Hackercool Magazine May 2025

In this month’s “Red Team Hacking” feature, we bring you a payload creation framework that targets Dotnet on Windows targets. Why Dotnet? Because no matter which version of Windows you are running, there is always a version of Dotnet installed on it. The tool’s name is SharpShooter. Sharpshooter is a payload creation framework that creates payloads that retrieve CSHARP source code in the form of shell code and executes it on the target system. It can generate payloads in different formats like HTA, js, jse, vba, vbs, wsf, macro and slk. It can retrieve the second payload either through web or DNS or both. It can create both staged and stageless payloads and uses RC4 encryption with a random key for modest anti-virus evasion. It also has AM-SI bypass and…

If you use or manage Cisco AnyConnect VPN, then this article is for you. Cisco security team has detected a critical vulnerability in AnyConnect devices that can lead to DoS attacks by unauthenticated attackers. This vulnerability poses a signified risk to organizations that rely on secure access using Cisco AnyConnect VPN. About the vulnerability The vulnerability being tracked as CVE-2025-20271 with a CVSS score of 8.6 is due to errors in variable initialization while SSL VPN sessions are established on affected devices. The vulnerable products include Meraki MX Series: MX 64, MS64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW, MX68W, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, MX600, vMX, Z3, Z3C, Z4 and Z4C. Only the devices that have client certificate authentication enabled are vulnerable. Threat actors used…

In our last month’s Issue, you have learnt about AsyncRAT, its features and how to compile both server and client of AsyncRAT. In this Issue, you will see what all can we do with it practically. For this, we will be using Windows 10 as our target. So, we go to AsyncRAT server and build a client as shown below. This client executable should be sent to our target user of course through social engineering. “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,”-Jirí Kropác, Director of Threat Prevention Labs at ESET, As soon as our target user executes this client application, we get a connect back or…

National Cyber Security Centre (NCSC) of UK has recently issued a critical warning about a malware campaign targeting internet facing Fortinet FortiGate 100D series firewalls which are extensively used for enterprise security. Let’s study in detail of this threat. Threat Identification Threat Actor: Umbrella malware is a modular and new malware strain that has been observed recently spreading by exploiting vulnerabilities in network edge devices. Tactics Techniques & Procedures: Umbrella malware campaign is as very sophisticated malware campaign exploiting vulnerabilities in internet facing Fortinet 100D firewalls to establish long term persistence and shell execution capabilities. It communicates with its C2C server on port 443 using fake TLS handshakes. This blends its malicious traffic with legitimate HTTPS traffic originating form that port. This malware is modular. Basically, Umbrella malware is a set of…

The makers of Kali Linux have released the second release of this year, Kali Linux 2025.2. Without delay, let’s start learning what’s new in this release. Latest features to be excited about Bloodhound Community Edition (CE): If you have been following our magazine for a bit of time like 1 or 2 years, you already know that Bloodhound was added to Kali a few releases back. In this release, it got a major upgrade. It has been updated to the latest version of the software available, Bloodhound Community Edition (CE). TicWatch Pro 3 with Kali NetHunter installed now supports wireless injection, de-authentication, and able to capture WPA2 handshakes. It is a good thing as the legacy version of Bloodhound added earlier posed us a lot of problems. Bloodhound which is…

CISA has recently warned about a vulnerability in D-Link router that is being actively exploited in real-world. The real-world exploitation was detected on June 25, 2025 and CISA immediately added it its Known Exploits and Vulnerabilities (KEV). About the vulnerability This vulnerability was disclosed in January 2024 and was given a tracking ID of CVE-2024-0769 and has been rated critical with a CVSS 3.1 score of 9.8. This vulnerability affects D-Link DIR-859 1.06Bo1 model of router. The vulnerability is a path traversal vulnerability that allows hackers to bypass normal file access restrictions and gain unauthorized access to sensitive system files. It affects the /hedwig.cgi endpoint of the router. How this vulnerability can be exploited? Handler allowing hackers to directly compromise the network infrastructure. Component with the router’s HTTP POST requests…