// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 3, 2025
Signal Brief · Archived

Week of February 3, 2025

2025-02-03 — 2025-02-09 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 3, 2025, ColdRecon logged 6 public endpoint-security events from open-source reporting — 5 research pocs, 1 incident. Vendors in the record this week: Palo Alto Networks, CrowdStrike, Sophos.

The Week's Public Record

Events

2025-02-07
research poc
Cortex EDR Ransomware Protection Bypass Proof of Concept ReleasedCortexRansomBypass
A proof-of-concept tool named CortexRansomBypass demonstrates a method to bypass Palo Alto Networks Cortex EDR ransomware protection. The repository includes C# code and links to a detailed blog post explaining the technique. This highlights a potential detection gap in Cortex's anti-ransomware capabilities.
Palo Alto Networks ↗ github.com (2025-02-07)
2025-02-07
research poc
Dark Web Actor Claims to Sell EDR Evasion ToolUnnamed EDR Evasion Tool
A threat actor on the dark web claims to sell a tool that bypasses EDR solutions using advanced cryptographic techniques. The tool reportedly targets CrowdStrike, Sophos, SentinelOne, and FortiClient. This highlights the growing black market for EDR evasion tools.
CrowdStrike · Sophos · SentinelOne · Fortinet ↗ cyberpress.org (2025-02-07)
2025-02-06
research poc
New PoC Shellcode Loader Bypasses ETW and Uses Direct SyscallsBypassETWDirectSyscallShellcodeLoader
A proof-of-concept Windows shellcode loader named BypassETWDirectSyscallShellcodeLoader was published on GitHub. It demonstrates ETW bypass by patching EtwEventWrite, anti-debugging/sandbox checks, dynamic API resolution, and process injection via direct syscalls. The tool is intended for security research and penetration testing.
2025-02-04
research poc
Null Routing Technique Silences EDR CommunicationsNull Routing EDR Disruption
A proof-of-concept demonstrates using null routing (route to 0.0.0.0) to block EDR telemetry by dropping outbound packets to EDR infrastructure IPs. This technique, similar to WFP-based EDRSilencer, prevents alerts from reaching security consoles without disabling the sensor, and was confirmed against multiple top-tier EDR products.
2025-02-04
research poc
New Technique Uses Unicode Path Obfuscation to Bypass EDR as Low-Privileged UserUnicode Path Obfuscation EDR Bypass
A novel attack technique allows a low-privileged standard user to bypass EDR detection by creating a spoofed directory path using Unicode whitespace characters that mimic legitimate security software paths. This masquerading method deceives both automated detection and human analysts, enabling malicious payloads to appear as trusted processes. The technique highlights a gap in endpoint monitoring that relies on process creation paths.
2025-02-03
incident
BeyondTrust Zero-Day Breach Compromises API Key, Affecting 17 Remote Support SaaS CustomersBeyondTrust Zero-Day Breach
BeyondTrust disclosed a zero-day breach where attackers exploited a third-party application vulnerability to access an AWS asset containing an infrastructure API key. The key was used to reset local application passwords in 17 Remote Support SaaS instances. No ransomware or further unauthorized access was detected, and affected instances were quarantined and replaced.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →