// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of August 21, 2023
Signal Brief · Archived

Week of August 21, 2023

2023-08-21 — 2023-08-27 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of August 21, 2023, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 research pocs, 1 incident. Vendors in the record this week: ESET, Palo Alto Networks, Microsoft.

The Week's Public Record

Events

2023-08-25
research poc
Researchers Bypass ESET NOD32 Detection of Metasploit Meterpreter PayloadNOD32 Meterpreter Bypass (2018)
During a penetration test, researchers bypassed ESET NOD32 antivirus by modifying the Meterpreter DLL source and recompiling, and by embedding encoded shellcode in a custom executable with a filename check to evade signature detection. The technique demonstrates a practical AV evasion method using open-source tool customization.
2023-08-25
incident
Threat Actor Uses Modified EDRsandblast Tool to Bypass Cortex XDR in Extortion CampaignEDRsandblast
Unit 42 investigated an extortion attack where a threat actor used a modified version of the open-source EDRsandblast tool, named disabler.exe, to bypass Cortex XDR via a BYOVD technique. The attacker inadvertently exposed their toolkit and identity by connecting rogue endpoints to the victim's network. The tool disabled EDR to allow execution of Mimikatz for credential dumping.
2023-08-21
research poc
Percino: Evasive Golang Loader Using Process Hollowing to Bypass EDRPercino
Percino is an open-source Golang loader that executes shellcode via process hollowing with anti-sandbox and anti-analysis features. It encrypts shellcode with 3DES and claims full EDR bypass, tested against Microsoft Defender for Endpoint with Cobalt Strike.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →