// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 24, 2025
Signal Brief · Archived

Week of November 24, 2025

2025-11-24 — 2025-11-30 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 24, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 4 research pocs, 1 incident. Vendors in the record this week: CrowdStrike.

The Week's Public Record

Events

2025-11-30
research poc
Researchers Demonstrate LLM-Based Technique to Bypass Behavioral EDRLLM-based behavioral EDR bypass
Security researchers have developed a method using large language models (LLMs) to craft malware that evades behavioral detection by endpoint detection and response (EDR) systems. The technique leverages LLMs to generate code that mimics legitimate user behavior, effectively bypassing behavioral analysis engines. This proof-of-concept highlights a potential new attack vector against modern endpoint security solutions.
2025-11-29
research poc
Mandiant M-Trends 2026 Report Discloses PROMPTFLUX and PROMPTSTEAL: Malware That Queries LLMs Mid-Execution to Evade DetectionPROMPTFLUX
Mandiant's M-Trends 2026 report reveals two new malware families, PROMPTFLUX and PROMPTSTEAL, that actively query large language models during execution to dynamically adapt their behavior and evade traditional endpoint detection. PROMPTFLUX uses LLM responses to select evasion techniques based on the target environment, while PROMPTSTEAL focuses on extracting proprietary ML models via distillation attacks. This represents a shift from AI-generated malware to AI-driven runtime adaptation, breaking signature and behavior-based defenses.
2025-11-26
research poc
Potential Persistence via New AMSI Providers Detected in RegistryAMSI Provider Persistence
A detection rule identifies when a new AMSI provider is added via the Windows Registry, which attackers can use to bypass AMSI protections. This technique allows malicious code to evade script content scanning by registering a rogue AMSI provider. The rule helps defenders detect such persistence mechanisms.
2025-11-24
incident
CrowdStrike Insider Leaked Dashboard Screenshots to CybercriminalsCrowdStrike Insider Screenshot Leak
A CrowdStrike insider was terminated after sharing screenshots of internal dashboards, including an Okta SSO panel, with the financially motivated group Scattered Lapsus$ Hunters. The group falsely claimed a system breach, but CrowdStrike confirmed no compromise occurred and customer protections remained intact. The incident highlights insider threat risks to security vendors.
2025-11-24
research poc
Offensive Programming with Nim: EDR Evasion via Direct Syscalls and UnhookingNim-EDR-Evasion-Direct-Syscalls
A research proof-of-concept demonstrates using the Nim programming language to evade EDR detection by disabling AMSI and ETW, invoking NT system calls directly, and unhooking ntdll.dll. The article provides a technical walkthrough for educational purposes, highlighting how these techniques can bypass user-mode API monitoring.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →