// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 2, 2026
Signal Brief · Archived

Week of February 2, 2026

2026-02-02 — 2026-02-08 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 2, 2026, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 vuln disclosures, 2 research pocs, 1 incident. Vendors in the record this week: ESET, Tanium, Fortinet.

The Week's Public Record

Events

2026-02-08
research poc
Reynolds: BYOVD Defense Evasion Embedded in Ransomware PayloadReynolds BYOVD embedded in ransomware
Security researchers discovered a ransomware payload that embeds a Bring Your Own Vulnerable Driver (BYOVD) component directly within the ransomware binary, rather than dropping it as a separate tool. This technique allows the ransomware to disable endpoint security products by exploiting a legitimate but vulnerable driver, increasing stealth and effectiveness.
2026-02-06
vuln disclosure
CVE-2025-13818: ESET Management Agent Local Privilege Escalation via TOCTOU Race ConditionCVE-2025-13818
CVE-2025-13818 is a local privilege escalation vulnerability in ESET Management Agent for Windows caused by a Time-of-Check Time-of-Use (TOCTOU) race condition in temporary batch file handling. A local attacker with high privileges can replace a validated batch file before execution, leading to arbitrary command execution with elevated privileges. ESET has released a patch to address the issue.
2026-02-05
vuln disclosure
CVE-2025-15332: Sensitive Information Exposure in Tanium Threat Response LogsCVE-2025-15332
Tanium Threat Response contains an information disclosure vulnerability (CVE-2025-15332) where sensitive data is improperly inserted into log files without sanitization. This could expose credentials or system details to users with access to logs. Tanium has addressed the issue, and affected versions include 4.5.0, 4.6.0, and 4.9.0.
2026-02-04
incident
Interlock Ransomware Uses Hotta Killer Tool with CVE-2025-61155 to Disable EDR/AVCVE-2025-61155
The Interlock ransomware group deployed a custom evasion tool called Hotta Killer that exploits a zero-day vulnerability (CVE-2025-61155) in a gaming anti-cheat driver to terminate endpoint security processes. The tool uses a BYOVD technique to gain kernel-level access and disable EDR and AV before encrypting systems. This incident highlights a novel attack chain combining social engineering, lateral movement, and defense evasion targeting education sector organizations.
2026-02-04
research poc
EDRKillShift tool abuses signed EnCase driver to disable 59 security productsEDRKillShift
A new EDR killer named EDRKillShift leverages a legitimate but revoked EnCase kernel driver to terminate processes associated with 59 security tools. The tool uses a BYOVD technique to load the signed driver and then unhooks or disables endpoint detection and response (EDR) and antivirus software. This demonstrates a practical bypass method that remains effective despite the driver's certificate revocation.
2026-02-02
vuln disclosure
CVE-2026-1232: Anti-Tamper Bypass in BeyondTrust Privilege Management for WindowsCVE-2026-1232
A vulnerability in BeyondTrust Privilege Management for Windows allows bypassing its anti-tamper protections. This could enable an attacker to disable or manipulate the security agent, undermining endpoint privilege management controls.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →