似此星辰非昨夜

Hi, I’m blacksugar 👋


I’m currently pursuing a Master’s degree in Cyber Security (2024–2026) at Radboud University in the Netherlands.


My focus areas include network and traffic security, reverse engineering, malware analysis, secure software development (particularly the creation of automated attack tools), incident response, and offensive and defensive security.


Thanks for stopping by, and feel free to reach out!


Article Depth Tags

(All four names originate from ancient Chinese trees)


松子 (Pine): Entry-level or lightweight analyses


古度 (Fig): Solid engineering and clearly explained principles


平仲 (Ginkgo): Structured, multi-angle deep dives on one topic


君迁 (Date-Plum): Research-grade or full-chain, high-intensity technical analysis


「古度」From Veras to Password Reuse: Semantic Patterns of Sister Passwords

1. Recap – From PASSLLM Back to Semantics In the last post, From COMB to PASSLLM: Setting a Semantic Baseline, I plugged my cleaned COMB dataset into PASSLLM’s reuse pipeline and asked a simple question: If I give a model one of your old passwords, how often can it guess the next one within 1,000 tries? PASSLLM gave me a surprisingly strong baseline on semantic-looking reuse pairs, even after I aggressively removed email-based and name-based passwords. ...

「古度」From COMB to PASSLLM: Setting a Semantic Baseline

0. Recap – From Raw Breaches to Semantic Password Pairs In the previous post, “Cleaning the Chaos”, I wrote about turning the COMB mega-breach into something that actually reflects human semantics instead of just random junk strings. The goal was simple: if we want to study whether passwords like darkness → midnight or summer19 → sunshine20 are related at a conceptual level, then our dataset needs to be full of these “semantic siblings,” not hashes, email copies, or unreadable gibberish. ...

「古度」Cleaning the Chaos

0. Internship Background During my research internship at the Digital Security Group (Radboud University), I worked on a project titled “Semantic-Aware Password Guessing”, under the supervision of Xavier de Carné de Carnavalet. The goal of this project was to explore whether semantic similarity—the kind of conceptual relation humans perceive between words like darkness and midnight—could be applied to model how users create new passwords. Existing password guessing models such as Pass2Path or Pass2Edit mainly rely on edit distance and structural transformations. They perform well when users make small tweaks, like password1 → password2, but fail when users create new passwords that carry similar meanings but very different characters. ...

「平仲」A Glance of Fuzzing

As part of the Software Security course at Radboud University, I conducted a fuzzing project targeting pdfalto, a command-line tool that converts PDF files into structured XML representations (ALTO format). The tool is written in C++ and relies heavily on the xpdf library, which is also implemented in C++. We chose pdfalto because the PDF format is notoriously complex and error-prone, and the project seemed to have practical relevance: it is used in real-world contexts but has not been widely tested with fuzzing tools. The goal was to explore the effectiveness of several fuzzers and to identify potential bugs or vulnerabilities. ...

「平仲」Analysis of the REDIS-SNAPSHOT DDoS Trojan

0x00 Introduction REDIS-1.2-SNAPSHOT is a DDoS trojan that exploits exposed Redis instances to infiltrate and install itself. The attack abuses Redis master-slave replication: the attacker makes the target replicate from a rogue master, writes a .so file onto the target machine through the replication (slave) backup mechanism, and then loads that shared library directly to execute system commands, thereby installing the REDIS-1.2-SNAPSHOT trojan. The trojan builds its command-and-control on Redis and can launch TCP and UDP flood attacks; it can also carry out targeted DDoS attacks against Minecraft game servers’ handshake, login, and MOTD connections. The trojan also uses the same SLAVE backup and byte-write methods to spread to other Redis servers. ...

「君迁」Comprehensive Malware Analysis of a Lumma Stealer Sample Delivered via Malicious SCR Dropper

LUMMA offers Malware-as-a-Service (MaaS) for information-stealing trojans, enabling its customers to directly build trojans on the platform. The MaaS platform also supports parsing, extracting, and retrieving stolen data such as databases and text files, significantly lowering the barrier to entry for data theft attacks. The LUMMA technical development team continues to refine the trojan’s data exfiltration capabilities, which currently include stealing browser data, cryptocurrency keys, KEEPASS password databases, and more. To effectively evade antivirus solutions, LUMMA does not employ VMProtect (VMP) packing technology but instead utilizes a string obfuscation method referred to by the technical team as the “MORPHER” solution. ...

「古度」Analysis of RustDog and Process Injection

0x00 Opening I didn’t set out to write about process injection. I was knee-deep in a reverse-engineering task when a sample named RustDog kept pulling me back — not because it was flashy, but because it quietly did what many modern trojans do: slip code into other processes and hide in plain sight. Over a few late-night debugging sessions I tracked how it reached into legitimate processes and manipulated them. That little detour turned into a full mini-project: I decided to map out common injection techniques, why many defenses miss them, and how the RustDog example ties everything together. ...

「古度」Debugging a Hidden Deadlock in Nuclei Workflows When Concurrency = 1

0x00 What’s UP Nuclei is one of my favorite security tools. But recently I ran into a strange and reproducible bug while using ProjectDiscovery’s Nuclei. A workflow that normally runs fine suddenly froze forever, but only under a very specific condition. Before diving into the issue, here’s a quick recap of the command we’re dealing with:

nuclei -w test-workflow.yaml -u https://example.com -c 1

📝 What this command does
-w test-workflow.yaml — loads a workflow file that orchestrates multiple templates
-u https://example.com — specifies the target
-c 1 — sets concurrency (number of parallel template executions) to 1

Workflows allow Nuclei to chain multiple templates together, making scanning smarter and more automated. However, using -c 1 with workflows used to trigger a curious deadlock, which is exactly what this blog post explores. ...

「松子」LAPLAS CLIPPER: A Brief Analysis of the Trojan

0x00 Introduction LAPLAS CLIPPER is an information-stealing trojan offered as a subscription-based MaaS (Malware-as-a-Service) cloud service (the service websites are shown below). Users can build trojan binaries directly on the platform and customize callback settings such as proxy servers and persistence configuration item names. The trojan continuously monitors the victim’s clipboard, and if the clipboard content matches a wallet-address regular expression it replaces it with the attacker’s wallet address, enabling fraudulent transfers and greatly lowering the technical barrier for attacks. ...

「松子」Host Collision 101: Finding Hidden Assets Behind a Single IP

This post is a review of my notes on host collision (virtual host enumeration): what it is, how it works, and why it still matters today. It also doubles as a “design doc” for my tool HostCollision.

0x00 Motivation: When ports are open but the site is “missing” Typical recon story: You do IP/port scanning and find lots of 80/443/8080/8443. You open them in a browser full of hope. You get 403, 404, “Welcome to nginx”, a Tomcat default page, random WAF splash screens… Clearly, something is running there, but not necessarily the app you’re after. ...
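The situation described above (open ports, default pages, real application hidden behind a name-based virtual host) is what host collision probes for: connect to the IP directly but supply candidate hostnames in the Host header, and report every name whose response differs from the default vhost. The example below is added here and is not code from the original post or from the author's HostCollision tool. It spins up a constructed stand-in server on loopback with an assumed vhost table (intranet.example.com, api.example.com), then runs the probe against it, so it works offline; the baseline hostname and the fingerprint (status, body length, title) are my own choices.

```python
"""Host collision (virtual host enumeration) demo: added example, not the HostCollision tool."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for a real origin: the IP answers every request, but only the
# right Host header reaches an application; anything else gets the default vhost page.
VHOSTS = {
    "intranet.example.com": (200, "<html><title>Intranet Portal</title>login</html>"),
    "api.example.com": (401, "<html><title>API Gateway</title>unauthorized</html>"),
}
DEFAULT_PAGE = (200, "<html><title>Welcome to nginx!</title></html>")


class VHostHandler(BaseHTTPRequestHandler):
    """Routes on the Host header the way a name-based virtual host setup does."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT_PAGE)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo output clean


def start_server():
    """Bind the constructed vhost server on a free loopback port and serve in the background."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, hostname):
    """Connect to the IP directly but claim `hostname` in the Host header (no DNS involved)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def fingerprint(status, body):
    """Coarse response signature: status code, body length and <title> text."""
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).decode(errors="replace").strip() if m else ""
    return status, len(body), title


def host_collision(ip, port, candidates):
    """Return {hostname: fingerprint} for every candidate that does not get the default vhost.

    The baseline is taken with a hostname that cannot resolve anywhere (assumed: .invalid TLD),
    so it reliably shows what the server returns for an unknown Host header.
    """
    baseline = fingerprint(*probe(ip, port, "baseline-probe.invalid"))
    hits = {}
    for name in candidates:
        fp = fingerprint(*probe(ip, port, name))
        if fp != baseline:
            hits[name] = fp
    return hits


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    wordlist = ["www.example.com", "intranet.example.com", "api.example.com", "shop.example.com"]
    for name, (status, length, title) in host_collision("127.0.0.1", port, wordlist).items():
        print(f"{name:25s} {status} {length:5d} {title}")
    server.shutdown()
```

Against a real target, replace the loopback server with the IP and port from your scan and feed the wordlist from certificate SANs, DNS history and leaked configs. The fingerprint is deliberately coarse: dynamic pages change length between requests, so in practice you compare on status plus title, or on a tolerance around the body length, and for HTTPS the hostname also has to go into the TLS SNI or the front end may pick a different certificate and vhost than the Host header suggests.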