// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 24, 2024
Signal Brief · Archived

Week of June 24, 2024

2024-06-24 — 2024-06-30 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 24, 2024, ColdRecon logged 7 public endpoint-security events from open-source reporting — 5 research pocs, 1 vuln disclosure, 1 incident. Vendors in the record this week: Microsoft, AppSealing, CoSoSys.

The Week's Public Record

Events

2024-06-30
research poc
EDRPrison Tool Uses WinDivert to Block EDR TelemetryEDRPrison
Researchers released EDRPrison, a proof-of-concept tool that blocks EDR agent telemetry by intercepting and filtering packets with WinDivert. It improves upon the earlier EDRSilencer by correlating packets to EDR processes more efficiently, potentially evading detection. The technique highlights a method to silence EDR communications without process manipulation.
2024-06-29
research poc
Xposed Module AppPealing Bypasses Inka AppSealing on Android 14AppPealing
A proof-of-concept Xposed module named AppPealing was released on XDA Forums that disables Inka AppSealing, a mobile application security solution. The module can dump encrypted Dex files, disable cheat detection, and bypass root detection. The developer received a DMCA takedown notice from AppSealing, indicating the tool's effectiveness against their protections.
2024-06-27
vuln disclosure
CVE-2024-36075: CoSoSys Endpoint Protector and Unify Agent Remote Code ExecutionCVE-2024-36075
A remote code execution vulnerability exists in CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6. The flaw stems from insecure extraction of an archive obtained from the server, allowing an attacker who can modify the server archive to execute arbitrary code as administrator on the endpoint.
2024-06-27
research poc
Using Signed Minifilters to Disable EDR SystemsMinifilter EDR Disable
A security researcher demonstrates a technique to disable EDR systems by loading a custom signed minifilter driver that blocks access to EDR-related files, preventing EDR processes from starting. The method was tested against Microsoft Defender and Elastic EDR, allowing execution of tools like Mimikatz without detection.
2024-06-27
research poc
Tool Published to Bypass Google Play Protect Integrity Checks via Pairipcorebypass_pairipcore
A GitHub repository offers a tool and paid service to remove Google Play Protect's integrity verification (pairipcore) from Android APKs, allowing repackaged or modified apps to run without signature or integrity checks. The tool targets offline Unity games and other apps, bypassing Google's app protection mechanisms. This demonstrates a practical method to defeat Google Play Protect's endpoint security features on Android devices.
2024-06-26
research poc
Signature-Based EDR Bypass Using XOR-Encrypted Shellcode in GoXOR-Encrypted Shellcode Loader
A red team article demonstrates bypassing signature-based detection in Windows Defender and Bitdefender by encrypting Meterpreter shellcode with XOR and executing it via a custom Go loader. The technique evades static signatures by obfuscating the payload, allowing execution on a live system. This highlights a common evasion method that relies on the absence of runtime behavioral detection.
Microsoft · Bitdefender ↗ kaganeglence.com (2024-06-26)
2024-06-26
incident
Snowblind malware abuses Android seccomp to bypass app anti-tamperingSnowblind
A novel Android malware named Snowblind abuses the Linux kernel seccomp feature to bypass anti-tampering protections in apps. It repackages target apps to steal credentials and gain remote control via accessibility services, remaining invisible to users. The technique has been observed in the wild targeting a Southeast Asian customer of i-Sprint.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →