// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 18, 2024
Signal Brief · Archived

Week of March 18, 2024

2024-03-18 — 2024-03-24 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 18, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 research pocs, 1 vuln disclosure, 1 incident. Vendors in the record this week: Fortinet, CrowdStrike, SentinelOne.

The Week's Public Record

Events

2024-03-22
vuln disclosure
FortiClientEMS SQL Injection in DAS Component Allows Remote Code ExecutionCVE-2023-48788
Fortinet disclosed CVE-2023-48788, a critical SQL injection vulnerability in the FortiClient Enterprise Management Server (EMS) DAS component. The flaw allows unauthenticated remote attackers to execute arbitrary code via crafted requests. Active exploitation has been observed in the wild, with attackers using xp_cmdshell to run commands and download malware.
2024-03-22
research poc
HookChain EDR Evasion Framework ReleasedHookChain
A new open-source evasion framework named HookChain has been published, designed to bypass Endpoint Detection and Response (EDR) solutions. It uses IAT hooking, dynamic system service number resolution, and indirect system calls to hide malicious payloads. The tool claims to evade detection by several major EDR products.
2024-03-22
research poc
Misery Loader Published as Open-Source EDR Bypass ToolMisery Loader
A new open-source tool called Misery Loader has been published on GitHub, designed to bypass modern EDR solutions. It implements techniques such as NTDLL unhooking, early bird injection, sandbox bypass via API hammering, and compile-time API hashing. The tool is intended for red team operations and demonstrates multiple evasion methods.
2024-03-21
research poc
Voidgate Technique Bypasses AV/EDR Memory Scanners via On-the-Fly Instruction DecryptionVoidgate
A new technique called Voidgate demonstrates bypassing AV/EDR memory scanners by keeping shellcode encrypted except for the single instruction currently executing. It uses hardware breakpoints and a vectored exception handler to decrypt and re-encrypt instructions on the fly. This renders memory scanning ineffective for the protected page, allowing known malicious shellcodes like msfvenom to evade detection.
2024-03-21
incident
Turla Deploys TinyTurla-NG Implant with Antivirus Exclusion BypassTinyTurla-NG
Russian espionage group Turla compromised a European NGO, deploying the TinyTurla-NG (TTNG) implant. Attackers first added exclusions to Microsoft Defender to evade detection, then established persistence via a malicious service. They used Chisel for tunneling and lateral movement, repeating the process on new systems.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →