Random in Security is a summary of the cybersecurity news.
Interesting Reads
Leaked Secrets in Hidden Commits
A security researcher scanned all of GitHub’s “Oops Commits” for leaked secrets, focusing on commits that developers quickly deleted or modified after realizing they contained sensitive information. The methodology involved analyzing commit patterns and deleted content across millions of repositories to identify accidentally exposed credentials and secrets. This research highlights how even quickly corrected mistakes can leave lasting security vulnerabilities in version control history.
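The scanning idea above, as an added example that is not the researcher's code: a small secret scanner that walks a commit history, including commits that are no longer reachable from any branch (amended or force-pushed away), and reports only masked values. The regexes, the entropy floor of 4.0 bits per character and the sample commits are constructed for this example; the AWS key id in the sample is the example value AWS uses in its own documentation.

```python
import math
import re

# Detection rules (constructed for this example). The AWS rule is the documented key id
# format; the generic rule catches "key = value" assignments and is backed by an entropy check.
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
ENTROPY_FLOOR = 4.0  # bits per character; assumed threshold for the generic rule


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score higher than words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Never echo a full secret into a report; keep a short prefix for triage only."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_patch(patch: str):
    """Scan the added lines of a unified diff; returns (rule, line_no, masked_value) tuples."""
    findings = []
    for line_no, line in enumerate(patch.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only content the commit introduced
        for rule, rx in SECRET_RULES.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic-credential" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue  # low-entropy placeholder such as "changeme"
                findings.append((rule, line_no, mask(value)))
    return findings


def scan_history(commits):
    """commits: list of dicts {sha, reachable, patch}. Unreachable commits are scanned
    too, because rewriting history does not delete the objects from the repository."""
    report = []
    for c in commits:
        for rule, line_no, masked in scan_patch(c["patch"]):
            report.append({"sha": c["sha"], "reachable": c["reachable"],
                           "rule": rule, "line": line_no, "value": masked})
    return report


# Constructed sample history: the first commit leaked credentials and was then rewritten;
# only the rewrite is still on the branch, but the original object is still present.
SAMPLE_COMMITS = [
    {"sha": "aaaa001", "reachable": False,
     "patch": "--- a/config.py\n+++ b/config.py\n"
              "+AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
              "+api_key = \"Xk9vQ2mL7pR4sT8wZ1nB5cD3\"\n"},
    {"sha": "aaaa002", "reachable": True,
     "patch": "--- a/config.py\n+++ b/config.py\n"
              "+AWS_ACCESS_KEY_ID = os.environ[\"AWS_ACCESS_KEY_ID\"]\n"
              "+password = \"changeme_please_now\"\n"},
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_COMMITS):
        print(finding)
```

Run against a real repository, the `patch` field would come from `git show` on every object listed by `git fsck --unreachable`, not just from `git log`; that is the difference between a scanner that sees the "oops" commits and one that does not.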
AUR packages contain malware
Arch Linux pulled three malicious AUR packages that installed the CHAOS Remote Access Trojan on users’ systems. The packages “librewolf-fix-bin”, “firefox-patch-bin”, and “zen-browser-patched-bin” were uploaded by user “danikpapas” and contained malware with a command and control server at 130.162[.]225[.]47:8080. Users who installed these packages should check for and delete the suspicious “systemd-initd” executable in their /tmp folder, as reported in the official security advisory.
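A script for the check the advisory recommends, added here as an example rather than taken from the advisory: it looks for the three package names in `pacman -Q` output, for the dropped `systemd-initd` binary in a temp directory, and for connections to the published C2 endpoint in `ss -tnp` output. The indicators are the ones quoted in the paragraph above (the defanged address is re-fanged for string matching); the sample inputs are constructed.

```python
import os
import subprocess

# Indicators from the Arch Linux advisory summarised above.
MALICIOUS_PACKAGES = {"librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin"}
C2_ENDPOINT = "130.162.225.47:8080"  # published as 130.162[.]225[.]47:8080
DROPPED_BINARY = "systemd-initd"


def installed_packages(pacman_q_output: str) -> set:
    """Parse `pacman -Q` lines ("name version") into a set of package names."""
    names = set()
    for line in pacman_q_output.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def sweep(pacman_q_output: str, tmp_dir: str, connections: list) -> list:
    """Return (indicator_type, detail) findings. Nothing is deleted or killed here;
    removal is left to the operator after reviewing the report."""
    findings = []
    for pkg in sorted(installed_packages(pacman_q_output) & MALICIOUS_PACKAGES):
        findings.append(("package", pkg))
    dropped = os.path.join(tmp_dir, DROPPED_BINARY)
    if os.path.exists(dropped):
        findings.append(("file", dropped))
    for conn in connections:
        if C2_ENDPOINT in conn:
            findings.append(("connection", conn.strip()))
    return findings


def run_cmd(argv: list) -> str:
    """Run a host command, returning "" when the tool is not present on this system."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Live sweep of the local host; on a non-Arch machine both commands simply yield nothing.
    report = sweep(run_cmd(["pacman", "-Q"]), "/tmp", run_cmd(["ss", "-tnp"]).splitlines())
    print(report or "no indicators found")
```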
Offensive Python
TrustedSec researchers explored Python’s potential for offensive security operations, highlighting how the language’s legitimate reputation and widespread use make it an attractive attack vector. The research demonstrates using Python’s ctypes module for direct Win32 API interactions, unmanaged code execution, and reflective DLL loading while minimizing dependencies on third-party libraries. Key techniques include leveraging the standard library for web requests, network connections, and system interactions, positioning Python as an “undervalued target” for malware development and red team operations.
Spotting Malicious Remote IT Applicants
DTEX Systems released a threat advisory about North Korean remote IT workers who seek employment under false identities to fund weapons programs. Key warning signs include multiple online identities, unusual banking activity on corporate devices, excessive use of remote access tools, and behavioral anomalies like minimal collaboration and reluctance to appear on video calls. Organizations should integrate HR data with cybersecurity monitoring and use behavioral analytics to detect these sophisticated social engineering attempts that exploit the global IT skills gap.
Creating a Drone Based Synthetic Aperture Radar
A security researcher built a homemade polarimetric synthetic aperture radar drone for under 800 EUR that can image targets at least 1.5 km away. The lightweight system uses a custom 6 GHz FMCW radar, Zynq 7020 FPGA for signal processing, and a cheap FPV drone platform, achieving four polarization modes and video SAR imaging capabilities. This project demonstrates how advanced radar imaging technology previously limited to military and research applications can now be developed at low cost using commercial off-the-shelf components.
Hafnium’s Cyber Ecosystem
Security researchers documented the complex relationships surrounding Hafnium-affiliated hacker Xu Zewei, who was arrested at Milan airport and faces extradition for allegedly stealing COVID-19 research and exploiting Microsoft Exchange vulnerabilities. The investigation reveals connections between Shanghai State Security Bureau, companies like Shanghai Powerock Network and Chaitin Tech, demonstrating China’s interconnected “cyber ecosystem” where talent serves multiple interests. SentinelOne’s analysis reveals advanced capabilities including patented forensic technologies for remote evidence collection and sophisticated coordination between state security offices and private companies.
Fun with Gzip Bombs and Email Clients
A security researcher tested how different email clients handle “gzip bombs”: 10 MB compressed files that expand to 10 GB when decompressed. The research revealed significant variations in client behavior, with Evolution Mail proving most vulnerable by downloading multiple 10 GB files and filling 100 GB of disk space, while other clients like Firefox and Thunderbird handled the attack more gracefully. The study highlights critical security lessons about email client image handling and demonstrates potential vulnerabilities in decompression processes, as discussed further on Hacker News.
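The defence a client needs here is a decompressor that enforces an output cap before any large buffer exists. The following is an added example, not code from the researcher's post: it builds a small gzip bomb in memory (a run of zero bytes, which deflate shrinks at roughly the 1000:1 ratio the 10 MB to 10 GB files rely on) and rejects it with a bounded inflater based on `zlib.decompressobj`'s `max_length`. The 1 MiB cap and the sample sizes are constructed for the example.

```python
import gzip
import io
import zlib

MAX_ATTACHMENT_BYTES = 1 * 1024 * 1024  # assumed policy: at most 1 MiB of decompressed output


class DecompressionBomb(Exception):
    pass


def gzip_bytes(payload: bytes) -> bytes:
    """Ordinary compression of a benign payload."""
    return gzip.compress(payload)


def make_gzip_bomb(expanded_size: int) -> bytes:
    """Gzip `expanded_size` zero bytes without ever holding them all in memory."""
    buf = io.BytesIO()
    chunk = b"\x00" * (1 << 20)
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        remaining = expanded_size
        while remaining > 0:
            n = min(len(chunk), remaining)
            gz.write(chunk[:n])
            remaining -= n
    return buf.getvalue()


def bounded_gunzip(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate at most `max_output` bytes. Output is requested in `chunk`-sized pieces,
    so the cap is checked before the next piece is produced."""
    d = zlib.decompressobj(wbits=31)  # 31 = gzip container (16 + MAX_WBITS)
    out = bytearray()
    pending = data
    while True:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionBomb(f"output exceeded {max_output} bytes after {consumed} input bytes")
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail  # input zlib has not processed yet
        if not piece and not pending:
            raise ValueError("truncated gzip stream")


def inspect_attachment(data: bytes) -> dict:
    """The check a mail client should run before it renders an inline, compressed image."""
    try:
        body = bounded_gunzip(data, MAX_ATTACHMENT_BYTES)
        return {"status": "ok", "compressed": len(data), "expanded": len(body)}
    except DecompressionBomb as exc:
        return {"status": "rejected", "compressed": len(data), "reason": str(exc)}


if __name__ == "__main__":
    print(inspect_attachment(gzip_bytes(b"hello, world")))
    print(inspect_attachment(make_gzip_bomb(32 * 1024 * 1024)))
```

The same shape applies to any layered decoder (HTTP `Content-Encoding`, image formats, nested archives): count output as it is produced and stop at the policy limit rather than trusting the declared size in the container header.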
How to Rob a Hotel
Security researcher DMCXBLUE demonstrated comprehensive attack methods against hotel digital infrastructure, exploiting vulnerabilities in Azure cloud configurations, web applications, and identity management systems. The research revealed critical weaknesses including misconfigured Role-Based Access Controls, exposed Key Vaults with plaintext credentials, Jinja template injection allowing remote code execution, and weak authentication mechanisms. The methodology shows how attackers can progressively gain deeper access through vulnerability chaining, from initial web application flaws to complete compromise of hotel automation and database systems.
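Two of the items above, the ctypes-driven Win32 API use in the TrustedSec research and the Jinja template injection in this hotel write-up, share a defensive angle: both patterns are visible in Python source before anything runs. The following added example (not code from either research team) is a small `ast`-based checker that flags calls to the memory-allocation and thread-creation APIs commonly reached through ctypes, and any Jinja or Flask template built from something other than a string literal. The API list, the rule names and both sample sources are constructed for this example; the ctypes sample has its arguments elided with `...` so it is a syntax sample only.

```python
import ast

# Win32 APIs that, called through ctypes, make up the usual in-memory execution pattern.
# Heuristic list chosen for this example, not an official catalogue.
INJECTION_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "RtlMoveMemory", "CreateThread", "CreateRemoteThread", "LoadLibraryA", "GetProcAddress",
}
# Jinja/Flask entry points that compile a template from their first argument.
# A template assembled from anything but a literal is the SSTI anti-pattern.
TEMPLATE_SINKS = {"Template", "from_string", "render_template_string"}


def dotted_name(node):
    """Rebuild 'a.b.c' from an Attribute chain rooted at a Name; None for other shapes."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str) -> dict:
    """Static scan of one Python file; returns findings sorted by line number."""
    findings = []
    api_hits = set()
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name is None:
            continue
        leaf = name.rsplit(".", 1)[-1]
        if leaf in INJECTION_APIS:
            api_hits.add(leaf)
            findings.append((node.lineno, "win32-memory-api", name))
        if leaf in TEMPLATE_SINKS and node.args and not isinstance(node.args[0], ast.Constant):
            findings.append((node.lineno, "template-from-non-literal", name))
    findings.sort()
    return {
        "findings": findings,
        "injection_apis": sorted(api_hits),
        # allocate + copy + execute in one file is the signal, not any single call
        "likely_injection": len(api_hits) >= 3,
    }


# Constructed sample 1: the ctypes call shape, arguments elided so it is not a working loader.
CTYPES_SAMPLE = """
import ctypes
k32 = ctypes.windll.kernel32
buf = k32.VirtualAlloc(...)
ctypes.windll.kernel32.RtlMoveMemory(...)
k32.CreateThread(...)
"""

# Constructed sample 2: one vulnerable Flask handler (template built from user input)
# and one safe handler (literal template, user input passed as a variable).
TEMPLATE_SAMPLE = """
from flask import request, render_template_string
from jinja2 import Template
def greet():
    return render_template_string("<h1>Hi " + request.args.get("name") + "</h1>")
def greet_safe():
    return Template("<h1>Hi {{ name }}</h1>").render(name=request.args.get("name"))
"""

if __name__ == "__main__":
    print(scan_source(CTYPES_SAMPLE))
    print(scan_source(TEMPLATE_SAMPLE))
```

The template rule is deliberately syntactic: a literal template with user data passed as a render variable is fine, a template string concatenated or formatted from request data is not, and that distinction is visible in the AST without executing anything.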
An inside look at NSA (Equation Group) TTPs from China’s lens
Chinese security researchers analyzed NSA (Equation Group) tactics, techniques, and procedures through their investigation of attacks against Northwestern Polytechnical University. The analysis reveals sophisticated tooling including FOXACID browser exploit platform, SECONDDATE network traffic manipulation, and NOPEN remote access malware, deployed across 54 jump servers and 5 proxy servers in 17 countries. The research demonstrates systematic multi-stage cyber espionage operations with careful operational security, using attribution techniques like attack timing analysis and keyboard input language detection to identify human operational patterns.
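The attack-timing analysis mentioned above, as an added example that is not the researchers' code: given a set of event timestamps, score every whole-hour UTC offset by how many events land inside an assumed office-hours window, and report the best fit with its margin over the runner-up. The 09:00 to 17:59 weekday window and the sample beacon times (one event per hour, 13:00 to 21:00 UTC, Monday to Friday of one week) are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)  # assumed operator working day, 09:00-17:59 local
WORK_DAYS = range(0, 5)    # Monday..Friday


def office_hours_fraction(timestamps, offset_hours: int) -> float:
    """Fraction of events that fall in office hours once shifted to the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.hour in WORK_HOURS and local.weekday() in WORK_DAYS:
            hits += 1
    return hits / len(timestamps)


def rank_timezones(timestamps):
    """Score every whole-hour offset; best first, ties broken towards UTC."""
    scored = [(off, office_hours_fraction(timestamps, off)) for off in range(-12, 15)]
    scored.sort(key=lambda pair: (-pair[1], abs(pair[0])))
    return scored


def infer_operator_timezone(timestamps) -> dict:
    """Best-fitting offset plus how far it beats the runner-up; a small margin means
    the data does not really discriminate and the result should not be relied on."""
    ranked = rank_timezones(timestamps)
    (best, score), (_, runner_up) = ranked[0], ranked[1]
    return {
        "utc_offset": best,
        "office_hours_fraction": round(score, 2),
        "margin": round(score - runner_up, 2),
    }


def constructed_events():
    """Constructed beacon timestamps: hourly, 13:00-21:00 UTC, Mon-Fri of 2024-01-08."""
    monday = datetime(2024, 1, 8, tzinfo=timezone.utc)
    return [monday + timedelta(days=d, hours=h) for d in range(5) for h in range(13, 22)]


if __name__ == "__main__":
    print(infer_operator_timezone(constructed_events()))
```

On real data the margin is the important number: automated beacons and operators spread over several shifts both flatten the hour-of-day histogram, and then no single offset wins clearly.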
Deep dive into CVE-2025-29824 in Windows
BI.ZONE researchers conducted a detailed analysis of CVE-2025-29824 in the Windows clfs.sys driver. While the full technical details require accessing the original article, this vulnerability appears to be a significant Windows kernel-level flaw that warranted in-depth technical analysis. Security teams should review the complete research for exploitation mechanisms and mitigation strategies.
Tools
- quad9-domains-top500 - Top 500 DNS domains seen on the Quad9 recursive resolver array each day
- AdaptixC2 - Cross-platform C2 framework with a server in Go and a GUI client in C++/Qt, featuring multiplayer support, encrypted communications, a modular design with extensible plugins, and BOF support
- Drone Remote ID Monitoring System - Web application to monitor drones based on the Remote ID technology, including DJI DroneID
- Malware & Monsters game - Collaborative cybersecurity learning through incident response
- Thorium - A scalable file analysis and data generation platform that allows users to easily orchestrate arbitrary docker/vm/shell tools at scale (Docs)
- Anubis - Weighs the soul of incoming HTTP requests to stop AI crawlers (Website)
- ControlSTUDIO - Adversary Simulation Framework
- RABIDS - Modular malware framework to build custom payloads, designed for advanced adversary simulation and malware research