linneman
labs
building
breaking
observing
content
···
verified
home
/ glimmer
Glimmer
2026.05.15
Hello, my name is Orca
Any unprivileged app can claim Orca’s D-Bus name and read raw Wayland keystrokes - passwords included.
2026.04.24
Detection Below the Socket Layer
Malware that hand-builds its own packets slips past socket-level monitoring so the detection drops below the socket too.
2026.04.13
The DNF Numbers Station
C2 traffic indistinguishable from DNF update checks, with tasking hidden in the microseconds of Apache ETags.
2026.04.09
Building and Detecting a Rust C2 Beacon
Dual-layer encryption and a hardening pass from 1.4MB to 388K and the YARA rules that catch the beacon anyway.