// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 20, 2024
Signal Brief · Archived

Week of May 20, 2024

2024-05-20 — 2024-05-26 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 20, 2024, ColdRecon logged 4 public endpoint-security events from open-source reporting — 2 incidents, 1 research poc, 1 vuln disclosure. Vendors in the record this week: Sophos, Microsoft, ESET.

The Week's Public Record

Events

2024-05-26
research poc
BOAZ Multilayered AV/EDR Evasion Framework ReleasedBOAZ
BOAZ is a modular evasion framework that combines signature, heuristic, and behavioral bypass techniques to generate undetectable payloads. It was tested against 14 desktop AVs and 7 EDRs, including Sophos, Windows Defender, and ESET. The tool serves as both an evasion testing utility and a packer/obfuscator for researchers.
2024-05-22
incident
State-Sponsored Actor Abuses VMware VPXUSER Account for Rogue VM PersistenceVMware VPXUSER Abuse
A state-sponsored threat actor compromised MITRE's NERVE network via Ivanti zero-days, then abused VMware VPXUSER privileged account to create rogue VMs directly on ESXi hypervisors, evading vCenter detection. The actor deployed BRICKSTORM backdoor and BEEFLUSH web shell for persistence and C2. This technique bypasses centralized management visibility, allowing stealthy operations.
2024-05-22
incident
GHOSTENGINE Cryptojacking Attack Disables EDRs Using Vulnerable DriversGHOSTENGINE
A sophisticated cryptojacking campaign named GHOSTENGINE leverages vulnerable drivers to terminate endpoint detection and response (EDR) processes before deploying a cryptocurrency miner. The attack demonstrates a practical method for defeating security agents through BYOVD (Bring Your Own Vulnerable Driver) techniques.
2024-05-20
vuln disclosure
Memory Corruption Vulnerability in Fluent Bit Monitoring API (CVE-2024-4323)CVE-2024-4323
Tenable Research discovered a critical memory corruption vulnerability in Fluent Bit's built-in HTTP server, tracked as CVE-2024-4323. The flaw arises from improper validation of input data types in the /api/v1/traces endpoint, potentially leading to denial of service, information disclosure, or remote code execution. Fluent Bit is widely used in cloud monitoring infrastructures, with over 3 billion downloads.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →