// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of December 22, 2025
Signal Brief · Archived

Week of December 22, 2025

2025-12-22 — 2025-12-28 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of December 22, 2025, ColdRecon logged 2 public endpoint-security events from open-source reporting — 2 research pocs. Vendors in the record this week: Microsoft.

The Week's Public Record

Events

2025-12-28
research poc
Windows Defender Bypass Using Alternate Data Stream Shellcode LoaderShellcode-Loader-with-ADS
A proof-of-concept demonstrates bypassing Windows Defender by storing raw shellcode in an NTFS Alternate Data Stream (ADS) attached to a legitimate file. The loader reads and executes the shellcode from the ADS, evading static detection because Defender scans only the primary file stream. This technique reduces on-disk footprint and complicates forensic analysis.
2025-12-28
research poc
Research Demonstrates Bypass of Microsoft Defender for Endpoint AMSI ProviderMDE AMSI Provider Bypass
A security researcher published a proof-of-concept bypass for the AMSI provider in Microsoft Defender for Endpoint. The technique prevents MDE's AMSI integration from scanning script content, potentially allowing malicious scripts to evade detection. This matters because AMSI is a key defense layer against script-based attacks.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →