#Ransomware #IAB abuses #EDR for stealthy #malware execution

https://www.bleepingcomputer.com/news/security/ransomware-iab-abuses-edr-for-stealthy-malware-execution/

#cybersecurity

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Pulse ID: 693a4866260a4aa086aeb335
Pulse Link: https://otx.alienvault.com/pulse/693a4866260a4aa086aeb335
Pulse Author: Tr1sa111
Created: 2025-12-11 04:28:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #InfoSec #OTX #OpenThreatExchange #Phishing #bot #Tr1sa111

#Ransomware gangs turn to #ShanyaEXE packer to hide #EDR killers

https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/

#cybersecurity #cybercrime

DeadLock ransomware now uses a new BYOVD loader exploiting Baidu driver CVE-2024-51324 to terminate EDR processes at the kernel level. Pre-encryption PowerShell scripting disables defenses and wipes shadow copies before deploying custom time-based encryption.
https://www.technadu.com/deadlock-ransomware-uses-new-byovd-loader-exploiting-driver-vulnerability-to-disable-edr/615498/

#Cybersecurity #Ransomware #BYOVD #DeadLock #EDR #ThreatIntel

Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation

Storm-0249, a seasoned initial access broker, has evolved from mass phishing to sophisticated post-exploitation tactics. The group now abuses legitimate Endpoint Detection and Response processes, particularly SentinelOne's SentinelAgentWorker.exe, through DLL sideloading. This allows them to conceal malicious activity as routine operations, bypass defenses, and maintain persistence. Their new tactics include Microsoft domain spoofing, curl-to-PowerShell piping, and fileless execution. Storm-0249's ability to weaponize trusted processes and conduct stealthy reconnaissance poses significant challenges for security teams. The group's evolution represents a broader trend in the ransomware-as-a-service ecosystem, lowering the technical barrier for attackers and accelerating the spread of ransomware across sectors.

Pulse ID: 69393ab7f0d78ccb11a14d9a
Pulse Link: https://otx.alienvault.com/pulse/69393ab7f0d78ccb11a14d9a
Pulse Author: AlienVault
Created: 2025-12-10 09:17:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Endpoint #EndpointDetectionandResponse #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RansomWare #RansomwareAsAService #Rust #SentinelOne #SideLoading #bot #AlienVault

Ransomware gangs are now using a packer‑as‑a‑service called Shanya to hide EDR‑killer payloads, abusing DLL sideloading and vulnerable drivers to silently shut down security tools before deploying ransomware.
🔗 https://zurl.co/HSfY9 #ransomware #EDR #BlueTeam #CyberSecurity

Zero Trust Security Model Explained: Is It Right for Your Organization?

1,135 words, 6 minutes read time.

When I first walked into a SOC that proudly claimed it had “implemented Zero Trust,” I expected to see a modern, frictionless security environment. What I found instead was a network still anchored to perimeter defenses, VPNs, and a false sense of invincibility. That’s the brutal truth about Zero Trust: it isn’t a single product or an off-the-shelf solution. It’s a philosophy, a mindset, a commitment to questioning every assumption about trust in your organization. For those of us in the trenches—SOC analysts, incident responders, and CISOs alike—the question isn’t whether Zero Trust is a buzzword. The real question is whether your organization has the discipline, visibility, and operational maturity to adopt it effectively.

Zero Trust starts with a principle that sounds simple but is often the hardest to implement: never trust, always verify. Every access request, every data transaction, and every network connection is treated as untrusted until explicitly validated. Identity is the new perimeter, and every user, device, and service must prove its legitimacy continuously. This approach is grounded in lessons learned from incidents like the SolarWinds supply chain compromise, where attackers leveraged trusted internal credentials to breach multiple organizations, or the Colonial Pipeline attack, which exploited a single VPN credential. In a Zero Trust environment, those scenarios would have been mitigated by enforcing strict access policies, continuous monitoring, and segmented network architecture. Zero Trust is less about walls and more about a web of checks and validations that constantly challenge assumptions about trust.

Identity and Access Management: The First Line of Defense

Identity and access management (IAM) is where Zero Trust begins its work, and it’s arguably the most important pillar for any organization. Multi-factor authentication, adaptive access controls, and strict adherence to least-privilege principles aren’t optional—they’re foundational. I’ve spent countless nights in incident response chasing lateral movement across networks where MFA was inconsistently applied, watching attackers move as if the organization had handed them the keys. Beyond authentication, modern IAM frameworks incorporate behavioral analytics to detect anomalies in real time, flagging suspicious logins, unusual access patterns, or attempts to elevate privileges. In practice, this means treating every login attempt as a potential threat, continuously evaluating risk, and denying implicit trust even to high-ranking executives. Identity management in Zero Trust isn’t just about logging in securely; it’s about embedding vigilance into the culture of your organization.

Implementing IAM effectively goes beyond deploying technology—it requires integrating identity controls with real operational processes. Automated workflows, incident triggers, and granular policy enforcement are all part of the ecosystem. I’ve advised organizations that initially underestimated the complexity of this pillar, only to discover months later that a single misconfigured policy left sensitive systems exposed. Zero Trust forces organizations to reimagine how users and machines interact with critical assets. It’s not convenient, and it’s certainly not fast, but it’s the difference between containing a breach at the door or chasing it across the network like a shadowy game of cat and mouse.

Device Security: Closing the Endpoint Gap

The next pillar, device security, is where Zero Trust really earns its reputation as a relentless defender. In a world where employees connect from laptops, mobile devices, and IoT sensors, every endpoint is a potential vector for compromise. I’ve seen attackers exploit a single unmanaged device to pivot through an entire network, bypassing perimeter defenses entirely. Zero Trust counters this by continuously evaluating device posture, enforcing compliance checks, and integrating endpoint detection and response (EDR) solutions into the access chain. A device that fails a health check is denied access, and its behavior is logged for forensic analysis.

Device security in a Zero Trust model isn’t just reactive—it’s proactive. Threat intelligence feeds, real-time monitoring, and automated responses allow organizations to identify compromised endpoints before they become a gateway for further exploitation. In my experience, organizations that ignore endpoint rigor often suffer from lateral movement and data exfiltration that could have been prevented. Zero Trust doesn’t assume that being inside the network makes a device safe; it enforces continuous verification and ensures that trust is earned and maintained at every stage. This approach dramatically reduces the likelihood of stealthy intrusions and gives security teams actionable intelligence to respond quickly.

Micro-Segmentation and Continuous Monitoring: Containing Threats Before They Spread

Finally, Zero Trust relies on micro-segmentation and continuous monitoring to limit the blast radius of any potential compromise. Networks can no longer be treated as monolithic entities where attackers move laterally with ease. By segmenting traffic into isolated zones and applying strict access policies between them, organizations create friction that slows or stops attackers in their tracks. I’ve seen environments where a single compromised credential could have spread malware across the network, but segmentation contained the incident to a single zone, giving the SOC time to respond without a full-scale outage.

Continuous monitoring complements segmentation by providing visibility into every action and transaction. Behavioral analytics, SIEM integration, and proactive threat hunting are essential for detecting anomalies that might indicate a breach. In practice, this means SOC teams aren’t just reacting to alerts—they’re anticipating threats, understanding patterns, and applying context-driven controls. Micro-segmentation and monitoring together transform Zero Trust from a static set of rules into a living, adaptive security posture. Organizations that master this pillar not only protect themselves from known threats but gain resilience against unknown attacks, effectively turning uncertainty into an operational advantage.

Conclusion: Zero Trust as a Philosophy, Not a Product

Zero Trust is not a checkbox, a software package, or a single deployment. It is a security philosophy that forces organizations to challenge assumptions, scrutinize trust, and adopt a mindset of continuous verification. Identity, devices, and network behavior form the pillars of this approach, each demanding diligence, integration, and cultural buy-in. For organizations willing to embrace these principles, the rewards are tangible: reduced attack surface, limited lateral movement, and a proactive, anticipatory security posture. For those unwilling or unprepared to change, claiming “Zero Trust” is little more than window dressing, a label that offers the illusion of safety while leaving vulnerabilities unchecked. The choice is stark: treat trust as a vulnerability and defend accordingly, or risk becoming the next cautionary tale in an increasingly hostile digital landscape.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• NIST Special Publication 800-207: Zero Trust Architecture
• CISA Zero Trust Maturity Model
• MITRE ATT&CK® Framework
• CrowdStrike: The Rise of Zero Trust Security
• Mandiant Threat Intelligence Reports
• Schneier on Security Blog
• KrebsOnSecurity
• Verizon Data Breach Investigations Report (DBIR)
• SANS Whitepaper: Zero Trust Security
• Black Hat Briefings: Zero Trust Talks
• DEF CON Conference Talks on Network Security
• Microsoft Security Blog: The Future of Zero Trust
• Palo Alto Networks: What is Zero Trust?
• Gartner Market Guide for Zero Trust Network Access
• IBM Zero Trust Security Resources

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#accessManagement #adaptiveSecurity #attackSurfaceReduction #behavioralAnalytics #breachPrevention #byodSecurity #ciso #cloudSecurity #cloudFirstSecurity #colonialPipeline #complianceEnforcement #continuousMonitoring #cyberResilience #cybersecurityAwareness #cybersecurityCulture #cybersecurityReadiness #cybersecurityStrategy #deviceSecurity #digitalDefense #edr #endpointSecurity #enterpriseSecurity #iam #identityVerification #incidentResponse #internalThreats #iotSecurity #lateralMovement #leastPrivilege #mfa #microSegmentation #mitreAttck #multiFactorAuthentication #networkSecurity #networkSegmentation #networkVisibility #nistSp800207 #perimeterSecurity #privilegedAccessManagement #proactiveMonitoring #proactiveSecurity #ransomwarePrevention #riskManagement #secureAccess #securityAutomation #securityBestPractices2 #securityFramework #securityMindset #securityOperations #securityPhilosophy #siem #socAnalyst #solarwindsBreach #threatDetection #threatHunting #threatIntelligence #zeroTrust #zeroTrustArchitecture #zeroTrustImplementation #zeroTrustModel #zeroTrustSecurity

Inside Shanya, a packer-as-a-service fueling modern attacks

The Shanya crypter is a new packer-as-a-service offering gaining popularity among ransomware groups. It features advanced capabilities like non-standard module loading, unique stubs for each customer, AMSI bypass, anti-VM measures, and runtime protection. Early samples contained revealing artifacts, but later versions became more sophisticated. The packer has been used to deliver various malware families including an EDR killer and CastleRAT. It employs techniques like API hashing, anti-analysis checks, and DLL sideloading to evade detection. The EDR killer variant targets numerous security products and has been used in ransomware operations by groups like Akira, Qilin, and Crytox. A case study of CastleRAT distribution using Shanya to target hotels is also presented.

Pulse ID: 69358a30a9382057c9321cf0
Pulse Link: https://otx.alienvault.com/pulse/69358a30a9382057c9321cf0
Pulse Author: AlienVault
Created: 2025-12-07 14:07:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Akira #CyberSecurity #EDR #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #SideLoading #bot #AlienVault

10 популярных техник обхода EDR

Алексей Баландин, Security Vision На сегодняшний день невозможно представить защиту конечных точек без системы EDR, которая, в отличие от устаревшего антивируса, основана в первую очередь на поведенческом анализе происходящих в системе событий. Потребность в этой системе резко возросла за последние 10 лет в связи с тем, что угрозы совершенствуются из года в год. Давно стало очевидно, что эффективно противостоять атакующим можно не столько за счет статического анализа кода, сигнатурного метода, сколько за счет изучения, анализа и блокировки их поведенческих паттернов, используемых тактик, техник и процедур. Этим и занимается класс продуктов EDR и активно развивается за счет постоянного пополнения базы знаний о новых методах атак. Обратной стороной медали является то, что атакующие не стоят на месте и разрабатывают все новые способы обхода и противодействия EDR. Далее рассмотрим техники обхода EDR, которые были наиболее популярны у атакующих за последние 5 лет.

https://habr.com/ru/companies/securityvison/articles/973172/

#edr #byovd #lolbas #обход_защиты #обход_антивируса

Мониторинг в Linux на уровне ядра. Краткое практическое введение в eBPF+Cilium

Добрый день, всем читающим данную статью. Недавно эксперементируя с eBPF для разработки нового функционала своей EDR для linux-серверов , я столкнулся с огромной проблемой: на просторах интернета есть огромный пласт статей по теории работы с eBPF, однако кратких практических статей как работать с BPF мной найдено не было. Если быть более точным, то такие статьи есть, однако, они не дают понимания функционала. В общем, в данной статье хотелось бы написать краткий гайд по работе с eBPF с уклоном в практику

https://habr.com/ru/articles/972602/

#eBPF #bpf #go #edr #разработка #мониторинг #трассировка #ядро #ядро_linux #linux

Hackers Moving to “Living Off the Land” Techniques to Attack Windows Systems Bypassing EDR
https://cyberpress.org/hackers-moving-to-living-off-the-land-techniques-to-attack-windows-systems-bypassing-edr/

#Infosec #Security #Cybersecurity #CeptBiro #LivingOffTheLandTechniques #WindowsSystems #EDR

How do companies deal with departments which need to use all kinds of data sets which are prone to false positives on EDR?

#infosec #EDR #malware #falsepositive #CISO #hugginface

Striking Panda Attacks: APT31 Today

APT31, a Chinese cyber espionage group, has been actively targeting the Russian IT sector from 2024 to 2025, particularly companies working as contractors for government agencies. The group uses sophisticated tactics to remain undetected, including leveraging cloud services as command and control infrastructure and deploying new malware samples. APT31 demonstrates knowledge of target organizations' workflows, timing attacks during holidays. They use a prepared script for lateral movement and have deployed new malware such as AufTime, COFFProxy, VtChatter, YaLeak, CloudyLoader and OneDriveDoor. The group employs various persistence techniques, credential access methods, and data exfiltration tools. APT31 continues to evolve its toolkit while maintaining some older tools, allowing them to remain undetected in victim networks for years while extracting sensitive data.

Pulse ID: 69289a7cffabb00782cbd6b7
Pulse Link: https://otx.alienvault.com/pulse/69289a7cffabb00782cbd6b7
Pulse Author: AlienVault
Created: 2025-11-27 18:37:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #Cloud #CyberSecurity #EDR #Edge #Espionage #Government #Holiday #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RAT #Russia #bot #AlienVault

Trong bối cảnh sự cố #CrowdStrike, một nhà phát triển đang xây dựng giải pháp EDR mới với kiến trúc User-Mode, ưu tiên ổn định và tự phục hồi, tránh sập hệ điều hành. MVP sắp hoàn thành. Anh ấy tìm kiếm đầu tư để mở rộng dự án.
#EDR #Cybersecurity #Startup #BảoMật #KhởiNghiệp #Stability

https://www.reddit.com/r/SaaS/comments/1p87rwq/building_a_usermode_edr_alternative/

Improve your threat detection speed and accuracy in our upcoming virtual workshop.

LimaCharlie 101 is one week away on December 3rd, 10am-12pm PT.

In this live hands-on session, you'll get practical experience deploying EDR agents, writing custom detection rules, and integrating threat intelligence feeds.

You'll also learn to create YARA rules for malware identification and automate response actions to stop threats faster.

This session will not be recorded, be sure to register: https://limacharlie.wistia.com/live/events/ie7myewivi?utm_campaign=limacharlie+101+virtual+workshop+12+3+25&utm_source=mastodon&utm_medium=social

#cybersecurity #edr #secops

ClickFix operators are now using fake full-screen “Windows Update” pages to push victims into running malicious commands. Combined with steganographic loaders and in-memory execution, these campaigns continue to evolve.

What detection or user-training approach do you think works best today?

Source: https://www.helpnetsecurity.com/2025/11/25/fake-windows-update-screen-clickfix/

Follow @technadu for ongoing threat-intel breakdowns and practical defense insights.

#Infosec #ThreatIntel #ClickFix #EDR #CyberHygiene #MalwareTrends #SecurityOps #WindowsSecurity #InfoStealer

Anyone got a recommendation for a good open source HIDS/HIPS or open source EDR/XDR?

Seems like most of them can do everything (which is as trustworthy as a kebab place offering sushi) or I find guides telling me that snort is an EDR 😓

#opensource #EDR #HIDS

Want to strengthen your EDR deployment and detection capabilities?

Join our LimaCharlie 101 Virtual Workshop on December 3rd, 10am-12pm PT for hands-on training covering EDR deployment, detection rules, and threat intelligence integration.

You'll learn to:

> Deploy EDR agents and collect comprehensive telemetry
> Write detection and response rules for real-world threats
> Integrate threat intelligence feeds into your security stack
> Create YARA rules for malware identification
> Automate response actions for faster threat mitigation

Walk away with practical skills you can apply immediately.

Register now: https://limacharlie.wistia.com/live/events/ie7myewivi?utm_campaign=limacharlie+101+virtual+workshop+12+3+25&utm_source=mastodon&utm_medium=social

Live session only - will not be recorded.

#cybersecurity #edr #threatintelligence #secops

RONINGLOADER: DragonBreath's New Path to PPL Abuse

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation to disable Microsoft Defender. The infection chain begins with trojanized NSIS installers masquerading as legitimate software. RONINGLOADER leverages multiple stages to terminate antivirus processes, apply custom WDAC policies, and inject the final payload into trusted system processes. The campaign demonstrates an evolution in DragonBreath's tactics, showcasing adaptability and sophisticated evasion methods.

Pulse ID: 691d85c636ef7e742328d734
Pulse Link: https://otx.alienvault.com/pulse/691d85c636ef7e742328d734
Pulse Author: AlienVault
Created: 2025-11-19 08:54:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #EDR #ElasticSecurityLabs #ICS #InfoSec #Malware #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RAT #Rust #Trojan #bot #AlienVault

EVALUSION Campaign Delivers Amatera Stealer and NetSupport...

The eSentire Threat Response Unit identified a malware campaign using ClickFix as an initial access vector to deploy Amatera Stealer and NetSupport RAT. Amatera Stealer is a rebranded version of ACR Stealer, with advanced evasion techniques like WoW64 SysCalls to bypass security solutions. It targets crypto-wallets, browsers, and messaging apps. The attack chain involves social engineering, PowerShell stages, and a .NET-based downloader. Amatera communicates with its C2 server using encrypted channels and can deploy additional payloads. The campaign selectively targets systems with valuable data or domain membership before deploying NetSupport RAT. Recommendations include disabling mshta.exe, restricting the Run prompt, implementing phishing awareness training, and using Next-Gen AV or EDR solutions.

Pulse ID: 691cf085ce463d915d5c5dc8
Pulse Link: https://otx.alienvault.com/pulse/691cf085ce463d915d5c5dc8
Pulse Author: AlienVault
Created: 2025-11-18 22:17:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #EDR #InfoSec #LUA #Malware #NET #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SocialEngineering #ThreatResponseUnit #bot #eSentire #AlienVault