// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 23, 2026
Signal Brief · Archived

Week of March 23, 2026

2026-03-23 — 2026-03-29 · 10 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 23, 2026, ColdRecon logged 10 public endpoint-security events from open-source reporting — 6 research pocs, 2 vuln disclosures, 2 incidents. Vendors in the record this week: Microsoft, SentinelOne, Wazuh.

The Week's Public Record

Events

2026-03-29
research poc
Windows Defender Bypass Demonstrated Using Rust PELoaderRust PELoader Defender Bypass
A proof-of-concept demonstrates bypassing Windows Defender by loading a PE file directly from memory using a Rust-based loader, avoiding disk writes. The technique highlights a detection gap in file-scanning approaches and emphasizes the need for memory-based detection.
2026-03-29
research poc
Anthropic's Claude Mythos Preview autonomously finds and exploits zero-day vulnerabilities across major OS and browsersClaude Mythos Preview zero-day discovery
Anthropic's new AI model, Claude Mythos Preview, autonomously discovers and exploits zero-day vulnerabilities across every major operating system and browser. This demonstrates a significant advancement in AI-driven vulnerability research, potentially lowering the barrier for attackers to find and weaponize unknown flaws. The research highlights the need for security vendors to consider AI-powered threats in their detection and response strategies.
2026-03-27
vuln disclosure
CVE-2025-15616: Wazuh Shell Injection RCE VulnerabilityCVE-2025-15616
CVE-2025-15616 is a high-severity shell injection vulnerability in Wazuh agent and manager versions 2.1.0 through 4.7.x. It allows authenticated attackers with configuration access to execute arbitrary commands via logcollector, maild SMTP, and Kaspersky AR components. Successful exploitation can compromise the security monitoring infrastructure and enable lateral movement.
2026-03-27
vuln disclosure
CVE-2026-5027: Path Traversal in POST /api/v2/files Endpoint Allows Arbitrary File WriteCVE-2026-5027
CVE-2026-5027 is a path traversal vulnerability in the POST /api/v2/files endpoint that fails to sanitize the filename parameter from multipart form data. Authenticated attackers can write files to arbitrary filesystem locations, potentially leading to remote code execution. The vulnerability was published on March 27, 2026, and affects products using the vulnerable endpoint.
2026-03-27
incident
Fake Avast website delivers Venom Stealer malwareFake Avast website delivering Venom Stealer
A fraudulent website mimicking Avast displays a fake virus scan and tricks users into downloading Venom Stealer, which steals passwords, session data, and cryptocurrency wallets. The attack uses social engineering to bypass endpoint security by convincing users to manually execute the malware.
2026-03-27
research poc
Ridge IT Cyber MDR Testing Shows EDR Bypass RatesEDR Bypass Testing by Ridge IT Cyber
Ridge IT Cyber conducted testing of managed endpoint security solutions, finding that CrowdStrike was bypassed after 3 months while all other tested EDR platforms were bypassed within 3 days. SentinelOne blocked approximately 30% of threat samples. The results highlight varying effectiveness of EDR solutions against advanced threats.
CrowdStrike · SentinelOne · other tested EDR platforms ↗ ridgeit.com (2026-03-27)
2026-03-26
research poc
PoC Tool Uses BYOVD to Disable Driver Signature Enforcement via Kernel Memory PatchingBYOVD-DSE-Bypass
A proof-of-concept tool exploits a vulnerable signed Gigabyte driver (gdrv.sys) to gain kernel read/write primitives and patch ci.dll!g_CiOptions in memory, disabling Driver Signature Enforcement (DSE) on Windows. This allows loading unsigned kernel drivers, undermining a core OS security mechanism. The technique requires administrator privileges and specific system configurations (Secure Boot and HVCI disabled).
2026-03-26
research poc
Forcepoint DLP Endpoint for macOS Process Suspension Bypass (SIGSTOP)Forcepoint DLP Endpoint macOS SIGSTOP Bypass
A standard user on macOS can bypass Forcepoint DLP Endpoint's content inspection by sending SIGSTOP to two user-owned browser helper processes. This causes the enforcement stack to fail open without generating alerts or audit logs, while the management console falsely reports the agent as connected. The vulnerability is rated CVSS 7.1 and affects version v25.08.5008 on macOS.
2026-03-25
research poc
Sliver dropper uses GPT-4 for environment-aware execution gatingGPT-4-gated Sliver dropper
A 27 MB Go binary acts as a dropper for a Sliver implant, using GPT-4 to evaluate host telemetry before executing. The loader collects 19 telemetry fields, sends them to OpenAI's API, and only proceeds if GPT-4 returns an execute decision with confidence ≥0.8. This technique aims to evade automated analysis by requiring AI-driven approval based on environmental signs of sandboxing or monitoring.
2026-03-24
incident
HwAudKiller BYOVD Campaign Exploits Huawei Audio Driver to Terminate EDR ProcessesHwAudKiller
A malvertising campaign since January 2026 uses fraudulent Google ads to deliver a kernel-mode EDR terminator named HwAudKiller. It exploits a previously undocumented vulnerability in the signed Huawei driver HWAuidoOs2Ec.sys to terminate 23 security products from ring-0, bypassing user-mode protections. The campaign has compromised over 60 victims, enabling credential theft and lateral movement.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →