// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 22, 2024
Signal Brief · Archived

Week of April 22, 2024

2024-04-22 — 2024-04-28 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 22, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 2 vuln disclosures, 2 incidents, 1 research poc. Vendors in the record this week: Microsoft, eScan, Kaspersky.

The Week's Public Record

Events

2024-04-26
research poc
Research Demonstrates RASP Bypass in Java via Process InjectionRASP Bypass via JVM Process Injection
A security researcher published a proof-of-concept showing how Runtime Application Self-Protection (RASP) in Java applications can be bypassed using process injection. The technique hijacks the JVM from another process to remove RASP instrumentation probes, undermining the protection. This highlights a weakness in instrumentation-based RASP when the underlying OS environment is compromised.
2024-04-26
vuln disclosure
Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2023-24880)CVE-2023-24880
CVE-2023-24880 is a zero-day vulnerability in Windows SmartScreen that allows attackers to bypass Mark of the Web (MOTW) defenses. Exploited in the wild by financially motivated actors to distribute Magniber ransomware via crafted MSI files with invalid Authenticode signatures. The flaw stems from an incomplete fix for CVE-2022-44698.
2024-04-24
incident
CoralRaider Uses Malicious LNK Files to Evade Antivirus and Deliver InfostealersCoralRaider LNK Antivirus Evasion Campaign
The CoralRaider threat group is conducting a campaign using malicious LNK files to evade antivirus detection and deliver infostealer malware. The attack chain leverages PowerShell, HTA files, and FoDHelper.exe to bypass UAC and add Windows Defender exclusions, ultimately deploying CryptBot, LummaC2, or Rhadamanthys payloads.
2024-04-23
incident
eScan Antivirus Update Mechanism Abused via MitM to Distribute GuptiMiner MalwareGuptiMiner
Hackers performed man-in-the-middle attacks on eScan antivirus updates delivered over HTTP, replacing genuine updates with malware tracked as GuptiMiner. The operation lasted at least five years, leveraging DLL hijacking and custom DNS for stealth. Avast researchers disclosed the issue, and eScan confirmed a fix on 2023-07-31.
2024-04-22
vuln disclosure
Microsoft Defender and Kaspersky EDR File Deletion Vulnerabilities DisclosedCVE-2023-24860
SafeBreach researchers disclosed vulnerabilities in Microsoft Defender and Kaspersky EDR that allow attackers to remotely delete legitimate files by inserting malware byte signatures into them, causing false-positive detections. Microsoft issued patches (CVE-2023-24860, CVE-2023-3601) but initial fixes were bypassed, while Kaspersky acknowledged the issue as a design limitation. The flaws highlight risks in signature-based detection and the difficulty of fully mitigating such design-level weaknesses.
Microsoft · Kaspersky ↗ winbuzzer.com (2024-04-22)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →