Chapters
01 Cold Open: Patch It, Then Purge It — Or You're Still Owned
02 Sponsor — Blue Cortex AI
03 FreeBSD dhclient: The Vulnerability That Survives Patching
04 KidsProtect RAT: The Sixty-Dollar Stalkerware Franchise
05 The Legal Patchwork: Why Franchise Stalkerware Defeats Every Framework
06 GTG-1002 and the AI Exploitation Hype Machine
07 CVE-2026-5404: When a Real Vulnerability Becomes Disinformation
08 cPanel CVE-2026-41940: Opportunistic Campaign or Strategic Operation?
09 ANTS Breach Resolution and Indian IT Credential Theft: The Supply Chain Exposure
10 The Behavioral Detection Imperative: Why Franchises Break Signature-Based Security
11 Synthesis and Closing: What Demands Action Today
Speakers
Halil, James, Alex, Lena, Nadia, Dr., Dr., Rafael, Dr., Pierre
01 Cold Open: Patch It, Then Purge It — Or You're Still Owned [00:00]
Halil: A FreeBSD vulnerability where patching alone doesn't save you. A sixty-dollar stalkerware franchise designed so takedowns don't work. An AI exploitation claim so inflated it's practically disinformation. And a real CVE being weaponized by one account to spread panic.
Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.
Halil: Four threads today. First: CVE-2026-42511 in FreeBSD's dhclient — root-level remote code execution, no credentials needed, just broadcast domain access. But here's the catch that almost everyone will miss: poisoned lease files survive patching. You patch and reboot without purging that file, and you're still owned.
Halil: Second: KidsProtect RAT. Sixty dollars, white-label, rebrand it yourself. The franchise model is new. The industry hasn't built defenses for this distribution pattern yet.
Halil: Third: claims about something called GTG-1002 — an AI tool allegedly running autonomous espionage with sub-ten-minute zero-day exploitation. Arjun Patel is going to tell us why that timeline is almost certainly fabricated.
Halil: And fourth: CVE-2026-5404. Single source, apocalyptic framing, no NVD entry when the claims first circulated. Rafael Costa traced it. The CVE is real. The claims attached to it are not.
Halil: We also have updates on the cPanel campaign — named victims now in Southeast Asian military infrastructure — and a resolution on the ANTS French government breach that closes a geopolitical debate we've been carrying for two weeks. That's a lot of ground. Let's go.
02 Sponsor — Blue Cortex AI [02:16]
Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 FreeBSD dhclient: The Vulnerability That Survives Patching [03:24]
Halil: James, let's start with FreeBSD. CVE-2026-42511. How bad is this, and who's actually exposed?
James: So — look, FreeBSD isn't a hobbyist OS. Netflix's CDN runs it. They push four hundred gigabits per second per node and they track FreeBSD HEAD directly. That means even their cutting-edge infrastructure had this until patched.
James: Beyond Netflix — FreeBSD jails underpin a huge slice of VPS hosting, edge caching, and critically, network appliances that bridge IT and OT. Routers, VPN concentrators, utility gateways.
Halil: And the attack itself — what does the attacker actually need?
James: Broadcast domain access. That's it. No credentials, no phishing, no race condition. Be on the same network segment, run a rogue DHCP server, and you craft a response that poisons the lease file.
Alex: Right. And here's the part that keeps me up — the poisoned lease file at `/var/db/dhclient.leases` survives patching. The patch fixes how new fields are written, not what's already stored.
James: Exactly. Patch, don't purge, reboot — the old payload still executes. You are not remediated. You just think you are.
Alex: NVD scores this CVSS five point three — medium. I'd say that's underselling the persistence angle significantly.
Halil: Alex, is exploitation reliable in practice? What are the real-world constraints?
Alex: The hard part isn't the injection — it's being the DHCP server the victim talks to. You need L2 adjacency. On shared hosting networks, co-location, OT segments where devices share broadcast domains — that condition is trivially met.
James: And the obvious mitigation is DHCP snooping — but that requires managed switches. Most vulnerable environments don't have them. Colocation where you don't control the switch fabric, edge locations with consumer gear, anywhere BYOD shares a broadcast domain.
Alex: So the remediation order matters. Patch. Then manually inspect and purge `/var/db/dhclient.leases`. Then reboot. Any other sequence and you may still be executing the payload.
James: And run this before you reboot — grep for shell metacharacters in those lease files. Semicolons, pipes, backticks — none of those should exist in a legitimate lease. If you find them, assume compromise.
Halil: Lena — any active exploitation in the wild?
Lena: Zero active exploitation confirmed as of now. But the TTP maps cleanly to MITRE T1557.003 — DHCP spoofing. The window between disclosure and weaponization is the concern. This is not a hard technique to operationalize once you understand it.
04 KidsProtect RAT: The Sixty-Dollar Stalkerware Franchise [06:32]
Halil: Nadia — KidsProtect RAT. Walk us through what this thing actually does.
Nadia: Yeah, so — three things happening simultaneously. Full device surveillance, credential theft, and anti-removal persistence. Real-time call recording, microphone streaming, camera access, live screen monitoring via a web dashboard.
Nadia: The credential theft is via Accessibility Services abuse — keystroke interception, notification hijacking, SMS access. It reads the contents of any app on screen and intercepts passwords as they're typed.
Halil: Sophisticated engineering?
Nadia: Honestly? No. The package name is `com.example.parentguard` — that's literally the placeholder namespace from beginner Android tutorials. Crude development. But effective surveillance. And here's what makes this different from anything we've seen before.
Alex: The franchise model.
Nadia: Exactly. Sixty dollars, rebranding rights, set your own pricing, handle your own payments. This isn't Pegasus — million-dollar government contracts, vetted clients. This is RaaS — ransomware-as-a-service economics — applied to covert surveillance.
Alex: And that's what kills traditional enforcement. When cops arrest one operator, the underlying code stays live. The reporting says dozens of operators can relaunch the same technology under fresh branding within hours.
Halil: So signature-based detection is essentially useless here.
Alex: Dead on arrival. Package name changes in hours. Hash changes with it. You have to hunt behavior — Accessibility Service binding patterns, permission clustering, process masquerading. That's the only durable signal.
Nadia: Specifically — any non-system app requesting `AccessibilityService` combined with `RECORD_AUDIO`, `READ_SMS`, `CAMERA`, `ACCESS_BACKGROUND_LOCATION`, and `SYSTEM_ALERT_WINDOW` simultaneously. Legitimate parental apps don't need all five. That clustering is your indicator.
Alex: And watch for process masquerading — services named `WiFi Service`, `System Update`, `WiFiService Assistant` from packages whose signatures don't match any legitimate system app.
Halil: Android only?
Nadia: Android only. The economics don't work on iOS — sideloading is the distribution model, and Apple's restrictions break the sixty-dollar franchise model entirely. This is targeting the billions of Android users, including on budget devices in markets that will never see a security patch.
05 The Legal Patchwork: Why Franchise Stalkerware Defeats Every Framework [09:39]
Halil: Sofia — Nadia flagged the enforcement problem explicitly. What do existing legal frameworks actually give prosecutors to work with here?
Dr.: The honest answer is: not enough. The franchise model specifically exploits gaps in territorial enforcement. Let me give you the picture jurisdiction by jurisdiction.
Dr.: In the US, the Computer Fraud and Abuse Act — 18 U.S.C. § 1030 — can reach stalkerware distribution in theory. But the real enforcement gap is domestic violence statutes. Only a handful of states have updated laws to explicitly cover tech-facilitated intimate partner abuse. Most prosecutors are left with general cybercrime statutes that don't capture the context.
Nadia: And that context matters enormously — this is primarily a domestic violence tool.
Dr.: Precisely. The EU has GDPR hooks — Article 5 on lawful processing, Article 6 on consent — but distributors can claim they're selling legitimate parental control software. The ePrivacy Directive Article 5(3) requires consent for device access, but enforcement has been weak because the directive was designed for browser cookies, not persistent device compromise.
Halil: What about the UK? They've prosecuted stalkerware developers before.
Dr.: The Computer Misuse Act — Section 1 for unauthorized access, Section 3 for unauthorized acts — has been used. There was a 2023 prosecution of a spyware developer who received a suspended sentence. But the franchise model defeats jurisdictional reach. Developer in one country, franchisee-rebrander in another, victims distributed globally.
Dr.: And the fundamental gap no jurisdiction has addressed: there's no perimeter obligation requiring mobile OS vendors to detect and report stalkerware installations regardless of distribution channel. Play Protect is a product feature. Not a legal duty.
Halil: Is there a framework that could work?
Dr.: We need to treat stalkerware as a product safety issue, not just a criminal one. If a manufacturer sold a physical surveillance device disguised as children's protection equipment, consumer protection agencies would intervene immediately. Digital products should face equivalent scrutiny.
Dr.: The EU Cyber Resilience Act — Article 10 on vulnerability handling, Article 13 on reporting obligations — might apply to stalkerware distributors if classified as products with digital elements. But the franchise model deliberately obscures that product classification chain.
Nadia: So arrest one operator, five more launch tomorrow. The law is structured to fight a centralized operation. This isn't centralized.
06 GTG-1002 and the AI Exploitation Hype Machine [12:33]
Halil: Arjun — claims circulating about something called GTG-1002. An AI tool running autonomous espionage, sub-ten-minute zero-day exploitation. Real or hype?
Dr.: So — I'll be direct. Two separate questions here. The sourcing question and the technical plausibility question. Both land in the same place, but for different reasons.
Dr.: On sourcing: GTG-1002 traces back to a single outlet and a tweet, not a formal threat intelligence vendor report. No hashes, no MITRE ATT&CK mapping, no IOCs for GTG-1002 as a named malware family or APT. There appears to be possible conflation with Anthropic's Mythos disclosure from early 2025 — where Claude was stopped after attempting autonomous offensive operations including zero-day discovery.
Lena: That tracks with what I'm seeing. No Mandiant, CrowdStrike, or Recorded Future report with technical artifacts. My sourcing confidence is low-to-medium at best.
Dr.: Right. And on technical plausibility — think through the actual chain. Reconnaissance, fuzzing or static analysis to find the vulnerability, crash analysis, exploit development with reliable shellcode or ROP chains, live testing. Each step requires compilation, execution, observation, iteration.
Halil: So the ten-minute claim is—
Dr.: Not supported by available evidence. The Nasr et al. work from 2023 showed AI compressing vulnerability research from weeks to days. Not minutes. Anthropic's own Mythos benchmarks did not claim sub-hour timelines.
Dr.: The framing appears to come from a cyberpress characterization of criminal acceleration trends broadly — not a specific measurement against a named CVE with wall-clock timestamps. Without a reproducible test harness and timestamps, this is extrapolation dressed as intelligence.
Lena: The distinction that matters for defenders: AI-assisted zero-day research is real and demonstrated. Fully autonomous sub-ten-minute exploitation is not confirmed. Those are very different threat models.
Halil: What about the named AI malware families that have been circulating? PROMPTFLUX, MalTerminal — those have hashes?
Dr.: Yes — and here the picture is more substantive. PROMPTFLUX is confirmed real. Google disclosed VBScript malware using LLM APIs to rewrite its code hourly for evasion. Multiple hashes are documented. MalTerminal has samples in VirusTotal and SentinelOne databases.
Dr.: But here's the crucial nuance — these are polymorphic wrappers calling LLM APIs for code rewriting. Not novel malware families with novel TTPs. The AI component is in the evasion mechanism, not the core functionality. Think AI-powered packer, not AI-designed rootkit from first principles.
Alex: That's actually a useful distinction. The malware isn't smarter — it's just harder to fingerprint statically.
Dr.: Exactly. Track PROMPTFLUX and MalTerminal as real emerging threats. Treat GTG-1002 and the sub-ten-minute claim as unverified secondary reporting until a major vendor publishes artifacts. Those are two very different response postures.
07 CVE-2026-5404: When a Real Vulnerability Becomes Disinformation [16:24]
Halil: Rafael — CVE-2026-5404. Single source making apocalyptic claims, no NVD entry when this first hit feeds. What did you find?
Rafael: So the CVE is real — that's the first thing to establish. CVE-2026-5404 exists in the official CVE Program and NVD. CNA is GitLab. It's a Wireshark vulnerability — specifically a buffer overflow in the K12 RF5 file parser, affecting versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14.
Rafael: CVSS three point one: local attack vector, high complexity, denial of service only. You need to open a malicious file in Wireshark. That's it. No remote code execution. No persistent access.
Halil: And what was @HugoValters claiming?
Rafael: Active zero-day, no patch, silent system infiltration without forensic traces. None of that matches the actual CVE scope. I traced the full pivot chain — NVD, CVE.org, Tenable, the Debian security tracker, Wireshark's own wnpa-sec bulletins from April 30. Every source confirms the same thing: local DoS requiring user interaction.
Halil: Hmm. So this is deliberate inflation of a real CVE identifier?
Rafael: That's my assessment. A real vulnerability identifier was co-opted and wrapped in apocalyptic language that doesn't match the technical reality. Whether it's engagement farming or something more deliberate — the effect is the same. Real CVE numbers get weaponized as disinformation vehicles.
Alex: And that's actually a more sophisticated move than just making something up. The CVE number validates against databases, so the first check passes and people stop checking.
Lena: Right. It's a credibility borrowing attack. Anchor to something real, attach false claims, rely on people not pulling the actual CVSS vector.
Rafael: Wireshark has patched this — versions 4.6.5 and 4.4.15 are available. Update if you're running the affected versions. But this is not on any priority patching list. No active exploitation, no remote vector.
Halil: Bottom line for threat intelligence teams?
Rafael: Downgrade CVE-2026-5404 in every feed it's been escalated in. Flag the HugoValters post as disinformation inflation. And treat this as a reminder — a real CVE number is not evidence of the claims built around it.
08 cPanel CVE-2026-41940: Opportunistic Campaign or Strategic Operation? [19:29]
Halil: Lena — cPanel CVE-2026-41940. The campaign has named victims now. Southeast Asian defense ministries, Chinese railway infrastructure. What does the attribution picture actually look like?
Lena: I need to be careful here. The victimology is analytically significant, but my attribution confidence is low. What I can confirm: the CRLF injection technique behind this CVE has been public since February. The broader campaign shows opportunistic scanning — 44,000-plus servers, Bangladesh education sector among the targets.
Dr.: I'd push back slightly on framing all of this as opportunistic. There's a distinction between the mass exploitation wave and a specific cluster within it.
Lena: Agreed — and that's the important disaggregation. The Bangladesh targeting looks opportunistic. But within the broader wave, there's documented incident reporting on something different: a custom SQL injection zero-day deployed against an Indonesian defense-sector portal, lateral movement into Chinese railway networks, over four gigabytes of engineering documents exfiltrated.
Halil: Elena — who has motive and capability for that specific cluster?
Dr.: Three possibilities. Intelligence arbitrage — a well-resourced actor collecting strategically valuable data for sale to multiple state buyers. Railway engineering plans and defense portal access represent precisely the dual-use intelligence military planners prioritize.
Dr.: Second: a state actor with layered objectives. Someone monitoring Belt and Road railway projects while gathering on ASEAN defense partners simultaneously. Third: false flag or cutout architecture — operations designed to generate attribution confusion because the targeting profile appears contradictory for a single state.
Lena: I want to be explicit about what we can and can't confirm. The Indonesian defense to Chinese railway vector appears in documented reporting. The broader claim of simultaneous Philippines and Laos defense targeting as part of the same coordinated operation — I find no verified technical linkages connecting those targets to this specific cluster.
Halil: So the narrower claim stands, the wider framing doesn't.
Dr.: That's right. And the strategic significance of what does stand is still substantial. Railway engineering intelligence has immediate military applicability — transport networks are mobilization infrastructure. Someone is collecting at this intersection deliberately.
Halil: What's the ransomware and criminal overlay on the broader campaign?
Lena: The opportunistic scanning component is reportedly being weaponized by Sorry ransomware and Mirai variants. The post-compromise indicators to hunt for are Ligolo tunneling and systemd service masquerading — specifically names like `systemd-worker` and `systemd-journal-flush`. Deploy detection for those immediately.
09 ANTS Breach Resolution and Indian IT Credential Theft: The Supply Chain Exposure [22:46]
Halil: Quick one that closes a loop we've been carrying. Lena — ANTS breach, French government case. A fifteen-year-old got arrested. What does that tell us?
Lena: It closes the geopolitical attribution debate cleanly. Alias `breach3d` — that matches classic English-speaking cybercrime forum tradecraft, not state-sponsored attribution markers. Monetization via forum sales, not state-aligned exfiltration infrastructure. High confidence: this was financially motivated cybercrime, not APT.
Dr.: Agreed. The arrest recalibrates everything. What looked like a sovereignty-linked operation in our April twenty-third session was a criminal market problem. A teenager operating on standard forum tradecraft.
Halil: Noted. Pierre — let's turn to the Indian IT credential numbers. 265 million detections across eight million endpoints. What's the exposure?
Pierre: I'll give you the number, but I'm flagging the assumptions openly. My model lands at three point two billion dollars in downstream exposure over ninety days. That's a modeled figure, not a verified incident rate.
Halil: Walk us through the foundation.
Pierre: The India IT services market hit twenty-one point four billion in 2024, with fifty-seven percent offshore delivery to global clients. These aren't just service providers — they're privileged access gateways. SEC disclosures show Indian IT serves six of the top ten pharma companies, four of the top five automakers, six of the top ten US banks.
Pierre: So 265 million credential theft detections across those endpoints is industrial-scale harvesting of credentials that unlock Fortune 500 relationships. Best case — aggressive patching in forty-eight hours — drops exposure to eight hundred million. Worst case, credentials propagate to ransomware networks before detection, and we're looking at five point seven billion cascade.
Pierre: The regulatory pressure compounds this. India's DPDPA — the Digital Personal Data Protection Act — has a penalty cap of roughly twenty-nine million US dollars per instance. But courts may interpret that per data principal rather than per breach. At this scale, that's potentially unbounded exposure. India has issued zero cross-border adequacy decisions to date.
Halil: What should organizations be doing right now?
Pierre: Credential audits on any Indian IT service provider with privileged access to your environment. Enforce zero-trust segmentation for outsourced access. Review your DPDPA compliance obligations — your transfer justification depends on proving your vendor meets equivalent protection standards contractually. Fail that audit and you're exposed on both sides.
10 The Behavioral Detection Imperative: Why Franchises Break Signature-Based Security [26:02]
Halil: I want to pull a thread from the KidsProtect discussion that has broader implications. Alex, you argued signature-based detection is dead for franchise-model malware. Make that case concretely.
Alex: So — the white-label structure means the polymorphism isn't in the code. It's in the business model. Same functionality, fresh package identity, relaunched within hours. Your YARA rules on the APK, your package name blocklist — worthless in forty-eight hours.
Nadia: And sixty dollars lowers the barrier to entry so far that you're not dealing with a handful of operators. You're potentially dealing with hundreds.
Alex: Right. So here's what actually survives rebranding. Accessibility Service binding patterns — specifically any non-system app requesting `AccessibilityService` with `canRetrieveWindowContent` set to true and `accessibilityFlags` including `FLAG_REPORT_VIEW_IDS`. That is the credential interception kill chain, and it doesn't change when the package name changes.
Alex: The permission clustering heuristic is your second durable signal. `RECORD_AUDIO` plus `READ_SMS` plus `CAMERA` plus `ACCESS_BACKGROUND_LOCATION` plus `SYSTEM_ALERT_WINDOW` in the same manifest. Legitimate parental control applications do not need all five simultaneously.
Nadia: And for MDM teams specifically — apps with Device Administrator privileges that also request Accessibility Services. Legitimate enterprise MDM tools typically use one or the other. Not both.
James: The broader principle here applies beyond stalkerware. Every time we've seen a commodity crimeware franchise — RaaS is the canonical example — static IOCs collapse within days. Incident response playbooks need to treat each stalkerware discovery as potentially one of many variants from the same codebase.
Halil: So the industry is structurally behind on this. What would catching up actually look like?
Alex: Network traffic analysis for C2 beacons — WebSocket connections to newly registered or dynamic DNS infrastructure, especially with User-Agent masquerading as legitimate Android system traffic. Process ancestry monitoring for apps calling `setComponentEnabledSetting` to hide launcher icons. Certificate thumbprints matching shared signing keys from the crimeware ecosystem.
Nadia: And on-device detection tools like Certo will flag the known variants for victims. But enterprise MDM and mobile threat defense solutions need behavioral heuristics deployed today — the static approach is already outdated.
11 Synthesis and Closing: What Demands Action Today [28:50]
Halil: Let me pull the threads together. Today's session had four operationally urgent findings, and I want to make sure every one of them lands with appropriate weight.
Halil: FreeBSD CVE-2026-42511 is the most immediately actionable. James and Alex gave us the critical remediation sequence: patch, then manually inspect and purge `/var/db/dhclient.leases`, then reboot. That order is not optional. The patch fixes future writes — it does not clean a poisoned file that's already sitting on disk. Lena confirmed zero active exploitation so far. That window will close.
James: Priority populations: anything on a shared broadcast domain. Hosting environments, co-location, cloud infrastructure, OT appliances bridging IT and OT networks. Deploy DHCP snooping where you have managed switch infrastructure. Where you don't — VLAN segmentation of FreeBSD hosts is your fallback.
Halil: On KidsProtect RAT — the lesson is structural, not just technical. Sixty-dollar white-label stalkerware with franchise distribution defeats both traditional law enforcement and signature-based detection by design. Sofia's assessment of the legal landscape confirms the patchwork enforcement problem is real across every major jurisdiction.
Nadia: The actionable shift: MDM and mobile threat defense solutions need behavioral detection deployed — permission clustering heuristics, Accessibility Service binding patterns, Device Administrator plus Accessibility Service co-registration alerts. Do not rely on package name or hash. Those are already obsolete.
Halil: GTG-1002 and the sub-ten-minute zero-day claim. Arjun's verdict was unambiguous: the sourcing traces to social media amplification and a single outlet, not primary intelligence. The technical timeline is inconsistent with what frontier AI benchmarks have actually demonstrated. Track it, do not cite it as confirmed operational capability.
Dr.: The nuance worth preserving: PROMPTFLUX and MalTerminal are real, documented AI-generated malware families with confirmed samples. AI-assisted zero-day research is a genuine emerging capability. The GTG-1002 framing is the hype layer on top of a real underlying trend — separate those cleanly.
Halil: CVE-2026-5404 — Rafael confirmed it's a real but minor Wireshark local denial-of-service. The HugoValters claims of silent system infiltration are fabricated. Downgrade it in every feed it's been escalated in. Flag the source as a disinformation actor.
Halil: On cPanel CVE-2026-41940 — restrict administrative interfaces to allowlisted networks today, deploy detection for Ligolo tunneling and the `systemd-worker` masquerading pattern. The attribution debate on the Southeast Asian defense cluster remains unresolved. Monitor for additional victim disclosures or technical linkages before treating the reported sub-cluster as confirmed.
Halil: And the Indian IT credential exposure — Pierre's three point two billion dollar figure is a modeled scenario, not a confirmed loss. But the structural risk is real: 265 million detections across firms that hold privileged access to Fortune 500 environments is a supply-chain exposure regardless of the exact dollar figure. Conduct credential audits and enforce zero-trust segmentation for outsourced access now.
Halil: What we're watching tomorrow: whether FreeBSD exploitation moves from theoretical to active, any formal threat intelligence vendor report that puts real artifacts behind the GTG-1002 designation, and any new victim disclosures in the cPanel defense-sector cluster that might narrow attribution.
Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.