Shodan Eye: What if I could see EVERYTHING connected to the internet?

That was my question for a long time… And that’s how Shodan Eye was born.

Most people think the internet is what you browse through a browser. Websites, social media, search engines. That part is called the World Wide Web, and it is just a thin layer on top of something much larger. Underneath it, directly connected to the internet, are billions of devices that have never heard of a web page. Routers, cameras, industrial control systems, medical devices, traffic lights, refrigerators, power plants. Even devices you would never suspect. They are all online. Most of them are never meant to be found. Some of them have no password at all. Shodan Eye was built to find them.

The command server is a botnet’s one real weak point. Take it down and the bots go quiet. Operators figured this out early and built their infrastructure to survive exactly that.

This article covers how they do it. How botnets hide their command infrastructure inside Tor and I2P, how they scan for new victims without exposing themselves, and what to look for to detect it. Technical and step by step.

Google tells you the key is gone. It keeps working for 23 more minutes. When you delete a Google API key, a dialog appears that says the following: “Once deleted, it can no longer be used to make API requests.” That is the message. It is printed there by Google, presented as fact at the exact moment you think the risk is gone. It is not true.

Security researcher Joe Leon at Aikido Security spent two days testing what actually happens after a key is deleted. He created keys, deleted them, and kept firing authenticated requests at Google’s servers at three to five per second until no valid response came back. He ran ten separate trials. The shortest window before a deleted key fully stopped working was nearly eight minutes. The median was sixteen minutes. The longest was just under twenty-three minutes. During all of that time, the key was authenticating successfully on Google’s infrastructure. A deleted key. Still working.

GhostTree makes Windows Defender stop scanning. Two lines of code, no admin rights, and malware sitting right next to it goes completely undetected. A Varonis researcher published it today, confirmed it works, and Microsoft’s first response was that this does not count as a security issue. Then they patched it anyway.

Windows lets you create a folder that points to another folder. The operating system follows that pointer as if the destination is real. Most applications and scanners follow junctions transparently unless they explicitly check for reparse points, which most do not. The feature has been built in for decades and has a perfectly legitimate purpose: backward compatibility, keeping old software happy when file locations change. The Windows name for it is an NTFS junction. The part that matters for this attack: any standard user account can create one. No admin rights needed. Write access to a folder is enough, and most users already have that in their own profile and in shared directories.

Chrome keeps saved passwords locked behind one master key. VoidStealer steals that key using a tool Chrome cannot block. It does not need administrator rights, does not touch the browser’s code, and when it is done, saved passwords, open login sessions, and stored payment cards are all readable. The technique had been sitting on GitHub as open-source research for over six months. Nobody had used it in the wild until now.

Reaper swipes macOS passwords and crypto wallets, backdoors the machine, and pretends to be Apple, Microsoft, and Google in the same attack. Apple shipped an update in March to stop exactly this. Reaper already bypasses it.

Reaper belongs to a malware family called SHub Stealer, active since April 2025. SHub grew out of an earlier macOS stealer called MacSync, which itself was built on a foundation called Mac.c, first spotted in April 2025. Within months it turned into a commercial crime service, meaning the people who built the infrastructure rent access to different operators who run their own campaigns with their own targets and lures. Researchers at Malwarebytes, Jamf, Moonlock, and Microsoft’s Defender Security Research team had already documented earlier variants, but this version of Reaper does things none of the earlier builds could: a bypass of Apple’s latest security update, a persistent backdoor that survives reboots, and a method for permanently hijacking installed crypto wallet applications without triggering a single security warning.

A Windows zero-day called MiniPlasma gives any standard user full SYSTEM access on a fully patched machine. Microsoft patched it in December 2020, assigned it CVE-2020-17103, and marked it as fixed. Five and a half years later, the original Google proof-of-concept runs on a machine with all current updates installed without changing a single line of code and opens a SYSTEM shell. Microsoft patched this in 2020. It’s still there.

Google caught a criminal group that used AI to find a zero-day in a popular web admin tool and had a working exploit ready for a mass attack against thousands of systems. Google has never named the tool. The attack never launched. What gave them away was a CVSS severity score inside the code for a vulnerability that has never been officially rated. The AI made up a number that does not exist.

ssh-keysign-pwn is a newly disclosed Linux kernel vulnerability that gives any unprivileged local user direct access to the SSH host private keys of a server and every password hash stored on the system. It was reported on May 14, 2026, and a working exploit was on GitHub within hours of the patch landing.

The bug lives in a piece of kernel code called __ptrace_may_access(). This is the security check the kernel runs every time one program wants to look inside another program: reading its memory, accessing its open files. The kernel runs this check and asks: is this target process marked as safe to inspect, and does the caller have the right to do this? If either answer is no, access is denied. That is how it is supposed to work.

A folder copied to a USB stick is enough to bypass BitLocker encryption on Windows 11 and Windows Server 2022 and 2025, giving an attacker with a few minutes of physical access a command prompt with unrestricted access to everything on the encrypted drive.

The tool is called YellowKey. It was published on May 12, 2026, as a working proof of concept on GitHub. Windows 10 is not affected. There is no patch. Microsoft has not assigned a CVE number. And the researcher who found it believes it looks like something that was put there deliberately.