// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 19, 2025
Signal Brief · Archived

Week of May 19, 2025

2025-05-19 — 2025-05-25 · 9 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 19, 2025, ColdRecon logged 9 public endpoint-security events from open-source reporting — 4 research pocs, 3 incidents, 2 vuln disclosures. Vendors in the record this week: Linux, Palo Alto Networks, Sophos.

The Week's Public Record

Events

2025-05-24
research poc
LoaderGate: C# Shellcode Loader Bypasses Cortex XDR and Sophos EDRLoaderGate
A security researcher released LoaderGate, a C# shellcode loader designed to bypass Palo Alto Cortex XDR and Sophos EDR. The tool demonstrates a specific evasion technique and was published with a detailed blog post. It highlights a potential detection gap in these endpoint security products.
Palo Alto Networks · Sophos ↗ github.com (2025-05-24)
2025-05-23
incident
3AM Ransomware Uses Spoofed IT Calls and Email Bombing to Deploy QDoor via Qemu VM3AM Ransomware Vishing Campaign
The 3AM ransomware group (a rebrand of BlackSuit/Royal) conducted a campaign using email bombing and spoofed IT support calls to trick employees into granting remote access via Microsoft Quick Assist. Attackers then deployed a pre-configured Windows 7 virtual machine with the QDoor trojan via Qemu, maintaining stealthy command and control for nine days while exfiltrating 868GB of data before attempting ransomware deployment. The attack was largely thwarted by Sophos network defenses.
2025-05-22
research poc
Deep Instinct Details LLM-Generated Malware BypassERWDirectSyscallShellcodeLoaderBypassERWDirectSyscallShellcodeLoader
Deep Instinct's DIANNA assistant analyzed a newly discovered malware sample named BypassERWDirectSyscallShellcodeLoader, which was generated using large language models (ChatGPT and DeepSeek). The malware employs multiple evasion techniques including anti-debug, anti-sandbox, process injection, privilege escalation, and ETW bypass to stealthily load shellcode. Deep Instinct claims its deep learning-based DSX platform detected and prevented the threat before other vendors.
2025-05-22
vuln disclosure
OpenAI o3 Model Discovers Remote Use-After-Free Zero-Day in Linux Kernel SMB ImplementationCVE-2025-37899
Security researcher Sean Heelan used OpenAI's o3 model to discover a previously unknown use-after-free vulnerability (CVE-2025-37899) in the Linux kernel's ksmbd SMB server. The vulnerability exists in the handler for the SMB 'logoff' command and involves a race condition where an object without reference counting is freed while still accessible by another thread. This marks one of the first public disclosures of an LLM autonomously finding a zero-day vulnerability.
2025-05-22
research poc
Novel Process Injection Technique Evades EDR by Skipping Memory Allocation and Write StepsCONTEXT-only attack surface
Researchers disclosed a new process injection method on Windows that bypasses EDR detection by using only execution primitives, avoiding the memory allocation and write operations typically monitored. The technique leverages existing strings in shared DLLs and thread context manipulation to load malicious code. A proof-of-concept tool, RedirectThread, was released to demonstrate the method.
2025-05-21
research poc
Proof-of-Concept Tool Claims to Bypass Faceit Anti-Cheat Using Process Cloaking and VirtualizationFaceit-AntiCheat-Bypass-Core
A public repository offers a tool that allegedly bypasses Faceit Anti-Cheat by masking input macros and external overlays through process redirection and virtual machine spoofing. The tool claims to disable Faceit AC detection, enabling cheats in CS2. This represents a potential threat to the integrity of the anti-cheat system.
2025-05-20
vuln disclosure
IBM Security ReaQta EDR Improper SSL Certificate ValidationCVE-2024-45641
CVE-2024-45641 is a vulnerability in IBM Security ReaQta EDR 3.12 that allows unauthorized actions due to improper SSL certificate validation. The flaw could enable an attacker to perform man-in-the-middle attacks or impersonate trusted servers. IBM has released a fix and recommends updating to a corrected version.
2025-05-20
incident
Qilin Ransomware Group Exploits SAP NetWeaver Zero-Day Before Public DisclosureCVE-2025-31324
The Qilin ransomware group exploited CVE-2025-31324, a critical zero-day in SAP NetWeaver Visual Composer, weeks before its public disclosure. The vulnerability allowed unauthenticated attackers to upload web shells for remote code execution. Defensive controls, including EDR, blocked post-exploitation activities, preventing lateral movement and data exfiltration.
2025-05-19
incident
Trojanized KeePass Installer Leads to ESXi Ransomware via Cobalt StrikeKeeLoader
A trojanized KeePass installer, dubbed KeeLoader, was distributed via malvertising for at least eight months, dropping Cobalt Strike beacons and stealing KeePass database credentials. The campaign led to ransomware deployment on VMware ESXi servers, with links to initial access brokers associated with Black Basta ransomware.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →