Latest Insights

When Hospitality Software is Too Hospitable: an XSS Filter Bypass and a Curious SSRF in Oracle Hospitality OPERA (CVE-2026-21966, CVE-2026-21967)

Last autumn, while a typhoon hammered against the hotel windows, our offensive specialist found themselves locked into a different kind of storm – a pentest that refused to stay routine. What began as a run-of-the-mill exercise quickly spiralled into yet another thrilling adventure of vulnerability disclosure. This writeup walks through DarkLab’s discovery of a Cross-Site…

13th February 202616th February 2026

Reverse Engineering a Siemens Programmable Logic Controller for Funs and Vulns (CVE-2024-54089, CVE-2024-54090, & CVE-2025-40757)

Under the sweltering heat of the Hong Kong summer, we entered a looming building and kicked off what was supposed to be a simple penetration test. Little did we know, this ordeal would lead to panic-stricken emails, extra reports, and a few new CVEs. This is a tale of the unexpected discovery of three CVEs…

12th September 202516th February 2026

The Dark Side of SEO: Negative SEO Attacks Targeting Businesses in Asia

In June 2025, DarkLab discovered unusual search results indexed on a popular Hong Kong online platform. This led to our deep dive into another form of DNS abuse impacting legitimate entities; negative SEO. This form of SEO poisoning is known to be typically conducted by competitors as a means to damage reputation or ‘flood out’…

10th July 2025

Lurking Behind the Scenes: Keylogger Sites Impersonate Trusted Brokerage Firms for Account Takeover

In an era where digital security is rapidly evolving, cybercriminals are adapting just as quickly – finding new ways to exploit trust and user behaviour. Recent campaigns targeting stock trading accounts have revealed a critical truth: attackers are no longer just stealing credentials – they are orchestrating full account takeovers to commit high-impact financial fraud.…

6th June 202512th June 2025

Don’t do crime CRIME IS BAD – LockBit Ransomware Hacked, Exposing Operational Data

LockBit really can’t catch a break. Following a year of law enforcement disruptions and loss of affiliate base, the world mostly recently witnessed one of the most notorious Ransomware-as-a-Service (RaaS) gangs hit by yet another setback – they’ve been hacked. On a gloomy Thursday morning, our analysts awoke to news of LockBit’s hack – and…

12th May 202513th May 2025

Redirected, Taken Over, & Defaced: Breaking Down the Attacks Abusing Legitimate Hong Kong Websites

Last week, we shared our observations regarding active attacks weaponising trusted Hong Kong domains to serve users to suspicious content for SEO manipulation purposes. Collectively, we have observed over 70 cases of open redirect attacks, web defacements, and/or subdomain takeovers in Hong Kong between January and April 2025. These attacks, specifically those related to online…

22nd April 2025

Something went wrong. Please refresh the page and/or try again.