ciso brief

All news with #defense evasion tag

124 articles

AI-assisted toolkit used to evade EDR defenses

🔍 Sophos X-Ops uncovered a lab where a threat actor used AI coding tools to develop and test malware aimed at evading EDR products. The files and Git repository showed Python scripts—many partially AI-generated—used to build and iterate evasion modules against vendors including Sophos, CrowdStrike and Microsoft. Humans retained control of the workflow, using AI to accelerate building, testing and refinement while operating inside an AI-native environment.

Analysis of The Gentlemen self‑propagating ransomware

🛡️ This Microsoft Threat Intelligence blog dissects The Gentlemen, a Go-based RaaS that combines per-file ephemeral Curve25519/XChaCha20 encryption with aggressive self-propagation across networks. The post details operator models, command-line controls, speed modes, privilege elevation via scheduled tasks, and extensive defense-evasion steps including disabling Defender, deleting shadow copies, clearing logs, and terminating backup, database, virtualization, and EDR services. Practical mitigations, Defender detections, hunting queries, and IOCs are provided for defenders and incident responders.

Microsoft previews automatic device isolation feature

🛡️ Microsoft is previewing an automatic device isolation feature in Defender for Endpoint to help contain active cyberattacks by severing most network traffic while preserving connections to security services. The capability is part of its auto attack disruption tool within Defender XDR, and Microsoft says actions are time-limited and can be tuned or reversed by administrators. A new SANS Institute paper warns threshold-driven autonomous containment can be weaponized to disable user accounts, underscoring the need for careful configuration and governance.

ROADtools misuse in cloud identity attacks

🔍 ROADtools is an open-source Python toolkit for red teams and researchers that attackers have repurposed to target Microsoft Entra ID. It enumerates tenants, registers devices, and acquires or manipulates OAuth2/OpenID Connect tokens while using legitimate Microsoft APIs and configurable request attributes to evade detection. Nation-state actors have used ROADtools for discovery, persistence and defense evasion, and Palo Alto Networks outlines detection queries, mitigation recommendations and protections available via Cortex Cloud, Cortex XDR and Unit 42 services.

Fox Tempest MSaaS Disruption and Artifact Signing Abuse

🔒 Fox Tempest operated a malware-signing-as-a-service that abused Microsoft Artifact Signing to generate short-lived fraudulent code-signing certificates, allowing signed malware to bypass controls. Microsoft tracked the actor since September 2025 and disrupted the MSaaS in May 2026, revoking over one thousand certificates and targeting the infrastructure. The group used hundreds of Azure tenants, preconfigured VMs on Cloudzy, and charged customers thousands for signing malicious binaries; Microsoft provides detections, IOCs, and mitigations to help defenders respond.

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.

Microsoft Edge to stop loading cleartext passwords

🔒 Microsoft will change Edge so saved passwords are not loaded into process memory in clear text at startup. Security researcher Tom Jøran Sønstebyseter Rønning disclosed on May 4 that Edge decrypted all stored credentials at launch and released a proof-of-concept showing how attackers with Administrator privileges could dump other users' passwords. Microsoft initially described the behavior as "by design" but now says a defense-in-depth change will roll out across Stable, Beta, Dev, Canary and Extended Stable; the fix is live in Canary and will be in build 148 and newer.

Fired Employee Used AI to Hide Deletion of Federal Data

🔒 Two former hosting-company employees allegedly deleted dozens of customer and federal databases after being fired; one brother was convicted on computer-fraud and related charges. Investigators say one used a public AI chatbot to ask how to clear SQL and Windows logs, aiding evidence destruction. Experts warn this underscores failures in off-boarding and privileged access controls and call for stronger AI guardrails and real-time revocation.

ClickFix Abuses PySoxy for Dual-Channel Persistence

🛡️ ReliaQuest researchers observed ClickFix intrusions that now leverage the open-source proxy PySoxy to establish a secondary encrypted C2 path alongside an initial PowerShell controller. The April campaign used scheduled tasks for persistence and deployed Python tooling to C:\ProgramData to execute compiled .pyc modules, turning endpoints into proxy relays. This dual-channel design preserves access if the PowerShell channel is disrupted, forcing broader containment and new hunting approaches.

Malicious Claude Code Installer Steals Browser Keys

🛡️ Researchers at Ontinue warn that attackers are impersonating Anthropic’s Claude Code installer to deploy a previously undocumented PowerShell loader that evades detection and extracts browser encryption material. The campaign swaps the legitimate one-line install command for an attacker-controlled PowerShell chain, establishing stealthy persistence and exfiltration. It also abuses Chrome’s IElevator2 elevation interface to recover Application-Bound Encryption (ABE) keys introduced in Chrome 127.

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.

Inside an OPSEC Playbook: How Actors Evade Detection

🔍 Flare researchers examined a recent forum post in which a threat actor details a structured OPSEC framework aimed at sustaining high-volume carding operations while avoiding detection. The actor prescribes a three-tier architecture—public, operational, and extraction layers—with strict identity compartmentalization, residential IP rotation, and isolated cashout channels. The post highlights recurring failures like identity reuse, metadata leakage, and weak anti-fingerprinting, and recommends resilience measures such as time-delayed triggers and dead man's switches. For defenders, it underscores the need to link cross-platform identities, evolve behavioral detection, and monitor the full attack chain.

macOS LOTL Techniques Enable Stealthy Enterprise Attacks

🔍 Cisco Talos research (published 21 April) details how attackers are repurposing native macOS features to execute code, move laterally and evade detection across enterprise environments. Built-in capabilities such as Remote Application Scripting (RAS), Spotlight metadata and AppleScript can be abused to run commands, hide payloads and perform covert data transfer. The findings show gaps in visibility and recommend shifting to process-lineage analysis and tighter MDM controls to reduce exposure.

The Gentlemen RaaS Expands, Targeting Enterprise Systems

🔐 Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.

Weaponizing macOS Primitives for Movement and Execution

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.

Payouts King Abuses QEMU VMs to Evade Endpoint Security

🛡️ Researchers report the Payouts King ransomware is leveraging QEMU as a covert reverse SSH backdoor, running hidden Alpine Linux VMs to execute tools and bypass host security. Operators create a scheduled task named TPMProfiler to launch the VM as SYSTEM, use virtual disks disguised as benign files, and forward ports for remote access. The campaign—linked to STAC4713 and observed alongside a separate STAC3725 activity exploiting CitrixBleed 2—employs credential theft, robust obfuscation, and AES-256/RSA-4096 encryption. Sophos recommends hunting for unauthorized QEMU installs, suspicious SYSTEM tasks, and unusual SSH tunnels.

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AVs, edits the hosts file and persists via WMI and scheduled tasks. After registering the operator’s unclaimed update domain, Huntress sinkholed infrastructure and observed over 23,500 infected hosts checking in across 124 countries, including hundreds in high-value networks. Administrators are urged to search for specific WMI subscriptions, scheduled tasks, blocked vendor domains in hosts, and processes signed by the publisher.

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on approximately 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which systematically kills, uninstalls and blocks reinstallation of AVs. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.

STX RAT Uses Stealth Tactics to Target Finance Sector

🔐 eSentire's Threat Response Unit identified a previously undocumented remote access trojan, STX RAT, after an attempted deployment in a financial services environment in late February 2026. The malware uses multi-stage, script-based delivery and in-memory execution to evade detection, leveraging XXTEA encryption, Zlib compression and reflective PowerShell loaders. It delays credential theft until instructed by an encrypted C2 channel and implements registry autoruns and COM hijacking for persistence. Organizations should strengthen endpoint protections and limit exposure to script-based attack vectors.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.