< ciso
brief />
Tag Banner

All news with #defense evasion tag

148 articles · page 2 of 8

GhostTree attack uses NTFS junctions to hide malware

🛡️ Attackers abuse NTFS junctions to create recursive directory loops that generate effectively infinite file paths, causing recursive scans and EDR products to hang. With only write access, an attacker can create junctions that point back to parent folders, producing GhostBranch or the more expansive GhostTree structures. These loops multiply possible paths exponentially, preventing file scanners from reaching malicious files and enabling evasion. Microsoft was notified and later patched the issue.
read more →

Fake AI Guides Used to Deliver AsyncRAT Trojan

🛡️ Fortinet researchers uncovered a campaign where threat actors disguise malware as AI study guides and developer resources to deliver a multi-stage attack culminating in the AsyncRAT trojan. The booby-trapped archives contain shortcut (LNK) files and hidden documents that trigger staged scripts, using trusted system tools and AutoHotkey repurposed as an execution engine to evade detection. Attackers deploy scheduled tasks disguised as Realtek services, process hollowing to run payloads inside legitimate .NET processes, and hide components in decoy files to keep victims unaware while PowerShell stages execute silently.
read more →

Miasma worm source code briefly leaked on GitHub

🛡️ The Miasma credential-stealing worm, an evolution of the Shai-Hulud toolkit, was briefly published on GitHub after threat actors uploaded it to multiple compromised accounts. The framework steals developer build and cloud credentials, compromises package registries and repositories, and propagates autonomously without C2 by abusing GitHub. Researchers note destructive 'dead-man switch' behavior and a build pipeline that randomizes payloads to evade detection, increasing supply-chain risk.
read more →

Attack Techniques Targeting Cloud Logging Services

🔍 Cloud logging services like AWS CloudTrail and Google Cloud Logging offer essential visibility into cloud activity but are also high-value targets for attackers. This article examines two primary attack goals—defense evasion and establishing continuous visibility—and demonstrates methods attackers use to disrupt or exfiltrate logs. It outlines practical attack techniques such as stopping logging, deleting storage or routers, abusing encryption keys, and log poisoning, and highlights detection and mitigation approaches.
read more →

AI-assisted toolkit used to evade EDR defenses

🔍 Sophos X-Ops uncovered a lab where a threat actor used AI coding tools to develop and test malware aimed at evading EDR products. The files and Git repository showed Python scripts—many partially AI-generated—used to build and iterate evasion modules against vendors including Sophos, CrowdStrike and Microsoft. Humans retained control of the workflow, using AI to accelerate building, testing and refinement while operating inside an AI-native environment.
read more →

Analysis of The Gentlemen self‑propagating ransomware

🛡️ This Microsoft Threat Intelligence blog dissects The Gentlemen, a Go-based RaaS that combines per-file ephemeral Curve25519/XChaCha20 encryption with aggressive self-propagation across networks. The post details operator models, command-line controls, speed modes, privilege elevation via scheduled tasks, and extensive defense-evasion steps including disabling Defender, deleting shadow copies, clearing logs, and terminating backup, database, virtualization, and EDR services. Practical mitigations, Defender detections, hunting queries, and IOCs are provided for defenders and incident responders.
read more →

Microsoft previews automatic device isolation feature

🛡️ Microsoft is previewing an automatic device isolation feature in Defender for Endpoint to help contain active cyberattacks by severing most network traffic while preserving connections to security services. The capability is part of its auto attack disruption tool within Defender XDR, and Microsoft says actions are time-limited and can be tuned or reversed by administrators. A new SANS Institute paper warns threshold-driven autonomous containment can be weaponized to disable user accounts, underscoring the need for careful configuration and governance.
read more →

ROADtools misuse in cloud identity attacks

🔍 ROADtools is an open-source Python toolkit for red teams and researchers that attackers have repurposed to target Microsoft Entra ID. It enumerates tenants, registers devices, and acquires or manipulates OAuth2/OpenID Connect tokens while using legitimate Microsoft APIs and configurable request attributes to evade detection. Nation-state actors have used ROADtools for discovery, persistence and defense evasion, and Palo Alto Networks outlines detection queries, mitigation recommendations and protections available via Cortex Cloud, Cortex XDR and Unit 42 services.
read more →

Fox Tempest MSaaS Disruption and Artifact Signing Abuse

🔒 Fox Tempest operated a malware-signing-as-a-service that abused Microsoft Artifact Signing to generate short-lived fraudulent code-signing certificates, allowing signed malware to bypass controls. Microsoft tracked the actor since September 2025 and disrupted the MSaaS in May 2026, revoking over one thousand certificates and targeting the infrastructure. The group used hundreds of Azure tenants, preconfigured VMs on Cloudzy, and charged customers thousands for signing malicious binaries; Microsoft provides detections, IOCs, and mitigations to help defenders respond.
read more →

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.
read more →

Microsoft Edge to stop loading cleartext passwords

🔒 Microsoft will change Edge so saved passwords are not loaded into process memory in clear text at startup. Security researcher Tom Jøran Sønstebyseter Rønning disclosed on May 4 that Edge decrypted all stored credentials at launch and released a proof-of-concept showing how attackers with Administrator privileges could dump other users' passwords. Microsoft initially described the behavior as "by design" but now says a defense-in-depth change will roll out across Stable, Beta, Dev, Canary and Extended Stable; the fix is live in Canary and will be in build 148 and newer.
read more →

Fired Employee Used AI to Hide Deletion of Federal Data

🔒 Two former hosting-company employees allegedly deleted dozens of customer and federal databases after being fired; one brother was convicted on computer-fraud and related charges. Investigators say one used a public AI chatbot to ask how to clear SQL and Windows logs, aiding evidence destruction. Experts warn this underscores failures in off-boarding and privileged access controls and call for stronger AI guardrails and real-time revocation.
read more →

ClickFix Abuses PySoxy for Dual-Channel Persistence

🛡️ReliaQuest researchers observed ClickFix intrusions that now leverage the open-source proxy PySoxy to establish a secondary encrypted C2 path alongside an initial PowerShell controller. The April campaign used scheduled tasks for persistence and deployed Python tooling to C:\ProgramData to execute compiled .pyc modules, turning endpoints into proxy relays. This dual-channel design preserves access if the PowerShell channel is disrupted, forcing broader containment and new hunting approaches.
read more →

Malicious Claude Code Installer Steals Browser Keys

🛡️Researchers at Ontinue warn that attackers are impersonating Anthropic’s Claude Code installer to deploy a previously undocumented PowerShell loader that evades detection and extracts browser encryption material. The campaign swaps the legitimate one-line install command for an attacker-controlled PowerShell chain, establishing stealthy persistence and exfiltration. It also abuses Chrome’s IElevator2 elevation interface to recover Application-Bound Encryption (ABE) keys introduced in Chrome 127.
read more →

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.
read more →

Inside an OPSEC Playbook: How Actors Evade Detection

🔍 Flare researchers examined a recent forum post in which a threat actor details a structured OPSEC framework aimed at sustaining high-volume carding operations while avoiding detection. The actor prescribes a three-tier architecture—public, operational, and extraction layers—with strict identity compartmentalization, residential IP rotation, and isolated cashout channels. The post highlights recurring failures like identity reuse, metadata leakage, and weak anti-fingerprinting, and recommends resilience measures such as time-delayed triggers and dead man's switches. For defenders, it underscores the need to link cross-platform identities, evolve behavioral detection, and monitor the full attack chain.
read more →

macOS LOTL Techniques Enable Stealthy Enterprise Attacks

🔍 Cisco Talos research (published 21 April) details how attackers are repurposing native macOS features to execute code, move laterally and evade detection across enterprise environments. Built-in capabilities such as Remote Application Scripting (RAS), Spotlight metadata and AppleScript can be abused to run commands, hide payloads and perform covert data transfer. The findings show gaps in visibility and recommend shifting to process-lineage analysis and tighter MDM controls to reduce exposure.
read more →

The Gentlemen RaaS Expands, Targeting Enterprise Systems

🔐 Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.
read more →

Weaponizing macOS Primitives for Movement and Execution

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.
read more →

Payouts King Abuses QEMU VMs to Evade Endpoint Security

🛡️ Researchers report the Payouts King ransomware is leveraging QEMU as a covert reverse SSH backdoor, running hidden Alpine Linux VMs to execute tools and bypass host security. Operators create a scheduled task named TPMProfiler to launch the VM as SYSTEM, use virtual disks disguised as benign files, and forward ports for remote access. The campaign—linked to STAC4713 and observed alongside a separate STAC3725 activity exploiting CitrixBleed 2—employs credential theft, robust obfuscation, and AES-256/RSA-4096 encryption. Sophos recommends hunting for unauthorized QEMU installs, suspicious SYSTEM tasks, and unusual SSH tunnels.
read more →