ciso brief

All news with #defense evasion tag

108 articles · page 2 of 6

The New Turing Test: Geometry-Based Sandbox Evasion

🛡️ Modern malware increasingly uses mathematical and timing checks to avoid analysis. The Picus Red Report™ 2026 found Virtualization/Sandbox Evasion (T1497) surged to the #4 technique in 2025, appearing in 20% of samples. Threats like Blitz and LummaC2 use system profiling, trigonometry-based mouse analysis, and CPU timing comparisons to detect sandboxes and abort execution. Organizations should shift from file analysis to continuous behavioral validation using AEV and BAS.
ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.
Ransomware Shift: Stealthy, Long-Term Access Tactics

🔒 Picus Security's annual red-teaming report finds ransomware operators shifting from noisy encryption to stealthy, long-term access, favoring persistence, defense evasion and data exfiltration. The firm reports a 38% drop in encryption as attackers prioritize double-extortion and silent leaks, often routing C2 traffic through trusted services like OpenAI and AWS. Experts urge stronger identity controls, monitoring of third-party integrations, and detections tuned to persistence and exfiltration.
Aeternum C2: Blockchain-Based Botnet Resiliency and Evasion

🧭 Researchers disclosed a new botnet loader named Aeternum C2 that stores encrypted commands on the public Polygon blockchain, making its C2 infrastructure resistant to conventional takedowns. The native C++ loader (x86/x64) polls Polygon RPC endpoints to retrieve transactions written by a web panel implemented in Next.js. Operators can deploy multiple smart contracts, write immutable encrypted commands, and manage payloads with minimal operational cost while leveraging anti-analysis checks and AV-evasion scanning.
UAT-10027 Campaign Delivers Dohdoor Backdoor via DoH

🔒 Cisco Talos attributes a previously undocumented activity cluster, tracked as UAT-10027, to an ongoing campaign targeting U.S. education and healthcare since December 2025. The actor deploys a novel backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for stealthy C2 and reflectively loads additional payloads into memory. Initial access is suspected to begin with social engineering and a PowerShell script that retrieves a staged batch file and malicious DLLs (observed as propsys.dll and batmeter.dll), which are launched via DLL side-loading of legitimate executables. Talos observed the adversary fronting C2 behind Cloudflare to make traffic appear as legitimate HTTPS and unhooking user-mode API hooks in NTDLL.dll to evade EDR; follow-on payloads have been assessed as Cobalt Strike beacons.
Threatsday Bulletin: Speed, Deception, and New Vectors

🔔 Recent signals show attackers moving faster and hiding in plain sight. Kali Linux added an integration with Anthropic's Claude via the Model Context Protocol to translate natural-language prompts into technical commands, enabling AI-assisted command execution in a red‑team distro. Censys analyzed ResidentBat, an Android spyware implant used for mass surveillance that exfiltrates audio, messages and files. Alongside Bitpanda-themed phishing, ClickFix-based macOS stealers, ActiveMQ-enabled LockBit intrusions and a widespread WinRAR patch lag, these developments underscore shrinking breakout times, improved cloaking and persistent patching gaps that defenders must address.
Talos: Dohdoor DoH Backdoor Targets US Education, Healthcare

🛡️ Cisco Talos reports an active campaign, observed since December 2025, in which actor UAT-10027 deployed a previously undocumented backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for covert C2. The multi-stage chain leverages phishing-delivered PowerShell to fetch a batch dropper that sideloads a disguised DLL into legitimate Windows binaries and tunnels C2 through Cloudflare’s edge. Dohdoor decrypts and reflectively executes payloads in memory, unhooks ntdll to evade EDR, and was observed targeting U.S. education and healthcare organizations.
The Evasive Adversary: Faster, Quieter, Cloud-Focused

🛡️ CrowdStrike reports that adversaries shifted in 2025 from expanding toolsets to prioritizing evasion, using AI to refine phishing, malware scripts, and reconnaissance while favoring malware-free techniques that blend with legitimate user activity. AI-enabled attacks rose 89% year over year and malware-free methods accounted for 82% of detections. Supply chain compromises, rapid zero-day weaponization, and cloud-focused intrusions amplified stealth, with big-game ransomware groups moving to remote encryption and credential abuse to minimize detection.
Notepad++ fixes harden updater, dramatically raising cost

🔐 The author of Notepad++ says the recently released updates have hardened a previously compromised update mechanism so it is now effectively unexploitable. Releases from 8.8.9 through 8.9.2 add layered checks: the updater now verifies both the signed installer and the signed XML manifest with independent cryptographic signatures and aborts on any anomaly. The auto-updater was reinforced, though users can still opt out during installation. The developer warns no system is absolutely unbreakable, but the changes substantially raise attacker cost.
AI platforms can be abused for stealthy malware communication

🛡️ Researchers at Check Point demonstrated that AI assistants with web browsing and URL-fetching capabilities can be abused as intermediaries for stealthy command-and-control (C2) communication. In their proof-of-concept, malware used Windows WebView2 to load AI services such as Grok and Microsoft Copilot, fetching attacker-controlled URLs whose content the assistant returned and the malware parsed for instructions. Because the PoC required no account or API keys, this relay can blend into trusted traffic and complicate network-level blocking and attribution; platform safeguards exist but can be evaded through obfuscation.
Notepad++ Fixes Hijacked Update Mechanism, Adds Double-Lock

🔒 Notepad++ has released version 8.9.2 to remediate a hijacked update mechanism abused by an advanced China-linked actor to selectively deliver malware. The maintainer implemented a "double lock" design that verifies both the signed installer (added in 8.8.9+) and the signed XML returned by the update server. The WinGUp auto-updater was hardened by removing libcurl.dll, dropping insecure cURL SSL options, and restricting plugin-management execution to binaries signed with WinGUp's certificate. The update also fixes a high-severity Unsafe Search Path flaw (CVE-2026-25926); users should upgrade and download installers only from the official domain.
AI-Powered Defense-in-Depth for Serverless Microservices

🛡️ This article presents a layered, AI-enhanced defense-in-depth architecture for protecting serverless microservices on AWS. It outlines seven security layers—from edge DDoS and WAF protections to identity, API gateway controls, network isolation, compute hardening, secrets management, and data encryption—integrating GuardDuty, Cognito, API Gateway, Secrets Manager, and DynamoDB. The guidance emphasizes continuous monitoring, automated incident response using Amazon Bedrock and EventBridge, and operational practices that balance security, compliance, and developer velocity.
OysterLoader: Updated C2 Infrastructure and Obfuscation

🛡️ OysterLoader has continued to evolve into early 2026, refining its command-and-control infrastructure and obfuscation methods. The C++ loader—also tracked as Broomstick and CleanUp—is typically delivered via fraudulent sites impersonating IT tools like PuTTY and WinSCP and often arrives as a signed MSI. Its multi-stage chain uses a TextShell packer, a bespoke LZMA decompression routine, dynamic API hashing and a revised three-step C2 protocol that encodes JSON with a non-standard Base64 alphabet and per-message random shifts to hinder analysis.
Four new techniques show Windows .LNK files are unsafe

⚠ Wietze Beukema disclosed four new LNK techniques that can mislead Windows users by showing harmless shortcut targets while executing different programs. He demonstrated how inconsistent fields in the LNK format — including TargetIDList, EnvironmentVariableDataBlock, LinkInfo, and paired ANSI/Unicode values — let attackers spoof visible destinations, hide command-line arguments, and run concealed binaries. These methods can enable phishing, USB-borne attacks, and stealthy initial access and rely on Windows' normal shortcut handling rather than a traditional software bug. Until mitigations or behavior changes are implemented, treat untrusted .LNK files as potentially dangerous.
Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor’s reverse connections and masquerading plus SimpleHelp’s lightweight agent and common-port operation. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.
Microsoft: LNK Shortcut Spoofing Issues Not Considered Bugs

⚠️ Security researcher Wietze Beukema disclosed several techniques at Wild West Hackin' Fest that manipulate Windows .lnk shortcut files to display a benign target in Explorer while executing a different program, including use of malformed LinkTargetIDList and EnvironmentVariableDataBlock fields. These variants can hide command-line arguments and exploit forbidden path characters to show deceptive targets such as "invoice.pdf" while invoking PowerShell or other payloads. Microsoft told the researcher it will not treat the primary finding as a security vulnerability, saying exploitation requires user interaction and pointing to Microsoft Defender, Smart App Control, and built-in warnings for downloaded .lnk files. Beukema published lnk-it-up, an open-source toolkit to generate and detect such shortcuts for testing and research.
LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social‑engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script‑based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.
Reynolds Ransomware Bundles BYOVD Driver to Evade EDR

🔒 Researchers have identified a Reynolds ransomware campaign that embeds a vulnerable NsecSoft NSecKrnl driver as a built‑in BYOVD component to terminate EDR and antivirus processes from vendors such as CrowdStrike, Symantec, Palo Alto, Sophos and Avast. Unlike typical attacks that deploy BYOVD separately, Reynolds bundles the signed but flawed driver inside the ransomware payload to quietly disable defenses. The intrusion also involved a suspicious side‑loaded loader before deployment and a subsequent GotoHTTP remote access tool, suggesting persistence and further post‑compromise activity.
Attackers Prefer Stealthy Persistence for Extortion

🦠 Picus Security's Red Report 2026 analyzed over 1.1 million malicious files and 15.5 million actions, finding attackers favor stealthy persistence and evasion to silently exfiltrate data for extortion. Process injection accounted for 30% of techniques, while adversaries routed C2 through high-reputation services like OpenAI and AWS and used stolen browser passwords to masquerade as users. The report warns that virtualization/sandbox evasion and increased technique counts make detection more challenging.
From Ransomware to Residency: The Shift to Stealth

🔍 The Picus Red Report 2026 analyzed more than 1.1 million malicious files and 15.5 million adversarial actions across 2025 and finds attackers shifting from disruptive ransomware to long-lived, stealthy residency. Rather than encrypting systems, adversaries focus on credential theft, process injection, sandbox evasion and quiet data exfiltration. The report urges defenders to prioritize behavior-based detection, credential hygiene and continuous adversarial validation to restore visibility.