
All news with #defense evasion tag

108 articles · page 4 of 6

CISA Update: BRICKSTORM Backdoor Analysis Release Notice

🛡️ Today, CISA, the NSA, and the Canadian Centre for Cyber Security released an update to the Malware Analysis Report for the BRICKSTORM backdoor. The update adds indicators of compromise (IOCs) and two new YARA detection signatures to cover additional samples, including Rust-based variants. Analysts observed advanced persistence and defense-evasion behaviors (including running as background services) and improved command-and-control via encrypted WebSocket channels. Organizations are strongly urged to deploy the updated IOCs and signatures, follow the detection guidance to scan and remediate affected systems, and report suspected infections to CISA’s 24/7 Operations Center.

OpenAI strengthens defensive models as cyber risks rise

🔐 OpenAI says rapid model gains have reshaped its planning and prompted expanded defensive measures. Internal CTF assessments rose from 27% on GPT-5 in August 2025 to 76% on GPT-5.1-Codex-Max in November 2025, leading the company to warn some systems may reach 'High' levels on its Preparedness Framework. OpenAI outlined a layered defense-in-depth strategy — including access controls, infrastructure hardening, egress monitoring, model steering, detection tools and end-to-end red teaming — and is preparing a trusted access program alongside private-beta tools such as Aardvark to steer capabilities toward defensive outcomes.

Ransomware Gangs Use Shanya Packer to Evade EDR Protections

🛡️ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

Windows LNK Shortcut Abuse Addressed by Recent Patches

🔒 Microsoft has quietly altered how Windows displays .lnk shortcut Targets, addressing a long‑abused technique attackers used to hide malicious commands in trailing whitespace. The issue (tracked as CVE-2025-9491) stemmed from Explorer showing only the first 260 characters of a Target field, allowing long PowerShell or BAT scripts to be concealed. Third‑party vendor 0patch acknowledges the UI change but says Microsoft’s fix doesn't prevent execution and offers a micropatch that truncates long Targets and warns users.

ShadowPad Delivered via WSUS Exploits CVE-2025-59287

🛡️ A recently patched WSUS deserialization flaw, CVE-2025-59287, has been weaponized to install the ShadowPad backdoor on Windows servers. AhnLab's ASEC reports attackers used PowerCat to spawn a CMD shell and then leveraged certutil and curl to retrieve payloads from 149.28.78.189:42306. ShadowPad was deployed via DLL side-loading of ETDApix.dll by ETDCtrlHelper.exe and runs as an in-memory loader with plugin support, anti-detection, and persistence.

Industrialization of Cybercrime: AI, Speed, Defense

🤖 FortiGuard Labs warns that by 2026 cybercrime will transition from ad hoc innovation to industrialized throughput, driven by AI, automation, and a mature supply chain. Attackers will automate reconnaissance, lateral movement, and data monetization, shrinking attack timelines from days to minutes. Defenders must adopt machine-speed operations, continuous threat exposure management, and identity-centric controls to compress detection and response. Global collaboration and targeted disruption will be essential to deter large-scale criminal infrastructure.

AI-Enhanced Tuoni Framework Targets US Real Estate Firm

🔍 Morphisec observed an AI-enhanced intrusion in October 2025 that targeted a major US real estate firm using the modular Tuoni C2 framework. The campaign began with a Microsoft Teams impersonation and a PowerShell one-liner that spawned a hidden process to retrieve a secondary script. That loader downloaded a BMP file and used least significant bit steganography to extract shellcode, executing it entirely in memory and reflectively loading TuoniAgent.dll. Researchers noted AI-generated code patterns and an encoded configuration pointing to two C2 servers; Morphisec's AMTD prevented execution.

Researchers Detail Tuoni C2's Role in Real-Estate Attack

🔒 Cybersecurity researchers disclosed an attempted intrusion against a major U.S. real-estate firm that leveraged the emerging Tuoni C2 and red-team framework. The campaign, observed in mid-October 2025, used Microsoft Teams impersonation and a PowerShell loader that fetched a BMP-steganographed payload from kupaoquan[.]com and executed shellcode in memory. That sequence spawned TuoniAgent.dll, which contacted a C2 server but ultimately failed to achieve its goals. The incident highlights the risk of freely available red-team tooling and AI-assisted code generation being abused by threat actors.

Time Travel Debugging for .NET Process Hollowing Analysis

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.

GootLoader Returns Using Custom Font to Conceal Payload

🔍 Huntress observed the return of GootLoader infections beginning October 27, 2025, with two cases leading to hands-on keyboard intrusions and domain controller compromise within 17 hours. The loader now embeds a custom WOFF2 font using Z85 encoding to substitute glyphs and render obfuscated filenames readable only in the victim browser. Actors deliver XOR-encrypted ZIPs via compromised WordPress comment endpoints and SEO-poisoned search results, and the archive is crafted to appear as benign text to many automated analysis tools while extracting a JavaScript payload on Windows.

FileFix: New File Explorer Social-Engineering Threat

🔒 FileFix is a social‑engineering technique that tricks users into pasting a malicious command into the Windows File Explorer address bar instead of the Run dialog. Attackers hide a long payload before a benign-looking file path using leading spaces so only the harmless path is visible, then invoke a PowerShell script (for example via conhost.exe) to retrieve and run malware. Defenses emphasize robust endpoint protection and ongoing employee awareness training, since blocking shortcuts alone is insufficient.

Layered Security for SMBs During the Holiday Season

🔒 Small and medium-size businesses face rising, measurable cyber risk as ransomware incidents increase and attacks spike during the holiday season. Resource constraints and end-of-life Windows 10 devices magnify exposure, while firmware-level and endpoint gaps can defeat traditional defenses. A layered, defense-in-depth approach across silicon, the operating system, and endpoints reduces attack surfaces. Business-grade devices such as the ASUS Expert Series integrate these protections to turn necessary upgrades into strategic security investments.

Hackers Use Hyper-V to Hide Linux VM and Evade EDR

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.

Russian APT Uses Hyper‑V VMs for Stealth and Persistence

🛡️ Bitdefender researchers describe how the Russia-aligned APT group Curly COMrades enabled Windows Hyper-V to deploy a minimal Alpine Linux VM on compromised Windows 10 hosts, creating a hidden execution environment. The compact VM (≈120MB disk, 256MB RAM) hosted two libcurl-based implants, CurlyShell (reverse shell) and CurlCat (HTTP-to-SSH proxy), enabling C2 and tunneling that evaded many host EDRs. Attackers used DISM and PowerShell to enable and run the VM under the deceptive name "WSL," and also employed PowerShell and Group Policy for credential operations and Kerberos ticket injection. Bitdefender warns that VM isolation can bypass EDR and recommends layered defenses including host network inspection and proactive hardening.

Microsoft to Remove Office Sandbox MDAG from Enterprise

🔒 Microsoft confirmed that Microsoft Defender Application Guard (MDAG) for Office will be removed from enterprise Office builds, with phased removal beginning in 2026 and final cut-offs through 2027. MDAG used Hyper‑V sandboxing to isolate malicious Office documents but incurred slower load times and carried sandbox escape risks. Microsoft advises enabling Attack Surface Reduction (ASR) rules and Windows Defender Application Control (WDAC), and reviewing any automation, workflows, or SIEM integrations that depended on MDAG’s isolation logs.

Russian Hackers Hide Malware in Hyper‑V Alpine Linux VMs

🛡️ The Russian-linked threat group Curly COMrades abused Microsoft Hyper-V on Windows hosts to deploy a hidden, minimal Alpine Linux VM that hosted custom implants: CurlyShell (reverse shell) and CurlCat (reverse proxy). By using the Hyper-V Default Switch and naming the VM "WSL," outbound C2 traffic appeared to originate from the legitimate host IP, enabling evasion of host-based EDRs. The campaign — active since mid-2024 and observed by Bitdefender with help from the Georgian CERT — also employed PowerShell scripts for LSASS Kerberos ticket injection and Group Policy-based account creation, leaving few forensic traces. Organizations are advised to monitor unexpected Hyper-V activation, abnormal LSASS access or tampering, and PowerShell GPO deployments, and to implement network-level inspection and layered defenses.

Operation SkyCloak: Tor-Enabled Backdoor Targets Defense

🔒 Attackers are deploying a persistent backdoor using OpenSSH and a customized Tor hidden service to target defense-related organizations in Russia and Belarus. The Operation SkyCloak campaign uses weaponized ZIP attachments and LNK-triggered PowerShell stagers that perform sandbox evasion and write an .onion hostname into the user's roaming profile. Persistence is established via scheduled tasks that run a renamed sshd.exe and a bespoke Tor binary using obfs4, enabling SSH, SFTP, RDP and SMB access over Tor.

Rhysida Ransomware Uses Microsoft Signing to Evade Defenses

🛡️ Rhysida ransomware operators have shifted to malvertising and the abuse of Microsoft Trusted Signing certificates to slip malware past defenses. By buying Bing search ads that point to convincing fake download pages for Microsoft Teams, PuTTY and Zoom, they deliver initial access tools such as OysterLoader (formerly Broomstick/CleanUpLoader) and Latrodectus. Signed, packaged binaries evade static detection and often run without scrutiny on Windows endpoints.

Cybersecurity on a Budget: Strategies for Downturn

🔒 During economic downturns, organizations must preserve cybersecurity with constrained budgets by prioritizing risk-based controls, hardening existing systems, and blending open- and closed-source tools. The blog recommends defense-in-depth, isolating legacy hardware, disabling unnecessary features, and tuning EDR/AV, logging, and network filters to reduce exposure. It also advises retaining skilled incident response partners and investing selectively in early-to-mid career talent to maintain long-term resilience.

Agenda (Qilin) weaponizes Linux binaries against Windows

🛡️ Trend Micro reports that the Agenda (Qilin) ransomware group is running a Linux-based encryptor on Windows hosts to evade Windows-only detections. The actors abused legitimate RMM and file-transfer tools — including ScreenConnect, Splashtop, Veeam, and ATERA — to maintain persistence, move laterally, and execute payloads. They combined social engineering, credential theft, SOCKS proxy injection, and BYOVD driver tampering to disable EDR and compromise backups, impacting more than 700 victims since January 2025.