Forem: Mark0

Update: cut-bytes.py Version 0.0.18

Mark0 — Wed, 22 Apr 2026 05:06:27 +0000

This update for cut-bytes.py (version 0.0.18) addresses compatibility issues with the latest Python releases. Specifically, it provides a fix for escape sequences that previously triggered warnings in modern Python environments, ensuring the tool remains functional and silent during execution.

The release includes direct download links for the updated software package in ZIP format. To ensure file integrity, the author has provided both MD5 and SHA256 hashes for verification, a standard practice for maintaining security when distributing forensic and analysis tools.

Read Full Article

Some unintelligent fun with ms-notepad protocol

Mark0 — Wed, 22 Apr 2026 05:05:54 +0000

The article explores the "ms-notepad://" protocol handler introduced in recent Windows 11 builds. The researcher demonstrates how this handler can be used to launch the Notepad application via custom URI links, highlighting its behavior when handling filename arguments and the resulting file path resolution, including attempts at directory traversal using relative paths.

Furthermore, the analysis reveals a /TESTING command line argument within the new Notepad version that processes Base64 encoded strings to resolve file paths. This discovery allows for opening specific files through both the command line and the protocol handler, suggesting that the continuous addition of URI-based protocols in Windows provides an expanding attack surface for security research.

Read Full Article

Automation at Machine Speed: Rethinking Execution in Modern Cybersecurity

Mark0 — Wed, 22 Apr 2026 05:05:15 +0000

Modern cybersecurity is shifting from human-centric to machine-speed defense, driven by the integration of AI and automation. While automation acts as the operational multiplier to handle increasing alert volumes and reclaiming defensive tempo, AI provides the necessary context and predictive intelligence to guide these automated workflows. This synergy allows security teams to move from reactive triage to proactive intervention.

Adversaries are leveraging similar technologies for AI-assisted phishing, polymorphic malware, and automated lateral movement, compressing the attack lifecycle significantly. To counter this, organizations are adopting agentic AI systems—such as SentinelOne’s Purple AI—that perform autonomous investigations under human-defined guardrails. The future of security operations depends on the intelligent orchestration of people and machines, ensuring that detection, investigation, and response happen autonomously and in parallel.

Read Full Article

What the ransom note won't say

Mark0 — Wed, 22 Apr 2026 05:04:35 +0000

Ransomware has evolved from simple extortion into a sophisticated franchise-based industry known as Ransomware-as-a-Service (RaaS). This model allows specialized actors—developers, access brokers, and affiliates—to operate efficiently at scale, targeting smaller organizations with lower ransom demands to maintain a high-volume business. The market remains resilient even under law enforcement pressure, as affiliates quickly migrate between groups when operations are disrupted, illustrating a professionalized ecosystem driven by economic incentives.

The technical landscape is defined by the 'Red Queen effect,' where attackers and defenders adapt in parallel. This is most evident in the rise of 'EDR killers' and Bring Your Own Vulnerable Driver (BYOVD) techniques used to disable security products at the kernel level. As AI begins to lower the barrier to entry for malware development, organizations must move beyond viewing ransomware as a random event and instead treat it as a professionalized industry that requires proactive monitoring of evolving tools and supply chain risks.

Read Full Article

FakeWallet crypto stealer spreading through iOS apps in the App Store

Mark0 — Wed, 22 Apr 2026 05:03:40 +0000

In March 2026, researchers identified over twenty phishing apps in the Apple App Store masquerading as popular crypto wallets like MetaMask and Ledger. These apps utilize typosquatting and functional placeholders to bypass store filters, eventually redirecting users to install trojanized versions via iOS provisioning profiles. The campaign specifically targets recovery phrases and private keys, with evidence suggesting it has been active since late 2025.

The technical execution involves sophisticated methods such as malicious library injection (dylib) and modifying React Native source code to hijack wallet creation and recovery screens. By substituting legitimate class methods with malicious versions, the attackers exfiltrate mnemonic phrases encrypted with RSA to remote C2 servers. The campaign, which shows links to the SparkKitty Trojan, primarily targets Chinese-speaking users but remains a global threat due to its ability to adapt to different system locales.

Read Full Article

Introducing the CrowdStrike Shadow AI Visibility Service

Mark0 — Wed, 22 Apr 2026 05:02:54 +0000

CrowdStrike's Professional Services team has observed that organizations consistently underestimate their AI tool inventory, often discovering significantly more active agents and services than initially reported. Many organizations rely on web filtering which creates a false sense of control while masking unapproved AI activity occurring across endpoints, cloud, and SaaS environments.

To address this visibility gap, the new CrowdStrike Shadow AI Visibility Service utilizes the Falcon platform to provide an accurate map of an organization's AI footprint. The service identifies risks associated with shadow AI, including desktop applications, browser extensions, and development frameworks, while monitoring user prompts and LLM responses for potential leaks of sensitive data or source code.

Read Full Article

CrowdStrike Falcon Platform Achieves 441% ROI in Three Years

Mark0 — Wed, 22 Apr 2026 05:02:23 +0000

A new IDC Business Value study highlights the significant financial and operational advantages of consolidating security tools onto the CrowdStrike Falcon platform. Organizations transitioning to this unified architecture reported a 441% return on investment over three years, with initial costs recovered within just four months. By replacing an average of five disparate security tools with a single platform, enterprises successfully reduced tool sprawl and simplified their security environments.

The study further reveals that standardizing on Falcon led to an 86% reduction in false positives and a 44% improvement in security operations efficiency. This shift allows security teams to move away from managing alert noise and manual triaging, instead focusing on proactive threat hunting and innovation. The platform's AI-native foundation provides the necessary visibility across endpoint, identity, and cloud environments to counter increasingly sophisticated adversaries.

Read Full Article

Fracturing Software Security With Frontier AI Models

Mark0 — Wed, 22 Apr 2026 05:01:43 +0000

Unit 42's research into frontier AI models reveals a significant shift in the speed and scale of vulnerability discovery. These models are evolving from coding assistants to full-spectrum security researchers capable of autonomous reasoning. This advancement allows for autonomous zero-day discovery, the collapse of patching windows for N-days, and the development of complex exploit chains that can adapt in real-time to bypass hardened environment controls.

The risk is particularly acute for Open Source Software (OSS) due to code transparency, which AI models can analyze more effectively than compiled binaries. Unit 42 predicts an increase in large-scale supply chain compromises as threat actors leverage AI for reconnaissance, initial access via sophisticated spear-phishing, and autonomous lateral movement. To counter these threats, security teams must move toward aggressive prevention, automated incident response, and hardened architectural barriers like memory-safe languages.

Read Full Article

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Mark0 — Wed, 22 Apr 2026 05:01:04 +0000

Void Dokkaebi (also known as Famous Chollima), a North Korea-aligned threat actor, is targeting software developers through a sophisticated campaign involving fake job interviews. The group lures developers into cloning malicious repositories that utilize Visual Studio Code's workspace task system to execute malware. This operation has evolved from targeted social engineering into a self-propagating supply chain threat, as compromised developers unknowingly commit malicious configurations and obfuscated JavaScript back into organizational and open-source repositories.

The campaign features advanced evasion techniques, including commit history tampering to hide malicious injections and the use of blockchain infrastructure (Tron, Aptos, and Binance Smart Chain) for payload staging. The primary payload is a variant of the DEV#POPPER remote access trojan (RAT), which enables multi-operator session management and specifically avoids CI/CD environments to evade detection. Analysts have identified over 750 infected repositories, highlighting a significant risk to the broader developer ecosystem and software supply chains.

Read Full Article

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

Mark0 — Wed, 22 Apr 2026 05:00:27 +0000

Cybersecurity researchers have identified a critical systemic vulnerability in Anthropic's Model Context Protocol (MCP) SDK architecture. The flaw, which stems from unsafe defaults in the STDIO transport interface, enables remote code execution (RCE) across various programming languages including Python, TypeScript, and Rust. This "by design" weakness affects over 7,000 publicly accessible servers and has impacted popular AI projects like LangChain and LiteLLM, creating a significant risk for the AI supply chain.

Despite the discovery of over 10 CVEs related to this issue, Anthropic has declined to modify the protocol's architecture, citing the behavior as expected. This leaves the responsibility of mitigation to downstream developers, who must now implement sandboxing and strict input validation to prevent command injection. The incident underscores the hidden dangers of architectural decisions in AI protocols that can propagate silently throughout an entire ecosystem.

Read Full Article

SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

Mark0 — Wed, 22 Apr 2026 04:59:53 +0000

A critical security vulnerability, tracked as CVE-2026-5760, has been discovered in SGLang, a high-performance serving framework for large language models. With a CVSS score of 9.8, this flaw allows for remote code execution (RCE) through the /v1/rerank endpoint. The vulnerability arises from the insecure use of the Jinja2 rendering engine without proper sandboxing, specifically when processing malicious model files.

Attackers can exploit this by creating malicious GPT-Generated Unified Format (GGUF) model files containing a Server-Side Template Injection (SSTI) payload within the tokenizer.chat_template parameter. When a victim loads the model and accesses the vulnerable endpoint, the malicious code executes in the context of the SGLang service. Security experts recommend switching to ImmutableSandboxedEnvironment to mitigate this threat, as no official patch was confirmed during the initial coordination process.

Read Full Article

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation

Mark0 — Wed, 22 Apr 2026 04:59:20 +0000

Researchers have identified a significant expansion in the operations of "The Gentlemen" ransomware-as-a-service (RaaS), which has recently integrated the SystemBC proxy malware to facilitate network tunneling and lateral movement. By utilizing custom RC4-encrypted protocols and SOCKS5 tunnels, the group has compromised over 1,570 corporate networks. The group demonstrates high technical proficiency, targeting diverse platforms including Windows, Linux, and ESXi, while employing advanced evasion techniques like disabling Windows Defender through PowerShell scripts and abusing Group Policy Objects (GPOs) for domain-wide impact.

The broader ransomware landscape is shifting toward extreme specialization and reduced dwell times, with groups like Akira achieving full encryption in under an hour. Emerging families like Kyber are focusing on specific environments such as VMware ESXi using Rust and C++ encryptors. Despite increased law enforcement pressure, the ecosystem remains industrialized and resilient, with attackers increasingly targeting small to mid-sized organizations and operational technology (OT) environments during off-peak hours to bypass defensive responses.

Read Full Article