
Penetration Testing LLM Web Apps: Common Pitfalls
April 14, 2026 – This article focuses exclusively on penetration testing applications that use off-the-shelf LLM models through inference APIs.
Author: Felix Friedberger
Our employees frequently engage in research projects to live up to a high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals, as well as to advisories and zero-day vulnerabilities.

March 24, 2026 – Entra ID and Azure are a universe of their own, offering many possibilities but also many security pitfalls. Operating Entra ID and Azure securely is an art in itself and poses major challenges for many IT departments. This blog post is about how to get this problem under control.
Author: Constantin Wenz

February 25, 2026 – This post breaks down the full attack chain, from initial phishing emails to credential harvesting and remote access malware, and maps out some of the infrastructure behind it.
Author: Felix Friedberger

February 10, 2026 – In this blog post we will cover ICs from a more theoretical standpoint: mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set. Spoiler: this is not entirely possible.
Author: Lino Facco

January 28, 2026 – In this third part of the blog series, you will learn how to inject shellcode into processes with ICs as an execution mechanism without creating any new threads for your payload and without installing a vectored exception handler.
Author: Lino Facco

December 4, 2025 – This is the third post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this final post, we will provide insights into the development of our BOF loader as implemented in our Mythic beacon. We will demonstrate how we used the experimental Mythic Forge to circumvent the dependency on Aggressor Script – a challenge that other C2 frameworks were unable to resolve this easily.
Author: Leon Schmidt

December 3, 2025 – Last week, the German Kraftfahrt-Bundesamt (German Federal Motor Transport Authority) presented the new i-Kfz app. This is linked to the hope that it will reduce bureaucracy. Read here to find out if it works as intended.
Author: Julian Lemmerich

November 27, 2025 – This is the second post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this second post, we will present some concrete BOF implementations to show how they are used in the wild and how powerful they can be.
Author: Leon Schmidt

November 26, 2025 – Regarding the Node Package Manager (npm) supply chain attack that started November 21, 2025, and affected thousands of packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.
Author: Niklas Vömel, Felix Friedberger

November 19, 2025 – This is the first post in a series of blog posts on how we implemented support for Beacon Object Files into our own command and control (C2) beacon using the Mythic framework. In this first post, we will take a look at what Beacon Object Files are, how they work and why they are valuable to us.
Author: Leon Schmidt

July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.
May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.
cirosec follows this responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need to give the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the public's need to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our Responsible Disclosure Policy can be found here.