// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of January 26, 2026
Signal Brief · Archived

Week of January 26, 2026

2026-01-26 — 2026-02-01 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of January 26, 2026, ColdRecon logged 3 public endpoint-security events from open-source reporting — 1 vuln disclosure, 1 research poc, 1 incident. Vendors in the record this week: ESET, Microsoft, Baidu.

The Week's Public Record

Events

2026-01-30
vuln disclosure
Local Privilege Escalation in ESET Inspect Connector via OpenSSL DLL HijackingCVE-2025-13176
A local privilege escalation vulnerability (CVE-2025-13176) was disclosed in ESET Inspect Connector for Windows. The flaw allows a low-privileged user to load a malicious DLL into the SYSTEM-level EDR agent process by exploiting a hardcoded OpenSSL configuration path. This can lead to full system compromise and potential bypass of EDR protections.
2026-01-28
research poc
Bloo Research Demonstrates Windows Defender Bypass Using XOR-Encrypted Metasploit Shellcode and Custom LoaderMSFDefender
Bloo's TRI team executed a research project to evaluate Windows Defender's detection of Metasploit payloads. They found that directly generated EXE payloads were blocked, but by exporting raw shellcode, applying XOR encryption, and using a custom C loader, they bypassed Defender's real-time protection and static scanning. The research also explored the Script Web Delivery module for fileless execution.
2026-01-26
incident
Arsenal-237 Toolkit Weaponizes Baidu Driver BdApiUtil64.sys for Kernel-Level AttacksArsenal-237 BYOVD BdApiUtil64.sys
The Arsenal-237 malware toolkit uses the legitimately signed but vulnerable Baidu driver BdApiUtil64.sys as a Bring-Your-Own-Vulnerable-Driver (BYOVD) component to gain kernel-level access. This enables attackers to terminate security products, steal credentials, and establish persistence, completely bypassing user-mode defenses. Discovery indicates a critical kernel compromise requiring immediate isolation and system rebuild.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →