CISO Brief

All news with #defense evasion tag

108 articles · page 3 of 6

EDR, Email and SASE Miss an Entire Class of Browser Attacks

🔍 Most enterprise work now takes place in the browser, yet security architectures still center on endpoints, email, and network layers. Keep Aware calls this mismatch a "safe haven" that attackers exploit with user-driven flows that leave little forensic evidence. Common techniques include click‑prompt social engineering, malicious extensions, man‑in‑the‑browser variants, and HTML smuggling — all of which can appear legitimate to EDR, email security, or SASE. Without browser-level visibility, teams struggle to prevent, reconstruct, or learn from these incidents.

Attackers Use Decade-Old Windows Driver to Disable EDR

🛡️ Huntress reported attackers used a decade-old, signed EnCase kernel driver during an early 2026 intrusion to disable EDRs via a Bring Your Own Vulnerable Driver (BYOVD) technique. The incident began after compromised SonicWall SSL VPN credentials and involved a custom “EDR killer” that decoded and installed a kernel driver (OemHwUpd.sys) to terminate protected processes from kernel mode. Because the driver was timestamped while its certificate was valid, Windows still accepts its signature, allowing attackers to load the driver and repeatedly kill security tooling. Huntress recommends enabling Microsoft’s Vulnerable Driver Blocklist, enforcing MFA on VPNs, and enabling HVCI.

DEAD#VAX Campaign Deploys Encrypted AsyncRAT In-Memory

🔒 A newly disclosed campaign dubbed DEAD#VAX leverages IPFS-hosted VHD lures and extreme script obfuscation to mount a virtual drive disguised as a PDF and load an encrypted AsyncRAT payload entirely in memory. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe a multi-stage chain using WSF, obscured batch scripts, and self-parsing PowerShell to decrypt and inject x64 shellcode into trusted, Microsoft-signed processes. The attack avoids writing a recognizable executable to disk, establishes persistence via scheduled tasks, and throttles activity to reduce detection and forensic footprint.

EDR Killer Abuses EnCase Signed Kernel Driver Widespread

🔒 A custom EDR killer discovered by Huntress abused a long-revoked EnCase kernel driver to gain kernel-level access and repeatedly terminate security processes. The 64-bit tool leverages EnPortv.sys, registers as a fake OEM service for reboot persistence, and uses a kernel IOCTL kill loop to disable 59 EDR/AV processes every second. Huntress links the activity to ransomware and recommends MFA, HVCI/Memory Integrity, WDAC, and monitoring for OEM-masquerading kernel services.

Notepad++ Update System Hijacked via Hosting Compromise

🔐 The maintainer of Notepad++ disclosed that state-sponsored actors compromised the app’s update delivery by hijacking infrastructure at the hosting-provider level, redirecting update traffic to malicious servers. The flaw affected the WinGUp updater’s verification logic, enabling intercepted traffic to fetch poisoned executables. In response, the site has been migrated to a new host and investigations are ongoing.

UK Cyber Threat Shift: Disruption Replaces Ransomware

⚠️ The UK threat landscape changed markedly in 2025: the country became the most targeted in Europe, receiving about 16% of recorded attacks. The dominant intent shifted from monetization to disruption, with defacement comprising nearly half of incidents and overtaking ransomware as the primary concern. Many organizations that built defenses around extortion found their threat models misaligned. Security teams must broaden detection, harden web-facing assets, and update incident response playbooks to address disruption-focused adversaries.

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

AppGuard Warns Against AI Hype; Expands Insider Beta

🔒 AppGuard critiques heavy reliance on AI-enhanced detection and promotes a controls-first, default-deny approach to shrink the endpoint attack surface. CEO Fatih Comlekoglu argues that AI-driven detection cannot "parse infinity," leaving defenders overwhelmed by alerts as organizations limit data ingestion. AppGuard positions its controls-based agent as requiring 10–100× fewer policy rules while auto-adapting to endpoint changes and malware techniques. The company has reopened an Insider Release for MSSPs and experienced operators to test its reengineered lightweight agent and cloud console.

GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.

Gootloader Abuses 1,000-Part ZIPs to Evade Detection

🛡️ Gootloader operators now deliver malformed ZIP archives that concatenate up to 1,000 parts to evade analysis and detection. The archived JScript unpacks successfully with Windows' built-in extractor while tools relying on 7-Zip and WinRAR often crash. Samples employ truncated EOCD entries, randomized disk fields, metadata mismatches and XOR-encoded blobs appended client-side. Researchers devised a YARA rule and advise changing the default .js opener to Notepad and blocking wscript.exe/cscript.exe where possible.

SHADOW#REACTOR campaign uses text staging to deploy Remcos

🔎 A multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, uses obfuscated VBS and heavily encoded PowerShell to stage payloads entirely in memory and avoid disk-based indicators. Attackers fetch repeated text-based fragments over HTTP, reconstruct them into a reflectively loaded .NET assembly protected with .NET Reactor, and abuse signed Microsoft binaries such as MSBuild.exe to execute the final Remcos RAT. The chain emphasizes living-off-the-land techniques, persistence and anti-analysis measures to complicate detection.

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍 Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.

Phishing Actors Exploit Complex Mail Routing and Spoofing

📧 Phishing actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to originate internally, frequently using PhaaS platforms such as Tycoon2FA. Microsoft observed increased use of this vector since May 2025, including nested redirect chains and AiTM techniques to harvest credentials. Tenants with MX records pointed to Office 365 benefit from built-in protections; others must enforce strict SPF hard-fail, DKIM signing, and DMARC reject policies and correctly configure connectors to prevent these spoofing campaigns.

Combining Arbor Edge Defense with CDN DDoS Protection

🔒 NETSCOUT's Arbor Edge Defense (AED) complements CDN-based DDoS mitigation by providing inline, on-premises protection for attacks that cloud scrubbing can miss. AED uses AI/ML-driven stateless packet processing and ATLAS threat intelligence to address application-layer, TCP state-exhaustion, and outbound threats. Together, CDN protections and AED form a layered, adaptive defense-in-depth strategy that preserves bandwidth and safeguards availability.

Chinese State Hackers Use Rootkit to Hide ToneShell

⚠️ A new ToneShell backdoor sample attributed to the Mustang Panda group was delivered via a kernel‑mode mini‑filter driver, ProjectConfiguration.sys, in attacks against government organizations in Asia. The signed driver operates as a rootkit: it injects two user‑mode payloads, blocks deletion and renaming, protects service registry keys, and alters WdFilter to interfere with Microsoft Defender. Kaspersky notes this is the first observed kernel‑mode loader for ToneShell and recommends memory forensics and provided IoCs to detect infections. The actor also updated network stealth, moving to a 4‑byte host ID and fake TLS headers.

ThreatsDay: Stealth Loaders, AI Abuse, and Trusted Tools

🔍 This week's ThreatsDay bulletin documents how attackers increasingly hide malicious activity inside everyday tools, trusted applications, and AI assistants. Investigations highlight abuse of open-source monitoring tools like Nezha, an 87% rise in NFC‑abusing Android malware, late‑2025 GuLoader waves, and prompt‑injection flaws in AI chat frontends. The report underscores the need for layered defenses, strict input validation, and rapid patching.

New MacSync Dropper Bypasses macOS Gatekeeper Checks

🛡️ Jamf researchers found a new MacSync variant delivered as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, enabling it to bypass macOS Gatekeeper checks without any direct Terminal interaction. The Mach-O binary carried a valid signature tied to Developer Team ID GNJLS3UYZ4, which Apple revoked after a report. The dropper decodes an encoded payload on disk and the stealer uses multiple evasions — inflating the DMG with decoy PDFs, wiping execution scripts, and performing internet checks to avoid sandboxed analysis — before harvesting credentials, browser data, iCloud keychain items, cryptocurrency wallet data, and files.

CountLoader and GachiLoader Campaigns Abuse Cracked Software

🔒 Cybersecurity teams disclosed linked campaigns that abuse cracked-software sites and compromised YouTube accounts to deliver modular loaders CountLoader and GachiLoader. CountLoader 3.2 is distributed via malicious ZIPs hosted on MediaFire and uses a renamed Python binary invoked through mshta.exe to establish persistence with scheduled tasks that mimic Google and fetch next-stage payloads. Check Point described GachiLoader, an obfuscated Node.js loader spread through a "YouTube Ghost Network" that deploys novel PE injection via a Kidkadi stage. Both campaigns emphasize in-memory execution, signed-binary abuse, removable-media spread, and sophisticated evasion.