// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 7, 2025
Signal Brief · Archived

Week of July 7, 2025

2025-07-07 — 2025-07-13 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 7, 2025, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, CrowdStrike, SentinelOne.

The Week's Public Record

Events

2025-07-13
research poc
PhantomLoad: Stealthy Fileless Shellcode Loader with EDR/AV Evasion ReleasedPhantomLoad
PhantomLoad is a newly released open-source, fileless shellcode loader designed for red team operations. It implements multiple evasion techniques including syscall unhooking, ETW patching, AMSI bypass, and PPID spoofing to bypass endpoint security products. The tool supports payloads from Cobalt Strike, Meterpreter, and BruteRatel, and is explicitly stated to bypass Defender, CrowdStrike, and SentinelOne.
Microsoft · CrowdStrike · SentinelOne ↗ github.com (2025-07-13)
2025-07-08
vuln disclosure
CVE-2025-6995: Ivanti Endpoint Manager Agent Password Decryption VulnerabilityCVE-2025-6995
CVE-2025-6995 is an information disclosure vulnerability in Ivanti Endpoint Manager caused by improper encryption in the agent component. A local authenticated attacker can decrypt other users' passwords stored on the system, enabling credential theft and potential lateral movement. The flaw is classified under CWE-257 (Storing Passwords in a Recoverable Format).
2025-07-07
research poc
RingReaper Linux Malware Uses io_uring for EDR EvasionRingReaper
RingReaper is a Linux malware that leverages io_uring for stealthy operations, evading endpoint detection and response (EDR) tools. It uses a custom protocol and advanced techniques to bypass security monitoring on Linux endpoints.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →