- Vulnerable U
- Posts
- 🎓️ Vulnerable U | #176
🎓️ Vulnerable U | #176
Microsoft ID used to track hackers in court case, Vidar infostealer intel breakdown, Zero days to watch out for, and much more!
Read Time: 10 minutes

Brought to you by:
Howdy friends!
The BlackHat and DEFCON calendar invites have begun. I’m sure there won’t be 7 things I try to show up in the same 3 hour block on Tuesday. Who’s all going? Should I get the cabana by the pool again for us to do a meetup?
Did you see my big announcement this week? Me and Low Level started a podcast. We’ll be shipping weekly episodes and occasional guest interviews. We do film it for YouTube but you can find it on all your favorite podcast apps.
Check it out! Subscribe to help us get it off the ground on the new channels.

Thanks Maze for being an awesome launch partner on this new venture. 🤘
ICYMI
🎧️ Something I heard: The Low Down! We recorded this one at PlanetScale HQ out in SF where we were hosting a panel.
🎤 Something I said: I interviewed HD Moore about how hacking feels like its in the 90s again thanks to AI.
🔖 Something I read: Early signs of frontier cyber capabilities in Open-Weight models
Vulnerable News
One of the more interesting debates that came out of the recent Scattered Spider arrest wasn't actually about the alleged cybercrime itself. It was about how the suspect got caught. A lot of people latched onto the court documents discussing Microsoft's GDID identifier and immediately jumped to the conclusion that Microsoft has some secret tracking mechanism baked into Windows.
But when digging into what security researchers were saying, the reaction was almost the opposite. Several people who spend their lives tracking threat actors were basically saying, "Wait, you're surprised by this?" One of the strongest reactions came from Allison Nixon, who has spent years helping identify and track cybercriminal groups. Her argument: anonymity isn't something you have. It's something you maintain until you don't.
Nixon's comments were honestly some of the most fire takes I've seen on this story. She pointed out that the suspect allegedly sent her death threats years ago, which immediately put him on her radar. From there, she did what she does: shared intelligence with providers, incident responders, security teams, and investigators. Her broader point was that threat actors often have a completely unrealistic view of anonymity. They think they're invisible because they use a VPN, a burner account, or some OPSEC tricks. Meanwhile, the people tracking them are collecting evidence, building profiles, connecting dots, and watching patterns over the course of years. As she put it, saying you're anonymous is like saying you've won a marathon you haven't finished. The game doesn't end until your opponents either lose interest or catch you.

From my live stream here: https://www.youtube.com/live/5QmVWzh3JUs?si=h0SlCGJ8ERx08E3d&t=6260
The technical details around the GDID itself turned out to be less dramatic than some headlines suggested. Researchers such as Massgrave pointed out that the identifier is closely related to Microsoft's long-documented Passport User ID system. In other words, this wasn't some secret spyware identifier that suddenly surfaced. It was part of the ecosystem Microsoft uses to tie together accounts, devices, activation services, and telemetry. The browsing-history angle that got everyone excited also appears to have involved optional Microsoft Edge telemetry rather than some universal logging feature affecting every Windows user. The bigger story isn't that Microsoft can identify a device, but how many different systems, services, accounts, and telemetry sources can be correlated once investigators start looking. (read more here, here, here, and here)

Looking for a fast, free way to level up your resume and data security skills?
Varonis Threat Labs created Breach at the Beach, a new CTF that drops you into a live identity breach unfolding across Entra ID and M365. As the storm rolls in, you help Pixel the cat trace an AI threat actor who is quietly abusing legitimate features to move through the environment. You'll dig through real logs and audit trails to track them down the same way threat hunters do in the field, so you can save the day and bring the sunshine back.
The best part? It's free to play, browser-based, and each stage you complete earns you a CPE credit. Finish all four stages by August 6 for a shot at a $2,000 Marriott Gift Card.
Pixel's counting on you. Grab your sunglasses and play now.
*Sponsored

from my live stream here: https://www.youtube.com/live/5QmVWzh3JUs?si=7FRqGGnOIKjq4YLh&t=1872
I had to cover this one because it's such a perfect example of the privacy and surveillance conversations we keep having in cybersecurity. A Florida police officer is under investigation after allegedly using law enforcement databases and AI-powered license plate reader systems to stalk a woman he met while working security on the set of the Apple TV+ show Bad Monkey. According to reporting from 404 Media, he spent weeks harassing her, asking for her name and Instagram information, then used Florida's law-enforcement-only DMV database, called DAVID, to pull her vehicle information. From there, he allegedly added her license plate to a surveillance hot list so he would receive real-time notifications whenever AI-powered cameras spotted her vehicle. She wasn't suspected of a crime.
According to court records, he allegedly used government databases, automated license plate readers, surveillance alerts, and other law enforcement tools to track her movements and ultimately chase her down. At one point he allegedly told her, "I told you I'd find you and pull you over." That's an insane abuse of power. It's exactly why I roll my eyes whenever someone says we should be comfortable giving governments or corporations more surveillance capabilities because they'll only be used by the good guys. The “good guys” doing some heavy lifting here. (read more)
Krebs has a knack for finding stories that make you stop and say, "Wait, what?" This week's example is Iris C2, a self-described offensive security company that claims to sell cyber capabilities and phone-hacking services to government customers. Krebs dug into the company's background and found connections to Jacob Wohl and Jack Burkman, two political operatives better known for a long history of failed ventures, misinformation campaigns, lawsuits, and criminal convictions than cybersecurity research. Iris C2 emerged from a penetration-testing business before pivoting toward zero day peddling, with related corporate records pointing back to Burkman's lobbying operation.
One of the quotes Krebs highlighted was Wohl describing himself as highly technical and capable of building "spectacularly exquisite capabilities," despite acknowledging he has no formal education or training in computer science or information security. Maybe there's a legitimate business here. Maybe there isn't. But if you're a security researcher frustrated with bug bounty programs or looking for someone to buy your zero-days, I'd be asking a lot of questions before handing them over to a company whose founders are better known for political grift and felonies than cybersecurity. (read more)

Unit 42 with a great breakdown of Vidar stealer campaign they spotted spiking in April 2026. It uses malvertising which is always one of a delivery mechanism that makes my ears perk up. Pushing fake cracked software downloads - but the evasion tricks are worth noting. The loader binaries are inflated with null bytes up to 491MB (the actual malicious content is only 2.3MB) specifically to skip automated sandbox analysis, paired with a fake JustWatch code-signing certificate and an in-memory AMSI bypass. The whole thing is built on a MaaS framework called Factory-v3 that generates unique hashes per build, making hash-based detection pretty useless.
The payload is a two-fer: Vidar steals your browser creds and crypto wallets while XMRig mines Monero in the background using your CPU cycles. The operator gets a Telegram ping labeled "X3D MINER • NEW LOG" for every fresh infection. A second variant showed up April 24th swapping the fake JustWatch cert for one impersonating BleacherReport - same infrastructure, just iterating on the certificate approach. IOCs are in the full report if you want to go hunting, and defenders should prioritize stripping null byte padding before applying file size limits or you'll miss this one entirely. (read more)
If every reviewer clicks approve, the review didn't happen. Attestation fatigue is real: reviewers see 200 identical rows with no context and do the only reasonable thing. Opal's Paladin triages the queue before they ever open it — automating the routine 90% with a full audit trail, surfacing the 10% that needs a human call. Watch the on-demand demo.
*Sponsored
If you're running Ubiquiti gear, patch now. Ubiquiti just dropped fixes for seven critical vulns in UniFi OS, headlined by CVE-2026-50746, a max severity command injection flaw in the UniFi Connect Application. Anyone with network access could exploit it to run commands on the host device - no user interaction required. The fix is version 3.4.20, go get it.
The other six CVEs hit a wide range of Ubiquiti products - UniFi Talk, Access, Protect, their OS Server, and a bunch of routers, gateways, NAS and surveillance systems. With Censys tracking over 100,000 UniFi OS instances exposed to the internet (nearly half of them in the US), the blast radius here is significant. Worth noting that Ubiquiti gear has been a favorite target for state-sponsored groups before - Russia's GRU was caught using hijacked Ubiquiti routers as recently as 2024 to proxy espionage traffic. No confirmed exploitation in the wild yet, but given the history and the exposure numbers, that window probably won't stay open long. (read more)
This one's a fun unintended consequence story. Scammers have been hijacking .gov and .edu websites - over 2,000 of them across 80 countries - to host fake "leaked OnlyFans" pages that redirect victims to malware and scam sites. Gold mine since they can use the Google authority score from the old legit site. Plot twist! OnlyFans creators filing DMCA takedown requests are acting as a free threat detection service, with over 384,000 takedown requests helping surface compromised government sites they probably didn't even know were hacked.
UpGuard's research suggests that monitoring for adult content keywords on your .gov or .edu domain could serve as a solid early warning system for SEO injection attacks. What a weird and funny canary. One researcher noted that getting Google to remove the search results is surprisingly effective since these pages have virtually no visibility outside of search. The bulk of the DMCA requests are being fired off by one Estonian company called Rulta, which is raising some eyebrows about whether carpet-bombing compromised government sites with copyright notices is really the right approach - but hey, at least someone's finding these breaches. (read more)
Supply chain attacks on npm and days that end in y. This one's nasty because it targeted the Injective Labs SDK - a package with 50,000 weekly downloads used by developers building crypto wallets, trading bots, and DeFi apps. As per usual, an attacker compromised a legitimate contributor's GitHub account, snuck in malicious code on June 8, and published version 1.20.21 before anyone noticed. The good news is the real account owner caught it within minutes and pushed a clean release. The bad news is 310 downloads happened in that window, and the malicious GitHub artifacts are still sitting there.
The malware itself doesn't trigger on install, it waits until developers actually use wallet key generation or import functions, then quietly grabs the full mnemonic seed phrase and private key, bundles them up, and ships them out via HTTP POST to a legitimate-looking Injective Labs endpoint. Sneaky. If you're a developer who pulled that package, assume you're compromised - move your crypto to new wallets and rotate everything in your environment immediately.(read more)

Meta's spent a gazillion dollars on being a frontier AI lab and nobody is using their models. So why not just bake their new one into Instagram to force usage. Their new AI image model called Muse Image, and …wait for it… it's using your public Instagram photos by default to generate AI content - including letting other users @-mention your account to remix your photos into new images without notifying you. The opt-out is buried several menus deep in your settings, and here's the annoying part - anything already created with your photos before you disable it stays up. If you've got a public Instagram account, it's worth taking the two minutes to go turn that off now.
This is part of a broader trend of big tech companies quietly flipping AI training features to opt-out rather than opt-in. Google's doing the same thing with a new Search Services History setting that stores your images, audio, and video to train their models. Neither company is doing anything technically illegal here, but it’s concerning they didn’t have to. (read more)
Two spicy Linux kernel vulnerabilities this week, and Google's bug bounty program had to write some big ol’ checks. The bigger one, dubbed "Januscape" (CVE-2026-53359), is a guest VM escape in KVM that sat undetected for 16 years. The short version: if you're renting a single cloud instance and have root on your guest VM, you can potentially take down or fully compromise the host machine and every other tenant on it. That's a bad day for any cloud provider. Google paid $250K for this one.
The second bug, "GhostLock" (CVE-2026-43499), is a use-after-free in the kernel's futex priority-inheritance code that's been hiding since 2011 and lets low-privileged users escalate to root. That one netted $92K from Google's kernelCTF program. Both are patched in the kernel now, so go check your distro and make sure those fixes have actually landed on your systems. (read more)
China-linked hackers have been hitting Roundcube webmail servers at U.S. and Canadian universities since May, specifically targeting physics and engineering departments plus anyone touching astrophysics, particle physics, or national security research. Since May 2026, they've been chaining together n-day Roundcube vulnerabilities to steal credentials and drop either a webshell or VShell backdoor into server memory. The attack only requires the email to be opened in the webmail client, so the specific recipients may have been less important than the fact that those departments were running vulnerable Roundcube versions - suggesting prior recon.
Their custom JavaScript stealer (dubbed IceCube by Proofpoint) escapes iFrames, steals creds and 2FA material, then pivots to server-side exploitation via a deserialization vuln to plant a webshell. If that fails, there's a fallback that pulls down SNOWLIGHT and ultimately VShell. The tooling is verbose, well-commented, and likely LLM-assisted. (read more)
Researchers demonstrated a technique they call "GitLost," showing how an attacker could abuse GitHub's AI-powered issue-handling capabilities to retrieve information from private repositories. The attack starts with a public GitHub issue. Because the AI agent automatically reads issue titles and descriptions as part of its workflow, an attacker can embed instructions that look like legitimate questions but are actually prompts designed to manipulate the agent's behavior. In the proof of concept, the researchers simply asked the agent to retrieve information from both a public repository and a related private repository that the agent had access to. (read more)
Miscellaneous mattjay



How'd I do this edition?It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week. |
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay




