// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 23, 2026
Signal Brief · Archived

Week of February 23, 2026

2026-02-23 — 2026-03-01 · 9 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 23, 2026, ColdRecon logged 9 public endpoint-security events from open-source reporting — 6 research pocs, 2 vuln disclosures, 1 incident. Vendors in the record this week: Microsoft, Sysmon, Trend Micro.

The Week's Public Record

Events

2026-02-27
research poc
SynthAPT: AI-Powered Playbook-Based Adversary Simulation Framework ReleasedSynthAPT
SynthAPT is an open-source adversary simulation framework that uses JSON playbooks to define attack paths, which are compiled into functional shellcode payloads. It integrates an LLM agent to generate playbooks from natural language or threat intelligence, enabling rapid creation of realistic malware scenarios for testing endpoint detections.
2026-02-27
research poc
PoC Tool Disables Windows Defender and Sysmon via ACL Deny Entries on kernel32.dlldefender-acl-blocker
A proof-of-concept tool named defender-acl-blocker modifies ACLs on kernel32.dll to add Deny ACEs for Windows Defender and Sysmon service identities, preventing them from starting after reboot. The technique requires administrator privileges and leaves minimal telemetry, with detection possible via Windows Security Event ID 4670.
2026-02-27
vuln disclosure
Trend Micro Discloses Critical Apex One Vulnerabilities Allowing Remote Code ExecutionCVE-2025-71210
Trend Micro disclosed eight vulnerabilities in Apex One, including two critical unauthenticated remote code execution flaws in the management console. The vulnerabilities were patched in February 2026. The critical flaws allow attackers to upload and execute arbitrary code via directory traversal.
2026-02-25
research poc
Cortex XDR Live Terminal Feature Abused for C2 CommunicationsCortex XDR Live Terminal C2 Abuse
Researchers disclosed that Palo Alto Networks Cortex XDR Live Terminal feature can be abused as a command-and-control channel. The trusted EDR agent component allows attackers to bypass detection by blending traffic with normal operations. Two methods were demonstrated: cross-tenant token reuse and a custom server exploiting a URL validation flaw.
2026-02-25
vuln disclosure
CVE-2026-2914: CyberArk EPM Agent Privilege Escalation VulnerabilityCVE-2026-2914
CVE-2026-2914 is a privilege escalation vulnerability in CyberArk Endpoint Privilege Manager Agent versions 25.10.0 and lower. It allows authenticated local users to exploit elevation dialogs to gain unauthorized elevated privileges. The flaw has low attack complexity and high impact on confidentiality, integrity, and availability.
2026-02-24
research poc
ClrDeOxide: Execute-Assembly in Rust with AMSI Bypass via IHostAssemblyStore and Load_2ClrDeOxide
A proof-of-concept tool demonstrates a technique to load .NET assemblies in memory without triggering AMSI scanning by using the IHostAssemblyStore interface and AppDomain.Load_2 instead of the commonly monitored Load_3. The implementation includes a pure Rust PE metadata parser to automatically extract assembly identity, enabling stealthy in-memory execution.
2026-02-24
research poc
Doppelganger LSASS Cloning Technique Evades EDR ProtectionsDoppelganger
Security researcher Andrea Varischio developed Doppelganger, a proof-of-concept tool that clones the LSASS process to extract credentials without touching the protected original. The technique bypasses EDR hooks, PPL, and monitoring by operating on a copy, leveraging BYOVD to disable PPL in kernel memory. This matters because it demonstrates a novel evasion method against modern EDRs that protect LSASS.
Microsoft · CrowdStrike · SentinelOne ↗ blog.silentforce.io (2026-02-24)
2026-02-23
incident
MIMICRAT Custom RAT Delivered via Multi-Stage ClickFix Campaign Bypasses DefensesMIMICRAT
A new custom remote access trojan named MIMICRAT is being distributed through a sophisticated multi-stage ClickFix campaign. The attack chain uses obfuscated PowerShell scripts to disable Windows Event Tracing and AMSI, then deploys the RAT for data exfiltration and command execution. This technique directly undermines endpoint detection mechanisms.
2026-02-23
research poc
SysWhispers4: Advanced AV/EDR Evasion via Direct and Indirect System CallsSysWhispers4
SysWhispers4 is a Python-based tool that generates C/ASM code for direct and indirect system calls to bypass AV/EDR user-mode hooks. It introduces new syscall number resolution methods (SyscallsFromDisk, RecycledGate, HW Breakpoint) and evasion features like AMSI bypass, ntdll unhooking, and anti-debugging, targeting Windows NT 3.1 through Windows 11 24H2 across multiple architectures.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →