Wednesday, February 25, 2026
Show HN: Live iOS 26.3 exploit detection (CVE-2026-20700) – Multi-region C2 https://ift.tt/AjMsJ0Z
Public release of *ZombieHunter*, a forensics tool detecting live exploitation of CVE‑2026‑20700 (dyld memory corruption) in iOS 26.3.

Analysis of sysdiagnose archives shows identical exploit shells showing different C2 endpoints:

US Device 1 → 83.116.114.97 (EU/US)
US Device 2 → 101.99.111.110 (CN)

The rogue dyld_shared_cache slice triggers overflow via malformed `mappings_count`, executes shellcode (BL #0x15cd), and applies an AMFI bypass (`DYLD_AMFI_FAKE`) enabling unsigned code persistence.

Apple PSIRT + CISA were notified; public disclosure follows.

Sample: https://drive.google.com/file/d/1rYNGtKBMb34FQT4zLExI51sdAYR...

SHA256 artifact: ac746508938646c0cfae3f1d33f15bae718efbc7f0972426c41555e02e6f9770

Usage: `python3 zombie_auditor.py sysdiagnose_xxx.tar.gz` (Needs capstone)

Reproducible PoC confirms CVE‑2026‑20700 bypass, AMFI neutralization, and live C2 connectivity in production iOS 26.3.

https://ift.tt/62Yeg0Q February 25, 2026 at 11:32PM
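A defender-side bounds check for the header field the post names, as an added example (not ZombieHunter's code and not from the original post): it verifies that a cache file's mapping table and each mapping stay inside the file. The header layout is assumed from Apple's open-source `dyld_cache_format.h`, where the field is called `mappingCount`; the function names and sample bytes are constructed here.

```python
import struct

# Assumed layout (dyld_cache_format.h): char magic[16]; uint32 mappingOffset;
# uint32 mappingCount; ... Only these leading fields are needed for the check.
HEADER = struct.Struct("<16sII")
# dyld_cache_mapping_info: address, size, fileOffset (uint64); maxProt, initProt (uint32)
MAPPING = struct.Struct("<QQQII")

def check_mapping_table(blob):
    """Return a list of findings; an empty list means everything is in bounds."""
    if len(blob) < HEADER.size:
        return ["truncated header"]
    magic, map_off, map_count = HEADER.unpack_from(blob, 0)
    if not magic.startswith(b"dyld_v1"):
        return ["bad magic"]
    table_end = map_off + map_count * MAPPING.size
    if map_count == 0 or map_off < HEADER.size or table_end > len(blob):
        # Stop here: walking the table would read past the buffer.
        return [f"mapping table out of bounds: offset={map_off} count={map_count}"]
    findings = []
    for i in range(map_count):
        _addr, size, file_off, max_prot, init_prot = MAPPING.unpack_from(
            blob, map_off + i * MAPPING.size)
        if file_off + size > len(blob):
            findings.append(f"mapping {i} extends past end of file")
        if init_prot & ~max_prot:
            findings.append(f"mapping {i} initProt exceeds maxProt")
    return findings

def build_sample(map_count, real_entries=1, size=0x40):
    """Constructed test input (not a real cache): header, entries, zero-filled data."""
    map_off = 0x20
    hdr = HEADER.pack(b"dyld_v1  arm64e\0", map_off, map_count).ljust(map_off, b"\0")
    data_off = map_off + real_entries * MAPPING.size
    entries = b"".join(
        MAPPING.pack(0x180000000, size, data_off, 5, 5) for _ in range(real_entries))
    return hdr + entries + b"\0" * size

if __name__ == "__main__":
    print(check_mapping_table(build_sample(1)))        # consistent header
    print(check_mapping_table(build_sample(0x10000)))  # count larger than the file allows
```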