// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 29, 2023
Signal Brief · Archived

Week of May 29, 2023

2023-05-29 — 2023-06-04 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 29, 2023, ColdRecon logged 7 public endpoint-security events from open-source reporting — 4 research pocs, 2 incidents, 1 vuln disclosure. Vendors in the record this week: Microsoft, Apple, Carbon Black.

The Week's Public Record

Events

2023-06-01
research poc
EDRSandblast-GodFault: EDR kernel callback removal without vulnerable driverEDRSandblast-GodFault
Security researcher Gabriel Landau released EDRSandblast-GodFault, a proof-of-concept tool that removes kernel callbacks from EDR drivers like Microsoft Defender (WdFilter.sys) without using a vulnerable driver. It leverages the GodFault technique to gain kernel-level access and disable process, thread, and image load notifications, as well as ETW Threat Intelligence. This demonstrates a driverless method to blind EDR sensors.
2023-06-01
research poc
LightsOut Tool Generates Obfuscated DLL to Disable AMSI and ETWLightsOut
Security researcher icyguider released LightsOut, an open-source Python tool that generates an obfuscated DLL to disable AMSI and ETW in Windows processes. The tool uses techniques like WinAPI randomization, XOR string encoding, and sandbox checks to evade AV detection. It is intended for penetration testing to execute malicious PowerShell scripts without being blocked.
2023-06-01
incident
Kaspersky Discovers Triangulation Spyware Targeting iOS Devices via Zero-Click iMessage ExploitTriangulation
Kaspersky detected a sophisticated spyware campaign, dubbed Triangulation, targeting iPhones of its employees via zero-click iMessage exploits. The spyware exfiltrates sensitive data including microphone recordings, photos, and geolocation. Detection was achieved through Kaspersky's SIEM, KUMA, which identified anomalous network activity from iOS devices.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
Carbon Black · CrowdStrike · Sophos · SentinelOne · Microsoft · Avast · ESET · Kaspersky · Cylance · Cortex · Trend Micro · Bitdefender · McAfee · Symantec · AVG · 360 Total Security · TOPSEC · Check Point · Malwarebytes · Panda Security · Cybereason · Webroot · VIPRE · Aliyun ↗ www.threatlocker.com (2023-06-01)
2023-05-31
incident
Terminator tool uses BYOVD with Zemana driver to terminate security productsTerminator
A threat actor is selling a tool called Terminator that uses a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate antivirus, EDR, and XDR processes. The tool drops a legitimate but vulnerable Zemana anti-malware driver (zamguard64.sys or zam64.sys) to gain kernel-level privileges and kill security software user-mode processes. CrowdStrike confirmed the technique is a BYOVD attack, not a novel bypass.
2023-05-30
vuln disclosure
macOS SIP bypass vulnerability 'Migraine' (CVE-2023-32369) disclosed by MicrosoftCVE-2023-32369
Microsoft discovered a macOS vulnerability named 'Migraine' that allows a root attacker to bypass System Integrity Protection (SIP) by exploiting the migration daemon's inheritable entitlement. The flaw, tracked as CVE-2023-32369, was patched by Apple on May 18, 2023. It could enable persistent malware, rootkit installation, and expanded attack surface.
2023-05-29
research poc
PatchBoot: UEFI Firmware Patching to Bypass Secure BootPatchBoot
A guide demonstrates patching AMI Aptio V UEFI firmware to disable image signature verification, allowing unsigned executables to load under Secure Boot. This bypasses a foundational platform security feature, potentially enabling malware or cheat software to run undetected.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →