// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 21, 2025
Signal Brief · Archived

Week of April 21, 2025

2025-04-21 — 2025-04-27 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 21, 2025, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 research pocs, 2 vuln disclosures, 1 incident. Vendors in the record this week: Microsoft, FireEye, Trellix.

The Week's Public Record

Events

2025-04-24
research poc
AMSI Bypass via Hardware Breakpoints Proof-of-Concept ReleasedHBP-Amsi-Bypass
A proof-of-concept technique was published that bypasses the Windows Antimalware Scan Interface (AMSI) by using hardware breakpoints to modify AmsiScanBuffer behavior at runtime. The method avoids patching AMSI DLLs on disk and leverages CPU debug registers for stealthy memory modification. This demonstrates a novel evasion approach against endpoint security products relying on AMSI.
2025-04-24
incident
Mimic v7.5 Ransomware Targets Healthcare via Clipper Credential HarvestingMimic v7.5 (ELENOR-corp)
Morphisec investigated a healthcare ransomware incident involving Mimic version 7.5, where attackers used previously deployed Clipper malware for credential harvesting and reentry. The attackers employed RDP lateral movement, deployed tools like Mimikatz and Process Hacker, and exfiltrated data via Mega.nz before encrypting files.
2025-04-23
vuln disclosure
CVE-2025-0618: FireEye EDR Agent Persistent Denial of Service VulnerabilityCVE-2025-0618
A persistent denial of service vulnerability in the FireEye EDR agent (now Trellix) allows attackers to permanently disable tamper protection by sending a malformed event. The flaw persists across reboots, leaving endpoints unprotected. Mitigation requires applying vendor patches.
2025-04-22
research poc
Research Reveals WDAC Can Be Weaponized to Disable EDRWDAC Weaponization for EDR Disablement
Security research demonstrates that attackers with administrative privileges can craft malicious Windows Defender Application Control (WDAC) policies to block EDR software from running, effectively disabling endpoint detection. The technique involves placing a custom policy file in the CodeIntegrity folder and rebooting, which can be scaled via Group Policy to affect entire domains. This highlights the need for proactive WDAC policy enforcement and layered defenses.
2025-04-22
vuln disclosure
CVE-2025-32955: Harden-Runner disable-sudo bypass via docker group membershipCVE-2025-32955
Sysdig TRT discovered a vulnerability in the Harden-Runner GitHub Action that allows bypassing its disable-sudo security mechanism. The issue arises because the runner user is a member of the docker group, granting root-equivalent access, which can be exploited to regain sudo privileges. The vulnerability is patched in the latest version.
2025-04-21
research poc
Proof-of-Concept Tool Bypasses libpairipcore Tamper and Signature Protection in Android Appslibpairipcore-bypass
A public GitHub repository provides a Python-based method to bypass libpairipcore, a security component used in Android applications for tamper and signature verification. The technique involves modifying the AndroidManifest.xml to replace a reference to the pairip application class and patching CRC32 checks. This allows attackers to repackage and tamper with protected apps, potentially evading integrity checks.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →