< ciso
brief />
Tag Banner

All news with #defense evasion tag

148 articles

ACR Stealer campaigns use ClickFix lures and fileless tradecraft

🔍 Microsoft Defender Experts observed heightened ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering to lure users into running commands that ultimately harvest browser credentials, tokens, and sensitive documents. Two prevalent campaigns were detailed: one using WebDAV-delivered DLLs, staged PowerShell, Python loaders, and optional blockchain-backed dead-drop C2 resolution; the other using fileless MSHTA, obfuscated PowerShell, and steganography-assisted in-memory execution. Both aim to exfiltrate credentials and enterprise data, and Microsoft recommends monitoring for ClickFix lures, suspicious WebDAV/MSHTA activity, obfuscated PowerShell, and attempts to access browser credential stores while leveraging Defender capabilities to detect and respond.
read more →

New Windows Bind Link techniques can evade EDR

🛡️ Bitdefender researchers disclosed three techniques abusing Windows Bind Links — File-Binding, Process-Binding, and Silo-Binding — that let attackers with admin rights redirect file paths in memory so security tools see benign files while malicious payloads run. The methods exploit the bindflt.sys driver and can blind EDRs and bypass defenses like AMSI and AppLocker, though Microsoft assessed the issues as low severity because admin privileges are required.
read more →

Cursor flaw allows repo-root binaries to run

🛡️ Open a repository in Cursor on Windows and, if a file named git.exe is in the project root, Cursor runs it automatically without prompt. Whatever that binary does executes as the logged-in user and Cursor repeatedly spawns it while the project remains open. Mindgard reported the issue in December 2025, published full details seven months later, and no patch or Cursor advisory had been issued as of July 15, 2026.
read more →

LabubaRAT Rust RAT Masquerades as NVIDIA Runtime

🛡️ Cybersecurity researchers disclosed a previously undocumented Rust-based remote access trojan, LabubaRAT, which impersonates an NVIDIA runtime executable to evade detection and establish persistent access. The implant supports multiple communication channels including HTTPS, WebView2, and DNS tunneling, accepts runtime configuration via command-line arguments or Base64 payloads, and stores its settings in a local SQLite database. Once active, it profiles hosts for browsers and security products, captures screenshots, executes commands, handles files and archives, and proxies traffic via SOCKS5, enabling hands-on operations without a separate loader.
read more →

Old Microsoft-signed UEFI shims expose Secure Boot

🔒 Researchers found 11 Microsoft-signed UEFI shim bootloaders that can be abused to bypass Secure Boot on many systems, enabling execution of untrusted code during early boot. ESET and CERT/CC detail how outdated shims (mostly v0.9 and earlier) remained trusted because they were not revoked, allowing attackers to deploy UEFI bootkits and persist below the OS. Microsoft revoked affected certificates in June 2026 following disclosures.
read more →

Ransomware family exploits signed drivers to evade

🛡️ Symantec details how the GodDamn ransomware, a 2026 evolution of the Hyadina family, uses Microsoft-signed malicious drivers to disable endpoint defenses. The attackers deployed AnyDesk covertly, dropped a signed kernel driver named PoisonX disguised as a Symantec product, and used credential-stealing tools like Mimikatz to escalate access. After weakening defenses and harvesting credentials, the threat actors executed file encryption and displayed a ransom note, demonstrating continued tactical evolution.
read more →

GodDamn ransomware uses signed PoisonX kernel driver

🛡️ GodDamn is a newly observed ransomware family that employs a signed PoisonX kernel driver and a Symantec‑masquerading user‑mode tool to disable endpoint protections. First spotted on May 21, 2026, Broadcom's Threat Hunter Team attributes the lineage to the Hyadina developer and links it to earlier Beast and Monster variants. Attacks used AnyDesk, PsExec, credential harvesters and lateral movement to compromise multiple hosts before deploying the encryptor.
read more →

AI coding agents trigger endpoint behavioral detections

🛡️ Sophos analyzed a week of June 2026 telemetry and found AI coding agents like Claude Code, Cursor, and OpenAI Codex frequently trigger behavioral detection rules designed to catch human attackers. The agents perform actions—decrypting browser credentials, enumerating Windows Credential Manager, downloading files via LOLBins, and writing startup scripts—that look like malicious behavior to endpoint engines. While often benign developer automation, these behaviors overlap precisely with attacker techniques and can generate false positives. Sophos recommends scoping rules to agent parents, workspaces, and download reputations while keeping credential access tightly controlled.
read more →

Gentlemen ransomware tests identity and recovery controls

🔍 The Gentlemen ransomware highlights challenges for CISOs in stopping attackers after an initial foothold. Researchers report the malware self-propagates using legitimate Windows management tools while attempting to disable security and recovery systems. Picus Security notes the encryptor, written in Go and obfuscated with Garble, leverages multiple lateral-movement methods and targets backups, EDR, and virtualization services to hinder recovery.
read more →

TrojPix: High‑Speed Air‑Gap Data Exfiltration

🖥️ Researchers at Shandong University demonstrated TrojPix, a novel covert channel that modulates otherwise imperceptible on-screen pixels so the video cable emits a faint radio signal a nearby receiver can decode. The technique requires only user-level malware that can draw to the screen and achieved a peak throughput of 8.1 Mbps and a laboratory range reported up to 208 meters. TrojPix works without hardware changes, can hide transmissions under normal-looking content or a fake powered-off display, and was tested across multiple monitor brands and cable types.
read more →

Opera adds Paste Protect to block ClickFix attacks

🛡️ Opera has added Paste Protect, a feature that intercepts and blocks ClickFix-style attacks which trick users into copying and running malicious commands. The mechanism builds on existing Hijack protection and a new Injection protection to detect and prevent harmful content from reaching the browser clipboard across Windows, macOS, and Linux. When suspicious content is blocked, Opera shows a warning, a red indicator in the address bar, and permits viewing the first 120 characters or approving the copy after a 5-second delay. The feature is enabled by default and can be managed via Settings → Privacy & Security → Paste Protect.
read more →

ClickFix Emerges as Dominant Malware Delivery Method

🔒 Analysis by ReliaQuest shows the ClickFix social engineering technique dominated malware delivery from March to May 2026. ClickFix tricks users into pasting attacker-supplied commands into trusted dialogs like Run, Terminal, or Script Editor, allowing payloads such as infostealers to execute while evading many defenses. The method has been used to deliver Windows malware and, notably, to deploy AMOS/Atomic Stealer to macOS via Script Editor. ReliaQuest urges equal monitoring for macOS and recommends user training and administrative restrictions to mitigate ClickFix risks.
read more →

ClickFix: New social engineering that forces execution

🛡️ The ClickFix technique tricks users into executing malicious commands themselves by presenting convincing prompts like fake CAPTCHAs, Cloudflare checks, or “browser update” notices. Attackers rely on clipboard copy and instruct victims to paste commands into the Windows Run dialog, bypassing endpoint defenses that see the activity as legitimate user action. Check Point’s ThreatCloud AI team developed the ClickFix Engine, integrated into Gateways, Email Security, and Browse Security, to detect behavioral signals in page HTML and block such attacks irrespective of domain reputation.
read more →

Spyware embeds forbidden text to disrupt AI analysis

🛡️ A malware developer has begun embedding provocative text about nuclear and biological weapons inside large JavaScript block comments in spyware payloads to confuse AI-based scanners. The commented header is ignored at runtime but aims to trigger refusals or misclassification in naive LLM-powered triage systems that ingest file starts without isolating untrusted content. Traditional detection methods—YARA, entropy checks, AST parsing, and behavioral analysis—remain effective, but the technique is a practical anti-analysis tactic against weak AI-first pipelines.
read more →

GitHub updates actions/checkout to block pwn requests

🔒 GitHub is updating the official actions/checkout action to refuse common pwn request patterns by default, effective June 18, 2026, with backports planned for July 16, 2026. The change prevents checking out forked pull request head or merge commits in pull_request_target and certain workflow_run events unless authors explicitly set allow-unsafe-pr-checkout to true. This aims to reduce attacks that exploit privileged workflows to steal secrets or the GITHUB_TOKEN.
read more →

One intrusion, two attackers: uncovering parallel threats

🔍 Microsoft DART describes a complex multi-stage intrusion where two unrelated threat actors operated simultaneously, blending ransomware tactics with stealthy reconnaissance and persistence. Investigators observed exploitation attempts against on-premises SharePoint, use of legitimate tools like Velociraptor, cloud tunneling, credential misuse, and DLL sideloading to maintain access and evade detection. Coordinated telemetry correlation and threat intelligence enabled containment and targeted remediation guidance.
read more →

Weekly Recap: Browser Bugs, EDR Killers, FortiBleed

📰 This week’s recap highlights recurring attack patterns: abused integrations, poisoned websites, fake tools, and ransomware groups disabling security products. Notable incidents include the large-scale FortiBleed campaign compromising FortiGate devices, the Gentlemen RaaS developing the GentleKiller EDR-killing suite, and active exploitation of a critical Splunk flaw. Mobile and crypto-related malware campaigns also featured prominently.
read more →

RaaS group equips affiliates with EDR-killing toolkit

🔍 New research from ESET reveals that The Gentlemen ransomware-as-a-service platform now supplies affiliates with an advanced EDR killer framework called GentleKiller, alongside third-party tools like HexKiller, ThrottleBlood and HavocKiller. The leak shows affiliates can deploy bring-your-own vulnerable driver (BYOVD) techniques to gain kernel privileges and disable hundreds of EDR processes across many vendors. ESET warns this lowers the bar for less skilled attackers and urges organizations to enforce protections such as HVCI and KMCI, apply strict driver allow/block policies, and regularly audit drivers.
read more →

Spyware embeds forbidden text to foil AI analysis

🛡️ At least one malware author is inserting large comment blocks with policy-triggering content about nuclear and biological weapons into JavaScript payloads to disrupt AI-driven analysis. The decoy text sits inside comments so execution is unchanged while early-stage LLM-based triage can be confused or refuse to process the file. Traditional detection methods like YARA rules, entropy checks, and deobfuscation remain effective. This tactic targets naive pipelines that expose untrusted file starts to language models.
read more →

ClickFix campaigns expand modular malware delivery

🛡️ Multiple ClickFix campaigns have been linked to three distinct loaders — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — delivering information stealers, backdoors, RATs, and other payloads against diverse sectors. The attacks rely on social-engineered ClickFix lures that trick victims into running PowerShell or command sequences, then use staged techniques such as hidden PowerShell, DLL side-loading, in-memory shellcode, and external payload storage to evade detection. Researchers from Morphisec, BlueVoyant, and Huntress attribute the campaigns to evolving, modular loader frameworks that separate delivery, storage, execution, and payload deployment for greater stealth.
read more →