About:

Haxrob is interested in mobile security and UNIX systems, documenting side projects on haxrob.net.

Interests:

Mobile/telco security
UNIX-like systems
Mobile and IoT security research
This post discusses a technique in Linux using mount namespaces to conceal files and processes from all users, including root. It explains how to create a 'stashspace' using tmpfs to hide artifacts and perform process masquerading...
The BPFDoor malware has been in the media spotlight again, with recent variants evading existing detections. This text provides a detailed analysis of the changes in the malware, including detection evasion improvements, file desc...
The text discusses the BPFDoor malware, its origins, and evolution. It compares it to an earlier program called sniffdoor, and explores the changes and improvements made in BPFDoor over time. It also delves into the potential deve...

FASTCash for Linux

2024-10-13

This post analyzes a newly identified variant of FASTCash 'payment switch' malware which specifically targets the Linux operating system. The term 'FASTCash' is used to refer to the DPRK attributed malware that is installed on pay...
The post details a defence evasion technique that overcomes a pitfall on Solaris and the BSDs, discussed in part 1. The technique is extended to Linux with additional anti-forensic behaviours to provide additional stealth, such as...
The post explores the defence evasion technique of dynamically modifying process names in UNIX-like systems. It discusses the history of the technique, its use by threat actors, and various ways to 'process masquerade' or 'process...
The post discusses the class action lawsuit against Meta, claiming that Facebook intercepted users' encrypted HTTPS traffic using a MITM attack. It provides a technical summary of the Onavo Protect Android app and how it intercept...
GTPDOOR is a Linux-based malware designed to be deployed on telco networks adjacent to the GRX with the feature of communicating C2 traffic over GTP-C signalling messages. It can blend in with normal traffic and reuse already perm...
The text is an investigation into the data a connected toothbrush app was sending out to the Internet. The author found that the app was well-behaved and did not send out sensitive data, but it did share data with third parties. T...
The text discusses a specific issue with AFL++ and how to solve it by setting LD_BIND_LAZY=1 when running afl-fuzz. It explains the dynamic linking process and how to avoid runtime linking errors. The author also provides backgrou...
This post is a continuation of the research into the BM2 Battery Monitor product which was found to be covertly collecting a significant amount of location data. In this post we will look at two ways of obtaining the firmware from...
The investigation was done live over X / Twitter to find out what changes had been made after the exposé on a popular car battery monitor. The developer removed the 3rd party library that was siphoning up cell tower and Wi-Fi data...
The text is about a smart Wi-Fi plug that has some security issues and almost killed the author. The author explores the plug and discovers that it leaks Wi-Fi access point SSID directly from the device. The plug also requests loc...
The post is a series of tweets from Twitter / X where the author live tweeted the activity of finding out why a connected lightbulb app was asking for location permissions. The author discovered that the app opportunistically siph...
The text is about reversing the BLE protocol of the BM2 Battery Monitor. It explores the Bluetooth Low Energy implementation of the BM2 application, decryption of characteristics messages, and the anti-piracy feature. It also disc...
The post provides an analysis of the AMap mobile location services SDK, including its functionality, network traffic, encryption, and outbound traffic. It discusses the process of collecting and encrypting location information, th...
The text discusses the discovery of a Bluetooth enabled battery monitor that covertly tracks users' physical location, collecting GPS coordinates, cell phone tower data, and nearby Wi-Fi beacons. The data is sent to servers in Hong...
The post documents a method to extract the firmware from a TP-Link VR1600 router. It discusses the hidden super user account, the possibility to connect to the serial/UART of the Broadcom SoC, and the process of dumping the flash ...