Cisco Talos A.I CyberSecurity Scoring
Cisco Talos
Company Information
Website: https://talosintelligence.com/
Employees number: 230
Number of followers: 25,926
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: talosintelligence.com
Cisco Talos Risk Score (AI oriented)
Between 650 and 699
Cisco Talos - Computer and Network Security
Updated: 20/04/2026
683/1000
Weak
B
Cisco Talos Global Score (TPRM)
Cisco Talos - Computer and Network Security
Score locked

Cisco Talos: Weak
Current Score: 683/1000, grade B (WEAK)
6 incidents
-12.5 avg impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 686
MAY 2026: 684
APRIL 2026: 702
Cyber Attack
03 Apr 2026 • Cisco Talos
Cisco Talos Intelligence: Qilin Ransomware Uses Malicious DLL to Disable Nearly All EDR Solutions
Qilin Ransomware Group Deploys EDR-Blinding Attack Chain
Score: 682 | Severity: CRITICAL-20 | Incident ID: CIS1775204907
The Qilin ransomware group has introduced a highly advanced, multi-stage infection chain capable of disabling over 300 endpoint detection and response (EDR) solutions before executing its ransomware payload. Discovered by Cisco Talos Intelligence, the attack leverages a malicious DLL file to execute entirely in memory, minimizing forensic traces and evading traditional antivirus defenses.
The attack begins with DLL side-loading, where a legitimate Windows application loads a rogue msimg32.dll instead of the authentic system library. The malicious DLL maintains normal system activity by forwarding legitimate requests to the real library while triggering its hidden payload during initialization. The malware then suppresses security event logging, neutralizes user-mode hooks, and uses structured and vectored exception handling to obscure execution from behavioral scanners. A syscall-scanning technique further bypasses EDR monitoring.
Before deploying its final payload, the malware checks the system's language settings and crashes if post-Soviet language packs are detected, a tactic likely used by Russian-affiliated operators to avoid domestic law enforcement scrutiny. The payload is decrypted and mapped directly into memory using shared memory views, ensuring it never touches the hard drive in an unencrypted state.
Once active, the malware escalates privileges and loads two kernel-level drivers: rwdrv.sys (a renamed legitimate driver) and hlpdrv.sys (a custom malicious driver). These drivers grant direct memory access and terminate protected EDR processes, respectively. By abusing a signed driver, the malware bypasses Windows Driver Signature Enforcement and systematically unregisters over 300 EDR monitoring callbacks, effectively blinding security tools at the kernel level.
To conceal its activity, the malware temporarily disables Windows Code Integrity enforcement, allowing unrestricted kernel modifications before restoring integrity checks to reduce forensic evidence. The attack marks a significant evolution in ransomware tactics, shifting from evasion to the active dismantling of security defenses before payload execution.
MARCH 2026: 702
FEBRUARY 2026: 700
JANUARY 2026: 700
DECEMBER 2025: 703
Vulnerability
15 Dec 2025 • Cisco Talos
Ivanti, SonicWall and Cisco: Vulnerability exploitation surges often precede disclosure, offering possible early warnings
Exploitation Surges Preceding Vulnerability Disclosures (Dec 2025 - Mar 2026)
Score: 698 | Severity: CRITICAL-5 | Incident ID: IVASONCIS1776702475
GreyNoise Report: Exploitation Surges Often Precede Vulnerability Disclosures by Weeks
A recent report from threat intelligence firm GreyNoise reveals that attackers frequently begin exploiting software vulnerabilities before vendors publicly disclose them, sometimes weeks in advance. Analyzing attack patterns between mid-December 2025 and late March 2026, GreyNoise found that nearly half of all scanning and exploitation surges targeting specific products were followed by vulnerability disclosures within three weeks.
The median time between a surge in malicious activity and a vendor’s disclosure was 11 days, offering organizations a potential early warning to patch or harden systems. Of the 42 scanning events observed, 57% led to disclosures, while 56% of brute-force attempts and 42% of remote-code-execution (RCE) probes also preceded public CVEs.
The report highlights distinct patterns in attacker behavior:
- Scanning activity was widely dispersed, with many IP addresses conducting a few sessions each, consistent with broad reconnaissance.
- Later-stage attacks (brute-force and RCE) were more concentrated, with fewer IPs generating high session volumes, suggesting targeted exploitation.
- High-severity flaws generated the most probing activity, with some exploitation detected up to 39 days before disclosure.
Notable examples include:
- A Cisco vulnerability exploited in five surges over 18 days before disclosure, with IP activity dropping but session counts rising, a shift from reconnaissance to focused attacks.
- Juniper, SonicWall, and Ivanti flaws also saw early exploitation, with one Ivanti flaw targeted 36 days prior to disclosure.
GreyNoise’s findings underscore that exploitation surges can serve as an early indicator of undisclosed vulnerabilities, particularly for critical infrastructure vendors. The data suggests that organizations monitoring such activity may gain a critical window to mitigate risks before patches are available.
NOVEMBER 2025: 707
OCTOBER 2025: 706
SEPTEMBER 2025: 705
AUGUST 2025: 704
JULY 2025: 702
JUNE 2025: 701
Vulnerability
16 Jun 2025 • Cisco Talos
Sitecore
Exploitation of CVE-2025-53690 in Sitecore Deployments via ViewState Deserialization
Score: 696 | Severity: CRITICAL-5 | Incident ID: SIT0155601090425
A zero-day vulnerability (CVE-2025-53690) in Sitecore’s Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) was exploited by threat actors using a leaked sample ASP.NET machine key. Attackers leveraged ViewState deserialization to achieve remote code execution on exposed on-premises deployments. Post-exploitation, they deployed malware (including DWAGENT RAT), exfiltrated sensitive Sitecore configurations, stole credentials and tokens, performed Active Directory reconnaissance, and escalated privileges to domain administrator level. The attack targeted multi-instance environments with customer-managed static keys, risking lateral movement across networks. While Mandiant disrupted the attack before full execution, the breach exposed backend dependencies, user data, and network architectures, enabling potential follow-on attacks like data theft, ransomware, or system takeover. Sitecore confirmed affected customers were notified, but unpatched systems remain at risk of full infrastructure compromise and operational disruption if exploited further.
AUGUST 2024: 753
Breach
01 Aug 2024 • Cisco Talos
Taiwanese government-affiliated research institute
APT41 Compromise of Taiwanese Government-Affiliated Research Institute
Score: 688 | Severity: CRITICAL-65 | Incident ID: CIS005080624
APT41, a China-linked cyber threat group, compromised a Taiwanese government-affiliated research institute using sophisticated tools such as ShadowPad and Cobalt Strike. The attack involved exploiting vulnerabilities in Microsoft Office to initiate payload delivery, followed by document exfiltration, persistent access through web shells, and sophisticated evasion techniques. The institute suffered a breach of its security systems resulting in the leakage of sensitive documents, possibly impacting governmental operations and data security. The incident underscores the need for robust cybersecurity measures within institutions that are integral to national infrastructure.
JUNE 2023: 752
Vulnerability
16 Jun 2023 • Cisco Talos
Cisco
Active Exploitation of Cisco ASA and Firepower Firewall Vulnerabilities (CVE-2025-20333, CVE-2025-20362)
Score: 751 | Severity: CRITICAL-1 | Incident ID: CIS5692656111325
CISA issued an emergency directive ordering US federal agencies to urgently patch two actively exploited zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in Cisco Adaptive Security Appliances (ASA) and Firepower firewalls. The flaws—enabling remote code execution (RCE) and privilege escalation—were linked to a state-sponsored threat actor (same group behind the 2023–2024 ArcaneDoor campaign). The attacker deployed custom malware to disable logging, prevent forensic analysis, and install a persistent backdoor by modifying the ROMMON bootloader. Despite repeated warnings, over 32,000 unpatched internet-facing devices remained exposed as of October 2025, risking full system compromise, lateral movement across networks, and potential data exfiltration. CISA mandated immediate firmware updates or decommissioning of legacy devices, emphasizing that even non-public-facing appliances were at risk. The vulnerabilities’ exploitation could grant attackers unrestricted access to critical infrastructure, enabling espionage, disruption of government services, or further attacks on interconnected systems. The directive also expanded to include three additional actively exploited flaws in the KEV catalog, underscoring the escalating threat to federal networks.
JUNE 2017: 753
Vulnerability
16 Jun 2017 • Cisco Talos
Cisco
Exploitation of CVE-2025-20352 in Cisco Networking Devices via 'Operation Zero Disco'
Score: 751 | Severity: CRITICAL-2 | Incident ID: CIS4802448101725
Threat actors exploited a zero-day remote code execution (RCE) vulnerability (CVE-2025-20352) in older, unpatched Cisco networking devices (9400, 9300, and legacy 3750G series) to deploy a Linux rootkit named Operation Zero Disco. The rootkit grants persistent access, allows log manipulation, bypasses authentication (AAA/VTY ACLs), and enables lateral movement across VLANs via ARP spoofing. Attackers also attempted to exploit CVE-2017-3881, a 7-year-old flaw in Cisco’s Cluster Management Protocol. The malware installs fileless hooks into the IOSd process, disappearing after reboots, and leaves no reliable detection method—requiring low-level firmware/ROM analysis for confirmation. While newer switches have partial ASLR protections, sustained targeting could still compromise them. The attack risks unauthorized network control, data exfiltration, and lateral expansion within corporate or critical infrastructure environments. No public reports confirm data theft, but the rootkit’s capabilities enable stealthy, long-term persistence for future exploits. Trend Micro warns that compromised devices may serve as launchpads for broader attacks, though no direct financial, reputational, or operational damages (e.g., outages, data leaks) were explicitly documented in the article.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Cisco Talos?
What was Cisco Talos's A.I Rankiteo Cyber Score in May 2026?
What was Cisco Talos's A.I Rankiteo Cyber Score in April 2026?
What was Cisco Talos's A.I Rankiteo Cyber Score in March 2026?
What was Cisco Talos's A.I Rankiteo Cyber Score in February 2026?
What was Cisco Talos's A.I Rankiteo Cyber Score in January 2026?
What was Cisco Talos's A.I Rankiteo Cyber Score in December 2025?
What was Cisco Talos's A.I Rankiteo Cyber Score in November 2025?
What was Cisco Talos's A.I Rankiteo Cyber Score in October 2025?
What was Cisco Talos's A.I Rankiteo Cyber Score in September 2025?
What was Cisco Talos's A.I Rankiteo Cyber Score in August 2025?
What was Cisco Talos's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Cisco Talos's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Cisco Talos?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Cisco Talos's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?