UP-TO-DATE

Blog

Our employees frequently engage in research projects to live up to the high standard. They analyze the latest topics, methods and tools in interesting information security areas and prepare them in this context. The results of these activities contribute, for example, to projects, lectures at conferences, market overviews and articles for technical journals as well in advisories and zero-day vulnerabilities.

Blog Articles

Forensic

Analysis of a credential stealer malware campaign – Part II

June 23, 2026 – Researchers have uncovered an evolved credential-stealing malware campaign that lures Windows users through fake software download pages appearing in Bing search results. The updated malware deploys a malicious Chrome extension disguised as “Microsoft Teams Helper,” capable of keystroke logging, real-time screen recording, cryptocurrency clipboard hijacking, and full remote code execution on the victim’s machine.

Author: Colin Glätzer, Konrad Weyhing

AD Security

Microsoft Defender for Identity evasions in 2026 – Part II

June 17, 2026 – The first blogpost highlighted the detection capabilities and the resulting evasion options for Microsoft Defender for Identity (DfI). To complement the first part, the second part will present some alternative detection possibilities for the defensive side to improve visibility and security, as well as the upgrade from DfI version 2.2 to DfI version 3.0.

Author: Jakob Scholz

Red Teaming

Microsoft Defender for Identity evasions in 2026 – Part I

June 16, 2026 – Microsoft Defender for Identity (DfI) is one of Microsoft’s key solutions for detecting identity-based attacks in Active Directory environments – but how well does it hold up against a skilled attacker? This two-part blog post dives into DfI’s detection capabilities for high-impact attacks such as shadow credentials, pass-the-cert, ESC8, and DCSync. Additionally, it uncovers a spoofing and relaying vulnerability in DfI’s Network Name Resolution component that can be used to evade multiple alerts, and offers blue team perspectives on closing these gaps.

Author: Jakob Scholz

Pentesting

Fuzzing vhosts with SNI(tch)

June 10, 2026 – Host header fuzzing stops at the HTTP layer and can’t find services hardened at the TLS handshake via SNI validation. SNItch fills that gap by fuzzing the SNI field directly – and doubles as a tool to verify your own servers don’t leak hostnames to IP-based reconnaissance.

Author: Felix Friedberger

Forensic

Analysis of a credential-stealer malware campaign – Part I

May 20, 2026 – In March 2026, cirosec identified an ongoing malware campaign targeting developers, IT professionals, and power users who rely on popular open-source and productivity tools. The campaign is only accessible using the Bing search engine. Once executed, the malware exfiltrates browser credential stores, cryptocurrency wallet data, authentication tokens, VPN and SSH configurations, and sensitive documents.

Author: Colin Glätzer, Konrad Weyhing, Felix Friedberger

Pentesting

Reifegrad für Sicherheitsüberprüfungen

11. Mai 2026 – Eine kurze Zusammenfassung unseres Vortrags bei den cirosec-TrendTagen zu Pentesting, Assumed Breach, Red Teaming, TLPT & Co.

Author: Michael Brügge

Advisories

Vulnerability in Two App Studio Journey (CVE-2025-41459)

July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.

Vulnerability in Two App Studio Journey (CVE-2025-41458)

July 21, 2025 – Journey is a journaling app for iOS that stores personal entries and media.

Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2306)

May 15, 2025 – An improper access control vulnerability was identified in the file download functionality.

Vulnerability in SYNCPILOT LIVE CONTRACT (CVE-2025-2305)

May 15, 2025 – A path traversal vulnerability in the file download functionality was identified.

Vulnerability in Mobatek MobaXterm (CVE-2025-0714)

February 17, 2025 – MobaXterm is a toolbox for remote computing.

Vulnerability in Trend Micro Apex One (CVE-2024-55631)

January 8, 2025 – Our colleagues Frederik Reiter and Jan-Luca Gruber found a vulnerability in the Damage Cleanup Engine of Trend Micro Apex One, which allows and attacker to delete a folder with high privileges. This can be leveraged to escalate privileges in the context of SYSTEM.

Vulnerabilities

cirosec conducts vulnerability research into products and services, which at times results in zero-day vulnerabilities being discovered.

cirosec follows a responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need of giving the vendor or open-source project enough time to develop and distribute a fix for the vulnerability with the need of the public to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices. Our responsible disclosure policy can be found here.

Below is a list of CVEs vulnerabilities identified or assigned by cirosec and presented here for reference and cataloguing.

Vulnerability	CVE	CVSS Score	Publication Date	More Details
Vulnerability in Two App Studio Journey	CVE-2025-41459	7.8 (CVSS v3.1)	July 21, 2025	Advisory
Vulnerability in Two App Studio Journey	CVE-2025-41458	5.5 (CVSS v3.1)	July 21, 2025	Advisory
Vulnerability in SYNCPILOT LIVE CONTRACT	CVE-2025-2306	5.9 (CVSS v3.1)	May 15, 2025	Advisory
Vulnerability in SYNCPILOT LIVE CONTRACT	CVE-2025-2305	8.6 (CVSS v3.1)	May 15, 2025	Advisory
Vulnerability in Elaborate Bytes Virtual Clone Drive [ext]	CVE-2025-1865	7.8 (CVSS v3.1)	April 4, 2025	Changelog
Vulnerability in Mobatek MobaXterm	CVE-2025-0714	6.5 (CVSS v3.1)	February 17, 2025	Advisory
Vulnerability in Intel AMT	CVE-2024-38307	7.7 (CVSS v3.1)	February 11, 2025	Intel
Vulnerability in G DATA Management Server [ext]	CVE-2025-0542	7.8 (CVSS v3.1)	January 24, 2025	Advisory
Vulnerability in G DATA Security Client [ext]	CVE-2025-0543	7.8 (CVSS v3.1)	January 24, 2025	Advisory
Vulnerability in Trend Micro Apex One	CVE-2024-55631	7.8 (CVSS v3.1)	January 8, 2025	Advisory, Trend Micro
Vulnerability in HP Hotkey Support	CVE-2024-27458	8.8 (CVSS v3.1)	October 4, 2024	Advisory, HP
Vulnerability in AVG Internet Security	CVE-2024-6510	7.8 (CVSS v3.1)	September 12, 2024	Advisory
Vulnerability in Overwolf	CVE-2024-7834	7.8 (CVSS v3.1)	September 4, 2024	Advisory
Vulnerability in baramundi Management Agent	CVE-2024-6689	7.8 (CVSS v3.1)	July 15, 2024	Advisory, baramundi
Vulnerability in Trend Micro Apex One	CVE-2024-36302	7.8 (CVSS v3.1)	July 1, 2024	ZDI-Advisory, Trend Micro
Vulnerability in Checkpoint Harmony	CVE-2024-24912	7.8 (CVSS v3.1)	May 1, 2024	Advisory, Checkpoint
Vulnerability in Webroot Antivirus	CVE-2023-7241	7.8 (CVSS v3.1)	May 1, 2024	Advisory, Webroot
Vulnerability in Bitdefender	CVE-2023-6154	7.8 (CVSS v3.1)	April 1, 2024	Advisory, Bitdefender
Vulnerability in neo42 Sumatra PDF Package		7.8 (CVSS v3.1)	November 7, 2023	Advisory
Vulnerability in Bytello Share		7.8 (CVSS v3.1)	November 6, 2023	Advisory
Vulnerability in Kiteworks OwnCloud	CVE-2023-7273	6.8 (CVSS v3.1)	November 4, 2023	Advisory
Vulnerability in VMware Workstation	CVE-2023-20854	7.8 (CVSS v3.1)	February 3, 2023	Advisory, VMware
Vulnerability in Remote Access Software from RealVNC	CVE-2022-41975	7.8 (CVSS v3.1)	September 30, 2022	Advisory, RealVNC

Blogs - Overview

Title	Author	Publication Date	Category
Analysis of a credential stealer malware campaign – Part II	Colin Glätzer, Konrad Weyhing	June 23, 2026	Forensic
Microsoft Defender for Identity evasions in 2026 – Part II	Jakob Scholz	June 17, 2026	AD Security, Windows
Microsoft Defender for Identity evasions in 2026 – Part I	Jakob Scholz	June 16, 2026	Red Teaming
Fuzzing vhosts with SNI(tch)	Felix Friedberger	June 10, 2026	Pentesting
Analysis of a credential-stealer malware campaign – Part 1	Colin Glätzer, Konrad Weyhing, Felix Friedberger	May 20, 2026	Forensic
Reifegrad für Sicherheitsüberprüfungen	Michael Brügge	May 11, 2026	Pentesting
The seven seas of Kubernetes security	Christoffer Albrecht	May 5, 2026	Kubernetes
Penetration Testing LLM Web Apps: Common Pitfalls	Felix Friedberger	April 14, 2026	Pentesting
Auditieren von M365 und Azure	Constantin Wenz	March 24, 2026	Azure, EntraID
How Attackers Abuse Bubbleapps.io to Phish German Businesses	Felix Friedberger	February 10, 2026	Forensic
Windows Instrumentation Callbacks – Part 4	Lino Facco	February 10, 2026	Red Teaming, Reverse Engineering, Windows
Windows Instrumentation Callbacks – Part 3	Lino Facco	January 28, 2026	Red Teaming, Reverse Engineering, Windows
Die neue i-Kfz-App für den digitalen Fahrzeugschein	Julian Lemmerich	December 3, 2025	Digitalization, Identity, Mobile Security
Beacon Object Files for Mythic – Part 2	Leon Schmidt	November 27, 2025	Red Teaming, Command-And-Control
A collection of Shai-Hulud 2.0 IoCs	Niklas Vömel & Felix Friedberger	November 27, 2025	Forensic, Incident Handling
Beacon Object Files for Mythic – Part 1	Leon Schmidt	November 19, 2025	Red Teaming, Command-And-Control
Windows Instrumentation Callback – Part 2	Lino Facco	November 12, 2025	Red Teaming, Reverse Engineering, Windows
Windows Instrumentation Callbacks – Part 1	Lino Facco	November 5, 2025	Red Teaming, Reverse Engineering, Windows
IOCs of the npm crypto stealer supply chain incident	Niklas Vömel	September 25, 2025	Forensic, Incident Handling
Effektive Governance-Strategien im Red Teaming	Hannes Allmann	June 30, 2025	Red Teaming
The Key to COMpromise – Part 4	Alain Rödel and Kolja Grassmann	February 26, 2025	Red Teaming
The Key to COMpromise – Part 3	Alain Rödel and Kolja Grassmann	February 12, 2025	Red Teaming
The Key to COMpromise – Part 2	Alain Rödel and Kolja Grassmann	January 15, 2025	Red Teaming
TLPT: Bedrohungsorientierte Penetrationstests nach DORA	Michael Brügge	January 24, 2025	Red Teaming
The Key to COMpromise Part 1	Alain Rödel and Kolja Grassmann	January 15, 2025	Red Teaming
Wer hat das Elster-Zertifikat weitergegeben?	Benjamin Häublein	December 3, 2024	Identity
Google DoC2	Frederik Reiter	November 7, 2024	Command-and-Control, Red Teaming
Abusing Microsoft Warbird for Shellcode Execution	Jan-Luca Gruber & Frederik Reiter	November 7, 2024	Red Teaming, Reverse Engineering, Windows
Inside the NAC Pi	Leon Schmidt	July 5, 2024	Red Teaming
Loader Dev. 5 – Loading our payload	Kolja Grassmann	May 10, 2024	Red Teaming
Loader Dev. 4 – AMSI and ETW	Kolja Grassmann	April 30, 2024	Red Teaming
Loader Dev. 3 – Evading userspace hooks	Kolja Grassmann	April 10, 2024	Red Teaming
Loader Dev. 2 – Dynamically resolving functions	Kolja Grassmann	March 10, 2024	Red Teaming
Loader Dev. 1 – Basics	Kolja Grassmann	February 10, 2024	Red Teaming
Microsoft Tiering Model – Part 3/3	Hagen Molzer	January 10, 2024	AD Security
Microsoft Tiering Model – Part 2/3	Hagen Molzer	December 10, 2023	AD Security
Microsoft Tiering Model – Part 1/3	Hagen Molzer	November 10, 2023	AD Security

Your contact person

Daniela Strobel
daniela.strobel@cirosec.de
+49 7131 59455-60

Do you want to protect your systems? Feel free to get in touch with us.