// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 24, 2025
Signal Brief · Archived

Week of February 24, 2025

2025-02-24 — 2025-03-02 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 24, 2025, ColdRecon logged 4 public endpoint-security events from open-source reporting — 2 incidents, 2 research pocs. Vendors in the record this week: Microsoft, Riot Games, Adlice Software.

The Week's Public Record

Events

2025-03-02
incident
Physical Memory Manipulation Exploit Bypasses Vanguard Anti-CheatVanguard-Physical-Memory-Bypass
A reverse-engineered exploit used physical memory manipulation to manually map an unsigned driver into kernel space, bypassing Vanguard's protections and Windows Driver Signature Enforcement. The technique was widely used in cheat clients approximately three months ago and has since been patched by Vanguard. The repository provides a technical analysis for educational purposes, with key components removed to prevent misuse.
2025-03-02
research poc
VBMetaDisguiser Magisk Module Released to Spoof Verified Boot PropertiesVBMetaDisguiser
A new Magisk module, VBMetaDisguiser, has been released to disguise vbmeta properties and other system attributes on rooted Android devices. It aims to bypass bootloader unlock detection and other integrity checks used by security apps. The module modifies system properties without flashing, potentially evading detection mechanisms that rely on these properties.
2025-02-28
research poc
Demonstration of EDR Evasion Against Microsoft Defender Using AMSI/ETW Bypass and DNS TunnelingEDR Evasion In Action: Evading Microsoft Defender
A proof-of-concept demonstration shows evasion of Microsoft Defender by downloading malicious code into memory via PowerShell from a trusted GitHub URL, then patching AMSI and ETW to prevent scanning and logging. DNS tunneling is used for C2, and the attack proceeds without Defender alerts, while the Lumu platform detects the anomaly.
2025-02-24
incident
Attackers Bypass Microsoft Driver Blocklist Using Tampered TrueSight.sys DriverLegacy Driver Exploitation via TrueSight.sys Certificate Padding Bypass
In June 2024, threat actors exploited a legacy version of the TrueSight.sys driver (v2.0.2.0) to bypass Microsoft's Vulnerable Driver Blocklist and terminate security processes. They tampered with the driver's WIN_CERTIFICATE padding area to maintain a valid signature, evading certificate verification. This allowed deployment of Gh0stRAT malware and disabling of endpoint defenses.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →