// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 13, 2026
Signal Brief · Archived

Week of April 13, 2026

2026-04-13 — 2026-04-19 · 11 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 13, 2026, ColdRecon logged 11 public endpoint-security events from open-source reporting — 6 vuln disclosures, 4 incidents, 1 research poc. Vendors in the record this week: Microsoft, Cisco, Agent Zero.

The Week's Public Record

Events

2026-04-18
research poc
Research PoC: AMSI Bypass via amsiInitFailed Reflection and Fileless Payload Execution Detected by SysmonAMSI Bypass via amsiInitFailed Reflection
A research analysis demonstrates an AMSI bypass technique using PowerShell reflection to set the amsiInitFailed flag, followed by fileless payload execution via csc.exe. The attack chain was simulated with Atomic Red Team and detected using Sysmon telemetry, highlighting behavioral indicators for defense evasion.
2026-04-17
vuln disclosure
RedSun Zero-Day: Local Privilege Escalation via Microsoft Defender Race ConditionRedSun
On April 16, 2026, exploit developer Nightmare-Eclipse published RedSun, a working local privilege escalation exploit for Windows. RedSun abuses a race condition in Microsoft Defender's real-time scanning to write an attacker-controlled binary to System32, achieving SYSTEM privileges. The exploit is unpatched and has been observed in the wild.
2026-04-16
incident
PowMix botnet targets Czech workforce with AMSI bypassPowMix
The PowMix botnet is being distributed in a campaign targeting the Czech workforce. The payload is delivered via an LNK file that triggers a PowerShell loader, which extracts the botnet from a ZIP archive data blob, bypasses AMSI, and executes the decrypted script directly in memory.
2026-04-16
incident
Attackers Use QEMU Hidden Virtual Machines to Evade Detection and Deploy RansomwareQEMU Hidden VM
Threat actors are deploying hidden QEMU virtual machines on compromised endpoints to establish stealthy persistence, harvest credentials, exfiltrate data, and ultimately deliver PayoutsKing ransomware. The technique allows long-term access while evading endpoint security tools by operating within a virtualized environment.
2026-04-15
incident
Digitally signed adware tool disables antivirus on thousands of endpointsSigned adware tool deploying antivirus-killing scripts
A digitally signed adware tool was observed deploying payloads with SYSTEM privileges that disabled antivirus protections on thousands of endpoints across educational, utilities, government, and healthcare sectors. The abuse of signed software allowed the attack to evade detection and terminate security processes.
2026-04-15
vuln disclosure
Cisco ThousandEyes Enterprise Agent Arbitrary File Overwrite VulnerabilityCVE-2026-20161
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent allows a local low-privileged attacker to overwrite arbitrary files via symbolic link following. This can lead to integrity compromise on the affected endpoint. Cisco has published an advisory and affected versions are listed.
2026-04-15
vuln disclosure
CVE-2026-30624: Agent Zero 0.9.8 RCE via Malicious MCP Server ConfigurationCVE-2026-30624
CVE-2026-30624 is a command injection vulnerability in Agent Zero 0.9.8's External MCP Servers configuration feature. Attackers can supply a malicious JSON configuration with arbitrary commands and arguments, leading to remote code execution with the privileges of the Agent Zero process. No authentication or user interaction is required for network-based exploitation.
2026-04-14
incident
JDownloader Supply-Chain Attack Deploys r77 Rootkit and WDAC Policy to Disable AntivirusJDownloader Supply-Chain Attack with r77 Rootkit and WDAC Policy
Attackers compromised the official JDownloader website and replaced download links with trojanized installers. The malicious installer deploys a Python bot, an r77 rootkit, and a WDAC policy that blocks 50 security executables from running, effectively killing antivirus protection. The attack uses dead-drop resolvers for resilient C2 communication.
Avast · AVG · Avira · Microsoft · HitmanPro · Kaspersky ↗ www.gendigital.com (2026-04-14)
2026-04-14
vuln disclosure
CVE-2026-21742: Fortinet FortiSOAR Cleartext Password DisclosureCVE-2026-21742
CVE-2026-21742 is an information disclosure vulnerability in Fortinet FortiSOAR that exposes cleartext passwords in API responses for Secure Message Exchange and Radius queries. An authenticated attacker with low privileges can view these credentials, potentially leading to credential theft and unauthorized access to integrated systems. The flaw affects multiple versions of FortiSOAR PaaS and on-premise deployments.
2026-04-13
vuln disclosure
CVE-2026-0234: Cortex XSOAR/XSIAM Microsoft Teams Integration Authentication BypassCVE-2026-0234
CVE-2026-0234 is an authentication bypass vulnerability in Palo Alto Networks Cortex XSOAR and Cortex XSIAM platforms affecting the Microsoft Teams integration. The flaw allows unauthenticated attackers to bypass cryptographic signature verification and access or modify protected resources. This could compromise security orchestration workflows and sensitive incident response data.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →