// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 23, 2025
Signal Brief · Archived

Week of June 23, 2025

2025-06-23 — 2025-06-29 · 8 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 23, 2025, ColdRecon logged 8 public endpoint-security events from open-source reporting — 5 research pocs, 2 vuln disclosures, 1 vendor announcement. Vendors in the record this week: Microsoft, Riot Games, Sangfor.

The Week's Public Record

Events

2025-06-27
vendor announcement
Microsoft to Preview Windows Endpoint Security Platform Capabilities for Non-Kernel Security SolutionsMicrosoft-Windows-Endpoint-Security-Platform-Outside-Kernel
Microsoft announced a preview of new Windows endpoint security platform capabilities designed to enable security vendors to build solutions that operate outside the kernel. This architectural shift aims to improve system stability and security by reducing reliance on kernel-mode drivers. The move could reshape how endpoint detection and response products interact with the Windows OS.
2025-06-26
research poc
Valorant Vanguard TPM/Secure Boot Popup Bypass Tool PublishedValorantBypass
A proof-of-concept tool named ValorantBypass was published on GitHub, demonstrating how to temporarily disable and suspend Vanguard anti-cheat processes to bypass the TPM/Secure Boot requirement popup in Valorant. The tool stops the Vanguard service, suspends the watchdog process, and suspends svchost.exe instances loading tpmcore.dll to suppress the popup. It is intended for educational and security research purposes.
2025-06-25
research poc
Check Point Research Documents First Malware Using Prompt Injection to Evade AI DetectionAI Prompt Injection Malware Evasion
Check Point Research discovered the first documented case of malware embedding prompt injection to evade AI-based detection. The technique manipulates AI models into misclassifying malicious content as benign. This represents a novel evasion method targeting AI-powered security tools.
2025-06-25
research poc
Research Demonstrates Multi-Layered Techniques to Bypass Windows Defender for Metasploit PayloadsMetasploit Defender Bypass Techniques
A research article details multiple techniques to execute Metasploit Meterpreter payloads on a fully patched Windows 11 system with Defender enabled. The methods include remote mapping injection, AMSI bypass, sandbox evasion via delayed execution, PPID spoofing, and Defender exclusion abuse. These techniques exploit Windows API quirks rather than vulnerabilities, highlighting the need for layered endpoint defenses.
2025-06-24
vuln disclosure
Critical OS Command Injection in Sangfor EDR Management Platform (Chinese Builds)CVE-2025-34041
A critical OS command injection vulnerability (CVE-2025-34041) exists in the Chinese-language versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. Unauthenticated attackers can send malicious HTTP requests to the EDR Manager interface to achieve arbitrary command execution with elevated privileges. Exploitation was observed in the wild by the Shadowserver Foundation on 2025-02-04.
2025-06-24
research poc
TrampoLatte: Proof-of-Concept AMSI and ETW Bypass Using Trampoline HookingTrampoLatte
A proof-of-concept tool named TrampoLatte demonstrates bypassing AMSI and ETW by using trampoline hooks to alter function execution. It hooks AmsiScanBuffer to always return AMSI_RESULT_CLEAN and hooks EtwpEventWriteFull to return immediately, preventing detection. This technique could allow malicious code to evade endpoint security monitoring.
2025-06-23
research poc
Bypassing Carbon Black and Cortex XDR with InstallUtil Uninstall Method for Reverse ShellInstallUtil Uninstall Bypass
A security researcher demonstrated a technique to bypass Carbon Black's application whitelisting and Cortex XDR's detection by abusing InstallUtil.exe to execute arbitrary C# code, leading to process injection and a reverse shell on a hardened Windows 10 host. The method leverages the Uninstall() function in a crafted .NET executable to perform code injection without triggering endpoint defenses. This highlights a gap in monitoring for legitimate signed binaries used for living-off-the-land attacks.
Carbon Black · Cortex XDR ↗ www.drtcyber.com (2025-06-23)
2025-06-23
vuln disclosure
Hydroph0bia: Insyde H2O UEFI Secure Boot Bypass and DXE Volume ModificationHydroph0bia
A vulnerability in Insyde H2O UEFI firmware allows an attacker with local admin access to bypass Secure Boot and modify the DXE volume during firmware updates. By shadowing NVRAM variables, an attacker can make the firmware trust a self-signed certificate, enabling execution of arbitrary code in the firmware update context where write protections are removed. This can lead to persistent firmware compromise if the FlashDeviceMap is misconfigured.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →