// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 17, 2025
Signal Brief · Archived

Week of March 17, 2025

2025-03-17 — 2025-03-23 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 17, 2025, ColdRecon logged 4 public endpoint-security events from open-source reporting — 2 incidents, 1 vuln disclosure, 1 research poc. Vendors in the record this week: Checkpoint, Palo Alto Networks.

The Week's Public Record

Events

2025-03-21
incident
Threat Actors Exploit Checkpoint ZoneAlarm Driver in BYOVD Attack to Bypass Windows SecurityBYOVD via Checkpoint vsdatant.sys
Attackers used a vulnerable Checkpoint ZoneAlarm driver (vsdatant.sys) in a Bring Your Own Vulnerable Driver (BYOVD) attack to gain kernel-level privileges, bypass Windows Memory Integrity, and disable endpoint security. The driver's valid digital signature allowed it to evade detection by EDR solutions. The attack enabled persistent RDP access and credential theft.
2025-03-21
incident
MEDUSA Ransomware Campaign Uses ABYSSWORKER Driver to Disable EDRABYSSWORKER
A financially motivated campaign deployed MEDUSA ransomware using a HEARTCRYPT-packed loader and the ABYSSWORKER driver, a revoked certificate-signed driver from a Chinese vendor. The driver disables EDR systems by manipulating system processes, removing security hooks, and terminating security drivers. Attackers bypassed certificate validation by disabling Windows Time Service and setting the system date to 2012.
2025-03-19
vuln disclosure
CVE-2025-0121: Cortex XDR Agent for Windows Null Pointer Dereference Allows Local Crash and Detection BypassCVE-2025-0121
A null pointer dereference vulnerability (CVE-2025-0121) in Palo Alto Networks Cortex XDR agent on Windows allows a low-privileged local user to crash the agent. Malware can exploit this to perform malicious activity without detection. The issue is fixed in agent versions 8.6.1, 8.5.2, and later hotfixes.
2025-03-18
research poc
PoC Tool Demonstrates Kernel Callback Removal to Bypass EDR Detectionskernel-callback-removal
A proof-of-concept tool demonstrates techniques to remove kernel callbacks used by EDR products, bypassing their detection mechanisms. It includes a new undisclosed method that overwrites callback functions with KCFG-compliant returns to evade integrity checks. The project targets kernel notify routines, minifilter, network callout, and ETW-TI callbacks.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →