// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 26, 2025
Signal Brief · Archived

Week of May 26, 2025

2025-05-26 — 2025-06-01 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 26, 2025, ColdRecon logged 7 public endpoint-security events from open-source reporting — 4 incidents, 2 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, SentinelOne, McAfee.

The Week's Public Record

Events

2025-06-01
research poc
Ebyte-ETW-Redirector: ETW Bypass via Runtime Function HookingEbyte-ETW-Redirector
A proof-of-concept tool named Ebyte-ETW-Redirector was published on GitHub, demonstrating a method to bypass Event Tracing for Windows (ETW) by injecting a custom assembly proxy into a target process. The tool hooks ETW functions like EtwEventWrite and NtTraceEvent to redirect or suppress event logging, potentially allowing malicious activity to evade detection by security products that rely on ETW. This technique highlights a weakness in endpoint detection mechanisms that depend on ETW for telemetry.
2025-05-31
vuln disclosure
Microsoft 365 Copilot Zero-Click Prompt Injection Vulnerability 'EchoLeak' DisclosedCVE-2025-32711
Researchers disclosed a critical zero-click vulnerability in Microsoft 365 Copilot that allowed prompt injection via email to exfiltrate sensitive data. The flaw, tracked as CVE-2025-32711, bypassed classifiers and markdown link redaction. Microsoft patched the issue before public disclosure, with no known exploitation.
2025-05-31
research poc
Vulnhuntr: LLM-Powered Zero-Shot Vulnerability Discovery ToolVulnhuntr
Vulnhuntr is an open-source tool that uses LLMs and static code analysis to autonomously discover remotely exploitable vulnerabilities in Python codebases. It has identified multiple zero-day vulnerabilities, including CVEs in popular repositories, by analyzing call chains from user input to server output. The tool supports vulnerability classes such as LFI, RCE, XSS, and SQL injection.
2025-05-30
incident
Conti Ransomware Gang Leaks Internal EDR Evasion Tier ListConti EDR Tier List Leak
The Conti ransomware group leaked an internal ranking of endpoint detection and response (EDR) products based on their ease of bypass during real-world attacks. The list places Microsoft Defender for Endpoint, McAfee, and Webroot in the lowest tier, while CrowdStrike is ranked highest. The leak highlights that even top-tier EDRs can be evaded, especially when poorly configured, and underscores the importance of defense-in-depth and proper security tool configuration.
Microsoft · McAfee · Webroot · CrowdStrike · SentinelOne · Bitdefender · VMware · Cisco ↗ threatlabsnews.xcitium.com (2025-05-30)
2025-05-29
incident
SentinelOne Global Service Interruption Due to Infrastructure Control System FlawSentinelOne Global Service Interruption May 2025
On May 29, 2025, SentinelOne experienced a global service disruption caused by a software flaw in an outgoing infrastructure control system that deleted critical network routes. Customer endpoints remained protected, but the management console and related services were unavailable, impacting security operations. The incident was not security-related and did not affect Federal GovCloud environments.
2025-05-29
incident
ConnectWise ScreenConnect Breach Linked to Nation-State Attackers Exploiting CVE-2025-3935CVE-2025-3935
ConnectWise disclosed a breach by a suspected nation-state actor that impacted a limited number of cloud-hosted ScreenConnect customers. The incident is linked to exploitation of CVE-2025-3935, a ViewState code injection vulnerability patched in April 2025. Attackers may have stolen machine keys to achieve remote code execution on ScreenConnect servers.
2025-05-27
incident
Play Ransomware Hits 900 Organizations, Exploits SimpleHelp VulnerabilitiesPlay Ransomware
The Play ransomware group has compromised approximately 900 organizations since June 2022, using double-extortion tactics. The group exploits SimpleHelp RMM vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) for initial access and recompiles ransomware per attack to evade detection. An ESXi variant also targets virtual machines.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →