
All news with #defense evasion tag

124 articles · page 4 of 7

Notepad++ Update System Hijacked via Hosting Compromise

🔐 The maintainer of Notepad++ disclosed that state-sponsored actors compromised the app’s update delivery by hijacking infrastructure at the hosting-provider level, redirecting update traffic to malicious servers. The flaw affected the WinGUp updater’s verification logic, enabling intercepted traffic to fetch poisoned executables. In response, the site has been migrated to a new host and investigations are ongoing.

UK Cyber Threat Shift: Disruption Replaces Ransomware

⚠️ The UK threat landscape changed markedly in 2025: the country became the most targeted in Europe, receiving about 16% of recorded attacks. The dominant intent shifted from monetization to disruption, with defacement comprising nearly half of incidents and overtaking ransomware as the primary concern. Many organizations that built defenses around extortion found their threat models misaligned. Security teams must broaden detection, harden web-facing assets, and update incident response playbooks to address disruption-focused adversaries.

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

AppGuard Warns Against AI Hype; Expands Insider Beta

🔒 AppGuard critiques heavy reliance on AI-enhanced detection and promotes a controls-first, default-deny approach to shrink the endpoint attack surface. CEO Fatih Comlekoglu argues that AI-driven detection cannot "parse infinity," leaving defenders overwhelmed by alerts as organizations limit data ingestion. AppGuard positions its controls-based agent as requiring 10–100× fewer policy rules while auto-adapting to endpoint changes and malware techniques. The company has reopened an Insider Release for MSSPs and experienced operators to test its reengineered lightweight agent and cloud console.

GootLoader Employs Malformed ZIPs to Bypass Detection

🛡️ Expel researchers report that the JavaScript loader GootLoader is using deliberately malformed ZIP archives — concatenating 500–1,000 archives and truncating the EOCD — to evade analysis while remaining extractable by the default Windows unarchiver. The technique, described as hashbusting, ensures each archive is unique and frustrates automated tooling like WinRAR or 7-Zip. Distribution relies on SEO poisoning and malvertising, and the payload executes via wscript.exe, establishing persistence and launching PowerShell activity. Recommended mitigations include blocking wscript.exe/cscript.exe for downloaded content and configuring Group Policy to open .js in Notepad by default.

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.

Gootloader Abuses 1,000-Part ZIPs to Evade Detection

🛡️ Gootloader operators now deliver malformed ZIP archives that concatenate up to 1,000 parts to evade analysis and detection. The archived JScript unpacks successfully with Windows' built-in extractor while tools relying on 7-Zip and WinRAR often crash. Samples employ truncated EOCD entries, randomized disk fields, metadata mismatches and XOR-encoded blobs appended client-side. Researchers devised a YARA rule and advise changing the default .js opener to Notepad and blocking wscript.exe/cscript.exe where possible.

SHADOW#REACTOR campaign uses text staging to deploy Remcos

🔎 A multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, uses obfuscated VBS and heavily encoded PowerShell to stage payloads entirely in memory and avoid disk-based indicators. Attackers fetch repeated text-based fragments over HTTP, reconstruct them into a reflectively loaded .NET assembly protected with .NET Reactor, and abuse signed Microsoft binaries such as MSBuild.exe to execute the final Remcos RAT. The chain emphasizes living-off-the-land techniques, persistence and anti-analysis measures to complicate detection.

SHADOW#REACTOR Delivers Remcos RAT via Evasive Chain

🔍 Researchers described a newly observed SHADOW#REACTOR campaign that uses an evasive, multi-stage chain to deliver the commercial Remcos RAT and maintain covert persistence. An obfuscated win64.vbs launcher invokes a Base64 PowerShell stager that retrieves fragmented, text-only payloads and reconstructs loaders in memory using a .NET Reactor–protected reflective assembly. The final stage abuses MSBuild.exe to execute the Remcos backdoor, and wrapper scripts ensure re-execution, all designed to frustrate detection and analysis.

Phishing Actors Exploit Complex Mail Routing and Spoofing

📧 Phishing actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to originate internally, frequently using PhaaS platforms such as Tycoon2FA. Microsoft observed increased use of this vector since May 2025, including nested redirect chains and AiTM techniques to harvest credentials. Tenants with MX records pointed to Office 365 benefit from built-in protections; others must enforce strict SPF hard-fail, DKIM signing, and DMARC reject policies and correctly configure connectors to prevent these spoofing campaigns.

Combining Arbor Edge Defense with CDN DDoS Protection

🔒 NETSCOUT's Arbor Edge Defense (AED) complements CDN-based DDoS mitigation by providing inline, on-premises protection for attacks that cloud scrubbing can miss. AED uses AI/ML-driven stateless packet processing and ATLAS threat intelligence to address application-layer, TCP state-exhaustion, and outbound threats. Together, CDN protections and AED form a layered, adaptive defense-in-depth strategy that preserves bandwidth and safeguards availability.

Chinese State Hackers Use Rootkit to Hide ToneShell

⚠️ A new ToneShell backdoor sample attributed to the Mustang Panda group was delivered via a kernel‑mode mini‑filter driver, ProjectConfiguration.sys, in attacks against government organizations in Asia. The signed driver operates as a rootkit: it injects two user‑mode payloads, blocks deletion and renaming, protects service registry keys, and alters WdFilter to interfere with Microsoft Defender. Kaspersky notes this is the first observed kernel‑mode loader for ToneShell and recommends memory forensics and provided IoCs to detect infections. The actor also updated network stealth, moving to a 4‑byte host ID and fake TLS headers.

ThreatsDay: Stealth Loaders, AI Abuse, and Trusted Tools

🔍 This week's ThreatsDay bulletin documents how attackers increasingly hide malicious activity inside everyday tools, trusted applications, and AI assistants. Investigations highlight abuse of open-source monitoring tools like Nezha, an 87% rise in NFC‑abusing Android malware, late‑2025 GuLoader waves, and prompt‑injection flaws in AI chat frontends. The report underscores the need for layered defenses, strict input validation, and rapid patching.

New MacSync Dropper Bypasses macOS Gatekeeper Checks

🛡️ Jamf researchers found a new MacSync variant delivered as a code-signed, notarized Swift application inside a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, enabling it to bypass macOS Gatekeeper checks without any direct Terminal interaction. The Mach-O binary carried a valid signature tied to Developer Team ID GNJLS3UYZ4, which Apple revoked after a report. The dropper decodes an encoded payload on disk and the stealer uses multiple evasions — inflating the DMG with decoy PDFs, wiping execution scripts, and performing internet checks to avoid sandboxed analysis — before harvesting credentials, browser data, iCloud keychain items, cryptocurrency wallet data, and files.

CountLoader and GachiLoader Campaigns Abuse Cracked Software

🔒 Cybersecurity teams disclosed linked campaigns that abuse cracked-software sites and compromised YouTube accounts to deliver modular loaders CountLoader and GachiLoader. CountLoader 3.2 is distributed via malicious ZIPs hosted on MediaFire and uses a renamed Python binary invoked through mshta.exe to establish persistence with scheduled tasks that mimic Google and fetch next-stage payloads. Check Point described GachiLoader, an obfuscated Node.js loader spread through a "YouTube Ghost Network" that deploys novel PE injection via a Kidkadi stage. Both campaigns emphasize in-memory execution, signed-binary abuse, removable-media spread, and sophisticated evasion.

CISA Update: BRICKSTORM Backdoor Analysis Release Notice

🛡️ Today, CISA, the NSA, and the Canadian Centre for Cyber Security released an update to the Malware Analysis Report for the BRICKSTORM backdoor. The update adds indicators of compromise (IOCs) and two new YARA detection signatures to cover additional samples, including Rust-based variants. Analysts observed advanced persistence and defense-evasion behaviors (including running as background services) and improved command-and-control via encrypted WebSocket channels. Organizations are strongly urged to deploy the updated IOCs and signatures, follow the detection guidance to scan and remediate affected systems, and report suspected infections to CISA’s 24/7 Operations Center.

OpenAI strengthens defensive models as cyber risks rise

🔐 OpenAI says rapid model gains have reshaped its planning and prompted expanded defensive measures. Internal CTF assessments rose from 27% on GPT-5 in August 2025 to 76% on GPT-5.1-Codex-Max in November 2025, leading the company to warn some systems may reach 'High' levels on its Preparedness Framework. OpenAI outlined a layered defense-in-depth strategy — including access controls, infrastructure hardening, egress monitoring, model steering, detection tools and end-to-end red teaming — and is preparing a trusted access program alongside private-beta tools such as Aardvark to steer capabilities toward defensive outcomes.

Ransomware Gangs Use Shanya Packer to Evade EDR Protections

🛡️ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

Windows LNK Shortcut Abuse Addressed by Recent Patches

🔒 Microsoft has quietly altered how Windows displays .lnk shortcut Targets, addressing a long‑abused technique attackers used to hide malicious commands in trailing whitespace. The issue (tracked as CVE-2025-9491) stemmed from Explorer showing only the first 260 characters of a Target field, allowing long PowerShell or BAT scripts to be concealed. Third‑party vendor 0patch acknowledges the UI change but says Microsoft’s fix doesn't prevent execution and offers a micropatch that truncates long Targets and warns users.