< ciso brief />

All news with #defense evasion tag

124 articles · page 2 of 7

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say Qilin and Warlock ransomware groups have adopted a bring-your-own vulnerable driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious DLL named msimg32.dll that side-loads a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to access physical memory and terminate over 300 EDR drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.

Microsoft: Cookie-Controlled PHP Web Shells on Linux

🍪 Microsoft Defender Security Research Team warns that threat actors are increasingly using HTTP cookies as a covert control channel for PHP-based web shells on Linux servers. Instead of passing commands via URL parameters or request bodies, attackers gate execution and convey instructions through values accessible in the PHP $_COOKIE superglobal. This technique keeps malicious code dormant during normal application activity and activates only when specific cookie values are present, reducing observable indicators. Microsoft observed multiple obfuscated loaders and a cron-driven 'self-healing' persistence model that recreates loaders and minimizes forensic visibility.

Cookie-Controlled PHP Webshell Tradecraft for Linux Hosting

🔒 Threat actors are increasingly abusing HTTP cookies as a stealthy control channel for PHP webshells on Linux hosting platforms. By gating execution on specific cookie values, attackers keep loaders dormant during normal traffic and activate functionality only when exact cookie conditions are met. Variants range from multi-stage loaders that reconstruct functions at runtime to single-file interactive shells, often using base64 reconstruction and layered obfuscation to evade detection. Review Microsoft Defender guidance to detect, hunt, and mitigate these threats.

Qilin EDR Killer: Multi-Stage msimg32.dll Loader Analysis

🔍 This Talos analysis dissects a malicious msimg32.dll used in Qilin ransomware attacks, detailing a multi-stage PE loader that evades and disables endpoint detection and response (EDR) solutions. The loader employs SEH/VEH obfuscation, syscall-stub reuse, and paging-file-backed sections to decrypt and map payloads entirely in memory without triggering hooks or ETW telemetry. The final EDR killer loads two helper drivers to perform physical memory R/W and to unprotect and terminate guarded processes, enabling it to neutralize over 300 vendor drivers.

Five Critical Steps to Achieve Business Resilience

🔒 The 2026 State of the SOC Report, based on more than 909,000 alerts observed via the Adlumin MDR at the N-able SOC between March and December 2025, lays out five practical steps to preserve operations when attackers strike. It urges layered, defense-in-depth designs that combine identity, endpoint, network, cloud, and perimeter visibility rather than relying on single-point solutions. The guidance highlights automation and SOAR to move containment and remediation to machine speed, modernized endpoint and ITDR identity controls to detect credential abuse, validated immutable backups to enable rapid recovery, and rigorous oversight of AI-driven processes to manage emerging attack surfaces.

Apple adds macOS Terminal warning to block ClickFix

⚠️ Apple has introduced a new security measure in macOS Tahoe 26.4 that delays execution when users paste commands into Terminal and displays a warning highlighting potential risks. The mechanism appears aimed at mitigating ClickFix social‑engineering attacks that trick users into pasting malicious commands. Users may cancel the paste or choose to proceed if they understand the command, and Apple has not yet published official documentation for the behavior.

EtherRAT Uses Ethereum Contracts to Evade Takedowns

🔒 eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and enables operators to rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the AD console (dsa.msc) to blend in, deployed an SFX payload (abc.exe) to encrypt systems within three hours, and removed a 'No Defender' toolkit to hide tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.

Torg Grabber infostealer targets 728 crypto wallets

🔒 Gen Digital researchers describe a rapidly evolving info‑stealer named Torg Grabber that exfiltrates data from 850 browser extensions, including 728 cryptocurrency wallets. Initial access commonly uses a clipboard hijack and a ClickFix PowerShell trick; the payload runs in memory via reflective loading, direct syscalls and heavy obfuscation. Operators migrated exfiltration to HTTPS through Cloudflare and added an App‑Bound Encryption bypass to harvest Chromium cookie data.

Predator spyware disables iOS camera and mic indicators

🔎 Cybersecurity researchers analyzed Predator, a commercial spyware component developed by Intellexa, and revealed how it disables iOS camera and microphone recording indicators. The malware intercepts communications between the system component that tracks module activity and SpringBoard, exploiting Objective‑C behavior to suppress status signals so the green/orange dots never appear. The report outlines the techniques, traces earlier dead code attempts, and offers practical mitigations for users at elevated risk.

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.

Leak Reveals Tactics and Tensions in Gentlemen Ransomware

🔍 Group-IB's March 19 report exposes operational details of the Gentlemen ransomware group after an affiliate known as hastalamuerte leaked internal information. The research describes a rapidly evolving RaaS that sprang from a Qilin ecosystem dispute and leverages a dual-extortion model, cross-platform encryption and automated lateral movement to maximize impact. Primary initial access stems from exposed FortiGate VPN devices, while advanced evasion such as BYOVD and aggressive log deletion are used to frustrate defenders and forensic analysis.

Ransomware Exfiltration Playbook: Abusing Everyday Tools

🔍 Exfiltration Framework examines how attackers repurpose legitimate OS utilities, third-party endpoint tools, and cloud clients to move sensitive data while evading traditional detections. The research shows that static IOCs and tool-blocking strategies are frequently ineffective when adversaries operate inside trusted software and infrastructure. By normalizing execution context, parent-child process relationships, network patterns, forensic artifacts, and destination characteristics, the framework exposes stable behavioral signals that persist despite masquerading, renaming, or relocation. It recommends correlating endpoint, network, and cloud telemetry, applying behavioral baselining, and focusing on cumulative transfer analysis rather than single-event or allow-list approaches.

EDR killers explained: Beyond vulnerable drivers and tactics

🔒 ESET's research examines the prevalence and mechanics of EDR killers—separate tools attackers deploy to neutralize endpoint protection immediately before executing encryptors. Based on telemetry and incident analysis of nearly 90 active samples, the blogpost covers BYOVD, anti-rootkit abuse, driverless disruption, commercialization of kits, and indicators suggestive of AI-assisted development. The authors highlight predictable affiliate-driven tooling choices and warn that driver-based attribution is often misleading; they recommend prevention-focused, multilayered defenses and rapid containment.

Zombie ZIP attack evades AV and EDR by header abuse

🧟 Researchers disclosed a technique called 'Zombie ZIP' that manipulates ZIP headers to hide DEFLATE-compressed payloads so scanners treat them as uncompressed, producing widespread false negatives in antivirus and EDR tools. The author, Chris Aziz of Bombadil Systems, published proof-of-concept archives showing scanners trust the ZIP Method field and therefore scan raw bytes instead of compressed data. CERT/CC assigned CVE-2026-0866 and recommends stricter archive validation; end users should delete archives that raise 'unsupported method' or extraction errors.

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.

The New Turing Test: Geometry-Based Sandbox Evasion

🛡️ Modern malware increasingly uses mathematical and timing checks to avoid analysis. The Picus Red Report™ 2026 found Virtualization/Sandbox Evasion (T1497) surged to the #4 technique in 2025, appearing in 20% of samples. Threats like Blitz and LummaC2 use system profiling, trigonometry-based mouse analysis, and CPU timing comparisons to detect sandboxes and abort execution. Organizations should shift from file analysis to continuous behavioral validation using AEV and BAS.

ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.

Ransomware Shift: Stealthy, Long-Term Access Tactics

🔒 Picus Security's annual red-teaming report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption as attackers prioritize double-extortion and silent leaks, often routing C2 traffic through trusted services like OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.

Aeternum C2: Blockchain-Based Botnet Resiliency and Evasion

🧭 Researchers disclosed a new botnet loader named Aeternum C2 that stores encrypted commands on the public Polygon blockchain, making its C2 infrastructure resistant to conventional takedowns. The native C++ loader (x86/x64) polls Polygon RPC endpoints to retrieve transactions written by a web panel implemented in Next.js. Operators can deploy multiple smart contracts, write immutable encrypted commands, and manage payloads with minimal operational cost while leveraging anti-analysis checks and AV-evasion scanning.