ZeroDay Field Notes - Tricks, Treats, and Fresh Shells

Happy Halloween, operators. While the blue team is distracted by cheap candy and questionable costumes, the rest of us have been gifted a cauldron of new techniques and actively exploited bugs. It’s a good week for a little tricks and a lot of treats in the form of fresh shells and novel tradecraft.

It’s UncleSp1d3r. Let's get to the good stuff.

Hypervisor Hysterics: The Great VM Escape

For those of you who enjoy popping out of virtualized sandboxes, Oracle and ZDI dropped a few treats just for you. A trio of vulnerabilities in VirtualBox’s VMSVGA graphics device has been patched, but we all know hypervisor patching isn’t exactly instantaneous.

• First up is an integer overflow (CVE-2025-62589) that allows a high-privileged guest to escalate to the hypervisor context.
• It's joined by a classic stack-based buffer overflow (CVE-2025-62590) in the same component, also leading to a guest-to-host escape.
• And to round out the trifecta, an out-of-bounds read (CVE-2025-62591) can be used to leak memory from the host—perfect for bypassing ASLR on your way to exploitation.

All three were patched in Oracle's October 2025 Critical Patch Update, but require local, privileged access within the guest. Still, for any VDI or lab environment, this is prime territory.

Living Off The Compromised Land

KryptoKat here for a moment. Some of the most elegant and frustrating attacks are the ones that use the system's own tools against it. This week brought a few beauties to my attention.

TrustedSec published a fantastic piece on a reliable DLL hijack targeting the Windows Narrator. By planting a malicious msttsloc_onecoreenus.dll in a specific Speech_OneCore directory, an attacker with local admin rights can get arbitrary code execution. The really clever part is using the Accessibility "Configuration" registry key to achieve persistence, either at user logon or even as SYSTEM on the sign-in screen. The author also details a method to trigger this over RDP. It's a beautiful, built-in mechanism for staying put.

And for the operators running phishing campaigns, the SANS Internet Storm Center detailed how attackers are using invisible Unicode characters to bypass email filters. By embedding soft hyphens (U+00AD) inside a Base64-encoded subject line, keyword-based scanners miss the bait, but email clients like Outlook render the subject perfectly. It's a simple, effective trick to make sure your payloads land in the inbox.

Browser Bugs and AI Agent Antics

It’s UncleSp1d3r again. The browser remains one of the most fertile grounds for exploitation, and now we have AI-powered browsers to make things even more interesting.

Brave's research team and The Register have been having a field day with so-called "agentic" AI browsers like OpenAI's Atlas and Perplexity's Comet. Their latest findings show how indirect prompt injection can coerce these browsers into exfiltrating data from a user's authenticated sessions. By hiding instructions in web content (even in screenshots!), they can make the agent open the user's Gmail and send the latest email subject to an attacker-controlled URL. In a similar vein, researchers at LayerX found a CSRF-based flaw in ChatGPT Atlas that lets an attacker plant malicious instructions in the browser's persistent memory, ready to be triggered later.

If subtlety isn't your style, a new proof-of-concept called "Brash" demonstrates a simple denial-of-service attack against all Chromium-based browsers. By flooding document.title with updates, a single malicious URL can freeze and crash Chrome, Edge, Brave, and others within about 15 seconds. It’s low-complexity, high-impact, and a great way to disrupt anything from a trading terminal to a SOC analyst's workflow.

Ransomware Gets a Linux-on-Windows Upgrade

The Qilin ransomware crew (also known as Agenda) is showing some impressive operational flexibility. According to Trend Micro, their latest campaigns are a masterclass in hybrid-environment compromise. Affiliates are gaining access via stolen creds, then abusing RMM tools like Atera, AnyDesk, and ScreenConnect to move laterally.

Here’s where it gets interesting for us. They use a "Bring Your Own Vulnerable Driver" attack with eskle.sys to kill EDR and AV processes. Then, they transfer a Linux ransomware binary to the compromised Windows hosts and execute it—likely via the Windows Subsystem for Linux (WSL). This allows them to encrypt not just Windows files, but also workloads on VMware ESXi and Nutanix AHV, all from a single compromised Windows endpoint. It's a smart, efficient way to cause maximum damage across a hybrid environment.

That's your lot for this week. It's a good time to be on offense. Go out there and get your shells. And try not to eat too much of the blue team's candy on your way out.

— UncleSp1d3r