// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 10, 2025
Signal Brief · Archived

Week of November 10, 2025

2025-11-10 — 2025-11-16 · 14 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 10, 2025, ColdRecon logged 14 public endpoint-security events from open-source reporting — 8 research pocs, 3 incidents, 3 vuln disclosures. Vendors in the record this week: Microsoft, Entrust, Oracle.

The Week's Public Record

Events

2025-11-14
research poc
EfiGuard Bootkit Disables Windows PatchGuard and Driver Signature EnforcementEfiGuard
EfiGuard is an open-source UEFI bootkit that patches the Windows kernel during boot to disable PatchGuard and Driver Signature Enforcement (DSE). It operates before the OS loads, allowing unsigned drivers and kernel modifications without triggering security checks. This demonstrates a persistent, pre-OS attack vector against endpoint security mechanisms.
2025-11-14
research poc
ZREBypass: A Tool for AV/EDR Evasion via Binary, Shellcode, and Webshell ObfuscationZREBypass
ZREBypass is a publicly released tool that applies encryption and anti-analysis techniques to binaries, shellcode, and webshells to evade detection by security products. It integrates anti-debugging, anti-VM, and anti-sandbox checks, lowering the barrier for attackers to bypass endpoint defenses.
2025-11-14
research poc
Rust-Based AMSI Memory Patching Technique DemonstratedAMSI Memory Patching via Rust
A red teamer demonstrates patching the AmsiScanBuffer function in memory using Rust to bypass Windows Antimalware Scan Interface (AMSI). The technique loads amsi.dll, locates AmsiScanBuffer, and overwrites its instructions to always return AMSI_RESULT_CLEAN, effectively disabling script content scanning. This allows execution of malicious PowerShell scripts without detection by AMSI-integrated security products.
2025-11-14
incident
Cl0p Ransomware Breaches Entrust via Oracle E-Business Suite Zero-DayCVE-2025-61882
The Cl0p ransomware group claims to have breached security vendor Entrust by exploiting CVE-2025-61882, a zero-day remote code execution vulnerability in Oracle E-Business Suite. The flaw, rated CVSS 9.8, allows unauthenticated attackers to execute code remotely. Entrust confirmed the breach and is investigating, while Oracle released a patch in October 2025.
Entrust · Oracle ↗ tornews.com (2025-11-14)
2025-11-14
incident
RONINGLOADER Campaign Uses Signed Drivers to Disable Microsoft Defender and Bypass EDRRONINGLOADER
Elastic Security Labs discovered a campaign by Dragon Breath APT using a loader called RONINGLOADER that abuses signed kernel drivers to disable Microsoft Defender and other endpoint security products. The malware employs multi-stage evasion including PPL abuse, custom WDAC policies, and process termination to deploy the gh0st RAT. This represents an escalation in APT capabilities for neutralizing security tools.
Microsoft · Kingsoft · Tencent · Qihoo 360 · Huorong ↗ gbhackers.com (2025-11-14)
2025-11-14
vuln disclosure
Fortinet Discloses Actively Exploited Zero-Day in FortiWeb WAFCVE-2025-64446
Fortinet confirmed a critical path confusion vulnerability (CVE-2025-64446) in FortiWeb's GUI component was silently patched after being exploited in the wild. Unauthenticated attackers can execute administrative commands via crafted HTTP/HTTPS requests, creating new admin accounts on exposed devices. The flaw affects multiple FortiWeb versions and has been added to CISA's Known Exploited Vulnerabilities catalog.
2025-11-14
vuln disclosure
Qualys Cloud Agent for macOS Local Privilege Escalation via PATH Manipulation in Uninstall ScriptCVE-2025-43079
A local privilege escalation vulnerability exists in the Qualys Cloud Agent for macOS uninstall script (qagent_uninstall.sh) due to unsafe PATH handling. An attacker with sudo access can manipulate the PATH environment variable to execute arbitrary commands as root during agent uninstallation. The vulnerability affects versions up to 5.1.x and has not been exploited in the wild.
2025-11-13
research poc
Researcher Demonstrates Physical Bypass of Windows Tamper ProtectionWindows Tamper Protection Physical Bypass
A penetration tester discovered a method to disable Windows Tamper Protection with physical access, enabling remote code execution via a C2 connection. The finding highlights that physical access can undermine a key defense designed to prevent automated tampering of Microsoft Defender settings. The researcher is coordinating responsible disclosure with Microsoft and has not released technical details.
2025-11-13
research poc
Process Argument Spoofing via TLS Callbacks Evades EDR DetectionTLS-ProcArgs-Spoofing
A proof-of-concept demonstrates using Thread Local Storage (TLS) callbacks to modify process command-line arguments after kernel-level EDR logging but before main() execution. This allows malicious arguments to be hidden from security tools that monitor process creation, evading detection without suspicious patterns like suspended processes or cross-process memory writes.
2025-11-13
research poc
Registry Tradecraft Evasion Using RegRestoreKeyRegRestoreKey
A researcher demonstrated a method to evade EDR detection by using the RegRestoreKey API to revert registry changes made by malicious actions, effectively hiding indicators of compromise. The technique bypasses registry-based detections that rely on current state or event logs, as the restoration can occur before telemetry is processed. This matters because many EDR solutions depend on registry monitoring for threat detection.
2025-11-11
vuln disclosure
CVE-2025-10905: Avast Free Antivirus MiniFilter Driver Collision Allows Disabling ProtectionCVE-2025-10905
A vulnerability in the MiniFilter driver of Avast Free Antivirus before version 25.9 on Windows allows a local attacker with administrative privileges to disable real-time protection and self-defense mechanisms. This could leave the endpoint unprotected against malware. The issue is resolved in version 25.9.
2025-11-11
research poc
Silencing EDR via Windows Kernel Debugging (kd.exe)EDR-Silence-via-Kernel-Debugger
A technique uses the legitimate Microsoft-signed kernel debugger (kd.exe) to nullify EDR kernel callbacks, bypassing detection without loading a vulnerable driver. It requires enabling debug mode and a reboot, then leverages the Debug API to write zeros to callback arrays, effectively deafening the EDR while it appears operational.
2025-11-10
research poc
KVC Framework Released for Kernel-Level Security Research and EDR EvasionKVC
The KVC (Kernel Vulnerability Capabilities) framework was published as an open-source tool for Windows security research. It enables unsigned driver loading via DSE bypass and manipulation of process protections to dump LSASS memory, even on systems with HVCI/VBS enabled. The tool is intended for authorized penetration testing and education.
2025-11-10
incident
Kimsuky APT Uses Microsoft Tools for Invisible BackdoorKimsuky LotL LotC Backdoor
North Korean APT group Kimsuky is using living-off-the-land (LotL) and living-off-the-cloud (LotC) techniques to deploy a fileless backdoor that evades endpoint detection. The attack chain starts with a malicious .LNK file that executes regsvr32.exe to load a malicious DLL, then uses the Outlook Web API for command and control. This allows the backdoor to blend in with normal Microsoft traffic, bypassing EDR and DLP solutions.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →