// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 16, 2025
Signal Brief · Archived

Week of June 16, 2025

2025-06-16 — 2025-06-22 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 16, 2025, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, Palo Alto Networks, Trend Micro.

The Week's Public Record

Events

2025-06-19
research poc
Signature Kid Tool Demonstrates Digital Signature Spoofing to Bypass Kernel-Mode ProtectionsSignature Kid
Security researcher David Lee released a proof-of-concept tool called Signature Kid that spoofs digital signatures on PE files. The tool copies a valid signature from a signed file to an unsigned one and manipulates registry keys to bypass Windows signature validation. This allows attackers to load malicious DLLs into protected processes, evading EDR, anti-cheat, and kernel-mode callbacks.
2025-06-18
research poc
Red Team Evasion of Cortex XDR via COM Profiler Injection and AMSI BypassCortex XDR COM Profiler AMSI Bypass
A red team engagement demonstrated a multi-stage evasion chain against Cortex XDR, bypassing PowerShell execution policies, injecting a malicious .NET profiler via COM hooks, and disabling AMSI in memory without admin privileges. The attack went undetected by default Cortex XDR analytics, prompting a forensic report to the vendor and subsequent patching.
Palo Alto Networks ↗ medium.com (2025-06-18)
2025-06-17
vuln disclosure
Trend Micro Deep Security Agent 20.0 Link Following Denial of Service VulnerabilityCVE-2025-30642
CVE-2025-30642 is a link following vulnerability in Trend Micro Deep Security Agent 20.0 that allows a local low-privileged attacker to cause a denial of service on Windows systems. The flaw stems from improper handling of symbolic links during privileged file operations, enabling service disruption without user interaction. This vulnerability affects agent availability and security monitoring capabilities.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →