This is a small bug fix for search-for-compression.py, and I’m also taking it out of the beta repository and putting it into the DidierStevensSuite repository. search-for-compression_V0_0_7.zip (http)MD5: DD113FF41851A562D271804E4558EA08SHA256: 6E663316F774BA5B373704E7FE41B8266F5D1ADC618327F9F2C4C4C830A1B3DE  ( 11 min )

Microsoft announced on May 8, 2026, that it will retire direct certificate-based authentication (CBA) for Exchange ActiveSync (EAS) by the end of 2026. If your organization uses certificates to authenticate mobile devices against Exchange Online, you must migrate to a new method before the deadline, or your users' mobile email will stop working. This article explains what the change means, who is affected, and what steps you need to take. Source

The RAG bot, with checkpoints Let’s circle back to the team from our introduction. With the three checkpoints in place, the same attack would have been intercepted three different ways: Three layers, three different ways to catch the same attack. That is what defense in depth means in this stack: not a single perfect filter, … Continue reading Securing AI systems without overconfidence or fear – Part 2: Attack surfaces and the checkpoint flow →  ( 16 min )

CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.  ( 12 min )

A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.  ( 17 min )

In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor LiteLLM on PyPI (see Trivy’s post-mortem for the full timeline). zizmor is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. When GitHub Actions added support for YAML anchors in September 2025, a small but high-value slice of the ecosystem started writing workflows that zizmor could only analyze on a best-effort basis. Over the past three months, Trail of Bits collaborated with the zizmor maintainers to bring zizmor’s anchor support up to full coverage. First, we fixed parsing bugs that caused crashes, produced wrong-locatio…  ( 4 min )

Microsoft is shutting down Exchange Web Services (EWS) — the nearly 20-year-old API that Exchange uses for hybrid coexistence — in Exchange Online in two phases: a soft block on October 1, 2026, and a permanent hard shutdown on April 1, 2027. If you run Exchange in hybrid mode, meaning some mailboxes are on-premises and some are in Microsoft 365, this requires a two-step migration. The first step should already be complete; the second step must be finished before October 2026 and requires Exchange Server Subscription Edition (SE). Microsoft has confirmed there will be no exceptions past April 2027. Source

Microsoft now offers Windows Server 2025 hotpatching through Azure Arc at no additional charge for eligible Azure Arc-enabled servers. Hotpatching installs Windows security updates without restarting the server in most months, but it does not eliminate all reboots. You still need Azure Arc, the Azure Connected Machine agent, Virtualization-based Security, and a supported Windows Server 2025 edition. This article explains what those requirements mean, how to enable the feature, and where its limits are. Source

Key Takeaways Vulnerabilities Report Offers Key Industry Benchmarks How does your MTTR hold up against the industry average? And does your organization encounter more high/critical vulnerabilities than others in your industry? Those are just a few questions that our 2026 State of Vulnerabilities Report answers. The report analyzes more than 11,000 vulnerabilities surfaced through the […] The post The 2026 State of Vulnerabilities Report: Industry Insights appeared first on Synack.  ( 11 min )

Explore the intricacies of UEFI security with exploration into emulation, dynamic analysis, and the LogoFail vulnerability. Learn how subtle input manipulations can expose critical firmware weaknesses. The post Emulating & Exploiting UEFI: Unveiling Vulnerabilities in Firmware Security appeared first on NetSPI.  ( 29 min )

Security and compliance teams can now monitor Claude activity directly in Wiz, extending the workflows they already rely on to AI  ( 53 min )

TL;DR: TailscaleHound is an OpenGraph collector for BloodHound that maps Tailscale users, devices, groups, tags, ACLs, grants, SSH rules, routes, app connectors, services, keys, invites, webhooks, and hybrid Azure identity relationships. The result is a graph that helps answer practical questions like, “Which users can reach this device?”, “Who can use this exit node?”, “Which […] The post Introducing TailscaleHound: Mapping Tailscale Attack Paths in BloodHound appeared first on SpecterOps.  ( 16 min )

Background While discussing with eversinc33 about lifting BinaryShield to LLVM IR I decided it would be useful to write a basic lifter in Python that can lift x86_64 instructions to LLVM IR. He has since released his blog post: Writing a Naive LLVM-based Devirtualizer, which I highly recommend you check out! This post assumes familiarity with the basics of LLVM IR. You can find some references at the end of this post. Over the years I noticed that a lot of people get stuck exploring lifters, because existing tooling is too difficult to compile. In October 2025 I spent around a month redoing Remill’s build system (remill#723) and earlier this month I did the same for the Dna project (Dna#9). Last year I also started working on Python bindings for LLVM, which I wanted to use for a real project. You can find the lifter at LLVMParty/striga. The goal of this post is to lower the barrier of entry and let you experiment with lifting to LLVM IR. For inspiration you can look at the Static Devirtualization of Themida post that was just released by Back Engineering Labs, as well as the Pushan: Trace-Free Deobfuscation of Virtualization-Obfuscated Binaries paper by ASU researchers published in March. If you enjoy this article and would like to learn more, see my website for information about my in-person trainings. Lifting Lifting is the process of translating assembly instructions to some kind of intermediate representation (IR). The motivation is usually that directly analyzing and manipulating (x86) assembly instructions is complex and error prone. The lifter translates the underlying instruction semantics directly to an IR that is easier to reason about (and therefore to manipulate as well). A few popular IRs: SMT-LIB, used by Triton (symbolic execution) VEX, used by angr Miasm IR Sleigh, used by Ghidra, Remill and Icicle LLVM IR, used by Rellume, revng and Remill Microcode, used by IDA (proprietary) BNIL, used by Binary Ninja (proprietary) For this project I picked LLVM IR, because I am the most familiar with it and it has a well-established ecosystem. LLVM already has all of the common compiler optimizations and it is used and maintained by teams at large corporations. Architecture The architecture of the lifter is very much inspired by remill, but I simplified some things to make it easier to follow. In LLVM a register is actually an SSA value, which means we can only assign to it once. CPU registers are variables that can be assigned to multiple times. We model this by creating a State structure in memory that represents the x86 CPU state: struct State { uint64_t rax; uint64_t rbx; uint64_t rcx; uint64_t rdx; // ... GPRs uint8_t cf; uint8_t zf; uint8_t of; // ... Flags // ... XMM }; Instructions that read or write to RAX will load/store to State->rax. If we play our cards right, the optimizer will use the mem2reg pass to translate this into SSA form for us and enable further optimizations. An important difference to an actual CPU is that flags are modelled as independent 8-bit registers. This makes it easier to reason about compared to a packed bitfield. For instance, it helps the optimizer to perform dead store elimination and propagation. In addition to the State, we need an opaque memory pointer that helps us differentiate a load/store in the State from memory accesses by the x86 CPU. In short: the State pointer is used to model the CPU and the memory pointer is used to model the RAM. While lifting, the prototype of the lifted function is void lifted(State* state, void* memory). Later on we will perform brightening, to turn this into something we can recompile. Below is the LLVM IR for the instruction mov rax, rcx, with comments in pseudo-C: define internal void @lifted_0x140001000(ptr %state, ptr %memory) { initialize: ; uint64_t* rcx = &state->rcx; %rcx = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 2 ; uint64_t* rax = &state->rax; %rax = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 0 ; Jump to the first instruction br label %insn_0x140001000 insn_0x140001000: ; preds = %initialize ; uint64_t v0 = *rcx; %0 = load i64, ptr %rcx, align 4 ; *rax = v0; store i64 %0, ptr %rax, align 4 ; Jump to the next instruction br label %insn_0x140001003 insn_0x140001003: ; preds = %insn_0x140001000 ; Block terminator to keep the IR valid ret void } We start out with the initialize block, which is used to get pointers to the relevant State members. Then every instruction gets its own basic block named insn_<addr>. Every instruction is responsible for emitting an unconditional branch to its successors. The basic block for the successor is created with just a ret terminator, to keep the module verifier happy. To illustrate memory accesses, here is the LLVM IR for mov rax, qword [rbx+42]: define internal void @lifted_0x140001000(ptr %state, ptr %memory) { initialize: %rbx = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 1 %rax = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 0 br label %insn_0x140001000 insn_0x140001000: ; preds = %initialize ; uint64_t v0 = *rbx; %0 = load i64, ptr %rbx, align 4 ; uint64_t v1 = v0 + 42; %1 = add i64 %0, 42 ; uint8_t* v2 = &memory[v1]; %2 = getelementptr i8, ptr %memory, i64 %1 ; uint64_t v3 = *(uint64_t*)v2; %3 = load i64, ptr %2, align 1 ; *rax = v3; store i64 %3, ptr %rax, align 4 br label %insn_0x140001004 insn_0x140001004: ; preds = %insn_0x140001000 ret void } Here you can see the getelementptr i8, ptr %memory, i64 %1 instruction which uses memory as a base, signaling that this is a read from the x86 memory (we will clean this up later). The lifter itself is contained in a ~500 line Semantics class with these main functions (some are omitted for brevity): # src/striga/semantics.py class Semantics: def __init__(self, module: Module): ... # Lifting def begin(self, address: int) -> Function: ... def get_or_create_block(self, address: int) -> BasicBlock: ... def lift_bytes(self, address: int, code: bytes) -> list[Successor]: ... # Semantic helpers def reg_read(self, name: str) -> Value: ... def reg_write(self, name: str, value: Value): ... def mem_read(self, addr: Value, ty: Type) -> Value: ... def mem_write(self, addr: Value, value: Value): ... def op_mem(self, op: X86Op) -> Value: ... def op_read(self, index: int) -> Value: ... def op_write(self, index: int, value: Value): ... def flag_read(self, name: str) -> Value: ... def flag_write(self, name: str, value: Value): ... # State (simplified) module: Module function: Function ir: Builder insn: CsInsn The begin(address) function is used to create the lifted_<address> function in LLVM IR and create the initialize block with a branch to the first instruction: def begin(self, address: int) -> Function: name = f"lifted_{hex(address)}" fn = self.module.get_function(name) if fn is None: fn = self.module.add_function(name, self.lifted_ty) fn.param_attributes(0).add("noalias") fn.param_attributes(1).add("noalias") state, memory = fn.params memory.name = "memory" state.name = "state" self.function = fn self.reg_ptrs = {} self.insn_blocks = {} entry = fn.append_basic_block("initialize") assert fn.last_basic_block == entry with entry.create_builder() as ir: ir.br(self.get_or_create_block(address)) else: # Omitted for brevity return self.function To create the instruction block, get_or_create_block is used: def get_or_create_block(self, address: int) -> BasicBlock: block = self.insn_blocks.get(address) if block is None: block = self.function.append_basic_block(f"insn_{hex(address)}") with block.create_builder() as ir: ir.ret_void() self.insn_blocks[address] = block assert block.function == self.function return block As mentioned above, an empty block is not valid LLVM IR so we populate it with a ret instruction. When actually lifting into the basic block, that instruction will be replaced with the lifted code. To lift a single instruction we pass its address and bytes to lift_bytes, which is responsible for producing LLVM IR: def lift_bytes(self, address: int, code: bytes) -> list[Successor]: # Ensure we have a function to lift into if not hasattr(self, "function"): self.begin(address) insn = self.cs_disasm(address, code) if self.verbose: print(";", hex(insn.address), insn.mnemonic, insn.op_str) # Skip lifting if the block is already populated block = self.get_or_create_block(address) assert block.first_instruction if block.first_instruction.opcode == Opcode.Ret: block.first_instruction.erase_from_parent() else: return [] with block.create_builder() as ir: # State used by semantic handlers self.ir = ir self.insn = insn handler = _semantics.get(insn.mnemonic) if handler is None and insn.mnemonic.startswith("lock "): # LOCK preserves the single-threaded architectural result; the # lifter does not model inter-thread atomicity separately. handler = _semantics.get(insn.mnemonic.removeprefix("lock ")) if handler is None: raise NotImplementedError(insn.mnemonic) successors = handler(self) if successors is None: # Linear fallthrough - handler didn't emit a terminator. fallthrough = address + insn.size ir.br(self.get_or_create_block(fallthrough)) successors = [Successor(address, self.const64(fallthrough))] # Make sure the handler produced valid IR self.module.verify_or_raise() return successors The function first ensures an empty insn_<address> block by removing the temporary ret instruction. Then it creates an IR Builder and calls the handler responsible for producing IR for the instruction being lifted (more on that below). If the handler does not return successors, lift_bytes handles the common fallthrough case by creating a basic block for the next instruction. It is up to the caller to handle the list of Successor tuples: class Successor(NamedTuple): src: int dst: Value We use an LLVM Value for the branch destination, because it is not always concrete (for example jmp reg). The semantic handlers are registered globally: # src/striga/semantic.py SemanticFn: TypeAlias = Callable[["Semantics"], list[Successor] | None] _semantics: dict[str, SemanticFn] = {} def semantic(fn: SemanticFn): name = getattr(fn, "__name__") _semantics[name.removesuffix("_")] = fn return fn # src/striga/x86/data.py @semantic def mov(sem: Semantics): value = sem.op_read(1) sem.op_write(0, value) Every handler gets an instance of Semantics, to allow easy access to x86 constructs like operands, registers, flags and memory. For example, op_read is implemented as follows: def op_read(self, index: int) -> Value: op: X86Op = self.insn.operands[index] if op.type == CS_OP_REG: name = self.reg_name(op.reg) # pyright: ignore[reportAssignmentType] return self.reg_read(name) if op.type == CS_OP_IMM: return self.const_n(op.imm, op.size * 8) if op.type == CS_OP_MEM: addr = self.op_mem(op) return self.mem_read(addr, self.types.int_n(op.size * 8)) assert False For our example mov rax, rcx, the function will forward to reg_read: def reg_read(self, name: str) -> Value: if name in self.reg_types: load = self.ir.load(self.reg_types[name], self.reg_ptr(name)) load.metadata["tbaa"] = self.tbaa_tags[name] return load full_name, size, bit_offset = self.subregs[name] load = self.ir.load(self.reg_types[full_name], self.reg_ptr(full_name)) load.metadata["tbaa"] = self.tbaa_tags[full_name] if bit_offset: load = self.ir.lshr(load, self.const64(bit_offset)) return self.ir.trunc(load, self.types.int_n(size)) This function transparently handles accesses to sub registers like eax, ax, al and ah and it returns an LLVM Value containing the loaded register value. The last missing piece is the reg_ptr function, which is responsible for creating the getelementptr in the function entry: def reg_ptr(self, name: str) -> Value: reg_ptr = self.reg_ptrs.get(name) if reg_ptr is not None: return reg_ptr entry = self.function.entry_block state = self.function.get_param(0) with entry.create_builder() as ir: ir.position_before(entry.terminator) reg_ptr = ir.struct_gep(self.state_ty, state, self.reg_indices[name], name) self.reg_ptrs[name] = reg_ptr return reg_ptr To help the optimizer we add TBAA Metadata to the register load/store instructions. In this case we know that a register loads/stores never alias with each other. By telling the optimizer about this, it can perform more aggressive dead-store elimination when optimizing a sequence of lifted instructions. Semantics So far we discussed the architecture of the lifter, but we only discussed the mov instruction so far. Almost every other instruction has more complex behavior, especially around flag handling. For instance here are the implementations of and/or/xor: # src/striga/x86/bitwise.py def write_logical_flags(sem: Semantics, result: Value): false = sem.const_n(0, 1) sem.flag_write("cf", false) sem.flag_write("pf", sem.result_parity_even(result)) sem.flag_write_undef("af") sem.flag_write("zf", sem.result_is_zero(result)) sem.flag_write("sf", sem.result_sign_bit(result)) sem.flag_write("of", false) def logical_binop(sem: Semantics, opcode: Opcode): dst = sem.op_read(0) src = sem.resize_int(sem.op_read(1), dst.type) result = sem.ir.binop(opcode, dst, src) sem.op_write(0, result) write_logical_flags(sem, result) @semantic def and_(sem: Semantics): logical_binop(sem, Opcode.And) @semantic def or_(sem: Semantics): logical_binop(sem, Opcode.Or) @semantic def xor(sem: Semantics): logical_binop(sem, Opcode.Xor) For reference here is the lifted LLVM IR for xor rax, rbx and the Python code responsible for each part: insn_0x140001000: ; preds = %initialize ; dst = sem.reg_read(0) %0 = load i64, ptr %rax, align 4 ; src = sem.resize_int(sem.op_read(1), dst.type) %1 = load i64, ptr %rbx, align 4 ; result = sem.ir.binop(Opcode.Xor, dst, src) %2 = xor i64 %0, %1 ; sem.op_write(0, result) store i64 %2, ptr %rax, align 4 ; sem.flag_write("cf", false) store i8 0, ptr %cf, align 1 ; sem.flag_write("pf", sem.result_parity_even(result)) %3 = trunc i64 %2 to i8 %4 = lshr i8 %3, 4 %5 = xor i8 %3, %4 %6 = lshr i8 %5, 2 %7 = xor i8 %5, %6 %8 = lshr i8 %7, 1 %9 = xor i8 %7, %8 %10 = and i8 %9, 1 %11 = icmp eq i8 %10, 0 %12 = zext i1 %11 to i8 store i8 %12, ptr %pf, align 1 ; sem.flag_write_undef("af") %13 = call i1 @__striga_undef_af(i64 5368713216) %14 = zext i1 %13 to i8 store i8 %14, ptr %af, align 1 ; sem.flag_write("zf", sem.result_is_zero(result)) %15 = icmp eq i64 %2, 0 %16 = zext i1 %15 to i8 store i8 %16, ptr %zf, align 1 ; sem.flag_write("sf", sem.result_sign_bit(result)) %17 = lshr i64 %2, 63 %18 = trunc i64 %17 to i1 %19 = zext i1 %18 to i8 store i8 %19, ptr %sf, align 1 ; sem.flag_write("of", false) store i8 0, ptr %of, align 1 ; Semantics.lift_bytes br label %insn_0x140001003 If you pay close attention you see a call to __striga_undef_af, which is a custom intrinsic used to represent something that has no clear analog in LLVM IR. In this case the description of the xor instruction says: The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the result. The state of the AF flag is undefined. This means that Intel/AMD does not want to document exactly how the value of AF is computed in silicon. In practice this can vary between CPU models/generations and it can be used as an anti-emulation trick, but we will not go into detail in this post. We emit __striga_undef_af, to allow the user to handle this however they see fit. If you are interested there is remill#766 with a little discussion about how to model this correctly. Another class of instructions to highlight here is the various branch instructions: # src/striga/x86/control.py def conditional_jump(sem: Semantics, cond: Value): brtrue = sem.insn.operands[0].imm brfalse = sem.insn.address + sem.insn.size sem.ir.cond_br( cond, sem.get_or_create_block(brtrue), sem.get_or_create_block(brfalse), ) src = sem.insn.address return [ Successor(src, sem.const64(brtrue)), Successor(src, sem.const64(brfalse)), ] def jcc(sem: Semantics, cc: str): return conditional_jump(sem, cc_cond(sem, cc)) @semantic def je(sem: Semantics): return jcc(sem, "e") @semantic def jmp(sem: Semantics): dst = sem.op_read(0) if dst.is_constant: sem.ir.br(sem.get_or_create_block(dst.const_zext_value)) else: sem.ir.call(sem.jmp_handler, [dst]) sem.ir.ret_void() return [Successor(sem.insn.address, dst)] @semantic def call(sem: Semantics): dst = sem.op_read(0) fallthrough = sem.insn.address + sem.insn.size sem.push(sem.const64(fallthrough)) sem.ir.call(sem.call_handler, [dst]) sem.ir.br(sem.get_or_create_block(fallthrough)) return [Successor(sem.insn.address, sem.const64(fallthrough))] @semantic def ret(sem: Semantics): dst = sem.pop(sem.i64) if sem.insn.operands: rsp = sem.reg_read("rsp") sem.reg_write("rsp", sem.ir.add(rsp, sem.const64(sem.insn.operands[0].imm))) sem.ir.call(sem.ret_handler, [dst]) sem.ir.ret_void() return [Successor(sem.insn.address, dst)] LLVM IR for je imm: insn_0x140001000: ; preds = %initialize %0 = load i8, ptr %zf, align 1 %1 = icmp ne i8 %0, 0 br i1 %1, label %insn_0x140001014, label %insn_0x140001002 insn_0x140001014: ; preds = %insn_0x140001000 ret void insn_0x140001002: ; preds = %insn_0x140001000 ret void } Note that the semantic handler for jcc is responsible for creating both the destination blocks as well as the br with the appropriate condition based on the flag(s). LLVM IR for jmp rbx: insn_0x140001000: ; preds = %initialize %0 = load i64, ptr %rbx, align 4 call void @__striga_jmp(i64 %0) ret void LLVM IR for call imm: insn_0x140001000: ; preds = %initialize %0 = load i64, ptr %rsp, align 4 %1 = sub i64 %0, 8 store i64 %1, ptr %rsp, align 4 %2 = getelementptr i8, ptr %memory, i64 %1 store i64 5368713221, ptr %2, align 1 call void @__striga_call(i64 5369761797) br label %insn_0x140001005 LLVM IR for ret: insn_0x140001000: ; preds = %initialize %0 = load i64, ptr %rsp, align 4 %1 = getelementptr i8, ptr %memory, i64 %0 %2 = load i64, ptr %1, align 1 %3 = add i64 %0, 8 store i64 %3, ptr %rsp, align 4 call void @__striga_ret(i64 %2) ret void } As you can see, we use the following intrinsics: __striga_jmp: indirect jump __striga_call: call instruction __striga_ret: ret instruction These are also used to give the user flexibility in how they want to handle these instructions. Control flow Because of the design choice where every instruction is a basic block, it becomes fairly straightforward to recover the control flow of a basic function: def lift(module: Module, container: Container, start: int, *, verbose=True): sem = Semantics(module, verbose=verbose) lifted_fn = sem.begin(start) queue: Queue[Successor] = Queue() queue.put(Successor(0, sem.const64(start))) # Keep destinations as LLVM Values instead of splitting constants into ints. # This keeps the worklist uniform and matches later slicing/data-flow uses. visited: set[Value] = set() while not queue.empty(): src, dst = queue.get() if not dst.is_constant: if sem.verbose: print(f"; non-constant branch destination: {hex(src)} -> {dst}") continue if dst in visited: continue visited.add(dst) va = dst.const_zext_value code = container.get_data(va, 15) successors = sem.lift_bytes(va, code) for successor in successors: if successor.dst in visited: continue queue.put(successor) sem.module.verify_or_raise() return lifted_fn This is a simple Breadth-first search over the control flow graph and it allows recovering functions without indirect branches. Note that we do not have to do anything special to handle back edges (loops) or block splitting. The lifted code is modeled with an LLVM basic block per instruction, so we can connect instructions arbitrarily. Below is a function with some simple control flow (if/else/loop): test_cfg: cmp rax, 0 je .else_block .if_true: add rax, 1 jmp .merge .else_block: add rax, 2 .merge: sub rax, 1 jne .merge .exit: ret The graph of the disassembly looks like this: The LLVM IR looks like this: define internal void @lifted_0x140001000(ptr %state, ptr %memory) { initialize: %rax = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 0 %zf = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 51 %rsp = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 6 br label %insn_0x140001000 insn_0x140001000: ; preds = %initialize ; cmp rax, 0 %0 = load i64, ptr %rax, align 4 %1 = sub i64 %0, 0 %19 = icmp eq i64 %1, 0 %20 = zext i1 %19 to i8 store i8 %20, ptr %zf, align 1 br label %insn_0x140001004 insn_0x140001004: ; preds = %insn_0x140001000 ; je 0x14000100c %30 = load i8, ptr %zf, align 1 %31 = icmp ne i8 %30, 0 br i1 %31, label %insn_0x14000100c, label %insn_0x140001006 insn_0x14000100c: ; preds = %insn_0x140001004 ; add rax, 2 %32 = load i64, ptr %rax, align 4 %33 = add i64 %32, 2 store i64 %33, ptr %rax, align 4 br label %insn_0x140001010 insn_0x140001006: ; preds = %insn_0x140001004 ; add rax, 1 %62 = load i64, ptr %rax, align 4 %63 = add i64 %62, 1 store i64 %63, ptr %rax, align 4 br label %insn_0x14000100a insn_0x140001010: ; preds = %insn_0x140001014, %insn_0x14000100a, %insn_0x14000100c ; sub rax, 1 %92 = load i64, ptr %rax, align 4 %93 = sub i64 %92, 1 store i64 %93, ptr %rax, align 4 %111 = icmp eq i64 %93, 0 %112 = zext i1 %111 to i8 store i8 %112, ptr %zf, align 1 br label %insn_0x140001014 insn_0x14000100a: ; preds = %insn_0x140001006 ; jmp 0x140001010 br label %insn_0x140001010 insn_0x140001014: ; preds = %insn_0x140001010 ; jne 0x140001010 %122 = load i8, ptr %zf, align 1 %123 = icmp ne i8 %122, 0 %124 = xor i1 %123, true br i1 %124, label %insn_0x140001010, label %insn_0x140001016 insn_0x140001016: ; preds = %insn_0x140001014 ; ret %125 = load i64, ptr %rsp, align 4 %126 = getelementptr i8, ptr %memory, i64 %125 %127 = load i64, ptr %126, align 1 %128 = add i64 %125, 8 store i64 %128, ptr %rsp, align 4 call void @__striga_ret(i64 %127) ret void } For clarity, some flag computations were omitted from this IR dump. Brightening Brightening was a term coined in 2019 by Peter Garba and Matteo Favaro in the SATURN paper: Brightening [COMP.] verb – Reshaping code to make it more readable and understandable for humans Concretely it means to transform the LLVM IR from the lifted shape (pseudo C): /* Lifted instructions: add rdi, rsi mov rax, rdi ret */ void lifted(State* state, void* memory) { state.rdi += state.rsi; state.rax = state.rdi; __striga_ret(...); } Back to a regular function for the lifted platform’s calling convention, such as: // Linux calling convention: https://wiki.osdev.org/System_V_ABI#x86-64 uint64_t /* rax */ brightened(uint64_t /* rdi */ x, uint64_t /* rsi */ y) { return x + y; } The brightened function sets up the State on the stack and assigns the arguments to the registers appropriate for the calling convention of our target platform. The result register is returned from the function. Conceptually this is not very difficult, but it requires a bit of mental gymnastics to wrap your head around the trick: // Symbolic variable for memory uint8_t RAM[0]; void lifted(State* state, void* memory) { ... } uint64_t brightened(uint64_t x, uint64_t y) { State state; state.rdi = x; state.rsi = y; lifted(&state, RAM); return state.rax; } After an inlining pass it would look something like this: uint64_t brightened(uint64_t x, uint64_t y) { State state; state.rdi = x; state.rsi = y; state.rdi += state.rsi; state.rax = state.rdi; __striga_ret(...); return state.rax; } We can get rid of the __striga_ret intrinsic in this case, which will let the optimizer reduce the function to its original shape: uint64_t brightened(uint64_t x, uint64_t y) { return x + y; } LLVM IR before optimizations: define i64 @brightened_0x1000(i64 %0, i64 %1) { entry: %state = alloca %State, align 8 %rdi = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 5 store i64 %0, ptr %rdi, align 4 %rsi = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 4 store i64 %1, ptr %rsi, align 4 %stack = alloca i8, i64 4096, align 1 %2 = getelementptr i8, ptr %stack, i64 4088 %3 = ptrtoint ptr %2 to i64 %rsp = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 6 store i64 %3, ptr %rsp, align 4 store i64 3735928559, ptr %2, align 1 call void @lifted_0x1000(ptr %state, ptr @RAM) %rax = getelementptr inbounds nuw %State, ptr %state, i32 0, i32 0 %4 = load i64, ptr %rax, align 4 ret i64 %4 } After optimizing the module with default<O1>: define i64 @brightened_0x1000(i64 %0, i64 %1) { entry: %2 = add i64 %1, %0 ret i64 %2 } Memory / Stack To handle memory accesses, we create a global RAM variable and pass that to our memory argument. In the previous example it folded away, but we need to handle it separately. The simplest form is access to a pointer parameter: uint64_t lift4_read(uint64_t *n) { return *n ^ 1337; } With our current brightening strategy the lifted code (after optimizations) would look like this: define i64 @brightened_0x1000(i64 %0) { entry: %1 = getelementptr i8, ptr @RAM, i64 %0 %2 = load i64, ptr %1, align 1, !alias.scope !19, !noalias !22 %3 = xor i64 %2, 1337 ret i64 %3 } We need to detect the getelementptr i8, ptr @RAM, i64 %0 shape and replace it with an inttoptr instruction: define i64 @brightened_0x1000(i64 %0) { entry: %1 = inttoptr i64 %0 to ptr %2 = load i64, ptr %1, align 1, !alias.scope !19, !noalias !22 %3 = xor i64 %2, 1337 ret i64 %3 } The stack can be modeled by allocating a local stack variable and pointing rsp to the end of that buffer (since on x86 the stack grows towards lower addresses): uint64_t brightened(uint64_t x, uint64_t y) { uint8_t stack[4096]; State state; state.rdi = x; state.rsi = y; state.rsp = (uint64_t)&stack[sizeof(stack) - 8]; lifted(&state, RAM); return state.rax; } Putting everything together in brighten.py: from llvm import Linkage, Module, Opcode, Value, global_context from bfs import lift_bfs from container import Container, RawContainer OPT_PIPELINE = "default<O1>" def rewrite_ram_geps(module: Module, ram: Value): """Replace GEPs rooted at @RAM with inttoptr(address).""" types = module.context.types for gep in ram.users: if not gep.is_instruction or gep.opcode != Opcode.GetElementPtr: raise ValueError(f"unexpected @RAM user: {gep}") if gep.get_operand(0) != ram: raise ValueError(f"unexpected @RAM GEP base: {gep}") if gep.num_operands == 2: if gep.gep_source_element_type != types.i8: raise ValueError(f"expected i8 ptradd-style @RAM GEP: {gep}") address = gep.get_operand(1) elif gep.num_operands == 3: zero = gep.get_operand(1) if not zero.is_constant_int or zero.const_zext_value != 0: raise ValueError(f"expected zero first @RAM GEP index: {gep}") address = gep.get_operand(2) else: raise ValueError(f"unexpected @RAM GEP shape: {gep}") with gep.create_builder() as ir: ptr = ir.inttoptr(address, types.ptr) gep.replace_all_uses_with(ptr) gep.erase_from_parent() if not ram.users: ram.delete_global() module.verify_or_raise() def define_ret_stub(module: Module): """Make the modeled return hook removable for this demo wrapper.""" ret_handler = module.get_function("__striga_ret") if ret_handler is not None and ret_handler.is_declaration: ret_handler.linkage = Linkage.Internal entry = ret_handler.append_basic_block("entry") with entry.create_builder() as ir: ir.ret_void() def lift_brightened(container: Container, entry: int, args: list[str]): with global_context().create_module("blog") as module: sem = lift_bfs(module, container, entry, verbose=True) # Convenience aliases types = module.context.types i8 = types.i8 i64 = types.i64 # Global RAM array ram = module.add_global(types.array(i8, 0), "RAM") # TODO: support different register sizes brightened_ty = types.function(i64, [i64 for _ in args]) brightened = module.add_function(f"brightened_{hex(entry)}", brightened_ty) with brightened.create_builder() as ir: state = ir.alloca(sem.state_ty, "state") def reg_ptr(name: str) -> Value: return ir.struct_gep(sem.state_ty, state, sem.reg_indices[name], name) # Assign arguments to register state for i, name in enumerate(args): ir.store(brightened.get_param(i), reg_ptr(name)) # Set up function stack stack = ir.alloca(i8, i64.constant(4096), "stack") stack_ptr = ir.gep(i8, stack, [i64.constant(4096 - 8)]) ir.store(ir.ptrtoint(stack_ptr, i64), reg_ptr("rsp")) # Set up return address retaddr_store = ir.store(i64.constant(0xDEADBEEF), stack_ptr) retaddr_store.inst_alignment = 1 # Call lifted function ir.call(sem.function, [state, ram]) # Load return value from rax and return it ir.ret(ir.load(i64, reg_ptr("rax"))) module.verify_or_raise() # 1. Inline/optimize with @RAM assigned to the lifted memory parameter. module.optimize(OPT_PIPELINE) # 2. Brighten lifted memory: @RAM + integer address -> inttoptr(address). rewrite_ram_geps(module, ram) # 3. Now that RAM accesses have been brightened, discard the modeled ret # hook for this demo and let LLVM clean up the remaining wrapper noise. # Undefined flag helpers are already declared memory(none) by Semantics, # so their dead uses fold away without local stub definitions. define_ret_stub(module) module.verify_or_raise() module.optimize(OPT_PIPELINE) print(brightened) This cleanly lifts the following (unoptimized) function: ; 0x1000 push rbp ; 0x1001 mov rbp, rsp ; 0x1004 mov qword ptr [rbp - 8], rdi ; 0x1008 mov rax, qword ptr [rbp - 8] ; 0x100c pop rbp ; 0x100d ret define i64 @brightened_0x1000(i64 returned %0) { entry: ret i64 %0 } Conclusion Hopefully this was an insightful introduction to lifting to LLVM IR. Feel free to check out the repository at LLVMParty/striga and reach out if you do something interesting with it! Note: Striga is not meant to be a production-ready lifter. There are no tests and only a very limited subset of x86 has been implemented. Thanks to the reviewers: Jack Royer Justas Masiulis Peter Goodman eversinc33 x86matthew LLVM IR references: A Gentle Introduction to LLVM IR A Journey to understand LLVM-IR! Mapping High Level Constructs to LLVM IR IR is better than assembly Introduction to LLVM Learning LLVM Part 1, Part 2 LLVM Passes for Security Part 1, Part 2, Part 3, Part 4  ( 32 min )

Learn how Jamf uses native macOS and iOS threat prevention to close security gaps and prove compliance where PC-based tooling leaves Apple devices exposed.  ( 6 min )

2026 Link to heading macOS Exploit Mixtape – Hack Like it’s the 80s /CA: Gergely Kalman/ (Zer0Con) Link to heading Finding Vulnerabilities in Apple Packages at Scale (SecurityFest, MacDevOpsYVR) Presentation Video - SecurityFest 2025 Video - MacDevOpsYVR 2025 The Evolution of macOS Security from the Desert to the Lake (MacSysAdmin, IT Defense 2026, University of Utah MacAdmins meeting)  ( 2 min )

Admin Insights for Windows 365 is a feature, currently in public preview, that surfaces prioritized health and performance signals for your Cloud PCs directly in the Microsoft Intune admin center. Instead of hunting through separate reports, you see dynamically generated insight cards on a single overview page. The feature covers connectivity, provisioning, performance, and utilization issues. It requires Windows 365 Enterprise or Windows 365 Flex licensing and appropriate read permissions. Source

In hybrid Exchange environments, organizations have long been forced to keep an on-premises Exchange Server running just to manage Exchange-related settings for mailboxes already hosted in Exchange Online. Microsoft has been addressing this with the Cloud-Managed Remote Mailboxes feature, and its latest addition — writeback — entered public preview on May 15, 2026. Writeback automatically pushes Exchange attribute changes made in Exchange Online back to your on-premises Active Directory, so internal line-of-business applications that read from AD stay in sync. This article explains what writeback does, what you need to configure it, and how it supports decommissioning your last on-premises Exchange Server. Source

MSP engineers must resist quick-win scoping in Jamf Pro and build scalable, automated, code-driven deployments instead.  ( 6 min )

MacBook Neo brings powerful, affordable Mac computing to K-12 classrooms — and with Jamf, deploying and managing it alongside iPad has never been easier.  ( 6 min )

Windows Autopatch in the Intune admin center now includes an updated Secure Boot status report that provides device-level visibility into certificate readiness ahead of the 2026 expiry deadline. The report shows which devices have Secure Boot enabled, whether their certificates are up to date, and whether automatic or manual deployment applies. New columns for trust configuration, confidence level, and alerts help you make targeted decisions instead of broad deployments. Source

The May 2026 cumulative update KB5089549 added a new C:\Windows\SecureBoot\ExampleRolloutScripts folder containing seven PowerShell scripts. These scripts are part of Microsoft's sample toolkit for managing Secure Boot certificate migration across enterprise environments. This article explains what each script does, how to run it, and its limitations. Source

Key Takeaways What AI Pentesting Means for Continuous Security Validation Every CISO conversation I’ve had this quarter circles back to the same problem: AI produces more vulnerability findings than security teams can read in a week, and it clouds their understanding of which findings are connected to real business risk. This week’s Wall Street Journal […] The post AI Can Find More Vulnerabilities. Humans Still Decide What Matters. appeared first on Synack.  ( 12 min )

Discover the latest on malicious versions of the pypi package durabletask, matching TeamPCP tactics.  ( 51 min )

Wiz Runtime Sensor support for Google Cloud Run Containers is now generally available, giving teams real-time threat detection and response for their serverless container workloads.  ( 54 min )

Multi-ecosystem supply chain compromise by TeamPCP targets GitHub, NPM, and VSCode to steal credentials and establish persistence.  ( 56 min )

This research was recently presented at BSides Luxembourg 2026. This blogpost documents our findings presented during the talk. The BSides slides are posted here. Today, we’re also releasing the Docker-based playground utilized for the demos so anyone interested can reproduce the findings locally: doyensec/cfitsio-efs-playground. In our previous post on CFITSIO, we wrote about the AI-assisted fuzzing pipeline and the memory corruption issues found in its Extended Filename Syntax (EFS). This was only half of the story. We kept thinking that even without memory issues, EFS seems like a pretty powerful and rather risky feature. The EFS page is full of very interesting use cases. To quote some of them (emphasis mine): ‘rawfile.dat[i512,512]’: reads raw binary data array (a 512x512 short intege…  ( 11 min )

Microsoft has made Platform Single Sign-On (PSSO) during Automated Device Enrollment (ADE) generally available for macOS. The new EnableRegistrationDuringSetup setting in Microsoft Intune completes device registration and SSO configuration automatically during Setup Assistant — the initial macOS setup wizard — before the user ever reaches the desktop. This article explains what PSSO is, why the new setting matters, what you need to configure it, and what limitations to expect. Source

Microsoft Identity Manager (MIM) 2016 Service Pack 3 (SP3) became generally available on May 14, 2026, after an initial release in late March 2026 that Microsoft quietly withdrew without public explanation. SP3 is primarily a platform compatibility update: it adds support for SQL Server 2022, SharePoint Subscription Edition (SE), and Exchange Server SE. The most technically significant additions are Azure SQL Database support for the Synchronization Service using managed identities and claims-based authentication via Active Directory Federation Services (AD FS) for the MIM Portal. MIM 2016 remains supported until January 9, 2029. Source

Eliminate cryptographic blind spots and neutralize legacy debt with an integrated cryptographic asset inventory. Identify risks across code, cloud, and runtime, using the Wiz Security Graph to prioritize migration and protect against "Harvest Now, Decrypt Later" attacks.  ( 58 min )

Following two days of intense competition, Day Three of Pwn2Own Berlin 2026 brought the curtain down on an incredible event. Security researchers delivered their final exploits, pushing enterprise systems to the limit one last time as the race for Master of Pwn came to a close. Day Three added to an already historic event, bringing the final totals to $1,298,250 awarded for 47 unique 0-day vulnerabilities across three days of competition. DEVCORE claimed the title of Master of Pwn with a commanding 50.5 points and $505,000 — a dominant performance across all three days. STARLabs SG finished in second with 25 points and $242,500, followed by Out Of Bounds in third with 12.75 points and $95,750. Congratulations to all the researchers who participated, and a special thank you to OffensiveCon …

Key Takeaways Why Continuous Security Validation Matters California’s evolving privacy regulations are doing more than adding another compliance requirement. They’re changing how organizations think about cybersecurity governance, accountability, and operational resilience. The latest guidance around cybersecurity audits under the California Consumer Privacy Act (CCPA) signals a broader shift happening across the industry: security leaders are […] The post How CCPA Cybersecurity Audits Are Reshaping Cyber Governance appeared first on Synack.  ( 15 min )

Day Two of Pwn2Own Berlin 2026 and the stakes continue to rise! Security researchers are back on the Pwn2Own stage, pushing enterprise systems to their limits as the competition heats up. More exploits, more surprises, and more standout moments are unfolding, so follow along here for live updates as the race for Master of Pwn intensifies. There were plenty of big targets on the schedule today, including SharePoint, Exchange, and Safari. Following an action-packed Day One where $523,000 was awarded for 24 unique 0-day vulnerabilities, Day Two added another $385,750 and 15 unique 0-days, bringing event totals to $908,750 with 39 unique vulnerabilities overall. DEVCORE holds a commanding lead for Master of Pwn with 40.5 points and $405,000, but with one day still to go, anything can happen. H…

Microsoft Desired State Configuration (DSC) v3.2.0 reached general availability on April 29, 2026. DSC is a tool that lets you describe how a Windows or Linux system should be configured — services running, firewall rules in place, features installed — and then automatically apply or verify that configuration. Version 3.2.0 adds built-in resources for services, firewall rules, and SSH settings; extends the --what-if preview mode to individual resources; introduces version pinning; and includes experimental Bicep integration via gRPC. This article covers what changed, the limitations, and how to install the update. Source

Microsoft is simplifying how you access Copilot in Word, Excel, and PowerPoint by reducing the number of entry points to just two. A new floating icon sits in the bottom-right corner of the document canvas, and a contextual entry point appears when you interact with content. Proactive suggestions are now surfaced directly from the Copilot button, and keyboard shortcuts have been unified across apps and platforms. These changes also improve access for users who rely on keyboards or screen readers. Source

TL;DR   Introduction  I have read a lot of OT pen test reports. I’ve spoken with a lot of clients about pen test reports. And I can tell you that the majority of reports contain recommendations that will never be actioned. Not because the client is unwilling, but because the recommendations are somewhere between difficult and impossible to put in place.  The […] The post OT pen test findings that plant teams can actually use  appeared first on Pen Test Partners.  ( 14 min )

Mick Baccio and Scott Roberts examine whether public breach signals and market timing models can turn cyber incidents into actionable trading opportunities.  ( 22 min )

Mick Baccio and Scott Roberts examine whether public breach signals and market timing models can turn cyber incidents into actionable trading opportunities.  ( 22 min )

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.  ( 10 min )

Welcome to Day One of Pwn2Own Berlin 2026! Today, 22 entries took the Pwn2Own stage to target AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding. After Day One, we awarded $523,000 for 24 unique 0-days! DEVCORE is currently in the lead for Master of Pwn, but a pack of teams are right on their heels. Stay tuned tomorrow for more results and surprises. Follow the action live! We’ll be posting real-time updates and results throughout the competition on our blog and across social media. Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Berlin and #P2OBer…

Microsoft is introducing Cloud-Initiated Driver Recovery, a mechanism that automatically rolls back a faulty driver on your devices via Windows Update, without requiring any action from you or your hardware vendor. The feature is aimed at closing a gap where a bad driver could linger on devices for weeks before a fixed version became available. It works through the existing Windows Update pipeline and requires no new software on the client side. The feature is currently in a manual testing phase and is targeted for full automation in September 2026. Source

Microsoft announced two significant updates: Agent 365 reached general availability as a management tool for AI agents in the Microsoft 365 admin center, and Copilot Cowork — a feature that runs multi-step tasks on your behalf in the background — gained mobile support, reusable task templates called skills, and new third-party integrations. Agent 365 is licensed separately per user at $15/month or is included with Microsoft 365 E7; Copilot Cowork requires a Microsoft 365 Copilot license and is currently limited to participants in the Frontier early-access program. Source

TL;DR: Single-page applications ship their entire frontend codebase to every visitor, including unauthenticated ones. Even a login page with no visible functionality delivers JavaScript bundles containing route definitions, API endpoint URLs, authentication logic, data models, and sometimes hardcoded secrets. As part of Guard’s continuous penetration testing, we use AI-assisted tooling to extract this information and […] The post Your Login Page Is Lying: What AI Agents Find When They Read Your Frontend appeared first on Praetorian.  ( 15 min )

Willkommen! (Welcome!) Pwn2Own Berlin 2026 has arrived at OffensiveCon, and the world’s top security researchers are ready. This year’s enterprise-focused competition features AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products. Earlier today, we held the random draw to determine attempt order. Below is the official schedule. All times are Berlin local time (CET) and may change as the competition progresses. Check back for live updates. In case you missed it, you can watch the draw here. Jump to: Day One Day Two Day Three DAY ONE Thursday, May 14 - 1030 chompie of IBM X-Force Offensive Research (XOR) targeting NV Container Toolkit in the NVIDIA category for a total of $50…

Used primarily for resource management, cgroups unlock valuable telemetry for investigating malicious processes on Linux  ( 35 min )

See proven, exploitable risk in the context of your full cloud environment  ( 52 min )

A new page-cache corruption vulnerability in the Dirty Frag family enables unprivileged local attackers to achieve root  ( 50 min )

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.  ( 10 min )

We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it was patched in January 2026. While we had an exploit chain for the Pixel 9, we wanted to see if it was possible to write a similar exploit chain for Pixel 10. Updating the Dolby Exploit Altering our exploit for CVE-2025-54957 was fairly straightforward. The majority of needed changes involved updating offsets calculated for the specific version of the library we targeted on the Pixel 9 to similar offsets in the library for Pixel 10. The only challenge (outside of wishing we’d better documented which syncframes contained offsets) was that the Pixel 10 uses RET PAC in the place of -fstack-protector, which meant that __stack_chk_fail wasn’t available to be overwritten by code. After a bit of trial and error, we used dap_cpdp_init, initialization code that can be overwritten without causing functional problems, as it is called once when the decoder is initialized and never again.  ( 4 min )

Microsoft Discovery is a cloud-based enterprise platform that uses agentic AI — software that can plan and independently execute multi-step research tasks without constant human input — to accelerate research and development (R&D). Announced at Microsoft Build 2025 and now in expanded preview as of April 2026, it combines specialized AI agents, a graph-based knowledge engine, and high-performance computing (HPC — large-scale cloud server clusters for compute-intensive simulations) on Azure. The platform targets organizations in chemistry, pharmaceuticals, materials science, semiconductor design, and general engineering. You interact with it through a conversational interface orchestrated by Microsoft Copilot. General availability has not been announced. Source

I’m currently in Berlin helping set up for Pwn2Own Berlin, but that doesn’t stop Patch Tuesday from coming, and it’s another big one. At least nothing is listed as being in the wild – for now. Take a break from your regularly scheduled activities and let’s take a look at the latest security patches from Adobe and Microsoft. Due to technical difficulties, there will not be a video companion for this month. Adobe Patches for May 2026 For May, Adobe released 10 bulletins addressing 52 unique CVEs in Adobe Commerce, After Effects, Adobe Connect, Illustrator, Media Encoder, Premiere Pro, Substance 3D Painter, Substance 3D Sampler, Content Authenticity SDK, and the Adobe Substance 3D Designer. Here’s this month’s overview table: Bulletin ID Product CVE Count Highest Severity High…

We’ve received some feedback from those who read the Patch Blog that they would like something similar for macOS updates. Unfortunately, Apple doesn’t schedule these for a particular day, but we can provide our thoughts and analysis on the days they do release their latest patches. For May 2026, Apple released 82 unique CVEs across the three macOS versions: 79 for macOS Tahoe 26.5, 45 for macOS Sequoia 15.7.7, and 42 for macOS Sonoma 14.8.7. Since Apple doesn’t provide CVSS scores or other severity information, we’re left to speculate on which of these bugs is the most severe. However, there are a couple that stand out. -              CVE-2026-28819 (Wi-Fi) stands out as the strongest candidate for the most severe as it states, “An app may be able to execute arbitrary code with kernel pri…

Jamf earns a top 15 ranking and leads retail growth in Okta's 2026 report, a powerful validation of Apple security's role in the enterprise.  ( 7 min )

Jamf Nation Live (JNL) is a great way to connect with other admins and Jamfs alike. Did you miss it this year? Get a recap of this year's JNLs.  ( 5 min )

Now that the dust has settled on Mythos dropping, there is space for more considered reflection on the direction of travel. Mythos wasn't a surprise; it's another data point on a trajectory that's bee  ( 9 min )

Wiz Audit History is now GA, providing a continuous, cross-cloud timeline of changes to resource configurations and findings to accelerate incident response and simplify compliance.  ( 52 min )

Detect and mitigate malicious npm packages linked to the latest Mini Shai-Hulud supply chain campaign targeting high-value developer tooling.  ( 57 min )

Bishop Fox is releasing Joro, a collaborative web exploitation framework built almost entirely with AI. From intercepting proxy to C2 integration, this post covers how it was built, what it does, and what AI-assisted security tool development actually looks like in practice.  ( 9 min )

Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built gosentry, a fuzzing-oriented fork of the Go toolchain that keeps the standard testing.F workflow while using a stronger fuzzing stack underneath to tackle those issues. With gosentry, go test -fuzz uses LibAFL by default. It can fuzz structs natively, run grammar-based fuzzing with Nautilus, detect bug classes that it couldn’t detect before, and create a fuzzing campaign coverage report in one command. …  ( 5 min )

Elastic Security is the first security vendor to ship an interactive UI in AI tools. Triage alerts, hunt threats, correlate attack chains, and open cases, all from inside your AI conversation.  ( 24 min )

Microsoft has introduced a new mechanism to handle update installation failures on Windows 11: Windows now attempts to repair a failing update in real time during installation rather than rolling back immediately. This feature, called "automatic recovery for update failures," reduces the number of devices left in a failed-update state that requires manual troubleshooting. Administrators should note that this feature is distinct from—and should not be confused with—boot-level recovery, which is a separate safety net for devices that fail to start up after Patch Tuesday. Source

Microsoft Intune's April and May 2026 updates deliver three areas of practical change for administrators: richer and more frequent app inventory for Windows devices, a redesigned single sign-on (SSO) experience for Linux endpoints that replaces an aging authentication component, and automated enrollment support for Apple tvOS and visionOS devices in shared-use scenarios. Hotpatch updates — which apply security fixes without a restart — also become enabled by default for eligible Windows devices in May 2026. Source

Key Takeaways Sara Pentest and Sara Pentest+ Are Now Generally Available Since releasing Sara Pentest as general availability earlier this month, we’ve also shipped a set of platform updates that make it easier to scope, launch, and act on Sara findings at scale. This post walks through what’s new with the Synack PTaaS platform, and […] The post What’s New with Sara Pentest: Closing the Coverage Gap, One Test at a Time appeared first on Synack.  ( 13 min )

How Wiz security uses Service Catalog to turn cloud risk into service ownership  ( 55 min )

In-network filtering stops securing online activity the moment students leave campus, but Jamf Safe Internet delivers consistent content filtering everywhere they go.  ( 6 min )

Dev Tunnels aren’t “just port forwarding”. They consist of layers of embedded protocols with RPC messages being exchanged. Once you peel the layers, you quickly see how Dev Tunnels are a C2 framework with extra steps.  ( 12 min )

This research analyzes the Linux kernel privilege escalation vulnerabilities Copy Fail and DirtyFrag, which exploit subtle page cache corruption bugs to create reliable paths to root access. Additionally, Elastic Security Labs is releasing detection logic for these vulnerabilities.  ( 16 min )

The Canvas incident reflects systemic patterns in how education technology is deployed and how trust gets extended. Learn how to protect your school.  ( 8 min )

TeamViewer is a remote assistance solution that lets you remotely connect to and control Intune-managed Windows, macOS, Android, and iOS/iPadOS devices directly from the Intune admin center to support your users. Microsoft Intune's April 2026 update (service release 2604) introduces a redesigned TeamViewer connector for remote assistance. The new connector replaces the existing one with a simplified setup process and adds SSO (single sign-on) support, device group synchronization, and granular role-based permissions. If you still use the old connector, you have 12 months to migrate before it stops working. This article explains what changed, what you need, and how to configure the new connector. Source

AI models now find and exploit zero-days autonomously. This 4-pillar framework accelerates patching, analysis, and threat response.  ( 67 min )

Akamai edge configurations are now visible on the Wiz Security Graph, giving teams a single understanding of risk from edge to runtime  ( 53 min )

Unpatched kernel flaw chain (CVE-2026-43284, CVE-2026-43500) enables root escalation on major Linux distributions.  ( 51 min )

TL;DR: A year ago, my company handed me a project bigger than anything I’d worked on before. The project was OpenGraph, the new extensibility foundation for a cybersecurity tool called BloodHound, and this essay is partly about building it. Mostly it’s about what happens when an engineer leaves the comfortable bounds of individual ownership and […] The post What Comes Before Tickets appeared first on SpecterOps.  ( 26 min )

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.  ( 8 min )

This article shows how a customized Elastic Security ES|QL detection rule can identify web server probing and fuzzing activity in Traefik logs and automatically block the attacking IP via Cloudflare.  ( 22 min )

Windows 11 version 25H2 introduces a new Group Policy setting, Configure maintenance windows for automatic updates, that lets you define precise time windows for downloading, installing, and restarting after updates. The policy ships with version 3.0 of the ADMX administrative templates and is currently available only in Windows 11 Insider Preview builds. It takes priority over several existing update-related policies, but the interaction rules are only partially documented. Source

Microsoft is rolling out a long-overdue change to the browser-based versions of Word, Excel, and PowerPoint: you can now apply sensitivity labels with user-defined permissions directly in the web apps without switching to the desktop client. Sensitivity labels are classification tags you attach to a file to control who can read, edit, or print it. They are configured centrally in Microsoft Purview (Microsoft's compliance and information protection platform) and enforced by the Rights Management Service (RMS), which is the encryption engine built into Microsoft 365. This update started rolling out in mid-April 2026 and is expected to be completed worldwide by early May 2026. It requires enabling coauthoring on encrypted files in your tenant beforehand. Source

TL;DR: Two command injection vulnerabilities exist in the Windows Explorer “Open PowerShell window here” context menu due to improper quoting and command injection through user-controlled folder paths. By creating folders with crafted names (e.g., folder; calc), an attacker can trigger arbitrary PowerShell command execution when a user uses Shift + Right-Click → Open PowerShell window […] The post Shift Happens – Uncovering Two Built-in Command Injections in Windows Context Menus appeared first on SpecterOps.  ( 18 min )

Clean up your browser by removing unneeded extensions, clearing cached data, scanning for info-stealing malware, and more.  ( 27 min )

SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.  ( 10 min )

With Wiz in Lovable, every builder can catch and fix risks in real time, keeping apps secure as they’re created  ( 52 min )

Ready to hit Zero Code Criticals? Here's how Wiz helps you get there and stay there, with the badge to prove you did.  ( 52 min )

Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.  ( 34 min )

Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.  ( 34 min )

REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.  ( 53 min )

Read our e-book to discover how Declarative Device Management (DDM) can help your organization scale up with faster updates, proactive compliance and real-time fleet visibility.  ( 5 min )

The April 2026 Windows update cycle includes several changes that matter to IT administrators. Source

OpenAI, together with AMD, Broadcom, Microsoft, and NVIDIA, published a new paper describing MRC (Multipath Reliable Connection), a new networking protocol designed for large AI training clusters. MRC addresses two of the most critical problems in these networks: traffic congestion and link failures. The protocol is already deployed in production at OpenAI and Microsoft data centers. The specification is freely available through the Open Compute Project (OCP) under an open license. Source

Dev Tunnels aren’t "just port forwarding". They consist of layers of embedded protocols with RPC messages being exchanged. Once you peal the layers, you quickly see how Dev Tunnels are a C2 framework with extra steps. The post The Accidental C2: Exploring Dev Tunnels for Remote Access appeared first on SpecterOps.  ( 21 min )

TL;DR: Red teaming means different things to different vendors. We discuss how SpecterOps defines it, why engagements start from assumed breach, and what organizations should expect to learn and take away. The terminology problem: not all “red teams” are the same  Organizations today face adversaries that chain together misconfigurations, privileges, and identity exposures across hybrid environments that often […] The post How We Think about Red Teaming appeared first on SpecterOps.  ( 13 min )

What usage patterns, plugin adoption, and configuration choices reveal about the Jenkins attack surface.  ( 58 min )

Detect and mitigate CVE-2026-0300, a critical vulnerability in Palo Alto Networks PAN-OS User-ID Authentication Portal that allows unauthenticated attackers to achieve remote code execution (RCE) with root privileges.  ( 50 min )

Joe FitzPatrick reveals how consumer imports of networked devices pose a real security risk to small businesses and critical infrastructure alike.  ( 24 min )

Joe FitzPatrick reveals how consumer imports of networked devices pose a real security risk to small businesses and critical infrastructure alike.  ( 24 min )

AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.  ( 8 min )

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.  ( 13 min )

In this old post I have demonstrated how to abuse forfiles.exe to run your ‘cmd.exe’ of choice. There is one more trick we can do with this tool. When forfiles.exe enumerates the files it executes a default command cmd /c … Continue reading →  ( 2 min )

Microsoft 365 Copilot Cowork moves beyond chat-based AI responses by acting as an autonomous agent—an AI that can perform multi-step tasks on your behalf across Outlook, Teams, Word, Excel, and other Microsoft 365 services. Cowork is built on top of Work IQ, Microsoft's intelligence layer that reads your emails, meetings, files, and organizational data to provide context for actions. As of May 2026, Cowork is available through the Frontier preview program and has expanded to include mobile support, custom skills, plugins, and integration with Agent 365. Access requires a Microsoft 365 Copilot license and enrollment in the Frontier early-access program. Source

Microsoft announced three updates for its cloud desktop products in May 2026: a 20% price cut for Windows 365 Business, a rename of Windows 365 Frontline to Windows 365 Flex, and a public preview of Azure Virtual Desktop (AVD) Hybrid, which lets you run cloud-managed virtual desktops on your own on-premises servers. This article focuses on the technical aspects of these changes, particularly AVD Hybrid, which introduces meaningful new infrastructure options for organizations that cannot fully migrate workloads to Azure. Source

Streamline pen-testing by unifying findings from bug bounties, manual audits, and Wiz Red Agent into a single, context-rich view.  ( 52 min )

We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples: a deceptively simple Linux ping program and a Windows driver registry handler. If you found the inet_ntoa global buffer gotcha or the missing RTL_QUERY_REGISTRY_TYPECHECK flag, nice work. If not, here’s a full walkthrough of both challenges, plus a deep dive into how the Windows registry type confusion escalates from a local denial of service to a kernel write primitive. Since we first released the new C/C++ security checklist, we also developed a new Claude skill, c-review. It turns the checklist into bug-finding prompts that an LLM can run against a codebase. It’s also platform and threat-model aware. Run these commands to install the skill: The Linux ping pro…  ( 13 min )

Elastic Security v9.4 introduces Entity Analytics Watchlists, a way to codify what your team already knows about high-risk entities and feed that context directly into risk scoring, without custom pipelines or detection engineering overhead  ( 15 min )

Introducing AI-generated hunting leads, proactive, environment-aware threat hypotheses powered by Elastic Entity analytics and integrated AI reasoning.  ( 11 min )

Most entity analytics systems are confidently wrong. They track users who do not exist, generate risk scores built on noise, and call it behavioral analytics. Learn why the entities records you don't create matter as much as the ones you do and how a confidence-tiered model changes the game.  ( 21 min )

Elastic Workflows is generally available in 9.4, bringing production-ready security automation with deeper case management integration, human-in-the-loop support, natural language authoring, and more.  ( 22 min )

The Model We’ve Relied on Is Starting to Break Over the past 20 years, I’ve seen the threat landscape evolve from opportunistic attackers, to organized cybercrime, to nation-state campaigns. Each shift forced security teams to adapt. What’s happening right now is different. AI models coming out of Anthropic, OpenAI, Google, and X are rewriting the […] The post Sara AI Pentesting Is Now Generally Available: The Model Is Changing appeared first on Synack.  ( 14 min )

Key Takeaways Why the Industry Is Moving from Detection to Validation Over the past year, the conversation around offensive security has changed faster than most enterprise programs have been able to adapt. AI is compressing attacker timelines; cloud and SaaS environments change daily; identity systems, APIs, and infrastructure shift continuously, not quarterly. And still, most […] The post Continuous Security Validation Is Replacing Periodic Penetration Testing appeared first on Synack.  ( 15 min )

After a small detour, the CloudSecTidbits series is back with new episodes. We had the opportunity to present them at the first DEFCON in Singapore few days ago during our DemoLabs sessions. Meeting Singapore’s community was indeed amazing - thanks again for having us! From the Previous Episodes CloudSec Tidbits is a blogpost series showcasing interesting bugs found by Doyensec during cloud security testing activities. We focus on vulnerabilities resulting from an insecure combination of web and cloud related technologies. Every article includes an Infrastructure as Code (IaC) laboratory that can be easily deployed to experiment with the described vulnerability. Time to get ready and dive into a new tidbit. Tidbit No. 4 - The Danger of Multi-SSO User Pools What is AWS Cognito? If you …  ( 9 min )

Microsoft 365 Backup now lets you recover individual files and folders from SharePoint and OneDrive backups without rolling back an entire site or account. This granular restore feature became generally available in late April 2026. You need the SharePoint Backup Administrator role to use it, and the service charges $0.15 per GB per month for protected data. This article explains how the feature works, its limitations, and how to perform a restore. Source

Red Canary's monthly roundup of upcoming security conferences and call for papers (CFP) submission deadlines May 2026  ( 25 min )

Get actionable best practices to shrink your attack surface, protect execution environments, control package ingestion, and catch compromises early.  ( 56 min )

Following your foundation, operationalize Wiz across development, detection and response, and program maturity so your security program never stops getting stronger.  ( 57 min )

Secure Microsoft 365 and the cloud it powers — one platform, one graph, complete context.  ( 54 min )

This is a writeup of my DEF CON Singapore talk that walks through vulnerabilities and exploits in M365 Copilot and Consumer Copilot. I disclosed these to Microsoft last year. MSRC assigned CVE-2026-24299 and the issues are now patched. Contents This turned out to be a long post, covering the 45 minute talk. I added an index page, so you know what’s in here. The talk had a more demos by the way, but I included videos here in this post also.  ( 12 min )

Cloudfoxable started as a hands-on AWS security training tool. Now it's expanding. Bishop Fox has launched the first set of Azure challenges, giving security professionals a safe, intentionally misconfigured environment to explore identity-driven attack paths and privilege escalation in Azure.  ( 7 min )

Elastic Security now lets analysts describe a threat behavior in plain language and receive a complete, validated Elasticsearch ES|QL detection rule in return, no query expertise required.  ( 28 min )

Conversational Entity Analytics delivers Entity Analytics features as rich inline attachments and Canvas previews into Agent Builder, so you don’t have to leave the conversation.

Elastic Security 9.4 introduces skills, modular AI capabilities that teach the Elastic AI Agent how to detect, investigate, and hunt like a specialist. This is how they work, and why they matter for the SOC.

Microsoft has released the Change Optics Report in public preview for Exchange Online. This new report, available in the Exchange Admin Center (EAC), identifies emails in your tenant that will be affected when Microsoft enforces an upcoming service change — before the change takes effect. Currently, it covers two scenarios: outbound mail sent from your default onmicrosoft.com domain, and incoming Direct Send traffic. This article explains what the report shows, how to access it, and what steps to take for each scenario. Source

Detect and mitigate Copy Fail (CVE-2026-31431), an easily exploitable vulnerability in the Linux kernel that allows escalation from an unprivileged local user account to root access.  ( 52 min )

Here is an overview of content I published in April: Blog posts: Update: cut-bytes.py Version 0.0.18 SANS ISC Diary entries: A .WAV With A Payload  ( 11 min )

Senior pentesters have a deeply refined intuition about what is vulnerable in an environment. The problem? That expertise is often siloed with an individual and trapped in their notes or Python scripts.  ( 7 min )

Learn how to perform distributed, real-time Digital Forensics and Incident Response (DFIR) using Osquery and Elastic to investigate threats at scale without relying on disk imaging.  ( 29 min )

As education technology evolves, schools need a complete Apple device management approach that unifies identity, security and insight to support better learning outcomes. Learn how Jamf helps.  ( 9 min )

Starting in mid-April 2026, Microsoft allows you to upgrade Windows Server 2019 and Windows Server 2022 directly to Windows Server 2025 through Windows Update — no installation media (ISO file or DVD) required. The process is called an in-place upgrade, meaning your installed applications, settings, and server roles remain unchanged while only the operating system version changes. This article covers the prerequisites, the exact registry change you need to make, the step-by-step procedure for both the graphical desktop and the text-only Server Core installation, and the important cases where you must not use this method. Source

Delivering enterprise-grade continuous AI-powered risk assessment to hundreds of customers through the combined power of Wiz and Anthropic  ( 51 min )

When AI meets CI/CD: permission bypasses, prompt injection, and what to do about it.  ( 62 min )

Attackers can already find, connect to, and probe your exposed AI agent infrastructure. AIMap gives defenders that same visibility. Built by Bishop Fox, this open-source tool discovers, scores, and tests exposed AI endpoints so you can understand your real attack surface before someone else does.  ( 9 min )

How AI Adoption, Autonomy, and Attacker Innovation Are Reshaping Cloud Security  ( 53 min )

Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign - Mini Shai Hulud.  ( 54 min )

Providing Application Security teams with visibility and guardrails to secure agentic software development and the modern software supply chain  ( 54 min )

How Wiz enables Australian government agencies to operationalise MDA with real-time context, zero trust enforcement, and end-to-end cloud visibility.  ( 54 min )

What Mythos Means for Penetration Testing as a Service When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post  What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack.  ( 16 min )

Windows 365 Reserve is Microsoft's short-term Cloud PC solution for users whose primary physical device becomes unavailable. Since its general availability in December 2025, only IT admins could provision these Cloud PCs through Microsoft Intune. A public preview announced on April 28, 2026 adds an optional setting that lets users start the provisioning process themselves from the Windows App, without waiting for IT intervention. Source

Microsoft announced agentic features for Copilot in Outlook, expanding from single-task assistance to continuous, multi-step automation of email and calendar work. These features let Copilot act independently on your behalf — prioritizing messages, drafting follow-ups, responding to meeting invites, and resolving scheduling conflicts. Access is currently limited to Microsoft's Frontier early-access program and requires a Microsoft 365 Copilot license. This article explains what the new features do, what your infrastructure must look like, and how you enable access as an administrator. Source

The beta release of Mac threat prevention simplifies how Jamf admins can defend their Mac fleets.  ( 7 min )

Hello! Yes, it's all a disaster again! Let's get this party started: 0:00 0:12 1× No comments today, so imagine this: We wrote something that we find very funny, Nobody else gets it, But everyone humors us Just like a typical watchTowr Labs  ( 14 min )

Atomic Red Team’s new MCP server helps you test more, faster as you validate your detection coverage against MITRE ATT&CK techniques  ( 29 min )

LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode. Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility. For these reasons, I set out to add LibAFL support to Ruzzy, our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses. Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will inv…  ( 9 min )

Let's look at all the mac malware from 2017, for each - discussing their infection vector, persistence mechanism, features & goals.  ( 40 min )

How to build HackingTeam's OS X implant in Xcode  ( 42 min )

How reversing Apple's 'RootPipe' patch provided the means to secure TaskExplorer's XPC service  ( 42 min )

Why BlockBlock needs a kext (hint: process monitoring), and how the kext was created  ( 42 min )

Exploiting RootPipe on OS X 10.10.3  ( 42 min )

NSLog(@"Hello World"); objective-see.org is alive!  ( 42 min )

Learn how to leverage Apple's new Endpoint Security Framework to create a comprehensive (user-mode) Process Monitor for macOS 10.15!  ( 14 min )

Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more!  ( 41 min )

How to remotely kernel-debug a OS X 10.11 VM  ( 42 min )

A deeper dive into 'MacInstaller' and the adware it installs  ( 42 min )

Details on bypassing Apple's original rootpipe patch  ( 42 min )

Announcing the release of DHS; a tool to help detect (dylib) hijackers  ( 42 min )

Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more!  ( 26 min )

Getting process creation notifcations from kernel-mode to user-mode, via the undocumented kev_msg_post function  ( 8 min )

The website of a popular application was hacked, and the application trojaned with a new variant of osx/proton.  ( 3 min )

HackingTeam using native OS X crypto to protect malware -neat! New blog w/ sample + decryptions/dumpings/detections  ( 5 min )

Looks like somebody on the 'dark web' is offering 'Ransomware as a Service'...that's designed to infect Macs!  ( 6 min )

Does Shazam's Mac App keep recording even when you turn the app off? ...yes :/  ( 8 min )

Read how an attacker can bypass Apple's SIP, via the local OS upgrade process  ( 11 min )

OSX/MaMi (the first Mac malware of 2018) hijacks infected users' DNS settings and installs a malicious certificate into the System keychain, in order to give remote attackers 'access' to all network traffic  ( 9 min )

A massively popular app from the official Mac App Store, surreptitiously steals your browsing history! By fully reversing the application, we can fully expose its functionality and rather shady capabilities.  ( 13 min )

Apple's App Translocation broke several of my tools, but we can locally undo it to restore broken functionality!  ( 11 min )

Dissecting string obfuscations, junk code insertions, and anti-debugging logic of InstallCore  ( 5 min )

Learn how a Finder Sync can 'extend' Finder.app and how this could be abused for persistence  ( 5 min )

A Word document targets Mac users with malicious macros and an open-source payload.  ( 4 min )

How to verify that an application came from the official Mac App Store, via receipt validation  ( 7 min )

Turns out that writing security tools is a great way to inadvertently uncover bugs in macOS. How about a crash in Apple's 'Security' framework ... that can't be good!?  ( 7 min )

By monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes, can ransomware be generically detected?  ( 26 min )

Process monitoring via the KAuth Subsystem (and some limitations)  ( 5 min )

Analyzing code within the macOS kernel audit subsystem uncovered an exploitable heap overflow.  ( 5 min )

The 'Mac File Opener' adware is fairly normal, except for it how it persists via registered document handlers  ( 9 min )

Some undetected adware named "Mughthesec" is infecting Macs...let's check it out!  ( 5 min )

Apple recently updated the way login items are stored by the OS. In this post, we'll illustrate how to parse the (new) login item files to detect persistence

Here, we reverse, then 'extend' a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents will be automatically detected!  ( 14 min )

Today is our 2nd birthday! Let's look at our past, present, and future.  ( 2 min )

Reverse-engineering a 'Russian' implant reveals HackingTeam's code!?  ( 9 min )

Analysis of OSX/Proton.B reveals some interesting tricks plus a command file that can be decrypted to reveal the malware's capabilities  ( 10 min )

A new 'security' feature in macOS 10.13, is trivial to bypass.  ( 5 min )

The EFF/Lookout discovered a cross-platform implant, named CrossRat with ties to nationstate operators. Here, we tear it apart; analyzing its persistence mechanisms, features, and network communications.  ( 13 min )

In this guest blog post @CodeColorist writes about a neat macOS vulnerability. Ironically, by abusing security mechanisms such as sandboxing, macOS can be coerced to load an untrusted library, into a SIP-entitled process!

A new macOS backdoor written by the infamous Lazarus APT group needs analyzing. Here, we examine it's infection vector, method of persistence, capabilities, and more!  ( 10 min )

Yet another a massive security flaw affects the latest version of macOS (High Sierra), allowing anybody to log into the root account with a blank, or password, of their choosing!  ( 7 min )

Turns out the innocuously named "Calendar 2" app, found on the official Mac App Store, was surreptitiously turning Mac into cryptocurrency miners!  ( 4 min )

The Lazarus group's latest implant/loader supports in-memory loading of 2nd-stage payloads. In this post we describe exactly how to repurposing this 1st-stage loader to execute *our* custom 'fileless' payloads!  ( 14 min )

After the success of #OBTS v1.0, we decided to go international and plan #OBTS v2.0 in Europe! In this blog post, we re-live the highlights (from Monaco!) of "Objective by the Sea" v2.0.  ( 3 min )

Let's analyse the malware that appeared in 2016, discussing the infection vector, persistence mechanism, feature, and disinfection for each.  ( 12 min )

If you can programmatically generate synthetic mouse clicks, you can break macOS! Approving kernel extensions, dismissing privacy alerts, and much more more...  ( 8 min )

In Objective-See's first guest blog post, Amit Serper presents his detailed analysis of OSX/Pirrit  ( 10 min )

On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding that Apple's AMDRadeonX4150 kext is responsible for the crash.  ( 7 min )

High Sierra suffered from a nasty bug (CVE-2017-7149) that afforded local attackers access to the contents of encrypted APFS volumes.  ( 12 min )

The macOS kernel had an (intentional?) off-by-one bug that could trigger a kernel panic.  ( 13 min )

The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's (continue to) analyze their 1st-stage macOS implant: OSX.WindTail!  ( 8 min )

Apple's 'fix' for a macOS kernel panic, fixes nothing and worse, introduces a new bug.  ( 13 min )

Recently, the popular MacUpdate website was subverted to distribute a new macOS cryptominer; OSX/CreativeUpdater.  ( 5 min )

In part one of a guest blog post, @CodeColorist writes about several neat macOS vulnerabilities.  ( 4 min )

Learn how to leverage Apple's new Endpoint Security Framework to create a comprehensive (user-mode) File Monitor for macOS 10.15!  ( 10 min )

I uncovered a new cross-platform backdoor that provides remote attackers persistent access to infected systems  ( 12 min )

Recently, an attacker targeted (Mac) users via a Firefox 0day. In this second post, we fully reverse OSX.NetWire.A, revealing (for the first time!), its inner workings and complex capabilities.  ( 12 min )

A new Mac malware targets the cryptocurrency community. In this post, we dive into the malware and illustrate how Objective-See's tools can generically thwart this new threat at every step of the way.

In macOS Mojave apps, to have to obtain user permission before using the Mac camera & microphone. We'll illustrate how this is trivial to bypass (at least in the current beta).  ( 4 min )

The WINDSHIFT APT group is successfully infecting Macs with a novel infection mechanism. By abusing custom URL scheme handlers and minimal user interaction, Macs can be remotely compromised!  ( 8 min )

The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's analyze their 1st-stage macOS implant: OSX.WindTail!  ( 7 min )

@CodeColorist continues writing about bugs, such as CVE-2019-8521 and CVE-2019-8565 that provide a mechanism to elevate privileges to root on macOS.  ( 4 min )

A malicious Word document targeting macOS users, was recently uncovered. Let's extract the embedded macros, decode an embedded downloader, and retrieve the 2nd-stage payload!  ( 4 min )

Apple wrote code to appease the Chinese government ...it was buggy. In certain configurations, iOS devices were vulnerable a "emoji-related" flaw that could be triggered remotely!

Are full paths and preview thumbnails for files even on encrypted containers and removable usb devices really persistently stored? ...yes :( Apple's 'QuickLook' cache is to blame.  ( 7 min )

The macOS sandbox is seeks to prevent malicious applications from surreptitiously spy on unsuspecting users. Turns out, it's trivial to sidestep some of these protections, resulting in significant privacy implications!  ( 7 min )

Imagine you've gained remote code execution on a Mac via a malicious Word document. Turns out, you're still stuck in a sandbox. However, via a faulty regex, you can escape and persist!  ( 5 min )

In this guest blog post my friend Mikhail Sosonkin reverses Apple's screencapture utility, discusses Mac malware that captures desktop images, and suggests methods for screen-capture detection!  ( 11 min )

Let's tear apart a persistent piece of adware, decompiling, decoding, and decompressing it's code to uncover its methods and capabilities.  ( 8 min )

A massively popular iOS application turns out to be a government spy tool! Here, we analyze the app; decrypting its binary and studying its network traffic.  ( 12 min )

Did you know on macOS, notifications are stored in a unencrypted database? Which means that even 'disappearing' messages from apps such as Signal - may not really disappear. Yikes!  ( 4 min )

A core Mojave utility is rather disastrously broken - causing a full-system lockup. Let's find out why!  ( 6 min )

A 0day logic flaw in Microsoft Excel leads to 'remote' code execution on macOS, via malicious macros.  ( 6 min )

Recently, an attacker targeted (Mac) users via a Firefox 0day. In this third post, we analyze a second backdoor used in the attack, detailing its persistence, capabilities, and ultimate identify it a new variant of the cross-platform Mokes malware!  ( 6 min )

Recently, an attacker targeted (Mac) users via a Firefox 0day. In this first post, we triage and identify the malware (OSX.NetWire.A) utilized in this attack, identifying its methods of persistence, and more!  ( 6 min )

The rather infamous APT group, "Lazarus", continues to evolve their macOS capabilities. Today, we tear apart their latest 1st-stage implant that supports remote download & in-memory execution of secondary payloads!  ( 8 min )

In this guest blog post, "Objective by the Sea" speaker, Csaba Fitzl writes about an interesting way to get root via Apps from the official Mac App Store!  ( 17 min )

A sophisticated Lazarus Group implant has arrived on macOS. In this post, we deconstruct the Mac variant of a OSX.Dacls, detailing its install logic, persistence, and capabilities.  ( 11 min )

Today we uncover two (local) security flaws in Zoom's latest macOS client. First, a privilege escalation vulnerability, and second, a method to surreptitiously access a user's webcam and microphone (via Zoom).  ( 12 min )

CVE-2017-7170 was a local priv-esc vulnerability that affected OSX/macOS for over a decade! Here (for the first time!), we dive into the technical details of finding the bug, the core flaw, and exploitation.  ( 10 min )

How we built an open-source, drop-in CI template that uses signal extraction and LLM reasoning to catch CI/CD abuse in GitHub Actions, GitLab CI, and Azure DevOps pipelines.  ( 25 min )

CREST Helps Raise the Bar for the Researchers Behind Your Pentest When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest […] The post What CREST Means for Your Next Synack Engagement appeared first on Synack.  ( 12 min )

Windows 11 is getting a new recovery feature called point-in-time restore, currently available as a preview in the Canary Insider channel (build 29576). It lets you roll back an entire PC—including the operating system, apps, settings, and local files—to a snapshot taken within the last 72 hours. Unlike the older System Restore feature, point-in-time restore captures the full system state on a schedule and is designed to be managed remotely in the future. This article covers how it works, how to configure it, and where its current limitations lie. Source

Microsoft released a new policy in April 2026 that lets you remove the Microsoft Copilot consumer app from managed Windows 11 devices using Group Policy or Microsoft Intune. The policy is called RemoveMicrosoftCopilotApp and is part of the April 2026 Windows security update. Alternatively, you can uninstall Copilot with PowerShell or Intune. Source

Details on CVE-2026-3854: A critical flaw in GitHub’s internal git infrastructure enabling RCE on GitHub.com and GitHub Enterprise Server.  ( 63 min )

We’re proud to announce that PortSwigger recently won the Overall Judges’ Award at the Northern Tech Awards 2026. The Northern Tech Awards are run by GP Bullhound, the tech advisory and investment fir  ( 4 min )

Mac security updates lag due to legacy workflows. DDM enables faster patching, reducing vulnerability windows and manual effort for IT teams.  ( 7 min )

Microsoft is rolling out several long-requested changes to the Windows Update experience in Windows 11. You can now skip updates during initial device setup, pause them for up to 35 days with no limit on how many times you extend the pause, and restart or shut down your PC without being forced to install a pending update. Driver, .NET (Microsoft's application runtime framework), and firmware updates will be bundled into a single monthly restart cycle. These changes are currently rolling out to Windows Insiders in the Dev and Experimental channels. Source

The shift from static CVE scoring to risk-based prioritization signals a new era for Vulnerability Managers  ( 52 min )

﷽  ( 4 min )

Azure Fabric Backdoor With A Twist  ( 15 min )

State of the Art of Private Key Security in Blockchain Ops - 4. Approvals and Policies  ( 13 min )

No content preview  ( 7 min )

David Brauchler III delivers a fascinating Black Hat talk on the root cause of AI-based vulnerabilities and why security architecture is the real solution.  ( 7 min )

MCP Bridge Upgrade  ( 7 min )

Black Hole of Trust: SEO Poisoning in Silver Fox’s Space Odyssey  ( 7 min )

State of the Art of Private Key Security in Blockchain Ops - 3. Private Key Storage and Signing Module  ( 12 min )

The Symbols of Operation code data confusion ada lovelace  ( 6 min )

Public Report: AWS EKS Security Claims  ( 7 min )

Public Report: Google Private AI Compute Review  ( 7 min )

State of the Art of Private Key Security in Blockchain Ops - 2. Common Custody Solutions Architectures  ( 12 min )

Legacy Technology in Transport: More Than “Old Tech”  ( 7 min )

No content preview  ( 14 min )

Concepts, Types of Wallets and Signing Strategies  ( 12 min )

Bridging the Valley of Death: How Assurance Takes Us from Proof of Concept to Minimum Viable Product  ( 7 min )

Goal-Based Regulation  ( 7 min )

Unmasking Techno Sophists  ( 6 min )

Public Report: VetKeys Cryptography Review  ( 7 min )

Your point of departure for forensic readiness - Digital Forensics Incident Response  ( 10 min )

Euro 7, Anti-tampering, and the Expanding Cybersecurity Landscape  ( 6 min )

Discover how ransomware affects patient care, with insights from NCC Group on clinical vulnerabilities and sector trends.  ( 16 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 8 min )

No content preview  ( 6 min )

No content preview  ( 13 min )

This article details a vulnerability in Java Web Start that allows file inclusion through manipulated system properties.  ( 10 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

No content preview  ( 8 min )

No content preview  ( 9 min )

No content preview  ( 7 min )

No content preview  ( 10 min )

Hackproofing Lotus Domino Web Server  ( 6 min )

No content preview  ( 24 min )

No content preview  ( 6 min )

Explore how a command injection flaw in Citrix Access Gateway could allow attackers to execute arbitrary system commands.  ( 9 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

No content preview  ( 7 min )

No content preview  ( 10 min )

No content preview  ( 6 min )

No content preview  ( 9 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 11 min )

No content preview  ( 7 min )

No content preview

No content preview  ( 11 min )

No content preview  ( 7 min )

No content preview  ( 11 min )

No content preview

No content preview  ( 30 min )

No content preview  ( 8 min )

No content preview

No content preview

No content preview

No content preview

No content preview

Discover how LDAPFragger uses LDAP attributes to evade network restrictions and exfiltrate data covertly.  ( 15 min )

No content preview

No content preview  ( 11 min )

No content preview  ( 6 min )

No content preview  ( 8 min )

Advanced SQL Injection in SQL Server Applications  ( 6 min )

No content preview  ( 10 min )

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 12 min )

No content preview  ( 7 min )

No content preview  ( 19 min )

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview  ( 7 min )

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview  ( 7 min )

A practical approach to neutralizing Log4j’s JNDI vulnerability without upgrading the entire library.  ( 12 min )

No content preview  ( 20 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

No content preview

No content preview

No content preview

No content preview  ( 8 min )

No content preview  ( 6 min )

No content preview  ( 8 min )

No content preview  ( 6 min )

No content preview  ( 9 min )

No content preview  ( 19 min )

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview  ( 10 min )

No content preview  ( 16 min )

No content preview  ( 17 min )

No content preview  ( 6 min )

No content preview  ( 12 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 10 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 8 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

Explore the introduction to exploiting CVE-2018-8611 in Windows Kernel Transaction Manager (KTM) with NCC Group’s expert analysis.  ( 23 min )

No content preview  ( 12 min )

No content preview  ( 6 min )

No content preview  ( 12 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 9 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 19 min )

No content preview

This post reveals how a simulated attack demonstrated the ease of breaching hospital systems using basic resources.  ( 13 min )

No content preview  ( 17 min )

Learn how anti-fuzzing techniques enhance defence-in-depth strategies and protect applications from fuzzing-based vulnerabilities.  ( 13 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

Explore the remote code execution flaw in ImpressPages CMS and learn best practices for vulnerability remediation.  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 10 min )

Learn how forensic techniques can recover deleted entries from the Windows Registry for investigation and analysis.  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 10 min )

No content preview  ( 7 min )

Discover how multivariate cryptography fits into the future of secure communications and what makes it unique among quantum-safe algorithms.  ( 21 min )

No content preview  ( 11 min )

Understand the mechanics behind SMB hash hijacking and user tracking in MS Outlook. Our advisory covers attack vectors, testing methods, and fixes.  ( 12 min )

No content preview  ( 10 min )

No content preview  ( 14 min )

No content preview  ( 12 min )

No content preview  ( 9 min )

No content preview  ( 18 min )

No content preview  ( 8 min )

No content preview  ( 13 min )

Discover how attackers could exploit memory handling flaws in OpenOffice.org to compromise system integrity and user safety.  ( 9 min )

No content preview  ( 9 min )

No content preview  ( 29 min )

No content preview  ( 7 min )

Explore a detailed breakdown of the Bybit hack, uncovering attack methods, vulnerabilities, and security lessons learned.  ( 15 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

Explore known XML-based attack methods including DTD abuse, schema exploits, and entity expansion vulnerabilities.  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 8 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

Nagios XI Network Monitor is vulnerable to blind SQL injection. Learn the impact, exploitation risks, and mitigation steps.  ( 7 min )

No content preview  ( 6 min )

A technical overview of NFC chip vulnerabilities and protection strategies for secure communication.  ( 15 min )

No content preview  ( 11 min )

Learn why CVE-2021-3156 poses a threat to VMware vCenter and how to protect your infrastructure from attacks.  ( 30 min )

No content preview  ( 9 min )

Explore how Yara can detect Authenticode timestamp anomalies in PE files and enhance malware analysis.  ( 10 min )

No content preview  ( 17 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

No content preview  ( 9 min )

No content preview  ( 18 min )

No content preview  ( 11 min )

No content preview  ( 12 min )

No content preview  ( 12 min )

No content preview  ( 10 min )

No content preview  ( 11 min )

No content preview  ( 25 min )

No content preview  ( 10 min )

No content preview  ( 10 min )

No content preview  ( 16 min )

No content preview  ( 13 min )

No content preview  ( 8 min )

No content preview  ( 9 min )

No content preview  ( 17 min )

No content preview  ( 13 min )

Discover how fuzzing RTSP streams uncovered vulnerabilities in VLC and advanced secure software development.  ( 11 min )

No content preview  ( 15 min )

No content preview  ( 8 min )

No content preview  ( 27 min )

Insights from honeypot research on F5 TMUI RCE vulnerability. Understand attack patterns and steps to strengthen your security posture.  ( 14 min )

Discover how early-stage security planning in hardware and embedded systems can dramatically reduce attack surfaces.  ( 12 min )

No content preview  ( 16 min )

No content preview  ( 15 min )

No content preview

No content preview  ( 10 min )

A brief look at Windows telemetry: CIT aka Customer Interaction Tracker  ( 24 min )

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 6 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 8 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

NCC Group explains why pen test prerequisites are essential for accurate, efficient, and secure web application assessments.  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 9 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 8 min )

E-mail Spoofing and CDONTS.NEWMAIL  ( 7 min )

No content preview  ( 8 min )

No content preview  ( 6 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 10 min )

No content preview  ( 7 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 8 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 7 min )

No content preview  ( 6 min )

No content preview  ( 11 min )

No content preview  ( 54 min )

Learn about multiple CVEs affecting Nuki Smart Locks and how to mitigate security risks for connected home devices.  ( 21 min )

No content preview  ( 11 min )

This technical advisory details how encoded URLs can be used to inject malicious HTTP headers in Oracle WebLogic Plug-in environments.  ( 12 min )

No content preview  ( 16 min )

No content preview  ( 12 min )

No content preview  ( 16 min )

No content preview  ( 10 min )

No content preview  ( 10 min )

No content preview  ( 11 min )

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview

No content preview