// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of August 12, 2024
Signal Brief · Archived

Week of August 12, 2024

2024-08-12 — 2024-08-18 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of August 12, 2024, ColdRecon logged 4 public endpoint-security events from open-source reporting — 2 research pocs, 1 incident, 1 vuln disclosure. Vendors in the record this week: Microsoft, TeamT5.

The Week's Public Record

Events

2024-08-18
research poc
DseDisabler: Tool to Disable Driver Signature Enforcement via g_CiOptions PatchDseDisabler
DseDisabler is a proof-of-concept tool that disables Windows Driver Signature Enforcement (DSE) by patching the g_CiOptions variable in the kernel. It uses a ring0 driver without IOCTL communication and supports manual mapping. The tool bypasses PatchGuard protection on CI.dll by suggesting methods like loading NoBsodDriver or using EfiGuard.
2024-08-16
research poc
PandaLoader: A WIP Shellcode Loader Bypassing AV/EDRPandaLoader
PandaLoader is a publicly available proof-of-concept shellcode loader written in C++ that employs multiple evasion techniques to bypass antivirus and EDR detection. It uses XOR encryption, APC injection, ETW patching, and anti-VM checks to stealthily execute payloads. The tool includes a builder for custom payload generation and is intended for red team use.
2024-08-14
incident
RansomHub Ransomware Integrates EDRKillShifter to Disable Endpoint SecurityEDRKillShifter
The RansomHub ransomware group, tracked as Water Bakunawa, has integrated the EDRKillShifter tool into its attack chain to disable endpoint detection and response (EDR) and antivirus protections. EDRKillShifter exploits vulnerable drivers to terminate security processes, enhancing persistence and evasion. This technique was observed in a recent incident analyzed by Trend Micro, highlighting the group's evolving capabilities to bypass traditional endpoint defenses.
2024-08-12
vuln disclosure
CVE-2024-7694: TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload Vulnerability Actively ExploitedCVE-2024-7694
CVE-2024-7694 is an unrestricted file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware that allows remote attackers with administrator privileges to upload malicious files and execute arbitrary system commands on the server. It has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The vulnerability has a CVSS 3.1 score of 7.2 (HIGH).
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →