Signal Brief · Archived
Week of September 15, 2025
The Week's Public Record
Events
2025-09-21
research poc
Research PoC Demonstrates ETW Bypass Using Direct Syscalls and In-Memory Patching of NtTraceEventETW Patching via Direct Syscalls
A research article details a method to bypass Event Tracing for Windows (ETW) by patching the NtTraceEvent syscall in memory with a RET instruction. The technique uses direct system calls and manual PE parsing to evade EDR hooks, effectively disabling ETW-based telemetry for stealthy operations.
2025-09-20
vuln disclosure
Moxa EDR-810 Server Agent Information Disclosure VulnerabilityCVE-2017-12128
An information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A remote attacker can send a specially crafted TCP packet to trigger the vulnerability, potentially exposing sensitive information. The vulnerability has a CVSS v3 base score of 7.5 (High).
2025-09-20
vuln disclosure
McAfee Agent 5.x prior to 5.7.3 Multiple VulnerabilitiesCVE-2021-31839, CVE-2021-31840
McAfee Agent versions 5.x before 5.7.3 contain two vulnerabilities: improper privilege management allowing local authenticated attackers to edit the agent event log (CVE-2021-31839), and an unsigned DLL preloading attack enabling loading of malicious libraries (CVE-2021-31840). These flaws could allow attackers to manipulate security event data or execute arbitrary code on endpoints.
2025-09-19
research poc
SentinelOne Research on Hunting LLM-Enabled Malware via Embedded Prompts and API KeysLLM-Enabled Malware Hunting Methodology
SentinelOne researchers presented a methodology for hunting LLM-enabled malware by pattern matching against embedded API keys and prompt structures. They identified previously unknown samples, including what may be the earliest known LLM-enabled malware dubbed 'MalTerminal', and discussed detection challenges posed by runtime code generation.
2025-09-16
vuln disclosure
CVE-2025-55118: Control-M/Agent Heap-Based Buffer Overflow in SSL/TLS HandlingCVE-2025-55118
CVE-2025-55118 is a heap-based buffer overflow vulnerability in BMC Control-M/Agent that can be triggered remotely when non-default SSL/TLS configurations are used. The flaw allows memory corruption, potentially leading to denial of service or arbitrary code execution. Mitigation involves reviewing and changing the affected configuration settings.
2025-09-16
incident
CrowdStrike npm Packages Compromised in Shai-Halud Supply Chain AttackShai-Halud supply chain attack (CrowdStrike npm compromise)
Multiple npm packages published by CrowdStrike were compromised in an ongoing supply chain attack linked to the Shai-Halud campaign. The malicious packages contained a script that downloads TruffleHog to steal secrets and creates unauthorized GitHub Actions workflows for persistence. CrowdStrike confirmed the Falcon sensor and platform are not impacted.
2025-09-16
incident
EvilAI malware campaign uses AI-generated code to target critical infrastructureEvilAI
Trend Micro researchers discovered the EvilAI malware campaign exploiting AI-generated code to breach critical sectors globally. The campaign leverages AI to craft evasive malware, posing a significant threat to endpoint security. This incident highlights the emerging risk of AI-assisted attacks bypassing traditional defenses.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.