Over Security


31463 bookmarks
How to Automate AWS Incident Investigation with Tines and AI
Cloud incidents drag on when analysts have to leave cases to hunt through AWS consoles and CLIs. Tines shows how automated agents pull AWS CLI data directly into cases, reducing MTTR and manual investigation work.
·bleepingcomputer.com·
ZeroDayRAT: The New Threat for Android and iOS
Researchers at iVerify, a company specializing in mobile device cybersecurity, have revealed the arrival of a new and worrying tool in the threat landscape: ZeroDayRAT. This spyware platform emerged in the cybercrime underground on Telegram, presenting itself as a complete solution for the remote control of Android and iOS devices. Far from being a simple extractor …
·securityinfo.it·
Microsoft announces new mobile-style Windows security controls
Microsoft wants to introduce smartphone-style app permission prompts in Windows 11 to request user consent before apps can access sensitive resources such as files, cameras, and microphones.
·bleepingcomputer.com·
ZeroDayRAT malware grants full access to Android, iOS devices
A new commercial mobile spyware platform dubbed ZeroDayRAT is being advertised to cybercriminals on Telegram as a tool that provides full remote control over compromised Android and iOS devices.
·bleepingcomputer.com·
What It Means When We Say “Security Is a Data Problem”
Cybersecurity is a data problem—too much noise, not enough context. Learn how Binary Defense uses an attacker’s mindset, tailored detection, and continuous feedback to make sense of security data and improve threat response.
·binarydefense.com·
What CVE-2025-53770 Teaches Us About Zero-Day Reality and Ransomware…
CVE-2025-53770 is a critical SharePoint RCE flaw. The goals certainly don’t.

The Exploit Chain: Familiar Steps, Different Stage
At its core, CVE-2025-53770 abuses how SharePoint handles WebParts, specifically how it deserializes compressed data embedded in payloads targeting endpoints like /ToolPane.aspx. The process is as follows:
- Initial Access via WebPart Injection: A malicious HTTP POST is sent to a WebPart-enabled ASPX page (not just ToolPane.aspx; any page with a WebPartZone will do, like /SitePages/test.aspx).
- Deserialization and Execution: SharePoint processes the payload using LosFormatter or BinaryFormatter, invoking the deserialization sink and executing arbitrary code, typically starting with a LOLBin (cmd.exe, powershell.exe, mshta.exe).

Neither Have the Outcomes
On July 22, 2025, Microsoft published an article attributing attacks on SharePoint servers leveraging CVE-2025-53770 to the Chinese nation-state groups Linen Typhoon and Violet Typhoon. While CVE-2025-53770 hasn’t yet been tied to ransomware, it lines up nicely with ransomware operator objectives:
- Privileged access to an enterprise data repository
- Privileged access to a domain-joined Microsoft Windows server
- Remote command execution
We don’t need to look back too far to see how the use of this exploit will likely play out. However, within weeks of public disclosure and tooling release, the same attack paths were rapidly adopted by ransomware groups and access brokers.

Don’t Play Whack-a-CVE for Detections
Many orgs initially focused detections on:
- Requests to /ToolPane.aspx
- Dropped files like /LAYOUTS/spinstall0.aspx
- Referer headers spoofing /SignOut.aspx
However, based on testing within ARC Labs, there is some assumed brittleness to these detections. Attackers don’t need new tools because defenders are still slow to learn the old ones.

We’ve known for years that:
- SharePoint, Exchange, and other Windows-based, web-enabled services are high-value targets
- Deserialization is a risky and recurring attack vector
- ViewState is abusable when secrets are compromised
- Initial access is more about exploiting behavior than code
None of this is new. Ransomware actors, APTs, and access brokers don’t need cutting-edge tactics.
·binarydefense.com·
DefendNot: Turning Windows Defender Against Itself
Rather than tampering with Defender processes or registry keys, DefendNot takes a different approach by registering a fake antivirus through the Windows Security Center (WSC) COM interface. Because Defender is built to step aside when third-party antivirus software is present, this spoofed registration triggers Windows’ own conflict resolution logic.

Technical Breakdown: Abusing Windows’ Own Conflict Resolution
At the core of DefendNot’s technique is the Windows Security Center (WSC), a native Windows component responsible for managing security products like antivirus and EDR solutions. DefendNot registers itself as a fake antivirus inside WSC, convincing Windows to do the work of disabling Defender on its behalf. These paths are normally used by Windows to track legitimate antivirus products. Once those keys are in place, WSC accepts the registration as valid and replaces the Defender entry with the spoofed antivirus.

Detection Mechanisms
Although Microsoft Defender for Endpoint’s logging is degraded once DefendNot is active, defenders can still detect its activity. Each of these contains a GUID that may appear arbitrary, but these GUIDs represent the spoofed antivirus registered by DefendNot alongside the legitimate Defender entry. The registry entries also store metadata pointing to the DLL responsible for handling antivirus or AMSI functions, giving defenders another way to confirm tampering.

Detection Opportunities
Monitoring for registry modification and creation events under the following keys can provide strong indicators of DefendNot’s presence:
- HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV
- HKLM\SOFTWARE\Microsoft\AMSI\Providers\
- WMI\AutoLogger\DefenderAuditLogger
- WMI\AutoLogger\DefenderApiLogger
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
We've published detection and threat hunting criteria to help security teams identify DefendNot activity.

Remediation involves:
- Deleting persistence-related registry keys under the TaskCache path
- Removing spoofed provider entries at HKLM\SOFTWARE\Microsoft\Security Center\Provider\Av and HKLM\SYSTEM\CurrentControlSet\Services\AMSI\Providers
- Deleting the associated DLL listed in the InProcServer32 path under the spoofed antivirus GUID
Once these artifacts are removed, restart the machine and confirm Defender’s operational status by running:
Get-MpComputerStatus
This validation ensures that spoofed antivirus registrations have been cleared and that Microsoft Defender is once again actively protecting the system. Instead of disabling Microsoft Defender through brute-force techniques, DefendNot convinces Windows that another antivirus product is already installed and trusted. Attackers are increasingly building tools designed to blind security products, whether through aggressive EDR killers like KillerUltra or deceptive techniques like DefendNot.
·binarydefense.com·
DON’T FREEZE ME OUT, BRO! ARC Labs Technical Analysis of EDR-Freeze
EDR-Freeze is a recently published proof-of-concept that automates a flow to cause a dumper process to suspend an EDR/antivirus process (via minidump behavior) and then keep it suspended, effectively disabling the agent’s runtime hooks while the attacker performs follow-on actions.

It targets protected processes via PPL (Protected Process Light) plumbing. The PoC includes code to launch a child process at a Protected Process Light (PPL) level so the dumper can operate against PPL-protected EDR processes; this is the key trick that lets the flow target modern endpoint agents that use PPL to harden themselves. Because it leverages MiniDumpWriteDump/WER semantics (which suspend target threads while producing dumps) and then prevents the dumper from resuming the target, it achieves a “pause the watchdog” effect from user mode, a high-leverage primitive for attackers.

Operational impact
If an attacker can reliably suspend an EDR process for even a short window, they can perform sensitive tasks (credential dumps, persistence, file staging, or lateral movement) with greatly reduced detection probability.

The PoC:
- Launches WerFaultSecure.exe (the protected WER dumper) as a Protected Process Light (PPL) using extended startup attributes so WerFault can operate on protected processes. (This is implemented via a PPLProcessCreator helper.)
- Passes the inheritable handles to the dumper via command-line arguments (e.g., /encfile, /cancel), plus /pid and /tid for the target process and thread.
- Relies on the dumper suspending threads in the target process while creating the dump; a monitor thread in the PoC waits until the target is suspended, then suspends the dumper itself (or otherwise prevents the dumper from completing), leaving the target paused.
- Calls CreateProcessW(EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS) with bInheritHandles = TRUE to launch the dumper as a PPL process that inherits the dump file and cancel event handles.

Tools within the repo: a PPL helper, a process helper, and monitoring thread logic; the repo automates the timing/race needed to freeze the target. Protected EDR processes often require a dumper to run at a compatible protection level, so the repo includes code to create a PPL process. The PoC adds a monitor thread that detects when the dump operation has suspended the target and then suspends the dumper so the target stays suspended; that race and timing logic is the core of keeping the agent “frozen.”

Detection Opportunities
WerFaultSecure.exe process creation with dump flags: the highest-fidelity single indicator is WerFaultSecure.exe launched with /encfile, /cancel, and /type 268310 (in addition to /pid and /h).
·binarydefense.com·
A Practical Guide to Deobfuscating a Stupidly Long JavaScript Stealer
At runtime the loader uses the current scope’s binding (the one visible where the code runs) to decide which function is used. This allows the analyst to make notes of variables which contain encoded data used by decoding functions. Native decoding commands are often used in these JavaScript samples, so just identifying where these commands are used in the script is a great place to give analysts a starting point.
- If you see a Uint8Array/array, decode it with TextDecoder to preview the contents.
- Manually decode the returned data using the native JavaScript decode() function.
- Scan the returned values for common C2 keywords such as IP addresses, domains, common OS directories, etc. using a JavaScript debug function.
- Add the TestC2 function to the debug console.
- Add a conditional breakpoint to the .decode() line with the following expression to flag any hits against TestC2.
- Restart the debugging session and set a breakpoint on the .decode() line. Step into the code until you reach the function where the return value is WL. Continue stepping into the code until you reach the line where const WM is updated with the values of WL.
·binarydefense.com·
GlytchC2: A Bug in the Livestream
The GlytchC2 framework uses plaintext IRC over port 6667 to connect to irc.chat.twitch.tv, where attacker-issued commands are delivered through an attacker-controlled Twitch channel. This approach allows GlytchC2 traffic to blend in with normal streaming-related activity, making traditional detection methods less effective. When intercepted using mitmproxy, this traffic reveals detailed and distinguishable indicators of C2 behavior in the form of IRC welcome messages created by Twitch, as shown below:

Detection Opportunities
Correlating network traffic with endpoint logs provides the strongest points of detection for GlytchC2-style C2 traffic.

Conclusion
GlytchC2 highlights how adversaries have consistently adapted to hide in the noise of popular network traffic.
·binarydefense.com·
DeedRAT: Unpacking a Modern Backdoor’s Playbook
Recently, Binary Defense researchers in ARC Labs took a deep dive into a fresh DeedRAT sample, dissecting its infection chain, sideloading tricks, and persistence mechanisms.

Infection Timeline: How DeedRAT Gets In
Our analysis began with a sample delivered via a .zip archive containing three files:
- MicRun.exe (a legitimate executable used for sideloading)
- SBAMRES.dll (the malicious payload)
- SBAMRES.DLL.CC (an encrypted file)
The infection kicks off when MicRun.exe, a legitimate program that is part of the VIPRE Antivirus Premium suite, is executed.

Persistence: Staying Power
Once sideloaded, DeedRAT ensures it survives reboots and user logins through two redundant persistence mechanisms:
- Registry Run Key: The malware creates a value under ~\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicRun, causing MicRun.exe to auto-execute at logon.
- Service Creation: DeedRAT also creates a Windows service to launch MicRun.exe automatically:
sc create "MicRun" DisplayName= "MicRun" binPath= "C:\ProgramData\Micro\Defaults\MicRun.exe" type= own start= auto error=ignore
These dual mechanisms provide redundancy so that if one fails, the other keeps DeedRAT alive.
·binarydefense.com·
Evolutions in Offensive Toolkits: Phishing
Enter Phishing’s New Best Friend – Toolkits
A phishing toolkit is a collection of pre-packaged software and resources that malicious actors use to quickly configure attack paths to obtain compromised user credentials. Compared to attacks of old, where stolen credentials would be used days later, these automations can hijack a legitimate session live to compromise a user near-instantaneously. With this ability available to cybercriminals, there has been a surge of attacks focused on taking the abused credentials from a phishing URL to bypass or hijack MFA and conditional access policies.

Binary Defense was alerted last week to an incident where we observed a risk event for an Entra ID user authenticating into their environment. What we observed was a bit of a strange authentication chain for this user: we saw an established session within the environment as normal, performing their daily duties. The authentication still failed due to an established Conditional Access policy, but just moments later a successful login occurred with the same device within an appropriate location. Thankfully MFA is not the only defense against malicious actors, and this organization had established least privilege for their accounts properly. The end user did not have access to any administrative groups or applications, meaning that the actor did not have much to go on for additional routes. If the user clicked the link, it’s likely that their credentials were provided to a fake Microsoft login.

Detection Opportunities
Each of the opportunities below is still relevant to have protections around in your organization in relation to automated phishing toolkits:
- Malicious Email Not Remediated: review and contain any malicious e-mails sent to your organization to ensure no user attempts to use them.
- Authentication from Non-US Country: review authentications to user accounts from countries that are atypical for legitimate users within the business (where applicable).
This is critical for any phishing defense within any organization.

Containment and Mitigation
- Immediate Containment: Block offending IPs, rotate credentials, and force logouts of all active sessions to ensure the attackers cannot access the user’s account.
- Phishing Education: Be sure to provide yearly (or more frequent) phishing exercises for your organization.
·binarydefense.com·
What Defined Defense in 2025
WHAT CVE-2025-53770 TEACHES US ABOUT ZERO-DAY REALITY AND RANSOMWARE ROUTINE
This blog reframes zero-day exploitation as an operational constant rather than an exceptional, rare event.

DEFENDNOT: TURNING WINDOWS DEFENDER AGAINST ITSELF
DefendNot highlights a shift in attacker methodology toward abusing operating system trust models instead of bypassing them. The blog explains how Windows security provider registration works, how attackers can abuse that logic to cause Defender to disable itself, and why this behavior often occurs without triggering traditional alerts.

RMM TOOL CONVENIENCE AND CONTROL COMES WITH A COST
Remote Monitoring and Management (RMM) tools are foundational to modern IT operations, but this blog details how attackers increasingly abuse them as a primary access, persistence, and execution mechanism. Rather than recommending the removal of RMM tooling, the blog calls out governance, logging, and monitoring gaps that attackers routinely exploit.

Why These Insights Matter
Across all four blogs, a consistent pattern emerges:
- Attackers target assumptions, not just vulnerabilities
- Defensive tooling is increasingly part of the attack surface
- Visibility gaps, not missing tools, drive dwell time
·binarydefense.com·
Slivering Through The Cracks
Patching, or more specifically, NTDLL patching, is the process of re-writing NTDLL in memory and removing those hooks to blind the security agents.
Figure 1 - NTDLL Patch Execution Flow
Let's review Sliver's code to gain a further understanding of NTDLL patching. `x` holds a pointer to the address of NTDLL's `.text` (executable) section, obtained via `f.section(".text")`.
Figure 3 - writeGoodBytes() Function Breakdown
`writeGoodBytes()` takes several parameters: `b` is an unmodified copy of NTDLL, `pn` is the name of the DLL we wish to overwrite, `virtualoffset` is the virtual address of NTDLL's `.text` section, `secname` is unused, and `vsize` is the size of NTDLL's `.text` section. `dllOffset` equals the base address (the beginning) of the in-memory NTDLL summed with the virtual address of the `.text` section gathered earlier. If this is confusing, keep in mind that virtual memory is a contiguous block: two copies of the same executable look nearly identical in virtual memory, so pointer math between them should line up.
·binarydefense.com·
Threat Hunting
Initial access brokers sell information about or access to compromised computers. Here's how to threat hunt for a known attack behavior involving PowerShell that's used by a prolific initial access broker.
·intel471.com·
Oct 30, 2025 Tracking down The Com
In this Studio 471, Michael Fletcher, a former Cybercrime Technical Analyst with the Australian Federal Police, describes the origin of The Com and how threat actors in this sphere pose a threat.
·intel471.com·
Threat Intelligence
Payment card "checkers" are used by criminal hackers to check the validity of stolen payment card details. Here's how this in-demand underground service works.
·intel471.com·
Threat Intelligence
Intel 471 discovered a new Android trojan, FvncBot, that masquerades as a security application for mBank, a major Polish bank. Our Malware Intelligence team analyzed its code, which is new and not based on other leaked malware code.
·intel471.com·