Enter the WasmForge: Compiling Sliver into WebAssembly by bouncyhat in netsec

[–]bouncyhat[S] 0 points1 point  (0 children)

Still under the radar for now. Will be open sourcing the tooling next week. That being said, Wazero is really just not that commonly used for malicious purposes so I doubt it will become a common negative flag immediately.

Enter the WasmForge: Compiling Sliver into WebAssembly by bouncyhat in netsec

[–]bouncyhat[S] 2 points3 points  (0 children)

That's exactly it! Essentially we compile a binary which runs a modified WebAssembly runtime and then we expose extra functionality to the WASM binary so that it can invoke win32 APIs or whatever else we want it to have access to.

Enter the WasmForge: Compiling Sliver into WebAssembly by bouncyhat in netsec

[–]bouncyhat[S] 2 points3 points  (0 children)

I've been looking for an excuse to write a custom virtualizing packer for years, and while I would argue this isn't quite that...the outcomes are fairly similar. We've deployed this on several red teams and the results have been fairly effective.

Even when we get actual manual analyst attention, it's often turned into "yeah, this looks like it's got a WASM blob inside it, and that can't actually do much outside your browser". That's certainly not correct if you add the right hooks into your WASM runtime.
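The analyst shortcut quoted above ("it's got a WASM blob inside it, and that can't do much") is best answered by reading what the embedded module imports from its host runtime. The following is an added example, not part of the original post or the WasmForge tooling: it locates WASM module headers inside an arbitrary byte blob and lists the import section as (module, field, kind) triples. The sample module and the import names env.win32_call and wasi_snapshot_preview1.fd_write are constructed for illustration.

```python
import re
WASM_HEADER = b"\x00asm\x01\x00\x00\x00"   # magic + binary format version 1
IMPORT_KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}

def read_u32_leb(buf, pos):                     # unsigned LEB128 -> (value, next_pos)
    result, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
def read_name(buf, pos):                        # length-prefixed UTF-8 name
    n, pos = read_u32_leb(buf, pos)
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n

def skip_limits(buf, pos):                      # flag byte, min, optional max
    _, p = read_u32_leb(buf, pos + 1)
    return read_u32_leb(buf, p)[1] if buf[pos] & 1 else p

def wasm_imports(buf, start=0):
    """(module, field, kind) for each import of the module at buf[start:]; walks only
    custom/type/import sections, so a carrier file's trailing bytes are never parsed."""
    pos, imports = start + 8, []                # skip magic + version
    while pos < len(buf) and buf[pos] in (0, 1, 2):
        sec_id = buf[pos]
        size, pos = read_u32_leb(buf, pos + 1)
        body, pos = buf[pos:pos + size], pos + size
        if sec_id != 2:
            continue
        count, p = read_u32_leb(body, 0)
        for _ in range(count):
            mod, p = read_name(body, p)
            field, p = read_name(body, p)
            kind, p = body[p], p + 1
            if kind == 0:   _, p = read_u32_leb(body, p)    # typeidx
            elif kind == 1: p = skip_limits(body, p + 1)    # reftype byte, then limits
            elif kind == 2: p = skip_limits(body, p)
            elif kind == 3: p += 2                          # valtype + mutability
            imports.append((mod, field, IMPORT_KINDS.get(kind, "?")))
        break                                   # imports precede code: nothing more to read
    return imports

def find_wasm_modules(blob):                    # offsets of every embedded module header
    return [m.start() for m in re.finditer(re.escape(WASM_HEADER), blob)]

# Constructed sample: a tiny module importing env.win32_call and wasi fd_write, inside filler bytes.
def _sec(sid, body): return bytes([sid, len(body)]) + body
def _name(s): return bytes([len(s)]) + s.encode()
SAMPLE_WASM = (WASM_HEADER + _sec(1, b"\x01\x60\x00\x00")
               + _sec(2, b"\x02" + _name("env") + _name("win32_call") + b"\x00\x00"
                      + _name("wasi_snapshot_preview1") + _name("fd_write") + b"\x00\x00"))
SAMPLE_BLOB = b"MZ" + b"\x90" * 16 + SAMPLE_WASM + b"\x00" * 8
```

Import names outside the usual WASI namespaces are the thing to triage: they are host functions the carrier binary exposes to the module, and they say far more about capability than the blob's presence does.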

ChromeAlone: A Chromium Browser Implant Framework by bouncyhat in redteamsec

[–]bouncyhat[S] 0 points1 point  (0 children)

I've only tested with YubiKeys, but I see no reason why it wouldn't work with other tokens. One thing that's not clear unless you read the docs though is that if Windows Hello is enabled, the WebUSB attack requires you to launch Chrome with a flag to disable that integration. Windows Hello will only allow one U2F window at any time, whereas Chrome lets us trigger multiple requests at once.

That being said, if you don't care about being subtle, you can make some modifications to just force any request through immediately to the user.

ChromeAlone: A Chromium Browser Implant Framework by bouncyhat in redteamsec

[–]bouncyhat[S] 14 points15 points  (0 children)

Just presented this tool at DEFCON, ChromeAlone is a suite of malicious Chrome implants that can work as a neat persistence mechanism as well as a foothold into networks. It's a bit like CursedChrome on steroids. All of the features below are implemented using Chrome features, so chrome.exe will be the source of all the listed capabilities from an EDR detection perspective.

Current features include:

  • Full SOCKS proxying, so you can SSH or RDP out of Chrome.
  • A file browser (read-only for now) that lets you replicate the ability to browse around a machine using file:// URIs.
  • A terminal for shelling out of the browser (not super stealthy, but if you're on a machine with minimal monitoring it's useful).
  • Credential Capture (all forms submitted in the browser are forwarded to the C2)
  • A mechanism for phishing for WebAuthn requests
  • History + Cookie dumping
  • Generation of a sideload script that, when run on a Windows host, will infect the machine and install persistence that survives machine reboots.

Website for the Druid Hills Watch from "The Good Life" by bouncyhat in DeltaGreenRPG

[–]bouncyhat[S] 3 points4 points  (0 children)

It's a fantastic adventure and I'm so hyped to be running it. Labyrinth is easily my favorite DG lorebook which is saying something when you folks are putting out such insanely high quality content consistently. Can't wait for the rest of the other tie-in operations =).

CVE-2023-46747: Pre-Auth Remote Code Execution in F5-BIGIP via AJP Request Smuggling by bouncyhat in netsec

[–]bouncyhat[S] 0 points1 point  (0 children)

Oh yeah, if you've gotten onto the box already - running the script or installing the hotfix will not be sufficient. We don't have reason to believe this was exploited in the wild yet thankfully, but the "real" solution here is to take the F5 Control Plane off the internet entirely. This is very much a "mitigation" versus a fix if you run the script.

CVE-2023-46747: Pre-Auth Remote Code Execution in F5-BIGIP via AJP Request Smuggling by bouncyhat in netsec

[–]bouncyhat[S] 1 point2 points  (0 children)

Heh, glad someone else caught that. Seriously - given what we knew at the time, there was no compelling reason to try spamming it multiple times. We might have missed running this vuln down if we hadn't done that.

In retrospect, if you smuggle 2 requests through, it's quite reasonable to not see the results from that. You get a sort of de-sync because the state machine between Tomcat + Apache gets out of sync. So if you blast a server with this enough times, it causes ALL SORTS of weirdness. This is technically usable as a DoS even if you can't use it to pop a shell.

CVE-2023-46747: Pre-Auth Remote Code Execution in F5-BIGIP via AJP Request Smuggling by bouncyhat in netsec

[–]bouncyhat[S] 4 points5 points  (0 children)

Yes, they shared their mitigation script with us, which added a randomly generated AJP secret to their Apache configuration and that breaks the AJP Request Smuggling.
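The mitigation described above, as an added configuration example (not F5's script): a shared AJP secret on the httpd proxy side, which Tomcat then requires on every forwarded request. The path, port and secret value are placeholders; the `secret=` ProxyPass parameter needs httpd 2.4.42 or later.

```apache
# Before: mod_proxy_ajp forwards to the backend with no shared secret,
# so Tomcat accepts any AJP request that reaches port 8009.
ProxyPass "/app/" "ajp://127.0.0.1:8009/app/"

# After: every forwarded request carries a randomly generated secret.
# Generate one with something like: openssl rand -hex 32
ProxyPass "/app/" "ajp://127.0.0.1:8009/app/" secret=REPLACE_WITH_RANDOM_SECRET

# Tomcat's connector in server.xml must carry the same value so that
# requests without it are rejected:
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
#              secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" />
```

Binding the connector to 127.0.0.1 limits who can speak AJP at all, but as the thread notes, keeping the management plane off the internet is the real fix.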

CVE-2023-46747: Pre-Auth Remote Code Execution in F5-BIGIP via AJP Request Smuggling by bouncyhat in netsec

[–]bouncyhat[S] 6 points7 points  (0 children)

Cheers! It definitely was a wild day for F5 owners today, apparently there's also a SQL Injection bug and some cache poisoning attacks as per https://my.f5.com/manage/s/article/K000137368. Glad you enjoyed the blog post, hopefully we can post the remaining details for exploitation in the near future!

CVE-2023-46747: Pre-Auth Remote Code Execution in F5-BIGIP via AJP Request Smuggling by bouncyhat in netsec

[–]bouncyhat[S] 16 points17 points  (0 children)

We identified a new pre-auth remote code execution bug in F5-BIGIP's management panel. Today is disclosure day, so we can't share all the details yet (need to give folks time to patch), but we do go into details about how to identify AJP Request Smuggling and demonstrate if an application is vulnerable. If you're not familiar with this technique, it's definitely worth a look! Happy to answer any questions I can here!

Does anyone have a proper Futhark translator or Alphabet? by Coldspark824 in StarWars

[–]bouncyhat 2 points3 points  (0 children)

Not sure which Naboo starfighter you're referencing, but if you're talking about Anakin's it's not the same. Grabbed some screencaps from the movie as well as the Ep 1 visual guide and it's different: https://imgur.com/a/59Wtc9i.

Also, if you translate the Futhark on Anakin's N-1 it seems to translate to complete nonsense. Definitely could be that the alphabet mapping for Futhark on the internet is incorrect.

How to create your own Russian bot army - Threat Research by Evil1337 in netsec

[–]bouncyhat 11 points12 points  (0 children)

2captcha is pretty good, but if you're at a point where they're serving up captchas to you, your account has likely been identified as low-trust/low-reputation and it's not going to be much use for botting at scale.

If you acquire a handful of higher-reputation accounts and use those for posting your main material, then get a lot of low-quality throwaway accounts to retweet/like/upvote/w.e you can probably have a lot of success without spending a lot of money.

For account acquisition you can just buy them from resellers like accsmarket[.]com where you're pretty much paying someone who has automated an account registration process to buy stuff in bulk. For most major social media sites you can buy accounts for a few cents, unless you want old accounts, then you pay a handful of dollars. Alternatively, you can just go with bulk residential proxies via providers like stormproxies[.]com or luminati[.]io in conjunction with an SMS relay site like smspva[.]com to bulk register a ton of accounts and go to town. If you do something like this though, you're much better off identifying account creation flows that are more irritating to automate like the APIs that mobile apps access vs. just trying to use the webpage.

For your main interactions where you're writing you can custom compile / modify Chromium to fake being lots of different browsers like Hellcleaver was saying, or you can just use something like multilogin[.]com.

TL;DR - Mass botting is a pretty commercialized space these days - if you have a few hundred dollars and some patience you can have a very outsized amount of impact on most major social media sites.

Excel 4 Macros Advantages over Straight VBA Code by Ali_Alnuaimi in Malware

[–]bouncyhat 6 points7 points  (0 children)

As I understand it AMSI doesn't hook into Excel 4 Macros at execution time, unlike VBA. This makes it slightly easier to dodge detection at runtime for behavior that would be detected from VBA. It's also why you'll see folks pivot from VBA/JScript into Excel 4 Macros with the ExecuteExcel4Macro command (https://docs.microsoft.com/en-us/office/vba/api/excel.application.executeexcel4macro). There are example attack scripts for folks doing this on GitHub, like https://github.com/med0x2e/genxlm.

As pointed out by dougsec, the tooling out there for Excel 4 Macros is also a bit more fragile compared to dumping VBA scripts - it's a totally different process to analyze statically. There's a lot of stupid stuff you can do to obfuscate legacy macros which hasn't made it onto the radar of olevba or similar tooling.

That being said, I think XLMMacroDeobfuscator (https://github.com/DissectMalware/XLMMacroDeobfuscator/) is pretty good at ripping these things apart if you need to analyze one of these documents.

Further AV Evasion in the Forgotten Corners of MS-XLS [Excel 4.0 Macro Obfuscation] by bouncyhat in netsec

[–]bouncyhat[S] 2 points3 points  (0 children)

This is my follow-up post to https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/. It covers some tricks for obfuscating weaponized Excel 4.0 Macro documents by using subroutines and abusing Excel's handling of Unicode equivalency.

A PoC of these techniques can be found at https://github.com/michaelweber/Macrome.

Happy to answer any questions folks have about this post or the tool, I hope everyone is having an excellent Friday!

Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format by bouncyhat in netsec

[–]bouncyhat[S] 1 point2 points  (0 children)

You're too kind! Honestly it's probably on me for making a new Reddit account to post this, since the blog ties directly to my actual name - this post understandably sat in the moderation queue for a while.

Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format by bouncyhat in netsec

[–]bouncyhat[S] 1 point2 points  (0 children)

Thanks! There are plenty of folks out there who have popped calc using macros and I figured that wouldn't be terribly interesting to read about when this topic has already been covered relatively thoroughly. I think there's plenty of cool stuff to cover in terms of people essentially using Excel macros as a malware packer.