// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of August 4, 2025
Signal Brief · Archived

Week of August 4, 2025

2025-08-04 — 2025-08-10 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of August 4, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 2 incidents, 1 research poc, 1 vuln disclosure, 1 vendor announcement. Vendors in the record this week: Microsoft, Trend Micro, Sophos.

The Week's Public Record

Events

2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
Sophos · Microsoft · Kaspersky · Trend Micro · SentinelOne · McAfee · Bitdefender · Cylance · F-Secure · Symantec · Webroot · HitmanPro ↗ mine2.io (2025-08-08) ↗ zendata.security (2025-08-08) ↗ cyberpress.org (2025-08-07) ↗ www.bleepingcomputer.com (2025-08-07)
2025-08-06
incident
ThrottleStop Driver Abused in BYOVD Attack to Terminate Antivirus ProcessesThrottleStop BYOVD AV Killer
In a recent incident response case in Brazil, attackers used a Bring Your Own Vulnerable Driver (BYOVD) technique with the legitimate ThrottleStop.sys driver to terminate antivirus processes. The attack began with valid RDP credentials, followed by credential theft and lateral movement, ultimately deploying MedusaLocker ransomware. The AV killer has been observed in the wild since at least October 2024.
2025-08-06
research poc
Research Evaluates Four Evasion Techniques Against Microsoft Defender for Endpoint and Cloud AIAdvanced Evasion Techniques Against Microsoft EDR
A research paper tested four advanced evasion techniques against Microsoft Defender for Endpoint and its cloud-based AI/ML protection. The techniques included Early Cryo Bird injection, direct syscalls with encrypted shellcode, ZigStrike injection, and a covert C2 channel via browser native messaging. Results showed that while some techniques bypassed EDR, cloud AI detection caught most, except for the ZigStrike XLL and native messaging C2 methods.
2025-08-05
vuln disclosure
Trend Micro Apex One Management Console Pre-Auth RCE (CVE-2025-54987)CVE-2025-54987
CVE-2025-54987 is a critical pre-authentication remote code execution vulnerability in the Trend Micro Apex One on-premises management console. It allows unauthenticated attackers to upload malicious code and execute arbitrary OS commands via OS command injection. The flaw is similar to CVE-2025-54948 but affects a different CPU architecture.
2025-08-04
vendor announcement
Huntress Announces Agent Tamper Protection FeatureHuntress Agent Tamper Protection
Huntress released a Tamper Protection feature for its endpoint agent to prevent unauthorized users and threat actors from stopping, uninstalling, or manipulating the agent. The feature uses a kernel-mode driver on Windows and a system extension on macOS to protect agent services, files, and registry keys. It is managed via the Huntress portal and can be temporarily disabled for maintenance.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →