Good morning. This is your security briefing for Saturday, November 22, 2025, covering 14 articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.
CodeXTF2 has released CustomC2ChannelTemplate, a proof-of-concept template for building custom command-and-control channels for Cobalt Strike. Rather than going through the official ExternalC2 interface, whose limitations it is designed to work around, the template hooks the Beacon's Import Address Table to intercept its callback traffic and relays that data over an operator-defined channel, sidestepping detections tuned to Beacon's standard transports.
Tillson Galloway reports Atropos, a new attack strategy that evades machine-learning-based web application firewalls. The technique crafts adversarial payloads that exploit the WAF's tokenization step and mimic the statistical profile of benign traffic; the authors demonstrate it against several commercial ML-based WAFs that guard against XSS and SQL injection.
NtDallas has documented BOF_RunPE, a Cobalt Strike Beacon Object File that loads and executes PE files entirely in memory inside the Beacon process. It combines several evasion methods (indirect syscalls, thread start-address spoofing and module stomping), but defenders can still catch it with kernel telemetry that records thread-context manipulation and memory-operation transitions, which these user-mode tricks do not suppress.
Security researcher harryeetsource has documented MOEW (Misaligned Opcode Exception Waterfall), a technique that combines x86 instruction misalignment with Windows Structured Exception Handling. It deliberately triggers CPU faults that are routed through attacker-controlled SEH frames and corrupts the exception chain so that the real control flow is hidden, bypassing mitigations such as DEP and CFG along the way.
Shaheer Yasir has published a technical guide to unhooking ntdll.dll in Rust to bypass EDR products. The technique overwrites the hooked code sections with clean copies taken from a suspended process, so that calls into ntdll no longer pass through the EDR's user-mode inline hooks. Note that this defeats only those inline hooks; kernel callbacks and ETW-based telemetry are unaffected, and the write to ntdll's .text section is itself an observable event.
Cornell University researchers developed a deep learning detector for adaptive pixel-value differencing (APVD) steganography: a CNN with attention mechanisms that reaches 96.2% detection accuracy. Trained on 10,000 images, the model also recovers hidden payloads with up to 93.6% success, showing that adaptive steganographic techniques are vulnerable to learned detectors.
The 360 Threat Intelligence Center reports that APT-C-26 (the Lazarus group) has deployed a customized monitoring program with full remote desktop control against enterprise networks. The implant is a complete remote-control surveillance tool, threatening enterprise data and letting the group accumulate access and data for future operations.
Also from 360 Threat Intelligence Center: the MuddyWater APT group has launched phishing campaigns across multiple regions using macro code and executables disguised as PDF files. The lures deploy the UDPGangster and Phoenix backdoors for persistent access and data theft, continuing this nation-state actor's established pattern of social engineering.
Fabian Monrose's research on the development of security-focused browser extensions reveals common vulnerabilities, including XSS and CSP bypasses. The study examined the source code of multiple extensions and identified insecure coding practices and gaps in developer security awareness that expose users to risk even when the extension itself is a security tool.
Researchers from Georgia Institute of Technology and Oregon State University, including Angelos D. Keromytis, have conducted the first large-scale analysis of orphan flows: network communications from compromised hosts that are explained neither by the initial attack vector nor by C2 activity. Such flows are a significant blind spot in security monitoring, since they can carry lateral movement or data exfiltration without triggering conventional alerts.
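As an added illustration of the blind spot (this is not the paper's code, and the bucketing rules below are this example's own working definitions, not the paper's), the following Python sorts a compromised host's flows into attack-vector, C2, baseline and orphan traffic. The flow log, host, attacker source and C2 address are constructed. Compromise time is taken as the first inbound flow from a known attacker source; destinations the host talked to before that point form its baseline; anything outbound after it that is neither C2 nor baseline is treated as an orphan flow.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list:
    """Parse whitespace-separated 'timestamp src dst dport bytes' records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def classify_flows(flows: list, host: str, attacker_srcs: set, c2_dsts: set) -> dict:
    """Bucket a compromised host's traffic into attack-vector, C2, baseline and orphan flows.

    Baseline = destinations seen from the host before the first attacker inbound flow.
    Orphan   = post-compromise outbound flow that is neither C2 nor baseline.
    """
    inbound_attacks = sorted(
        (f for f in flows if f.dst == host and f.src in attacker_srcs), key=lambda f: f.ts
    )
    if not inbound_attacks:
        raise ValueError("no attack-vector flow found for host")
    t0 = inbound_attacks[0].ts
    baseline = {f.dst for f in flows if f.src == host and f.ts < t0}
    buckets = {"attack_vector": [], "c2": [], "baseline": [], "orphan": []}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.ts < t0:
            continue
        if f.dst == host and f.src in attacker_srcs:
            buckets["attack_vector"].append(f)
        elif f.src == host and f.dst in c2_dsts:
            buckets["c2"].append(f)
        elif f.src == host and f.dst in baseline:
            buckets["baseline"].append(f)
        elif f.src == host:
            buckets["orphan"].append(f)
    return buckets


# Constructed flow log: 10.0.0.5 is the compromised host, 203.0.113.7 the attacker's
# source for the initial exploit, 198.51.100.9 the known C2 server. 10.0.0.8 is an
# unrelated host whose traffic must be ignored.
LOG = """
2025-11-01T09:00:00 10.0.0.5 10.0.0.20 445 2048
2025-11-01T09:05:00 10.0.0.5 10.0.0.30 443 5120
2025-11-01T10:00:00 203.0.113.7 10.0.0.5 8080 900
2025-11-01T10:01:00 10.0.0.5 198.51.100.9 443 1200
2025-11-01T10:03:00 10.0.0.5 10.0.0.20 445 1024
2025-11-01T10:12:00 10.0.0.5 10.0.0.77 445 65536
2025-11-01T10:15:00 10.0.0.8 10.0.0.20 445 3000
2025-11-01T10:20:00 10.0.0.5 192.0.2.50 22 4194304
"""
HOST = "10.0.0.5"
ATTACKER_SRCS = {"203.0.113.7"}
C2_DSTS = {"198.51.100.9"}
FLOWS = parse_flows(LOG)

if __name__ == "__main__":
    for bucket, items in classify_flows(FLOWS, HOST, ATTACKER_SRCS, C2_DSTS).items():
        for f in items:
            print(f"{bucket:14} {f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
```

In the constructed log, IOC-based detection fires only on the C2 and exploit flows; the SMB session to a fresh internal peer and the large SSH transfer to an outside address, the two orphan flows, would never match an indicator and only surface when post-compromise traffic is compared against the host's own history.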
Georgia Institute of Technology researchers analyzed the lifecycle of malicious network infrastructure across the spectrum from simple attacks to sophisticated nation-state operations. The study expanded the set of publicly known malicious IP infrastructure 3.06-fold and found that network logs must be retained for 25 months to uncover 90% of sophisticated attack infrastructure, a window far longer than many organizations keep network logs.
A research preprint on arXiv.org introduces ForgeDAN, an evolutionary (search-based) framework for jailbreaking large language models by bypassing their safety alignment. The paper presents attack methodologies that exploit weaknesses in the safety controls built into LLM-based systems.
The International Association for Cryptologic Research reports a critical failure in its 2025 election, run on the Helios electronic voting system: one of the three trustees permanently lost their private key. Because decryption needed every trustee's key, the result can no longer be decrypted or verified, a key-management failure rather than a cryptographic break.
Finally, Hoang Nguyen disclosed CVE-2025-27093, affecting the Sliver C2 framework in versions 1.5.43 and earlier when configured with WireGuard. Inadequate traffic filtering allows unrestricted communication between WireGuard clients, so an attacker holding a leaked implant keypair can reach services the operator exposes on the WireGuard interface, or pivot between compromised implants. That concludes today's briefing.