// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 28, 2025
Signal Brief · Archived

Week of July 28, 2025

2025-07-28 — 2025-08-03 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 28, 2025, ColdRecon logged 7 public endpoint-security events from open-source reporting — 3 research pocs, 2 vuln disclosures, 2 incidents. Vendors in the record this week: Linux, Carbon Black, Elastic.

The Week's Public Record

Events

2025-08-01
research poc
EDR-Freeze Technique Bypasses EDR via Windows Error ReportingEDR-Freeze
A new technique named EDR-Freeze uses Windows Error Reporting (WER) to disable endpoint detection and response (EDR) and antivirus processes without requiring vulnerable drivers. It works by redirecting the WerFault.exe process to overwrite the target security product's executable with a benign file, effectively putting the security tool to sleep.
2025-08-01
vuln disclosure
Linux Kernel AF_UNIX MSG_OOB Use-After-Free VulnerabilityCVE-2025-38236
A use-after-free vulnerability (CVE-2025-38236) was discovered in the Linux kernel's implementation of MSG_OOB for AF_UNIX stream sockets, affecting versions >=6.9. The bug was reachable from the Chrome renderer sandbox on Linux, allowing potential privilege escalation from native code execution to kernel level. The vulnerability was reported and fixed, and Chrome has since blocked MSG_OOB in renderers.
2025-07-30
incident
Qilin Ransomware Uses TPwSav.sys Driver to Disable EDRQilin Ransomware BYOVD with TPwSav.sys
The Qilin ransomware group has adopted a bring-your-own-vulnerable-driver (BYOVD) technique using the legitimate but vulnerable Toshiba driver TPwSav.sys to disable endpoint detection and response (EDR) systems. The attack chain involves DLL sideloading via a Carbon Black update tool and a customized EDRSandblast tool to achieve kernel-level memory manipulation. This allows the ransomware to remove EDR kernel callbacks and evade detection before encrypting files.
2025-07-30
research poc
Attackers Use Free EDR Trials to Disable Existing Security ProtectionsBYOEDR
Researchers describe a technique where attackers install free trial versions of EDR software on compromised endpoints to disable or interfere with existing security products. This 'Bring Your Own EDR' (BYOEDR) method leverages the high privileges and kernel access of EDR agents to tamper with legitimate defenses. The technique highlights a gap in how security tools manage conflicts with other EDRs.
2025-07-30
vuln disclosure
CVE-2025-25011: Elastic Beats Uncontrolled Search Path Element Leading to Local Privilege EscalationCVE-2025-25011
CVE-2025-25011 is a high-severity vulnerability in Elastic Beats version 8.0.0 caused by insecure directory permissions. An attacker with local low-privilege access can exploit uncontrolled search path elements to move or delete arbitrary files, potentially escalating to SYSTEM privileges. No public exploits have been reported yet, but the flaw poses a significant risk to environments using Beats for data shipping and monitoring.
2025-07-29
incident
CISA Advisory on Scattered Spider Cybercriminal Group TTPsScattered Spider
CISA and international partners released an updated advisory detailing Scattered Spider's tactics, techniques, and procedures as of June 2025. The group uses sophisticated social engineering, MFA bypass, and SIM swapping to gain initial access, then deploys ransomware like DragonForce for data extortion. The advisory provides mitigations for critical infrastructure and commercial facilities.
2025-07-28
research poc
XWorm V6 Introduces Advanced Evasion and AMSI Bypass TechniquesXWorm V6 AMSI Bypass
Netskope Threat Labs analyzed XWorm V6.0, revealing new evasion features including AMSI bypass, stealthy delivery, and anti-analysis capabilities. This version enhances the malware's ability to avoid detection by endpoint security products.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →