// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 2, 2026
Signal Brief · Archived

Week of March 2, 2026

2026-03-02 — 2026-03-08 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 2, 2026, ColdRecon logged 2 public endpoint-security events from open-source reporting — 2 research pocs. Vendors in the record this week: Microsoft.

The Week's Public Record

Events

2026-03-08
research poc
Windows Defender Execution Folder Hijack via Symbolic LinkFolder Redirect Technique
A researcher demonstrated a technique to hijack Windows Defender's execution folder by creating a symbolic link with a higher version number in the Platform directory. After reboot, Defender runs from an attacker-controlled folder, enabling DLL sideloading or service disruption. This bypasses Defender's self-protection without requiring vulnerable drivers.
2026-03-05
research poc
New AMSI Bypass Tool with Multi-Layer Obfuscation ReleasedAMSIBypass
A new open-source tool named AMSIBypass has been released, implementing six different AMSI bypass techniques with randomized, multi-layer obfuscation to evade signature-based detection. The tool is designed for authorized security testing and can automatically test payloads until a working bypass is found, then inject it into a new PowerShell session.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →