
All news with #defense evasion tag


UAT-10027 Campaign Delivers Dohdoor Backdoor via DoH

🔒 Cisco Talos attributes a previously undocumented activity cluster, tracked as UAT-10027, to an ongoing campaign targeting U.S. education and healthcare organizations since December 2025. The actor deploys a novel backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for stealthy C2 and reflectively loads additional payloads into memory. Initial access is believed to begin with social engineering and a PowerShell script that retrieves a staged batch file and malicious DLLs (observed as propsys.dll and batmeter.dll), which are launched via DLL side-loading of legitimate executables. Talos observed the adversary fronting its C2 behind Cloudflare so that traffic appears to be legitimate HTTPS, and removing user-mode API hooks in NTDLL.dll to evade EDR; follow-on payloads have been assessed as Cobalt Strike beacons.

Threatsday Bulletin: Speed, Deception, and New Vectors

🔔 Recent signals show attackers moving faster and hiding in plain sight. Kali Linux added an integration with Anthropic's Claude via the Model Context Protocol to translate natural-language prompts into technical commands, enabling AI-assisted command execution in a red‑team distro. Censys analyzed ResidentBat, an Android spyware implant used for mass surveillance that exfiltrates audio, messages and files. Alongside Bitpanda-themed phishing, ClickFix-based macOS stealers, ActiveMQ-enabled LockBit intrusions and a widespread WinRAR patch lag, these developments underscore shrinking breakout times, improved cloaking and persistent patching gaps that defenders must address.

Talos: Dohdoor DoH Backdoor Targets US Education, Healthcare

🛡️ Cisco Talos reports an active campaign, observed since December 2025, in which actor UAT-10027 deployed a previously undocumented backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for covert C2. The multi-stage chain leverages phishing-delivered PowerShell to fetch a batch dropper that sideloads a disguised DLL into legitimate Windows binaries and tunnels C2 through Cloudflare’s edge. Dohdoor decrypts and reflectively executes payloads in memory, unhooks ntdll to evade EDR, and was observed targeting U.S. education and healthcare organizations.

The Evasive Adversary: Faster, Quieter, Cloud-Focused

🛡️ CrowdStrike reports that adversaries shifted in 2025 from expanding toolsets to prioritizing evasion, using AI to refine phishing, malware scripts, and reconnaissance while favoring malware-free techniques that blend with legitimate user activity. AI-enabled attacks rose 89% year over year and malware-free methods accounted for 82% of detections. Supply chain compromises, rapid zero-day weaponization, and cloud-focused intrusions amplified stealth, with big-game ransomware groups moving to remote encryption and credential abuse to minimize detection.

Notepad++ fixes harden updater, dramatically raising cost

🔐 The author of Notepad++ says the recently released updates have hardened a previously compromised update mechanism so it is now effectively unexploitable. Releases from 8.8.9 through 8.9.2 add layered checks: the updater now verifies both the signed installer and the signed XML manifest with independent cryptographic signatures and aborts on any anomaly. The auto-updater was reinforced, though users can still opt out during installation. The developer warns no system is absolutely unbreakable, but the changes substantially raise attacker cost.

AI platforms can be abused for stealthy malware communication

🛡️ Researchers at Check Point demonstrated that AI assistants with web browsing and URL-fetching capabilities can be abused as intermediaries for stealthy command-and-control (C2) communication. In their proof-of-concept, malware used Windows WebView2 to load AI services such as Grok and Microsoft Copilot, fetching attacker-controlled URLs whose content the assistant returned and the malware parsed for instructions. Because the PoC required no account or API keys, this relay can blend into trusted traffic and complicate network-level blocking and attribution; platform safeguards exist but can be evaded through obfuscation.

Notepad++ Fixes Hijacked Update Mechanism, Adds Double-Lock

🔒 Notepad++ has released version 8.9.2 to remediate a hijacked update mechanism abused by an advanced China-linked actor to selectively deliver malware. The maintainer implemented a "double lock" design that verifies both the signed installer (added in 8.8.9+) and the signed XML returned by the update server. The WinGUp auto-updater was hardened by removing libcurl.dll, dropping insecure cURL SSL options, and restricting plugin-management execution to binaries signed with WinGUp's certificate. The update also fixes a high-severity Unsafe Search Path flaw (CVE-2026-25926); users should upgrade and download installers only from the official domain.

AI-Powered Defense-in-Depth for Serverless Microservices

🛡️ This article presents a layered, AI-enhanced defense-in-depth architecture for protecting serverless microservices on AWS. It outlines seven security layers—from edge DDoS and WAF protections to identity, API gateway controls, network isolation, compute hardening, secrets management, and data encryption—integrating GuardDuty, Cognito, API Gateway, Secrets Manager, and DynamoDB. The guidance emphasizes continuous monitoring, automated incident response using Amazon Bedrock and EventBridge, and operational practices that balance security, compliance, and developer velocity.

OysterLoader: Updated C2 Infrastructure and Obfuscation

🛡️ OysterLoader has continued to evolve into early 2026, refining its command-and-control infrastructure and obfuscation methods. The C++ loader—also tracked as Broomstick and CleanUp—is typically delivered via fraudulent sites impersonating IT tools like PuTTY and WinSCP and often arrives as a signed MSI. Its multi-stage chain uses a TextShell packer, a bespoke LZMA decompression routine, dynamic API hashing and a revised three-step C2 protocol that encodes JSON with a non-standard Base64 alphabet and per-message random shifts to hinder analysis.

Four new techniques show Windows .LNK files are unsafe

⚠ Wietze Beukema disclosed four new LNK techniques that can mislead Windows users by showing harmless shortcut targets while executing different programs. He demonstrated how inconsistent fields in the LNK format — including TargetIDList, EnvironmentVariableDataBlock, LinkInfo, and paired ANSI/Unicode values — let attackers spoof visible destinations, hide command-line arguments, and run concealed binaries. These methods can enable phishing, USB-borne attacks, and stealthy initial access and rely on Windows' normal shortcut handling rather than a traditional software bug. Until mitigations or behavior changes are implemented, treat untrusted .LNK files as potentially dangerous.

Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware deployment and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor's reverse connections and masquerading capabilities, plus SimpleHelp's lightweight agent and its operation over commonly allowed ports. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.

Microsoft: LNK Shortcut Spoofing Issues Not Considered Bugs

⚠️ Security researcher Wietze Beukema disclosed several techniques at Wild West Hackin' Fest that manipulate Windows .lnk shortcut files to display a benign target in Explorer while executing a different program, including use of malformed LinkTargetIDList and EnvironmentVariableDataBlock fields. These variants can hide command-line arguments and exploit forbidden path characters to show deceptive targets such as "invoice.pdf" while invoking PowerShell or other payloads. Microsoft told the researcher it will not treat the primary finding as a security vulnerability, saying exploitation requires user interaction and pointing to Microsoft Defender, Smart App Control, and built-in warnings for downloaded .lnk files. Beukema published lnk-it-up, an open-source toolkit to generate and detect such shortcuts for testing and research.

LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social‑engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script‑based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.

Reynolds Ransomware Bundles BYOVD Driver to Evade EDR

🔒 Researchers have identified a Reynolds ransomware campaign that embeds a vulnerable NsecSoft NSecKrnl driver as a built‑in BYOVD component to terminate EDR and antivirus processes from vendors such as CrowdStrike, Symantec, Palo Alto, Sophos and Avast. Unlike typical attacks that deploy BYOVD separately, Reynolds bundles the signed but flawed driver inside the ransomware payload to quietly disable defenses. The intrusion also involved a suspicious side‑loaded loader before deployment and a subsequent GotoHTTP remote access tool, suggesting persistence and further post‑compromise activity.

Attackers Prefer Stealthy Persistence for Extortion

🦠 Picus Security's Red Report 2026 analyzed over 1.1 million malicious files and 15.5 million actions, finding attackers favor stealthy persistence and evasion to silently exfiltrate data for extortion. Process injection accounted for 30% of techniques, while adversaries routed C2 through high-reputation services like OpenAI and AWS and used stolen browser passwords to masquerade as users. The report warns that virtualization/sandbox evasion and increased technique counts make detection more challenging.

From Ransomware to Residency: The Shift to Stealth

🔍 The Picus Red Report 2026 analyzed more than 1.1 million malicious files and 15.5 million adversarial actions across 2025 and finds attackers shifting from disruptive ransomware to long-lived, stealthy residency. Rather than encrypting systems, adversaries focus on credential theft, process injection, sandbox evasion and quiet data exfiltration. The report urges defenders to prioritize behavior-based detection, credential hygiene and continuous adversarial validation to restore visibility.

EDR, Email and SASE Miss an Entire Class of Browser Attacks

🔍 Most enterprise work now takes place in the browser, yet security architectures still center on endpoints, email, and network layers. Keep Aware calls this mismatch a "safe haven" that attackers exploit with user-driven flows that leave little forensic evidence. Common techniques include click‑prompt social engineering, malicious extensions, man‑in‑the‑browser variants, and HTML smuggling — all of which can appear legitimate to EDR, email security, or SASE. Without browser-level visibility, teams struggle to prevent, reconstruct, or learn from these incidents.

Attackers Use Decade-Old Windows Driver to Disable EDR

🛡️ Huntress reported attackers used a decade-old, signed EnCase kernel driver during an early 2026 intrusion to disable EDRs via a Bring Your Own Vulnerable Driver (BYOVD) technique. The incident began after compromised SonicWall SSL VPN credentials and involved a custom “EDR killer” that decoded and installed a kernel driver (OemHwUpd.sys) to terminate protected processes from kernel mode. Because the driver was timestamped while its certificate was valid, Windows still accepts its signature, allowing attackers to load the driver and repeatedly kill security tooling. Huntress recommends enabling Microsoft’s Vulnerable Driver Blocklist, enforcing MFA on VPNs, and enabling HVCI.

DEAD#VAX Campaign Deploys Encrypted AsyncRAT In-Memory

🔒 A newly disclosed campaign dubbed DEAD#VAX leverages IPFS-hosted VHD lures and extreme script obfuscation to mount a virtual drive disguised as a PDF and load an encrypted AsyncRAT payload entirely in memory. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe a multi-stage chain using WSF, obscured batch scripts, and self-parsing PowerShell to decrypt and inject x64 shellcode into trusted, Microsoft-signed processes. The attack avoids writing a recognizable executable to disk, establishes persistence via scheduled tasks, and throttles activity to reduce detection and forensic footprint.

EDR Killer Abuses EnCase Signed Kernel Driver Widespread

🔒 A custom EDR killer discovered by Huntress abused a long-revoked EnCase kernel driver to gain kernel-level access and repeatedly terminate security processes. The 64-bit tool leverages EnPortv.sys, registers as a fake OEM service for reboot persistence, and uses a kernel IOCTL kill loop to disable 59 EDR/AV processes every second. Huntress links the activity to ransomware and recommends MFA, HVCI/Memory Integrity, WDAC, and monitoring for OEM-masquerading kernel services.