Bypass Archives - Security Pulse

Zoom for Windows security update blocks DLL hijacking and privilege escalation (CVE-2025-49457)

Zoom for Enterprise: close DLL path attacks, move to 6.3.10 today

yohanmanuja15 hours ago15 hours ago04 mins

Zoom delivered security fixes for Windows clients after investigators identified CVE-2025-49457, an untrusted DLL search path that can enable local privilege escalation and broader compromise. Because attackers chain DLL hijacking with lateral movement, admins should update Windows endpoints to version 6.3.10 and validate explicit path loading. This analysis explains affected apps, exploitation flow, high-signal detection, and quick remediation steps so defenders can reduce risk without adding noise.

APT37 abusing Google Find Hub to remotely wipe an Android phone

APT37 exploits Google Find Hub to wipe Android phones

yohanmanuja16 hours ago16 hours ago05 mins

APT37 used stolen Google credentials to access Find Hub, check Android device locations, and trigger remote factory resets. The tactic lives in the cloud, not on the handset, so identity controls matter most. Enforce phishing-resistant MFA, restrict console actions, and rehearse rapid re-enrollment.

ClickFix phishing page coaching a user to paste a command that steals M365 access

ClickFix Lures Coach Users to Self-Infect and Bypass Filters

yohanmanuja2 days ago2 days ago04 mins

ClickFix campaigns scale by coaching users to “fix” access issues with copy-paste commands. After the click, actors steal Microsoft 365 tokens or credentials and, in some cases, drop PureRAT for persistence. Break the flow by enforcing admin-only app consent, requiring phishing-resistant MFA, and blocking browser-to-shell chains. Investigate mailbox rules, token reuse, and OAuth grants whenever ClickFix pages appear in referral logs.

Cephalus ransomware abusing RDP credentials to exfiltrate data and encrypt systems with DLL sideloading and AES-CTR + RSA

Cephalus Ransomware Breaks In via RDP, Then Exfiltrates

yohanmanuja4 days ago4 days ago13 mins

Cephalus ransomware breaks in through exposed or weak RDP, steals data, and launches a Go-based encryptor that disables backups and evades analysis with DLL sideloading and key obfuscation. Consequently, victims encounter fast double-extortion pressure and noisy business disruption unless identity and remote-access controls stop the chain early.

Legacy CVEs and misconfigured IIS enable stealth access via msbuild and DCSync

China-Aligned Abuse msbuild, DCSync After Legacy CVE Break-ins

yohanmanuja4 days ago4 days ago05 mins

A China-linked crew still breaks in through legacy CVEs Log4j, Struts, Confluence, GoAhead then hides behind scheduled tasks and msbuild.exe to run memory-resident payloads. They probe domain controllers with DCSync, and they target misconfigured IIS by abusing ASP.NET machine keys to deploy TOLLBOOTH with SEO cloaking. Reduce risk by patching edge services, restricting LOLBAS on servers, rotating machine keys, and alerting on replication from non-DC hosts.

Claude Desktop extension dialog on macOS with a security prompt, highlighting sanitized AppleScript parameters and blocked shell operators

Claude Desktop Extensions Vulnerable to Command Injection

yohanmanuja6 days ago6 days ago05 mins

Researchers documented CVSS 8.9 command injection in three official Claude Desktop extensions Chrome, iMessage, and Apple Notes. Because those connectors built AppleScript commands with unescaped user input, prompt injection could pivot from web content to local shell execution on macOS. Anthropic patched the issues. This analysis explains the exploit chain, the fixes, and the validation steps security teams should run to keep MCP servers safe.

Windows bind filter abuse blinds Microsoft Defender EDR telemetry using EDR-Redir V2

EDR-Redir V2 Blinds Microsoft Defender on Windows 11

yohanmanuja1 week ago1 week ago04 mins

EDR-Redir V2 blinds Microsoft Defender by abusing Windows file-system filter drivers with bind links that redirect or corrupt EDR working paths. This practitioner’s guide explains the method, highlights reliable artifacts, and lists resilient mitigations so teams can validate exposure, restore telemetry, and protect Windows 11 fleets without breaking production.

Android malware “Herodotus” faking human typing with randomized keystrokes

Herodotus Malware Mimics Human Typing to Evade Detection

yohanmanuja2 weeks ago2 weeks ago15 mins

Herodotus is a new Android banking trojan that fakes human typing with randomized delays. Because naive timing checks fail, defenders should harden policy, watch overlays and Accessibility events, and tune fraud models to catch the session—not just the cadence.

Qilin ransomware BYOVD hybrid attack diagram showing Linux payload and vulnerable driver abuse

How Qilin Uses BYOVD and Linux Payloads to Escape Detection

yohanmanuja2 weeks ago2 weeks ago25 mins

Qilin ransomware now combines a Linux payload with a BYOVD (Bring-Your-Own-Vulnerable-Driver) exploit, enabling affiliates to bypass endpoint controls and compromise virtualised and Windows environments. This briefing explains the attack chain, detection challenges, and immediate defensive steps security teams must apply.

Map showing Oracle-linked hacking campaign targeting global organizations.

Google Issues Warning on Expanding Oracle-Linked Threat Activity

yohanmanuja1 month ago1 month ago14 mins

Google has disclosed a widespread Oracle-linked hacking campaign impacting dozens of organizations across sectors including energy, tech, and logistics. The operation, active since mid-2025, exploited software integrations between vendors and clients marking one of the year’s most significant supply chain cyberattacks.

GootLoader’s comeback: hidden filenames, ZIP-JS payloads

npm typosquat targets GitHub Actions to steal tokens and artifacts

Rhadamanthys disruption derails credential-theft campaigns

Windows admins: prioritize November zero-day and RCE

Russia Adds 24-Hour SIM Cooling-Off After Roaming

Zoom for Enterprise: close DLL path attacks, move to 6.3.10 today

Category: Bypass

Zoom for Enterprise: close DLL path attacks, move to 6.3.10 today

APT37 exploits Google Find Hub to wipe Android phones

ClickFix Lures Coach Users to Self-Infect and Bypass Filters

Cephalus Ransomware Breaks In via RDP, Then Exfiltrates

China-Aligned Abuse msbuild, DCSync After Legacy CVE Break-ins

Claude Desktop Extensions Vulnerable to Command Injection

EDR-Redir V2 Blinds Microsoft Defender on Windows 11

Herodotus Malware Mimics Human Typing to Evade Detection

How Qilin Uses BYOVD and Linux Payloads to Escape Detection

Google Issues Warning on Expanding Oracle-Linked Threat Activity