// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 27, 2026
Signal Brief · Archived

Week of April 27, 2026

2026-04-27 — 2026-05-03 · 14 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 27, 2026, ColdRecon logged 14 public endpoint-security events from open-source reporting — 7 research pocs, 6 incidents, 1 vuln disclosure. Vendors in the record this week: Microsoft, Trellix, Checkmarx.

The Week's Public Record

Events

2026-05-03
incident
Microsoft Defender for Endpoint falsely quarantines DigiCert root certificates as malwareMicrosoft Defender false positive on DigiCert root certificates
Microsoft Defender for Endpoint incorrectly flagged and quarantined legitimate DigiCert root certificates, causing potential disruption to TLS validation and application trust. The incident underscores risks of automated endpoint remediation when security tools misclassify critical system artifacts.
2026-05-03
incident
Trellix Discloses Unauthorized Access to Source CodeTrellix Source Code Breach
Cybersecurity vendor Trellix disclosed that a threat actor gained unauthorized access to its source code. The breach raises supply chain concerns as exposure of security product internals could aid attackers in bypassing detections. Details remain limited.
2026-05-01
research poc
CopyFail Attack Demonstrates Kernel-Level EDR Evasion on Linux via Root AccessCopyFail
Security researchers demonstrated a technique called CopyFail that bypasses Linux kernel-level EDR/security agents even when the attacker has root access. The method exploits the fact that security modules cannot intercept direct kernel function calls, allowing an attacker to tamper with agent memory and disable protections. This challenges the assumption that root access means total compromise, showing that EDR can still provide value if properly implemented.
2026-04-30
research poc
Deep#Door Python Backdoor Evades Detection on WindowsDeep#Door
Researchers disclosed a Python-based remote access trojan (RAT) named Deep#Door that uses tunneling and obfuscation to evade detection on Windows endpoints. The malware steals credentials and maintains persistence, posing a threat to endpoint security controls.
2026-04-29
research poc
Hades Gate: First-Principles Direct Syscall Technique for EDR/AV BypassHades Gate
Hades Gate is a proof-of-concept tool that constructs direct syscall stubs at runtime by manually walking the PEB, parsing PE headers, and extracting syscall numbers from ntdll.dll. It bypasses userland EDR/AV hooks by executing syscalls without calling monitored ntdll functions, demonstrating a technique relevant to endpoint security evasion.
2026-04-29
incident
DPRK Threat Actor Uses AI-Generated npm Malware in PromptMink CampaignPromptMink
A North Korean threat actor uploaded an AI-generated npm package in October 2025 as part of a campaign dubbed PromptMink. The package delivered remote access trojans (RATs) and was linked to broader DPRK operations involving fake firms. The use of generative AI to craft malware represents an evolution in supply chain attack techniques.
2026-04-28
incident
Checkmarx Supply Chain Breach via Compromised GitHub RepositoriesCheckmarx Supply Chain Incident via Trivy/TeamPCP
Checkmarx suffered a supply chain incident where attackers gained unauthorized access to GitHub repositories, likely via the TeamPCP attack on Trivy scanner, leading to publication of malicious Jenkins AST plugin artifacts. Customer data was not stored in the affected repositories, but data exfiltration occurred on March 30, 2026, with stolen data later published by LAPSUS$.
2026-04-28
research poc
VECT 2.0 Ransomware Encryption Flaw Turns It Into a WiperVECT 2.0 Ransomware Encryption Flaw
Check Point Research discovered that VECT 2.0 ransomware contains a critical encryption flaw causing permanent data destruction for files larger than 128 KB. The flaw, present across Windows, Linux, and ESXi variants, discards three of four decryption nonces, making recovery impossible even for the attacker. This effectively turns the ransomware into a wiper for virtually all meaningful enterprise data.
2026-04-28
research poc
PhantomRPC Privilege Escalation Technique in Windows via RPC InterfacesPhantomRPC
A security researcher disclosed a new privilege escalation technique called PhantomRPC that abuses RPC interfaces exposed by Local Service accounts, such as the DHCP Client service, to escalate privileges on Windows systems. No patch is available, and the technique relies on design flaws in RPC server implementations.
2026-04-28
incident
RansomHouse Claims Breach of $1B Cybersecurity Vendor, Possibly BarracudaRansomHouse claims breach of cybersecurity vendor
The RansomHouse ransomware group claims to have breached a $1 billion cybersecurity vendor, with speculation pointing to Barracuda. The breach allegedly exposed customer contact lists, proprietary detection logic, source code, and support tickets containing detailed customer network configurations. This incident raises significant supply chain concerns for the vendor's customers.
Barracuda (speculated) ↗ thecybersecguru.com (2026-04-28)
2026-04-27
research poc
AI-Driven Variant Analysis Bypasses Defender for Endpoint SAM Hive Extraction DetectionMonth of Bypasses - SAM Hive Extraction Bypass
Persistent Security Research Team launched a 'Month of Bypasses' series, using their Nemesis AI-driven BAS platform to discover a bypass for Microsoft Defender for Endpoint's detection of SAM hive credential dumping (T1003.002). The AI iteratively found a method using WMI to create a shadow copy and a raw disk read to extract the SAM hive, evading behavior monitoring. This demonstrates how AI can systematically find gaps in endpoint detection logic.
2026-04-27
incident
Pakistan government staff targeted by phishing with obfuscated staged malware hosted on BunnyCDNStaged payload delivery via BunnyCDN with obfuscation
A phishing campaign targeted Pakistan government employees using fake project files to deliver malware. The attack employed obfuscation and staged payload delivery hosted on BunnyCDN to evade detection. This technique highlights a method to bypass endpoint security by splitting malicious code into multiple stages and hiding it behind legitimate CDN services.
2026-04-27
research poc
Research Demonstrates Linux ELF Malware Generator Evading ML Detection via Semantic-Preserving ChangesSemantic-Preserving ELF Malware Generator
Researchers developed a malware generator that applies semantic-preserving transformations to Linux ELF binaries, successfully evading machine learning-based malware detectors. The technique highlights weaknesses in current AI-driven endpoint security tools for Linux environments.
2026-04-27
vuln disclosure
CrowdStrike Discloses Critical Vulnerability in Falcon Platform
CrowdStrike published a security advisory on April 21, 2026, addressing a critical vulnerability in its Falcon platform products. The Canadian Centre for Cyber Security issued an alert (AV26-384) regarding the advisory. No further technical details were provided in the article.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →