I fought the LLVM and I lost
Obfuscation vs The Optimizer: A Battle in LLVM Middle End.
Robert Yates shows us how the continuous improvement of the LLVM optimizer defeats naive code obfuscation, and how the obfuscator can fight back.
An eternal fight in which all victories are ephemeral
blog.quarkslab.com/obfuscation-...
Rerversering of all the NSA things!
๐คEver wondered how your favorite tools work under the hood? During our work on SightHouse, we dug into BSIM, Ghidra's Binary function SIMilarity engine.
Many tools have been built around it, yet its internals remained undocumented. Until now ๐
blog.quarkslab.com/bsim-explain...
yep, it is a car and a TCU, and yes, it is AI generated. Sorry.
๐ We traced a carโs life from China to Poland.
By analyzing a BYD Telematic Control Unit, Romain Marchand econstructed its journey and identified a real-world event from GPS logs alone.
Embedded forensics + OSINT = real stories hidden in data.
๐ blog.quarkslab.com/tearing-down...
After Mathieu Farrell found 3 LPEs in Intego antivirus for macOS, Lucas Laise had to check the Windows version too.
Spoiler: it was vulnerable.
Here's the full write up of a symlink attack to achieve Local Privilege Escalation๐
blog.quarkslab.com/milking-the-...
Tired of reversing the same libc for the 100th time? ๐
Meet SightHouse, our open-source tool that automatically detects third-party library functions in binaries.
High-confidence function mapping. Works with any disassembler. By @Mad5quirrel & Sami.
๐ blog.quarkslab.com/sighthouse-a...
The dragon has a VM. Of course it does.
Our latest blog walks through the analysis of a complex C++ binary hiding behind a virtual machine, themed as a classic RPG fight.
QBDI & TritonDSE are your weapons of choice. The dragon doesn't stand a chance. ๐
๐ blog.quarkslab.com/qbdi-vs-trit...
Rule 1๏ธโฃ : "In WAF we (should not) trust"
Your WAF is doing its best. That's just not enough ๐ฎโ๐จ
A deep dive into Web Application Firewall bypass techniques, discovering why blocked โ doesn't always mean safe.
blog.quarkslab.com/in-waf-we-sh...
Too many skulls
"Intego X9: Never trust my updates"
Read Mathieu Farrell's research showing how XPC interprocess communications and the update mechanism of the Intego antivirus for MacOS can be abused for local privilege escalation.
blog.quarkslab.com/intego_lpe_m...
Look Ma, no sensors!
"How does it even work?"
The question that keeps hackers' hearts pumping, blood pressure rising, and curiosity growing.
This is Damien Cauquil's reverse engineering journey into a cheap smartwatch that measures at least one of those.
blog.quarkslab.com/nerd-life-we...
What if I flip this little thingie?
One bit flip to corrupt it all: Exploitation of an old Linux kernel vulnerability using PageJack, a modern technique to create Use After Free bugs.
Here Jean Vincent shows you how
blog.quarkslab.com/pagejack-in-...
If you glitch one, can you glitch many?
Extracting automotive firmware is a challenge.
@phil-barr3tt.bsky.social explains how he bypassed the IDCODE protection in several variants of the RH850 MCU family using both voltage glitching and side-channel analysis โก๏ธ๐
blog.quarkslab.com/bypassing-de...
Reverse engineers often spend a lot of time deciphering third-party firmware libraries. At RE//verse 2026 (Fri, 5 PM), Benoit & Sami will introduce SightHouse, an open-source tool to automatically identify third-party functions and speed up analysis.
Join us!
Another antivirus ๐ก๏ธ, another unfulfilled promise ๐ฃ. @kaluche_ turns Avira's protection into a privilege escalation playground. This time: 3 LPE vectors ๐ via symlink abuse (CVE-2026-27748, CVE-2026-27750) and unsafe deserialization (CVE-2026-27749).
Find out more: blog.quarkslab.com/avira-deseri...
Why macOS AVs shouldnโt trust PIDs ๐๐ - new post by @Coiffeur0x90
Intego X9: XPC validation falls back to PID โ PID reuse + posix_spawn() shenanigans ๐ โ confused deputy / privileged methods abused ๐คก๐งจ
Lesson: PID โ identity.
Check it out ๐ blog.quarkslab.com/intego_lpe_m...
Remember whnn you didnt need an AV on your Mac? It was today
You've never been more right to doubt your MacOS antivirus software ๐ฅ
Our latest research by Mathieu Farrell shows how Intego can be abused for Local Privilege Escalation
Yes, the antivirus.
Yes, as root.
blog.quarkslab.com/intego_lpe_m...
Java is bomb you ride backwards
"Dr. Bytecode or: How I Learned to Stop Worrying and Obfuscate Java"
A tale about how @farena.in started his journey in Java software obfuscation.
blog.quarkslab.com/how-to-write...
"Use a better system prompt" is the new "sanitize your inputs", but when your #AI agent's tools don't check permissions, you've got a problem and no amount of prompting will fix it.
Check Kaluche's blog post about #AgenticAI & the Confused Deputy issue โฌ๏ธ
blog.quarkslab.com/agentic-ai-t...
@lfenergy.bsky.social EVerest underwent a security engagement facilitated by us with auditing by @quarkslab.bsky.social. This holistic security work impacts millions of EV charging stations worldwide. Read more at our blog:
ostif.org/everest-secu...
We conducted the first public third-party security assessment of EVerest, an open-source firmware stack for electric vehicle charging stations, deployed in hundreds of thousands of charging points worldwide.
The audit was mandated by @ostifofficial.bsky.social ๐
blog.quarkslab.com/everest-secu...
A decade is an eternity in security. ๐ก๏ธ
Ten years ago, we released the Clang Hardening Cheat Sheet. Today, the landscape has changed. @0xTRIKKSS & @bcreusillet break down the latest mitigations to keep your code secure.
๐Read the update: blog.quarkslab.com/clang-harden...
A modern tale of Blinkenlights, cheap Christmas shopping and curiosity, narrated by Damien Cauquil
Firmware extraction and reverse engineering of a smartwatch FTW!
blog.quarkslab.com/modern-tale-...
โ๐ฅ๏ธโ cesi n'est pas une named pipe
K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation.
A story of endpoint post-exploitation by Lucas Laise
blog.quarkslab.com/k7-antivirus...
We've been a bit excited about this one.
We are excited and honored to have partnered with Bitcoin, brink, Chaincode Labs, and @quarkslab.bsky.social to collaborate on a security audit of Bitcoin Core. This was Bitcoin Core's first external audit.
Read more at our blog: ostif.org/bitcoin-core...
Quarkslab engineers Robin David, Mihail Kirov and Kaname just completed the first public security audit of Bitcoin Core, led by
@ostifofficial.bsky.social and funded by Brink.dev
Details on the blog post:
blog.quarkslab.com/bitcoin-core...
Congrats to developers for such software masterpiece !
We are pleased to announce that the KubeVirt Security Audit report has been published, in collaboration with @quarkslab.bsky.social and @ostifofficial.bsky.social
Check out our blog post for all the details: kubevirt.io/2025/Announc...
KubeVirt is open source virtualization technology for Kubernetes.
Recently we worked with the @kubevirt team on a security audit sponsored by @OSTIFofficial ๐
Read a summary of our findings and find the full report here:
blog.quarkslab.com/kubevirt-sec...
Our 2025-2026 internship season has started.
Check out the list of openings and apply for fun and knowledge!
blog.quarkslab.com/internship-offers-for-the-2025-2026-season.html
From kernel oops to kernel exploit: How two little bugs (CVE-2025-23330, CVE-2025-23280) in #NVIDIA open GPU #Linux driver can lead to full system compromise.
Full technical breakdown inside, #vmalloc exploitation technique included!
blog.quarkslab.com/nvidia_gpu_k...
Unsigned FTW!
Finding a buggy driver is one thing, abusing it is another๐ง
In his latest blog post, Luis Casvella shows you how BYOVD can be used as a Reflective Rootkit Loader ! ๐
โก๏ธ blog.quarkslab.com/exploiting-l...
Signal: Yo dawg! I heard you liked ratchets, so we added a ratchet to our Double Ratchet.
Quantum computers are not quite here yet, but now's the time to get ready. After updating their protocol in 2023, @signal.org is now proposing a post-quantum version of their Double Ratchet for message encryption.
Let's see what Signal looks like now!
blog.quarkslab.com/triple-threa...