Detection of EntryPoint Hijacking consists of the following: 1️⃣ EntryPoint address escapes the module’s DllBase range 2️⃣ MEM_IMAGE → MEM_PRIVATE transition 3️⃣ OriginalBase fails validation ✒️ Read More: ipurple.team/2026/05/13/e...

🎙️ EntryPoint Hijacking introduces a stealthier approach to code injection. 🛠️ 𝐀 𝐍𝐞𝐰 𝐃𝐞𝐭𝐞𝐜𝐭𝐢𝐨𝐧‑𝐂𝐚𝐩𝐚𝐛𝐢𝐥𝐢𝐭𝐲 is introduced that monitors: 🧠 The memory address of the EntryPoint 🧬 Changes to the EntryPoint memory type 🛑 OriginalBase validity ✒️ 𝐑𝐞𝐚𝐝 𝐭𝐡𝐞 𝐟𝐮𝐥𝐥 𝐚𝐫𝐭𝐢𝐜𝐥𝐞 ipurple.team/2026/05/13/e...

🚨 Cross‑Session Activation is a detection gap hiding in plain sight. 💡 The technique abstract below highlights the minimum viable signals for defenders. 💭 Interesting to know if this technique is part of your threat emulation library. #detectionengineering #purpleteam #blueteam

📉 𝐂𝐲𝐛𝐞𝐫 𝐬𝐢𝐠𝐧𝐚𝐥 𝐢𝐬 𝐝𝐫𝐨𝐩𝐩𝐢𝐧𝐠. 📈 𝐀𝐈 𝐧𝐨𝐢𝐬𝐞 𝐢𝐬 𝐫𝐢𝐬𝐢𝐧𝐠. To help, I created a list of active cybersecurity blogs written by people who still publish real research. If you follow any of these already (or have gems I should add), let me know. github.com/netbiosX/Cyb...

Yesterday, I published a deep‑dive into how adversaries abuse the 𝐂𝐫𝐨𝐬𝐬-𝐒𝐞𝐬𝐬𝐢𝐨𝐧 𝐀𝐜𝐭𝐢𝐯𝐚𝐭𝐢𝐨𝐧 mechanism for lateral movement. 🛠️ 𝐒𝐞𝐬𝐬𝐢𝐨𝐧𝐄𝐧𝐮𝐦𝐞𝐫𝐚𝐭𝐢𝐨𝐧 (New Tool) 🔍 Enumeration of active sessions 𝐚𝐜𝐫𝐨𝐬𝐬 𝐚𝐧 𝐞𝐧𝐭𝐢𝐫𝐞 𝐈𝐏 𝐫𝐚𝐧𝐠𝐞 (quser limitation) ✒️ 𝐑𝐞𝐚𝐝 𝐭𝐡𝐞 𝐟𝐮𝐥𝐥 𝐚𝐫𝐭𝐢𝐜𝐥𝐞 🟪 ipurple.team/2026/05/04/c...

Phantom-Evasion-Loader - a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF)

📝 Missed the write‑up on abusing SpeechRuntime for lateral movement? This diagram summarizes the chain.⤵️ ✒️ ipurple.team/2026/04/07/m...

Offensive Cases about Credential Guard & Detection Strategies #purpleteam

Generate DLL proxy/sideload projects. Automatically parses PE export tables and generates ready-to-compile project for red team engagements github.com/Whitecat18/L...

Proof of Concept (PoC) implant for creating custom Cobalt Strike Beacons github.com/EricEsquivel... #redteam

Automated Pass-the-Ticket (PtT) attack. Standalone alternative to Rubeus and Mimikatz for this attack, implemented in C++ and Python github.com/ricardojoser... #redteam

Creation of multiple Malware tools consisting of evasion, enumeration and exploitation github.com/CaptMag/MalDev

📢 New article about GAC Hijacking to perform Code Execution and Persistence 📖 1x Playbook - A structured breakdown of the full approach 💡 3x Detection Opportunities 🏹 2x Threat Hunting Queries - Defender & Splunk ipurple.team/2026/02/10/g...

CustomDpapi: Calling the undocumented DPAPI RPC interface directly, no more calling public CryptUnprotectData! github.com/EvilBytecode...

An open-source port/reimplementation of the Cobalt Strike BOF Loader

Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers (Chrome, Microsoft Edge, Firefox, Opera, Opera GX, and Vivaldi)

DbgNexum - a Proof-of-Concept for injecting shellcode using the Windows Debugging API and Shared Memory (File Mapping).

Aether C2 - Aether project operates on a Full Duplex, End-to-End Encrypted channel, utilizing direct WinAPI syscalls for evasion and a modular architecture for scalability github.com/256AndreiAES...

Ghostly Hollowing Via Tampered Syscalls github.com/Maldev-Acade...