A reported ValleyRAT upgrade into an eight-stage chain ending in kernel-mode stealth shows why defenders treat driver-level malware as a different class of problem.
An incident response investigation found an attack chain built on disabled defenses, a steganographic web shell, and Mimikatz, then repeated reuse of a server that had not been fully cleaned.
A reported experiment shows how a language model, a disassembler, and a small state loop can turn endpoint defense analysis into something faster, repeatable, and potentially useful for evasion research.
A macOS attack chain described as using legitimate operating-system behavior, not a classic vulnerability, raises a hard question: how much protection remains if a standard user can silence the tools meant to watch them?
ATT&CK v19 introduces structural changes, including the deprecation of Defense Evasion and its replacement with Stealthee and Impair Defenses.
A broad recap of browser bugs, EDR killers, a TV botnet, an OpenBSD flaw, and Android trojans points to one durable pattern: attackers keep choosing the shortest path to control, not the flashiest one.
A reported consolidation of EDR-killer tooling inside a Gentlemen RaaS workflow highlights how ransomware crews may be packaging defense suppression as a reusable service.
Cloud logging is supposed to preserve evidence, but control-plane abuse can turn that evidence into the first thing an intruder tries to silence.
A vendor research finding points to a worrying shift in cloud attacks: instead of only stealing data, intruders may also try to weaken the telemetry defenders depend on.
A new open-source proof of concept shows how policy-based throttling in Windows can choke the cloud link that many EDR tools rely on, creating a defense-evasion risk that looks more like network starvation than malware tampering.
A newly surfaced ransomware brand is drawing attention not because it rewrote encryption, but because it appears to be hiding better than older playbooks expected.
The latest Gremlin Stealer variant appears built for delay and concealment, combining encrypted resource storage with a commercial packer that turns ordinary code into custom bytecode.
A reported espionage campaign shows how a signed executable can become little more than a mask when the real payload arrives through a side-loaded DLL.
A new ransomware family fuses attack and evasion, embedding a vulnerable driver to quietly neutralize security tools before striking.