Hadrian’s Orchestrator AI uncovered a Server-Side Request Forgery (SSRF) vulnerability in an endpoint acting as a proxy, fetching content from user-provided URLs. So what is SSRF, and why does it matter? This quick explainer breaks down how attackers exploit it and why it poses a serious risk to applications. Watch it here: https://lnkd.in/eNBxatAa #SSRF #Cybersecurity
-
Hadrian’s AI orchestration enables rapid scanning across services, reducing time-to-discovery and enabling proactive remediation before SSRF exploitation. Check out our video!!
What Is SSRF? The Hidden Web Vulnerability Hackers Love to Exploit
-
The attacker, unaware of the research LLM honeypot, literally chatted with an LLM without realizing it. 🤖 Yes, it really happened. At Beelzebub we put online an SSH research honeypot powered by an LLM. A real threat actor logged in with weak credentials (admin/123456), ran reconnaissance, and tried to infect the system with malware used in DDoS attacks. Without knowing it, they were talking to an LLM that replied like a “real” shell.

What the attacker did (highlights):
- Fast recon: uname -a; uptime; nproc
- Download & unpack: wget …/emech.tar.gz && tar xvf …
- Attempted execution/persistence (fake sshd & binaries)
- C2 over IRC (channels #rootbox / #c0d3rs-TeaM) → reported to the IRC provider

Why an LLM in a honeypot?
🔸 You don’t have to supervise it, and it replicates a real environment.
🔸 It’s easy to manage and maintain since it’s a fully virtualized system like a low-interaction honeypot.

👉🏻 Full article: https://lnkd.in/dBQvAPPu
-
ESET researchers report an AI-assisted ransomware family referred to as PromptLock. It leverages a locally hosted LLM through the Ollama API to generate Lua scripts on the host in real time, reducing command-and-control dependencies. For Incident Response, collection should include Ollama installations, model artefacts and transient Lua files; traditional network indicators alone may be insufficient. Red Team and Pen Test exercises should incorporate on-device LLM behaviours to validate controls that restrict unapproved model runtimes and script execution. https://lnkd.in/gw3UiV7U #IncidentResponse #RedTeam #PenTesting #Ollama #Lua #Ransomware
-
Security researchers have discovered an open-source remote access trojan, AsyncRAT, being delivered through a multi-stage, in-memory loader as adversaries move to fileless techniques. (Story by Shweta Sharma) https://lnkd.in/ewppux6F
-
🚨 A new critical vulnerability in Wing FTP Server (CVE-2025-47812) is being actively exploited by attackers. This flaw allows remote code execution, giving hackers the ability to run malicious Lua scripts, create backdoor accounts, and steal data. 👉 The takeaway? Once attackers get execution rights, it’s already too late. Detect-and-respond strategies leave businesses scrambling after the damage begins. In our latest blog, we break down what happened, why this vulnerability is so dangerous, and why the security community needs to push harder toward isolation and containment strategies that stop attacks before they execute. 🔒 Staying informed is the first step. Protecting against these evolving threats requires rethinking the way we approach endpoint security. Read the full blog here 👇 https://buff.ly/0vrIQdL #cybersecurity #ransomware #endpointsecurity #dataprotection #zeroday #securityawareness #AppGuard #AppGuardistheAnswer #infosec #CHIPS
-
TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks. The zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), who noted that he first reported it to TP-Link on May 11, 2024. #staycurious #stayinformed #noble1 #tomshaw TOM SHAW
-
WHEN UPDATES BACKFIRE (DESPITE GOOD INTENTIONS): Researchers traced the exploit to a "race condition" triggered by rapid HTTP(S) requests, where barely timed headers let hackers impersonate the “crushadmin” user. The exploit went live shortly after a code update intended to fix an unrelated AS2 bug, unintentionally revealing the flaw to attackers. Over 30,000 installations were at risk, and as of late July, about 1,000 remained unpatched, even though fixes were available. This basically turned a housekeeping update into a zero-day weapon. And it highlights a vital lesson: even minor code changes can create major security gaps, and patching must be relentless. Otherwise, enjoy your Labor Day weekend, friends. https://lnkd.in/ggb8PfJA #auguryit #cysec #patching
-
Surprising nobody not hooked up to a firehose IV of VC money. "The malware did more than just steal SSH keys, npm tokens, and .gitconfig files - it weaponized AI CLI tools (including Claude, Gemini, and q) to aid in reconnaissance and data exfiltration. This marks the first known case where attackers have turned developer AI assistants into tools for supply chain exploitation." https://lnkd.in/gYws7CHV
-
Adversaries are evolving their tactics by utilizing legitimate tools such as Impacket to maneuver undetected across networks, blending into the normal traffic flow. This method, known as "living off the land," poses significant challenges for security teams as malicious activities like commands and file transfers remain concealed within encrypted east-west traffic. Learn more about detecting Impacket's stealthy lateral movements in the article: [How to Detect Impacket's Hidden Lateral Movement East-West](https://lnkd.in/gWfkpx63).