// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of October 23, 2023
Signal Brief · Archived

Week of October 23, 2023

2023-10-23 — 2023-10-29 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of October 23, 2023, ColdRecon logged 7 public endpoint-security events from open-source reporting — 6 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, DANA, VMware.

The Week's Public Record

Events

2023-10-28
research poc
Xposed Module Bypasses DANA App Integrity ChecksBypassDANA
A proof-of-concept Xposed module named BypassDANA was published on GitHub, demonstrating how to bypass the DANA mobile payment app's root and tamper detection. The module hooks security check functions to disable integrity checks, potentially allowing the app to run on compromised devices. This highlights a weakness in client-side integrity enforcement for mobile financial applications.
2023-10-28
research poc
RealBlindingEDR: Kernel Callback Manipulation to Disable Windows Security AgentsRealBlindingEDR
RealBlindingEDR is a proof-of-concept technique that manipulates kernel callbacks to disable endpoint security products on Windows. It hijacks the callback arrays used by EDR/AV drivers to intercept system events, effectively blinding security agents without crashing the system. This demonstrates a novel method to bypass detection by tampering with the agent's kernel-level hooks.
2023-10-28
research poc
PayloadInResources: AV Bypass via Resource-Stored XOR-Encrypted ShellcodePayloadInResources
A proof-of-concept tool demonstrates antivirus bypass by storing XOR-encrypted shellcode in executable resources and using an unconventional process injection method. It includes a sandbox check based on executable path. The technique was tested against Microsoft Defender and may evade some EDRs.
2023-10-27
vuln disclosure
File Descriptor Hijack Vulnerability in open-vm-tools (CVE-2023-34059)CVE-2023-34059
A vulnerability in open-vm-tools allows a local unprivileged user to hijack privileged file descriptors (e.g., /dev/uinput) via ptrace or pidfd_getfd after the setuid-root wrapper drops privileges and executes vmtoolsd. This occurs because the process's dumpable attribute resets to 1, enabling the original user to access the privileged file descriptors. The issue affects most open-vm-tools installations since version 10.3.0.
VMware · open-vm-tools ↗ security.opensuse.org (2023-10-27)
2023-10-25
research poc
Proof-of-Concept Exploit for CVE-2023-41991 CoreTrust Bypass PublishedCVE-2023-41991
A proof-of-concept exploit for CVE-2023-41991 has been released as part of the ChOma library. The vulnerability allows bypassing Apple's CoreTrust code-signing checks, enabling unsigned binaries to appear as App Store-signed and gain arbitrary entitlements. This technique is used in tools like TrollStore and Dopamine for iOS jailbreaking.
2023-10-25
research poc
Malice: A Go-based Malware Development and EDR Evasion Toolkit Published on GitHubmalice
The 'malice' repository by redt1de provides a Go-based toolkit for malware development and EDR evasion, featuring multiple syscall techniques, call stack spoofing, and other evasion methods. It serves as a proof-of-concept demonstrating how attackers can bypass endpoint security products using advanced techniques. The toolkit includes implementations like direct/indirect syscalls, hardware breakpoint syscalls, and SilentMoonwalk desync, posing a threat to EDR detection capabilities.
2023-10-24
research poc
AMSI-Reaper: Open-Source Tool Bypasses Windows AMSI via Memory PatchingAMSI-Reaper
Security researcher h0ru released AMSI-Reaper, a PowerShell and C# tool that bypasses the Windows Antimalware Scan Interface (AMSI) by injecting code into AMSI component memory. The tool demonstrates that AMSI can be disabled in real-time, allowing previously blocked malicious scripts like Invoke-Mimikatz to execute. This proof-of-concept highlights a persistent evasion technique relevant to endpoint security testing.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →