Publications

LinkPro: eBPF rootkit analysis

14/10/2025 During a digital investigation related to the compromise of an AWS-hosted infrastructure, a stealthy backdoor targeting GNU/Linux systems was discovered. This backdoor features functionalities relying on the installation of two eBPF modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a "magic packet". This article details the capabilities of this rootkit and presents the infection chain observed in this case, which allowed its installation on several nodes of an AWS EKS environment...

LLM Poisoning [1/3] - Reading the Transformer's Thoughts

08/10/2025 Your local LLM can hack you. This three-part series reveals how tiny weights edits can implant stealthy backdoors that stay dormant in everyday use, then fire on specific inputs, turning a "safe" offline model into an attacker. This article shows how transformers encode concepts and how to detect them in its internal activations.

What could go wrong when MySQL strict SQL mode is off?

02/10/2025 This article shows some examples of attacks that can abuse MySQL behavior when the strict SQL mode is disabled, especially when string characters are invalid in the current encoding. This happens when the encoding of the application (e.g. UTF-8) is wider than that of the database (e.g. ASCII).

Quantum readiness: Hybridizing signatures

29/09/2025 In light of new legal requirements being enacted in many countries for software providers to adopt hybrid post-quantum cryptography, Synacktiv has initiated research into these novel cryptographic algorithms. After having studied what makes post-quantum cryptography “post-quantum” in the previous articles, we now dissect the concept of hybridization, a vital mechanism for a safe transition. This first article focuses on hybridizing signature schemes, while a follow-up one will tackle key exchanges.

appledb_rs, a research support tool for Apple platforms

25/09/2025 Over the years, research on Apple platforms has become significantly more complex, largely due to the numerous countermeasures deployed by the Cupertino company. To address this challenge during our missions on these platforms, we developed appledb_rs: an open-source tool (https://github.com/synacktiv/appledb_rs) that extracts data from IPSW files (archives containing Apple firmware) and organizes it in a structured way, facilitating exploration and analysis.

The Phantom Extension: Backdooring chrome through uncharted pathways

23/09/2025 The increasing hardening of traditional Windows components such as LSASS has pushed attackers to explore alternative entry points. Among these, web browsers have emerged as highly valuable targets since they are now the primary gateway to sensitive data and enterprise cloud services. Numerous secrets, including tokens and credentials, flows through browsers, and their compromise can provide attackers with extensive access across an organization. This article presents a little-known technique for compromising Chromium-based browsers wi...

Exploring GrapheneOS secure allocator: Hardened Malloc

22/09/2025 GrapheneOS is a mobile operating system based on Android and focusing on privacy and security. To enhance further the security of their product, GrapheneOS developers introduced a new libc allocator : hardened malloc. This allocator has a security-focused design in mind to protect processes against common memory corruption vulnerabilities. This article will explain in details its internal architecture and how security mitigation are implemented from a security researcher point of view.

Dissecting DCOM part 1

15/09/2025 This is the first article on the "Dissecting DCOM" series. This article aims at giving an introduction to the base principles of COM and DCOM protocols as well as a detailed network analysis of DCOM. No previous knowledge is required. The following articles will dig into the authorization and enumeration mechanisms on COM/DCOM. This articles series aims to regroup known knowledge about DCOM in order to allow one to have the necessary tools for vulnerability research on DCOM.

2025 summer challenge writeup

12/09/2025 Last month we organised the Synacktiv Summer Challenge 2025, an event featuring an original challenge based on Podman archive formats. Many of you spent several hours working on it: we received over thirty attempts! This article aims to present and explain in detail the different steps involved in designing an optimal solution.

Extraction of Synology encrypted archives - Pwn2Own Ireland 2024

11/08/2025 This article features the reverse engineering of Synology encrypted archives extraction libraries and the release of a script able to decrypt these archives. The tool is available on Synacktiv's GitHub.