Random in Security is a summary of cybersecurity news.
Interesting Reads
Analysis of Kimsuky Leaks
DomainTools analyzed the “Kim” leak that exposed North Korea’s Kimsuky/APT43 credential theft playbook targeting South Korea and Taiwan. The dump revealed terminal histories showing malware compilation with NASM, stolen government PKI certificates, phishing infrastructure mimicking official portals, and a Linux rootkit—all pointing to a credential-first espionage strategy. Turns out they were also using OCR tools to extract juicy details from Korean security PDFs, because why hack when you can just read the manual?
Threat Actor Surveilled via Huntress EDR
In a delightful twist of irony, threat actors accidentally installed Huntress EDR on their own operational machine after finding it through a Google ad. Huntress got a front-row seat to watch them use AI tools for efficiency, automate workflows with Make.com, and shop for Evilginx and residential proxies—ultimately leading to the discovery of over 2,400 compromised identities. Pro tip: maybe don’t click on ads when you’re the bad guy.
AI autonomously completes GOAD cyber range
NodeZero AI speedran the entire GOAD cyber range in just 14 minutes by exploiting Active Directory misconfigurations instead of CVEs. The autonomous system pulled off SMB null sessions, Kerberoasting, golden ticket generation, and AD CS exploitation to achieve full domain and forest compromise. Skynet called—it wants its pentesting credentials back.
Geedge Networks Leak
Over 500 GB of internal documents from Geedge Networks and China’s MESA Lab leaked, exposing how the Great Firewall architects export surveillance tech to Myanmar, Pakistan, Ethiopia, and beyond under Belt and Road initiatives. The massive dump includes 100,000+ files from Jira, Confluence, and GitLab—essentially the blueprints for building your own authoritarian internet. A technical analysis reveals the operational infrastructure behind China’s internet control systems, though the source code portion remains largely unexamined by researchers.
Automated Multi-Agent Framework for Reproducing CVEs
Researchers developed CVE-Genie, an automated multi-agent AI framework that converts CVE entries into reproducible exploits. The system orchestrates specialized agents to analyze vulnerability descriptions, generate proof-of-concept code, and verify successful exploitation—basically turning abstract security advisories into working attack code. What could possibly go wrong with automating exploit development?
Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat
DomainTools dissects Salt Typhoon, a Chinese MSS-aligned APT group targeting global telecommunications infrastructure. What makes them special is their hybrid model blending direct state oversight with pseudo-private contractors like i-SOON to obscure attribution while scaling operations. They’ve demonstrated the ability to maintain persistent access for months or years, harvesting communications metadata and lawful intercept data—essentially wiretapping the wiretappers.
The Phantom Extension: Backdooring Chrome through uncharted pathways
Synacktiv researchers discovered a technique to silently inject malicious Chrome extensions by manipulating preference files and cryptographic signatures on Windows domain systems. By calculating correct MACs for extension entries, attackers can force-load arbitrary extensions without user interaction, enabling credential theft, traffic interception, and screen capture. Chrome’s extension security model just got a reality check.
Tools
- orsted: Orsted C2 Framework
- Nighthawk 0.4 – Janus: released