is associated with the Belarusian government while other sources connect it with Russian intelligence services.
https://cert.pl/en/posts/2025/06/unc1151-campaign-roundcube/
Reporting on China
BPFDoor
HaxRob walks through the history to the current day of this alleged Chinese Linux implant..
Similarities between
BPFDoorandsniffdoor(v1.0):
Sharing the same code for its pseudo terminal handling (taken from
bindtty).Numerous overlapping function names/routines
Uses raw sockets to intercept magic / wakeup packets
Supports both connect/bind and reverse shells
https://haxrob.net/bpfdoor-past-and-present-part-1/
https://haxrob.net/bpfdoor-past-and-present-part-2/
Reporting on North Korea
Nothing overly of note this week
Reporting on Iran
BladedFeline: Whispering in the dark
ESET Research detail this alleged Iranian operation which is noteworthy for the victimology and the length of some of their accesses..
BladedFeline compromised officials within the Kurdistan Regional Government at least as early as 2017.
The initial implants used there can be traced back to OilRig.
We discovered BladedFeline after its operators compromised Kurdish diplomatic officials with the group’s Shahmaran signature backdoor in 2023.
This APT group has also infiltrated high-ranking officials within the government of Iraq.
We assess with medium confidence that BladedFeline is a subgroup within OilRig.
We analyze two reverse tunnels (Laret and Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache), and various supplementary tools.
…
It is still unclear how BladedFeline is developing access to its victims. What we know is that in the case of the KRG victims, the threat actors obtained access at least as far back as 2017 and have maintained it ever since. As for the GOI victims, we suspect that the group exploited a vulnerability in an application on an internet-facing web server, which allowed them to deploy the Flog webshell.
https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
Reporting on Other Actors
Spear Phishing in Armenia: Inside a Persistent Campaign by UNC5792
CyberHUB-AM (a Computer Emergency Response Team (CERT) for Armenian civil society) detail this unattributed campaign which is noteworthy due to victimology and a degree of operational agility..
In early March 2025, CyberHUB-AM identified a targeted spear phishing campaign focused on individuals and organizations within Armenia’s civil society and public sector. The campaign exhibited IOCs consistent with advanced persistent threat (APT) operations and has been attributed to UNC5792, a group previously identified by Mandiant.
The attackers impersonated an imaginary “Armine Poghosyan”, who is supposedly “an employee” of Armenia’s High-Tech Industry Ministry, using Signal to send messages inviting recipients to a purported “information platform” on global and Armenian political events. The core of the attack involves highly malicious, temporary URLs (initially on add-group.tech, then shifting to group-add.com), which are designed to compromise the targets; notably, the attackers demonstrated real-time adaptability by providing a new, active malicious link on a different domain immediately after being informed that the initial URL had expired.
Operation Phantom Enigma
Positive Technologies details an unattributed campaign which is noteworthy for the deployment of a remote management agent.
A malicious campaign discovered by Positive Technologies specialists is primarily targeting residents of Brazil. Attacks have been detected since the beginning of 2025.
Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack.
The attackers used a malicious extension for Google Chrome, Microsoft Edge, and Brave browsers, as well as Mesh Agent and PDQ Connect Agent.
..
As mentioned earlier, the analyzed malicious campaign utilizes two attack chains: one involving a malicious extension targeting users in Brazil, and another using Mesh Agent. The second attack enables attackers to spread across the infrastructures of infected companies.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/operation-phantom-enigma
The Rise of Residential Proxies as a Cybercrime Enabler
Feike Hacquebord, Philippe Lin, Fyodor Yarochkin and Vladimir Kropotov give a sense of the scale of this challenge. But they also provide some good solid technical detection approaches.
Residential proxy providers and bulletproof hosting companies stand side by side as key enablers of cybercrime today. Residential proxy providers offer millions of IP addresses with precise location data that can allow cybercriminals to execute targeted attacks and bypass antifraud and IT security systems of enterprises, governments and ecommerce websites.
The effectiveness of IP address blocklists has diminished over time, due to the abundant availability of residential proxy providers; this creates a growing need for connection-based and session-based access control.
We anticipate that residential proxy providers will seek to bypass connection and session-based access controls, such as uploading separate software modules to residential endpoints, enabling them to perform specific tasks.
This modular model is already employed by certain residential proxy providers in the far east who obtain close to millions of residential proxies by exploiting vulnerabilities in the software and hardware supply chains of inexpensive IoT devices and by selling pre-infected Android Open Source Project-supported devices (AOSP).
Discovery
How we find and understand the latent compromises within our environments.
RDCMan - Verifying DPAPI Activity
Chris walks through how to setup DPAPI logging and then how to utilise said logging..
https://ogmini.github.io/2025/05/27/RDCMan-Verifying-DPAPI-Activity.html
Defence
How we proactively defend our environments.
On the Correctness of Metadata-based SBOM Generation: A Differential Analysis Approach
Sheng Yu, Wei Song , Xunchao Hu and Heng Yin show the value of the science of cyber security by uncovering some woeful performance in reality of SBOM generators.
To date, there has not been a systematic study addressing the correctness of contemporary SBOM generation solutions. In this paper, we conduct a large-scale differential analysis of the correctness of four popular SBOM generators. Surprisingly, our evaluation reveals all four SBOM generators exhibit inconsistent SBOMs and dependency omissions, leading to incomplete and potentially inaccurate SBOMs. Moreover, we construct a parser confusion attack against these tools, introducing a new attack vector to conceal malicious, vulnerable, or illegal packages within the software supply chain. Drawing from our analysis, we propose best practices for SBOM generation and introduce a benchmark to steer the development of more robust SBOM generators.
…
We generated SBOMs using four popular SBOM generators for 7,876 open-source projects and systematically studied the correctness of these SBOMs. Our evaluation uncovered significant deficiencies in current SBOM generators.
https://www.cs.ucr.edu/~heng/pubs/sbom-dsn24.pdf
PCI DSS Vulnerability Management Processes
PCI Security Standards Council publish this inforgraphic to hang on your cube wall..
https://blog.pcisecuritystandards.org/new-infographic-pci-dss-vulnerability-mangement-processes
Quick machine recovery in Windows
Riddhi Ameser details a new resilience feature in Windows post CrowdStrike etc.
Quick machine recovery— … automatically detects, diagnoses, and resolves critical issues on your device—is now available in the Windows Insider Preview Beta Channel for Windows 11, version 24H2. First announced by Microsoft CEO Satya Nadella at Microsoft Ignite 2024 as part of the Windows Resiliency Initiative, this feature is a game-changer for Windows 11 devices facing boot issues.
Incident Writeups & Disclosures
How they got in and what they did.
Coinbase breach linked to customer data leak in India
Reuters reports the manifestation of insider risk..
Cryptocurrency exchange Coinbase knew as far back as January about a customer data leak at an outsourcing company connected to a larger breach estimated to cost up to $400 million, six people familiar with the matter told Reuters.
…
The ex-employees said they were briefed on the matter by company investigators or colleagues who witnessed the incident in the Indian city of Indore, noting that the woman and a suspected accomplice were alleged to have been feeding Coinbase customer information to hackers in return for bribes.
Vulnerability
Our attack surface.
Multiple CVEs in Infoblox NetMRI: RCE, Auth Bypass, SQLi, and File Read Vulnerabilities
Rhino Security Labs detail a range of vulnerabilities which if compromised will likely provide substantial access in the target network..
While performing research on Infoblox’s NetMRI network automation and configuration management solution, we discovered 6 vulnerabilities in version 7.5.4.104695 of the NetMRI virtual appliance. These ranged from unauthenticated command injection (CVE-2025-32813), SQL injection (CVE-2025-32814), hardcoded credentials (CVE-2025-32815), cookie forgery, and arbitrary file read as root (CVE-2024-54188).
https://rhinosecuritylabs.com/research/infoblox-multiple-cves/
HPE StoreOnce Software, Multiple Vulnerabilities
HP’s Backup solution..
Potential security vulnerabilities have been identified in HPE StoreOnce Software. These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure vulnerabilities.
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US
Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability
This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same.
CVE-2025-5054 and CVE-2025-4598
Saeed Abbasi provide another reason we should aim kill passwords..
Both issues are race-condition vulnerabilities. The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, Apport, and the second (CVE-2025-4598) targets systemd-coredump, which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora. These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump.
Qualys TRU has developed proofs of concept (POCs) for certain operating systems for these vulnerabilities. These POCs demonstrate how a local attacker can exploit the coredump of a crashed unix_chkpwd process (designed to verify the validity of a user’s password)—installed by default on most Linux distributions—to obtain password hashes from the /etc/shadow file.
Offense
Attack capability, techniques and trade-craft.
OktaGinx
OtterHacker releases a capability you will want to be able to detect or otherwise mitigate if you are an Okta user..
Evilginx phishlet allowing to bypass Okta authentication chained with Azure.
It implements some framebuster bypass to perform Bitb [Browser in the Browser]
https://github.com/OtterHacker/OktaGinx/
Disclosure: Covert Web-to-App Tracking via Localhost on Android
Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara and Tim Vlummens detail an interesting techique employed by a couple of platforms.
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.
This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
Abusing Client-Side Extensions (CSE): A Backdoor into Your AD Environment
Antoine Cauchois details an Active Directory persistence technique you will want to engineer detections for..
Rather than cover well-documented common abuses of built-in CSEs, this article demonstrates how to create custom malicious ones. These are harder for defenders to identify than legitimate built-in CSEs used in malicious contexts, which have known globally unique identifiers
https://www.tenable.com/blog/abusing-client-side-extensions-cse-a-backdoor-into-your-ad-environment
Spying On Screen Activity Using Chromium Browsers
mr.d0x shows how Chrome can be used as an implant of sorts..
Chromium browsers have the
--auto-select-desktop-capture-sourceflag which allows you to automatically choose a specific screen or window for capture without requiring any user interaction. If we set this to flag to “Entire” it will auto-select the entire screen for sharing. As an example, the command below will launch Chrome and navigate toexample.com/screenshare.html. If the website prompts the user to select which screen/window/tab to share, the browser will automatically select the entire screen.
https://mrd0x.com/spying-with-chromium-browsers-screensharing/
Camera and Microphone Spying Using Chromium Browsers
mr.d0x shows how Chrome can be used as an implant of sorts part deux..
Chromium conveniently has the
--auto-accept-camera-and-microphone-captureflag that will automatically accept the previously shown prompt and allow a website to access the camera and microphone. This flag can be used with the--headlessflag, allowing it to run invisible to the user.
https://mrd0x.com/spying-with-chromium-browsers-camera/
Obfusk8
x86byte releases a C++ obfuscation technique which will add some cost, until you deploy the automation/augmentation..
Obfusk8 is a lightweight, header-only C++17 library designed to significantly enhance the obfuscation of your applications, making reverse engineering a substantially more challenging endeavor. It achieves this through a diverse set of compile-time and runtime techniques aimed at protecting your code's logic and data.
https://github.com/x86byte/Obfusk8
No Agent, No Problem: Discovering Remote EDR
Jonathan Johnson demonstrates a fascinating bit of tradecraft if you need to do things against remote hosts in a more clandestine manner..
I’ll demonstrate how to leverage the Performance Logs and Alerts APIs to create what is essentially a remote, agentless EDR solution. This approach also offers unique advantages for offensive engineers who need stealthy monitoring capabilities and for defenders who want to extend their visibility without the complexity of traditional agent deployment. So…let’s dive in!
https://jonny-johnson.medium.com/no-agent-no-problem-discovering-remote-edr-8ca60596559f
Exploitation
What is being exploited..
Evidence of Zero-Click Mobile Exploitation in the U.S.
iVerify Research Team hint at the possibility of the zero-click iMessage vulnerability being exploited in the wild. Highlights the value we highlight to vendors to implement our Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances - for device vendors
In the course of our investigation, we discovered evidence suggesting – but not definitively proving – this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent Threat Notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes. Likewise, one device demonstrated behavior frequently associated with successful exploitation, specifically the creation and deletion of iMessage attachments in bulk within a matter of seconds on several occasions after an anomalous crash. We only observed these crashes on devices belonging to extremely high value targets. And these crashes constituted only .0001% of the crash log telemetry taken from a sample of 50,000 iPhones.
https://iverify.io/blog/iverify-uncovers-evidence-of-zero-click-mobile-exploitation-in-the-us
PumaBot Linux Botnet Targets IoT Surveillance Devices
The Hivemind details a botnet which is clearly someone’s pet..
PumaBot, a Go-based Linux botnet, targets embedded IoT devices by brute-forcing SSH credentials, establishing persistence, and executing cryptocurrency mining. Its sophisticated evasion tactics and focus on surveillance devices highlight the growing threat to IoT ecosystems.
Written in Go, PumaBot targets Linux-based IoT devices, retrieving target lists from a C2 server to brute-force SSH credentials.
Establishes persistence by mimicking legitimate binaries like Redis and abusing systemd services.
Executes cryptocurrency mining via commands like “xmrig” and “networkxm,” leveraging compromised devices for illicit profit.
Incorporates fingerprinting to evade honeypots, checking for specific strings like “Pumatronix” to target or exclude surveillance systems.
https://blog.polyswarm.io/pumabot-linux-botnet-targets-iot-surveillance-devices
Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
Anderson Leite details another botnet which is also clearly someone’s pet..
The DVR bot is also based on the Mirai source code but it includes different features as well, such as string encryption using RC4, anti-VM checks, and anti-emulation techniques.
https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
VulBinLLM: LLM-powered Vulnerability Detection for Stripped Binaries
Nasir Hussain, Haohan Chen, Chanh Tran, Philip Huang, Zhuohao Li, Pravir Chugh, William Chen, Ashish Kundu and Yuan Tian show another application of AI to improve productivity in vulnerability research..
we present Vul-BinLLM , an LLM-based framework for binary vulnerability detection that mirrors traditional binary analysis workflows with fine-grained optimizations in decompilation and vulnerability reasoning with an extended context. In the decompilation phase, Vul-BinLLM adds vulnerability and weakness comments without altering the code structure or functionality, providing more contextual information for vulnerability reasoning later. Then for vulnerability reasoning, Vul-BinLLM combines in-context learning and chain-of-thought prompting along with a memory management agent to enhance accuracy.
https://arxiv.org/abs/2505.22010
Hypervisors for Memory Introspection and Reverse Engineering
memN0ps walks through how to build a hypervisor with security research minded features..
In this article, we explore the design and implementation of Rust-based hypervisors for memory introspection and reverse engineering on Windows. We cover two projects - illusion-rs, a UEFI-based hypervisor, and matrix-rs, a Windows kernel driver-based hypervisor. Both leverage Extended Page Tables (EPT) to implement stealthy control flow redirection without modifying guest memory.
https://secret.club/2025/06/02/hypervisors-for-memory-introspection-and-reverse-engineering.html
Delegations
Rémi GASCOU (Podalirius) releases a tool for any of you working in enterprise technology archaeology..
Delegations is a tool that allows you to work with all types of Kerberos delegations (unconstrained, constrained, and resource-based constrained delegations) in Active Directory.
https://github.com/TheManticoreProject/Delegations?tab=readme-ov-file
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Cyber meets reality: The invisible hand behind physical crimes
VRDP Training Material - This repository contains the pre-joining training materials given to aspiring researchers on the Vulnerability Researcher Development Program
Artificial intelligence
Books
Nothing overly of note this week
Events
Symposium sur la sécurité des technologies de l'information et des communications - slides, papers and videos online
Infographic of the week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.