// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 30, 2026
Signal Brief · Archived

Week of March 30, 2026

2026-03-30 — 2026-04-05 · 8 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 30, 2026, ColdRecon logged 8 public endpoint-security events from open-source reporting — 4 incidents, 2 vuln disclosures, 2 research pocs. Vendors in the record this week: CrowdStrike, Broadcom.

The Week's Public Record

Events

2026-04-05
vuln disclosure
PoisonX BYOVD Driver Bypasses CrowdStrike Falcon via Microsoft-Signed Kernel DriverPoisonX BYOVD
A previously unknown Microsoft-signed kernel driver, PoisonX.sys, was discovered enabling Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks to terminate CrowdStrike Falcon's Protected Process Light (PPL) sensor. The driver exposes an undocumented IOCTL (0x22E010) that allows user-mode attackers to kill any process by PID from kernel mode, bypassing PPL protections. This vulnerability highlights the risk of signed but vulnerable drivers being exploited to disable endpoint security.
2026-04-02
incident
Qilin ransomware deploys multi-stage EDR killer via malicious msimg32.dllQilin EDR killer
Qilin ransomware operators use a malicious msimg32.dll to execute a multi-stage infection chain that terminates endpoint detection and response (EDR) processes. The attack leverages DLL side-loading and a custom tool to disable security software before deploying ransomware. This technique allows attackers to evade detection and encrypt systems unimpeded.
2026-04-02
research poc
Memory Fluctuation: An Advanced In-Memory Evasion Technique Presented at CoRIIN 2026Memory Fluctuation
Researchers presented 'Memory Fluctuation' at CoRIIN 2026, a technique that evades memory scanners in EDR/AV by cyclically encrypting shellcode and toggling memory protections. The method prevents tools like Moneta or pe-sieve from detecting malicious code during dormant periods. Proof-of-concept code and detection scripts were released on GitHub.
2026-03-31
incident
SentinelOne AI EDR autonomously stops LiteLLM supply chain attackLiteLLM supply chain attack
SentinelOne's AI-powered EDR autonomously detected and blocked a zero-day supply chain attack targeting the LiteLLM library. The attack involved malicious code injected into the supply chain, which was stopped before execution globally. This demonstrates the capability of AI-driven endpoint security to prevent novel threats without prior signatures.
2026-03-31
incident
Malware campaign uses WhatsApp to deliver VBScript and MSI backdoorsWhatsApp VBScript/MSI backdoor campaign
A malware campaign distributes VBScript files via WhatsApp messages, initiating a multi-stage infection chain that installs MSI backdoors for persistent access. The attack abuses renamed Windows tools and cloud-hosted payloads to evade detection. This campaign highlights the use of social engineering and living-off-the-land techniques to bypass endpoint security.
2026-03-30
research poc
SysInject: EDR Hook Bypass via Proxy Calls and Exception HandlerSysInject
SysInject is a proof-of-concept technique that bypasses EDR hooks by routing calls through legitimate hooked functions with clean parameters, then using an exception handler to redirect execution to the intended syscall. This maintains a clean callstack and evades both hook-based and callstack-based detection.
2026-03-30
vuln disclosure
Critical Privilege Escalation Vulnerability in Symantec DLP Agent (CVE-2026-3991)CVE-2026-3991
A local privilege escalation vulnerability (CVE-2026-3991) was disclosed in Symantec Data Loss Prevention (DLP) Agent for Windows. The flaw allows attackers with local access to escalate to SYSTEM by exploiting a hardcoded OpenSSL configuration path. Broadcom has released patches to address the issue.
2026-03-30
incident
Infostealer Campaign Uses DLL Sideloading with Signed Microsoft Office Binary to Evade DetectionDLL sideloading via winword.exe for infostealer delivery
An infostealer campaign targeting professional networks used DLL sideloading via a legitimate signed Microsoft Office binary (winword.exe) to execute malicious code. At the time of discovery, the payload had zero detections on VirusTotal, indicating effective evasion of antivirus engines. The technique leverages trusted process execution to reduce behavioral suspicion.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →