Doppelganger: An Advanced LSASS Dumper with Process Cloning

Github Repo: https://github.com/vari-sh/RedTeamGrimoire/tree/main/Doppelganger

What is LSASS?

The Local Security Authority Subsystem Service (LSASS) is a core component of the Windows operating system, responsible for enforcing the security policy on the system. LSASS is a process that runs as lsass.exe and plays a fundamental role in: User authentication: It verifies users logging into the system, interacting with authentication protocols such as NTLM and Kerberos. Credential management: It...

Exploring the LockBit Panel Breach – What Logs and Chats Reveal About Ransomware-as-a-Service

On May 7, 2025, a number of domains associated with the LockBit ransomware group were subjected to a web defacement attack by an unknown individual. Visitors to the compromised domains encountered the following message, replacing the original website content: Don’t do crime. CRIME IS BAD. xoxo from Prague On the same page, a file named “paneldb_dump.zip” was available for download. This archive...

Behind The Scenes: Yarix Approach to Physical Security

TL;DR: In our experience, even organizations that you'd think are really solid often have serious gaps in their physical securitys—simply because they’ve never put their defenses to the test. And those that have invested heavily in technology frequently overlook the human factor, which remains one of the weakest links. In this post, we share a practical framework for building a physical...

Inside the Attack: The Javascript Code Behind Credit Card Theft

Introduction

This paper will describe the analysis of a JavaScript script found during the activities of the Incident Response Team. The script found turned out to be designed to steal credit card data to exfiltrate sensitive information during online transactions on an e-commerce site. The script was later found to be connected to a type of attack known as “web skimming”...