Random in Security is a summary of cybersecurity news.
Vulnerabilities
Exploiting Keyspace Reduction and Relay Attacks in 3DES and AES-protected NFC Technologies
Researchers behind the BREAKMEIFYOUCAN project demonstrated critical vulnerabilities in NFC technologies including MIFARE Ultralight C/AES and NTAG 223/224 DNA. By exploiting “partial key overwrite attacks,” they reduced the 3DES keyspace from 2^112 to a laughably brute-forceable 2^28, enabling key recovery in days instead of centuries. The core issue stems from protocol design choices that allow unauthenticated memory writes after initial authentication — not the underlying crypto itself, which is a fun reminder that you can have perfect locks and still leave the back door open. The research resources and Flipper Zero apps are publicly available following responsible disclosure coordinated with NXP since July 2025.
12 OpenSSL Vulnerabilities
AISLE’s autonomous analyzer discovered all 12 CVEs in OpenSSL’s January 2026 release, including two high/moderate severity vulnerabilities enabling remote code execution and buffer overflows. The system found flaws that had persisted for decades in one of the world’s most scrutinized codebases — apparently humans have been staring at the same code for years and just needed an AI to say “have you tried looking there?” Six additional vulnerabilities were caught and fixed before release, demonstrating how integrating automated analysis into development workflows shifts security from reactive patching to preventive discovery.
Interesting Reads
VoidLink: The Cloud-Native Malware Framework
Check Point Research uncovered VoidLink, a sophisticated Linux malware framework purpose-built for cloud environments. Written in Zig by suspected Chinese-affiliated developers, VoidLink features a modular architecture with 30+ plugins, adaptive stealth mechanisms that adjust behavior based on detected security products, and multiple rootkit techniques spanning LD_PRELOAD, LKM, and eBPF. No real-world infections have been confirmed yet, but a malware framework with 30 plugins and cloud-native architecture feels like someone is building enterprise software for the wrong team.
Inside GoBruteforcer
Check Point Research also dissected GoBruteforcer, a Go-based botnet targeting Linux servers by brute-forcing passwords for FTP, MySQL, PostgreSQL, and phpMyAdmin services. The twist: attackers are exploiting the widespread use of AI-generated server configurations that come with common default usernames and weak credentials, with researchers estimating over 50,000 vulnerable internet-facing servers. Beyond standard credential stuffing, operators deployed specialized blockchain tools to target crypto projects and execute token-sweep operations — proving that when you combine lazy defaults with cryptocurrency, someone will inevitably help themselves.
Drone Hacking Part 1: Dumping Firmware and Bruteforcing ECC
Neodyme researchers dove into the Potensic Atom 2 drone by physically desoldering its NAND chip and extracting firmware through some impressively tedious reverse engineering. They overcame random bit-flip corruption via majority voting across multiple reads, then brute-forced the SoC’s BCH error correction polynomial parameters to recover 247,134 bit errors across 131,072 pages. Part one of the series is pure hardware hacking artistry — stay tuned for when they inevitably find the drone’s firmware is running something terrifying.
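The majority-voting step described above, as an added example (not the researchers' code): each bit of a NAND page is taken from whichever value appears in more than half of the repeated reads, with ties (only possible for an even number of reads) resolved to the first read and reported so the caller knows which bits must still be settled by ECC. The reads are constructed sample data.

```javascript
// Added example: bitwise majority vote across repeated reads of one NAND page.
// reads: array of Uint8Array of equal length. Returns the voted page and the
// [byteIndex, bitIndex] positions where the reads tied.
function majorityVote(reads) {
  if (reads.length === 0) throw new Error("no reads");
  const len = reads[0].length;
  if (reads.some((r) => r.length !== len)) throw new Error("reads differ in length");
  const out = new Uint8Array(len);
  const ties = [];
  const half = reads.length / 2;
  for (let i = 0; i < len; i++) {
    let byte = 0;
    for (let bit = 0; bit < 8; bit++) {
      let ones = 0;
      for (const r of reads) ones += (r[i] >> bit) & 1;
      let v;
      if (ones > half) v = 1;
      else if (ones < half) v = 0;
      else { v = (reads[0][i] >> bit) & 1; ties.push([i, bit]); } // undecided: keep first read
      byte |= v << bit;
    }
    out[i] = byte;
  }
  return { data: out, ties };
}

// Number of bits a single read differs from the voted page (flips corrected by voting).
function countFlips(read, voted) {
  let n = 0;
  for (let i = 0; i < read.length; i++) {
    let x = read[i] ^ voted[i];
    while (x) { n += x & 1; x >>= 1; }
  }
  return n;
}

// Constructed sample: the true page is 0x5A repeated; each read has one random bit-flip.
const TRUE_PAGE = new Uint8Array([0x5a, 0x5a, 0x5a, 0x5a]);
const READS = [
  new Uint8Array([0x5a, 0x5b, 0x5a, 0x5a]), // byte 1, bit 0 flipped
  new Uint8Array([0x5a, 0x5a, 0xda, 0x5a]), // byte 2, bit 7 flipped
  new Uint8Array([0x4a, 0x5a, 0x5a, 0x5a]), // byte 0, bit 4 flipped
];

function recoverSample() {
  return majorityVote(READS);
}
```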
Fake PoCs Wasting Everyone’s Time
The Ashwesker GitHub account was caught publishing fake PoC exploits for multiple Oracle CVEs, following a pattern of creating repositories named after real vulnerabilities to trick security researchers into running malicious code. The account had multiple similarly structured repos (CVE-2026-21962, CVE-2026-21440, CVE-2026-21509, CVE-2026-22812), each mimicking legitimate exploit code. A timely reminder that blindly running PoCs from GitHub is the security researcher equivalent of eating candy from strangers.
A LinkedIn Job Offer Tried to Install Malware on My Machine
A developer documented a malware attempt disguised as a legitimate job opportunity on LinkedIn. The attack used a malicious Node.js repository posing as a real estate tech project, leveraging npm’s postinstall hook and Function.constructor to dynamically load and execute remote payloads designed for C2 access, credential theft, and file exfiltration. Supply chain attacks via fake job offers — because apparently the worst thing about LinkedIn recruiters can always get worse.
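One way to catch the combination described above before running `npm install`, as an added example (not code from the post or the repository it describes): inspect the package's lifecycle hooks and flag any whose script builds code from strings (Function.constructor, new Function, eval) or fetches it from the network. The package.json and script body below are constructed, with a placeholder host.

```javascript
// Added example: audit an unpacked npm package's lifecycle scripts offline.
// In practice read package.json and the referenced file from the extracted tarball.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Code assembled from strings at runtime.
const DYNAMIC_EXEC = [
  /Function\.constructor\s*\(/, // Function.constructor("code")
  /\)\s*\.constructor\s*\(/,    // (function(){}).constructor("code")
  /\bnew\s+Function\s*\(/,      // new Function("code")
  /\beval\s*\(/,                // eval("code")
];
// Payload fetched at install time instead of shipped in the package.
const REMOTE_FETCH = [/\bhttps?:\/\/\S+/, /\brequire\(["']https?["']\)/, /\bfetch\s*\(/];

// pkgJson: parsed package.json object; files: { relativePath: sourceText }.
function auditLifecycleScripts(pkgJson, files) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Resolve "node <file>" so the script body can be inspected.
    const m = /\bnode\s+([^\s&;|]+)/.exec(cmd);
    const source = m && files[m[1]] !== undefined ? files[m[1]] : null;
    const reasons = [];
    if (source === null) {
      reasons.push("script-body-not-inspected"); // hook runs something we could not read
    } else {
      if (DYNAMIC_EXEC.some((re) => re.test(source))) reasons.push("dynamic-code-execution");
      if (REMOTE_FETCH.some((re) => re.test(source))) reasons.push("remote-payload-fetch");
    }
    findings.push({ hook, command: cmd, reasons });
  }
  return findings;
}

// Constructed sample mimicking the pattern in the post (placeholder host, not the real repo).
const SAMPLE_PKG = {
  name: "realestate-dashboard",
  scripts: { postinstall: "node scripts/setup.js", test: "jest" },
};
const SAMPLE_FILES = {
  "scripts/setup.js":
    'const https = require("https");\n' +
    'https.get("https://example.invalid/config", (res) => { /* ... */ });\n' +
    "const body = ''; (function () {}).constructor(body)();\n",
};

function auditSample() {
  return auditLifecycleScripts(SAMPLE_PKG, SAMPLE_FILES);
}
```

Any hook with a non-empty `reasons` list deserves a manual read before the package is installed; an uninspected hook is a finding too, not a pass.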
PeckBirdy: LOLBins Exploitation by China-aligned Threat Groups
Trend Micro detailed PeckBirdy, a JScript-based C2 framework used by China-aligned APT groups to target gambling industries and Asian governments through Living-off-the-Land Binaries. The framework executes across multiple environments including browsers, MSHTA, and WScript, deploying modular backdoors like HOLODONUT and MKDOOR. Defense evasion techniques include AMSI/ETW disabling and manipulating Microsoft Defender exclusion lists — because why fight the antivirus when you can just politely ask it to look the other way?
PDF Forensics: The Epstein PDFs
The PDF Association published a thorough forensic analysis of the 4,085 PDF files released by the US Department of Justice under the Epstein Files Transparency Act. The analysis revealed that while redactions were correctly applied (no recoverable hidden text, despite social media claims), the DoJ’s processing pipeline left behind orphaned document information dictionaries inside compressed object streams, leaked software metadata (OmniPage CSDK 21.1), and converted all JPEG images to low-res 96 DPI bitmaps to strip EXIF data. The piece is a masterclass in why you should never trust a single PDF analysis tool — and why proper document sanitization is harder than most government agencies appreciate.
Recreating Uncensored Epstein PDFs from Raw Encoded Attachments
In a complementary effort, one researcher explained the mystery of orphaned equals signs in leaked emails — a side effect of buggy quoted-printable decoding when someone converted line endings from Windows (CRLF) to Unix (LF) without properly handling soft line breaks. Meanwhile, another researcher successfully extracted PDF attachments embedded as base64 text in scanned DOJ documents, using template-matching OCR that achieved 99.96% accuracy on 76-character base64 lines rendered in Courier New — a font where “1” and “l” are practically indistinguishable. They recovered 39 of 40 compressed streams, revealing a 2012 charity gala invitation, which is perhaps the most anticlimactic forensic payoff imaginable.
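The orphaned equals signs explained above, reproduced as an added example (not from either researcher's write-up): RFC 2045 defines a quoted-printable soft line break as "=" immediately followed by CRLF, so a decoder that only matches "=\r\n" leaves a bare "=" behind once the raw text's line endings have been converted to LF. The sample line is constructed; the tolerant decoder accepts any line ending after "=".

```javascript
// Added example: strict vs tolerant quoted-printable decoding around a CRLF -> LF conversion.
const HEX_ESCAPE = /=([0-9A-Fa-f]{2})/g;
const decodeHex = (_, hex) => String.fromCharCode(parseInt(hex, 16));

// Strict decoder: only "=\r\n" counts as a soft line break.
function decodeQpStrict(text) {
  return text.replace(/=\r\n/g, "").replace(HEX_ESCAPE, decodeHex);
}

// Tolerant decoder: "=" plus optional trailing whitespace plus any line ending is a soft break.
function decodeQpTolerant(text) {
  return text.replace(/=[ \t]*(?:\r\n|\n|\r)/g, "").replace(HEX_ESCAPE, decodeHex);
}

// The conversion step that introduced the bug: CRLF -> LF applied to still-encoded text.
function crlfToLf(text) {
  return text.replace(/\r\n/g, "\n");
}

// Forensic check on raw QP text: soft breaks ending in a bare LF mean the file was
// line-ending converted after encoding, so "=" artefacts from a strict decode are expected.
function countSoftBreaks(raw) {
  return {
    crlfBreaks: (raw.match(/=\r\n/g) || []).length,
    lfBreaks: (raw.match(/=\n/g) || []).length,
  };
}

// Constructed sample: a wrapped line (soft break inside "30") and an encoded "=" (=3D).
const SAMPLE_QP = "Please confirm attendance for the gala on 3=\r\n0 March =3D RSVP\r\n";

function demo() {
  const converted = crlfToLf(SAMPLE_QP);
  return {
    strictOnOriginal: decodeQpStrict(SAMPLE_QP),
    strictAfterConversion: decodeQpStrict(converted), // the orphaned "=" survives here
    tolerantAfterConversion: decodeQpTolerant(converted),
    breaks: countSoftBreaks(converted),
  };
}
```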
Tools
- NUS-Curiosity/VulZoo - VulZoo: A Comprehensive Vulnerability Intelligence Dataset integrating CVE, NVD, CWE, and exploit databases for security research tasks like vulnerability detection, assessment, and prioritization.
- Prompting the Priorities - Research evaluating LLMs (ChatGPT, Claude, Gemini, DeepSeek) for SSVC-based vulnerability triage across 384 real-world vulnerabilities — spoiler: they don’t replace expert judgment yet, but Gemini ranked highest.
- Qwen3-TTS Demo - a Hugging Face Space by Qwen - Qwen’s text-to-speech model demo running on Hugging Face Spaces, Apache 2.0 licensed.