// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 16, 2026
Signal Brief · Archived

Week of March 16, 2026

2026-03-16 — 2026-03-22 · 17 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 16, 2026, ColdRecon logged 17 public endpoint-security events from open-source reporting — 7 research pocs, 5 incidents, 5 vuln disclosures. Vendors in the record this week: Palo Alto Networks, Microsoft, Various EDR vendors.

The Week's Public Record

Events

2026-03-22
research poc
BYOC Technique Uses Docker Containers to Bypass EDR DetectionBYOC (Bring Your Own Container)
A technique called BYOC (Bring Your Own Container) leverages Docker's trusted status to execute attacks inside containers, evading endpoint detection and response (EDR) tools. The method was presented at AVTOKYO2024 and has been used in the wild by the North Korea-linked TraderTraitor group against macOS. It exploits the limited visibility of EDR into container internals, allowing attackers to smuggle data, establish reverse shells, and move laterally without detection.
2026-03-20
incident
Qilin and Warlock Ransomware Groups Use BYOVD to Disable Endpoint SecurityBYOVD (Bring Your Own Vulnerable Driver) used by Qilin and Warlock ransomware
The Qilin and Warlock ransomware groups are employing Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint security tools on Windows systems. This allows the ransomware to operate without detection or interference from security software. The technique leverages legitimate but vulnerable drivers to gain kernel-level access and terminate security processes.
2026-03-20
incident
Multi-stage PureLog Stealer campaign uses copyright-themed phishing lures and fileless techniquesPureLog Stealer fileless delivery chain
A targeted campaign delivers the PureLog Stealer malware through localized phishing lures themed as copyright infringement notices. The attack chain uses a Python loader and dual .NET loaders to execute payloads entirely in memory, employing AMSI bypass and other evasive techniques to avoid endpoint detection.
2026-03-20
incident
Ransomware Groups Expand EDR Killer Tactics Beyond BYOVDEDR Killer Expansion
Ransomware operators are increasingly using script-based tools, legitimate anti-rootkit software, and driverless techniques to disable endpoint security before encryption. Nearly 90 active EDR killers are used by groups like Akira, Medusa, Qilin, RansomHouse, and DragonForce, with many tools commercially traded underground. This shift prioritizes reliability in neutralizing defenses over stealthy encryption.
2026-03-19
research poc
Red Teams Demonstrate Techniques to Blind Windows Telemetry for EDR EvasionWindows Telemetry Blinding
Redfox Security published a research blog detailing how red teams can suppress Windows telemetry sources including ETW, AMSI, PowerShell logging, and userland API hooks to evade EDR detection. The article describes lab-based techniques such as memory patching, AMSI bypass, PowerShell downgrade, indirect syscalls, and disabling security services, emphasizing the ongoing arms race between evasion and detection.
2026-03-19
incident
Qilin and Warlock Ransomware Industrialize BYOVD EDR-Killer AttacksBYOVD EDR-Killer
Qilin and Warlock ransomware operations have adopted a kernel-level attack chain using Bring Your Own Vulnerable Driver (BYOVD) to disable over 300 endpoint security products before encryption. The technique abuses legitimately signed but vulnerable drivers to gain Ring 0 access, unregister EDR callbacks, and terminate security processes, leaving endpoints blind. Research from Cisco Talos and Trend Micro in April 2026 confirms the industrial scale of these attacks.
2026-03-19
research poc
SnappyClient Malware Uses Multiple Evasion Techniques to Bypass Endpoint SecuritySnappyClient
A new malware called SnappyClient employs multiple evasion techniques to hinder endpoint security detection. It includes an AMSI bypass, Heaven's Gate, direct system calls, and transacted hollowing. This demonstrates advanced methods to evade modern EDR and antivirus solutions.
2026-03-19
research poc
ESET researchers detail EDR killer ecosystem and vulnerable driver abuseEDR killers via vulnerable driver abuse
ESET researchers published an analysis of the EDR killer ecosystem, focusing on how attackers abuse vulnerable signed drivers to terminate endpoint security processes. The research highlights the growing trend of BYOVD (Bring Your Own Vulnerable Driver) attacks and the tools used to disable EDR/AV products.
2026-03-19
research poc
Unit 42 Analyzes AI Use in Malware: Remote Decision Making and Illusory FeaturesAI-Gated Execution
Unit 42 researchers analyzed two malware samples leveraging AI: a .NET infostealer with non-functional OpenAI API calls for evasion and analysis, and a Golang dropper using an LLM for environment assessment to decide on infection. The findings indicate early experimentation by threat actors, with AI enabling lower-skilled attackers but facing challenges in local model deployment.
2026-03-18
incident
McAfee discovers AI-generated malware campaign using 1,700+ fake filenames to deliver crypto minersAI-generated malware campaign with cryptocurrency miners
McAfee uncovered a malware campaign leveraging generative AI to create fake software installers for popular games and apps. The campaign uses over 1,700 unique filenames to distribute cryptocurrency miners, with the malware likely created using AI-generated code. This highlights the increasing use of AI to scale and obfuscate malware distribution.
2026-03-18
vuln disclosure
CVE-2025-31144: Quick Agent V2/V3 Improper Communication Channel RestrictionCVE-2025-31144
CVE-2025-31144 is a medium-severity vulnerability in Quick Agent V2 and V3 that allows a remote unauthenticated attacker to attempt to log in to an arbitrary host via the Windows system where the agent is running. The issue stems from improper restriction of communication channels to intended endpoints. This could lead to unauthorized access attempts leveraging the agent's host.
2026-03-18
vuln disclosure
Elastic Agent osqueryd Parameter Injection Allows Local Arbitrary Code ExecutionCVE-2024-52976
CVE-2024-52976 is a high-severity vulnerability in Elastic Agent's osqueryd subprocess that allows local attackers with low privileges to execute arbitrary code via parameter injection. The flaw arises from inclusion of functionality from an untrusted control sphere, requiring the ability to modify osqueryd configurations. This could lead to complete compromise of the affected endpoint.
2026-03-18
vuln disclosure
Rapid7 Insight Agent Privilege Escalation via Unquoted Service PathCVE-2022-0237
CVE-2022-0237 is a privilege escalation vulnerability in Rapid7 Insight Agent versions 3.1.2.38 and earlier. An attacker can hijack execution flow due to an unquoted argument in the runas.exe command used by ir_agent.exe, leading to elevated rights and persistent access. The issue was fixed in version 3.1.3.80.
2026-03-18
vuln disclosure
CVE-2026-0232: Local Administrator Can Disable Cortex XDR Agent on WindowsCVE-2026-0232
A vulnerability in Palo Alto Networks Cortex XDR agent on Windows allows a local administrator to disable the agent. This could allow malware to operate without detection. The issue is fixed via Content Update 2120 and newer agent versions.
2026-03-17
research poc
Researchers Decrypt Palo Alto Cortex XDR BIOC Rules, Uncover Global Whitelist EvasionCortex XDR BIOC Rule Decryption and Global Whitelist Bypass
Researchers reverse-engineered Palo Alto Cortex XDR agent's encrypted BIOC rules, revealing hardcoded global whitelists that allowed attackers to bypass behavioral detections. By appending a specific string to command-line arguments, malicious actions like LSASS credential dumping could evade detection. Palo Alto patched the issue in agent version 9.1 and content update 2160.
Palo Alto Networks ↗ gbhackers.com (2026-03-17)
2026-03-16
vuln disclosure
OpenEDR Kernel Driver IOCTL DLL Injection Privilege Escalation VulnerabilityCVE-2025-69784
A local, non-privileged attacker can exploit a vulnerable IOCTL interface in the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path. This allows loading an attacker-controlled DLL into high-privilege processes, achieving arbitrary code execution with SYSTEM privileges and full system compromise.
2026-03-16
research poc
OpenClaw bypasses EDR, DLP, and IAM via runtime semantic exfiltration, cross-agent context leakage, and agent-to-agent trust chainsOpenClaw
Researchers demonstrated that the OpenClaw attack framework can bypass endpoint detection and response (EDR), data loss prevention (DLP), and identity and access management (IAM) systems without triggering alerts. The attack exploits three novel techniques: runtime semantic exfiltration, cross-agent context leakage, and agent-to-agent trust chains with zero mutual authentication. Six defense tools were rapidly developed, but three attack surfaces remained unmitigated.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →