// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of January 5, 2026
Signal Brief · Archived

Week of January 5, 2026

2026-01-05 — 2026-01-11 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of January 5, 2026, ColdRecon logged 2 public endpoint-security events from open-source reporting — 2 research pocs. Vendors in the record this week: Microsoft, multiple commercial EDR/AV vendors.

The Week's Public Record

Events

2026-01-11
research poc
EDRStartupHinder: Bindlink API Abuse to Block EDR Startup via DLL RedirectionEDRStartupHinder
A proof-of-concept tool, EDRStartupHinder, uses the Windows Bindlink API to redirect a critical DLL loaded by an EDR service to a corrupted copy, causing the EDR process to terminate itself due to Protected Process Light (PPL) restrictions. The technique targets the EDR before it fully starts by running as a higher-priority service, effectively preventing endpoint protection from loading.
2026-01-10
research poc
AMSI Bypass via HAMSICONTEXT Heap Corruption on Windows 11HAMSICONTEXT corruption AMSI bypass
A proof-of-concept demonstrates bypassing the Antimalware Scan Interface (AMSI) by corrupting the HAMSICONTEXT structure in the process heap. The technique locates the 'DotNet' appName string and its associated HAMSICONTEXT pointer via heap walking, then overwrites the context with zeros, disabling AMSI scanning for the process. This method is confirmed to work on Windows 11.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →