ITSEC Newsletter 2025-12-18

Author

Henrik Falk
December 18, 2025

How to detect Mythic activity with NDR-class solutions

This article examines methods for detecting the Mythic framework within an infrastructure by analyzing network traffic. This framework has gained significant traction among various threat actors, including Mythic Likho (Arcane Wolf) и GOFFEE (Paper Werewolf), and continues to be used in APT and other attacks.

securelist.com/detecting-mythic-in-network-traffic/118291

The Fragile Lock: Novel Bypasses For SAML Authentication

This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusion, and a new class of Void Canonicalization attacks. These techniques allow an attacker to completely bypass XML Signature validation while still presenting a perfectly valid SAML document to the application.

portswigger.net/research/the-fragile-lock

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

This year at Black Hat Europe, Piotr Bazydlo presented “SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL”. This research ultimately led to the identification of new primitives in the .NET Framework that, while Microsoft decided deserved DONOTFIX (repeatedly), were successfully weaponized against enterprise-grade appliances to achieve Remote Code Execution.

labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl