linneman
labs
building
breaking
observing
content
···
verified
home
/ purple team
Purple Team
2026.05.15
Hello, my name is Orca
Any unprivileged app can claim Orca’s D-Bus name and read raw Wayland keystrokes - passwords included.
2026.05.13
Two Hops and a Shell on Ubuntu
Ubuntu’s userns AppArmor patch checks a pointer, not a property. Two profile hops chain a confined process to host root.
2026.05.11
Porting Dirty Frag to arm64
On aarch64 the rxrpc path oopses and AppArmor blocks the exploit over SSH. A complain-mode profile transition slips it through.
2026.04.24
Detection Below the Socket Layer
Malware that hand-builds its own packets slips past socket-level monitoring so the detection drops below the socket too.
2026.04.13
The DNF Numbers Station
C2 traffic indistinguishable from DNF update checks, with tasking hidden in the microseconds of Apache ETags.
2026.04.09
Building and Detecting a Rust C2 Beacon
Dual-layer encryption and a hardening pass from 1.4MB to 388K and the YARA rules that catch the beacon anyway.