InfoSec Briefing - February 01, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Saturday, January 31, 2026, covering five critical developments in cybersecurity. All attribution is by the article authors. All article analysis is automated.

InfoSec.pub reports on sophisticated techniques for hijacking .NET Global Assembly Cache and Native Image Cache to achieve lateral movement in Windows environments. Security researcher digicat details how attackers can replace or modify strong-named assemblies and precompiled native images, effectively bypassing digital signatures and integrity checks to compromise any application relying on these components.

G3tSyst3m's Infosec Blog presents research on Living off the Process, an advanced code injection technique that abuses RWX memory regions and ROP gadgets to inject shellcode in 8-byte chunks. Author R.B.C. explains how this method hijacks threads and constructs ROP chains to execute payloads while evading EDR detection by disguising malicious activity as legitimate process behavior.

ESET's WeliveSecurity reports that Russia-aligned threat group Sandworm deployed DynoWiper data-wiping malware against a Polish energy sector company in December 2025. The malware overwrites files with random data across three operational phases and shares code similarities with Sandworm's previous ZOV wiper used in Ukraine, marking continued targeting of critical infrastructure.

WatchTowr Labs has discovered two critical pre-authentication remote code execution vulnerabilities in Ivanti Endpoint Manager Mobile, tracked as CVE-2026-1281 and CVE-2026-1340. The vulnerabilities allow unauthenticated attackers to execute arbitrary commands via bash shell injection due to improper input sanitization, posing severe risks of system compromise, data breaches, and ransomware deployment for organizations running unpatched instances.

The Lat61 Threat Intelligence Team has analyzed a sophisticated multi-stage malware campaign delivering Pulsar RAT using Donut loader for in-memory execution. The malware establishes persistence through registry Run keys, employs anti-analysis mechanisms including anti-VM and anti-debugging routines, and steals credentials from browsers, VPNs, messaging apps, and cryptocurrency wallets before exfiltrating data via Discord webhooks and Telegram bots.

That concludes today's briefing.

📰 Articles Covered

.NET GAC and NIC hijacking for lateral movement - ... - infosec.pub (author: digicat)

This article details techniques for hijacking the .NET Global Assembly Cache (GAC) and Native Image Cache (NIC) to achieve lateral movement and persistence within a network.

**What Happened:**
The article describes two primary methods for hijacking .NET dependencies:
* **GAC Hijacking:** This involves replacing a strong-named assembly in the GAC with a modified version. While the modified assembly might fail strong name verification, it will still load. A key consideration is the presence of a native image in the NIC, which would take precedence. Attackers can either delete the native image or target GAC assemblies that do not have corresponding native images.
* **NIC Hijacking:** This method targets the precompiled native images (`*.ni.dll`) stored in the NIC.
* **The Easy (PE) Way:** Attackers find a remote native image, download it, modify it as a standard Portable Executable (PE) backdoor (ensuring legitimate code execution continues), and then re-upload it. This bypasses digital signatures and integrity checks.
* **The Harder (Assembly) Way:** This involves modifying the original .NET assembly, then generating a new native image from it. This can be done locally (though less reliable) or remotely. Remote compilation is more reliable: the modified .NET assembly is re-signed, a new native image is generated on the target system using `ngen.exe`, and this new image overwrites the original.

**Who is Affected:**
Systems running the .NET framework are potentially affected. Specifically, any application that relies on .NET assemblies present in the GAC or NIC can be targeted. The article notes that files and folders within the GAC and NIC can be modified by members of the local **Administrators group** 【1】.

**Security Implications:**
The security implications are significant, as these techniques allow for:
* **Lateral Movement:** Gaining access to and control over other systems within a network.
* **Persistence:** Maintaining access to a compromised system even after reboots or application restarts.
* **Code Loading into Existing Applications:** Malicious code can be loaded into legitimate, regularly executed .NET applications, making detection more difficult.
* **De-chaining Upload from Execution:** Attackers can upload malicious files and wait for them to be executed by legitimate processes, separating the initial compromise from the actual malicious activity 【1】.

**Technical Details:**
* **.NET Assembly Search Paths:** Unlike traditional DLLs, .NET assemblies do not strictly follow the "first found, first loaded" rule. The loading priority is:
1. Native image (`*.ni.dll`) from the NIC (if it exists).
2. Assembly from the GAC (if it exists).
3. Assemblies from other paths (e.g., application directory) 【1】.
* **Global Assembly Cache (GAC):** Stores **strong-named** .NET assemblies. These assemblies have a unique identity including name, version, culture, and public key token 【1】.
* **Native Image Cache (NIC):** Stores **precompiled native images** (`*.ni.dll`) generated by `ngen.exe` to improve performance by bypassing Just-In-Time (JIT) compilation 【1】.
* **Strong vs. Weak Named Assemblies:** Strong-named assemblies have cryptographic signatures, while weak-named assemblies do not 【1】. Modifying a strong-named assembly in the GAC without re-signing will cause verification to fail but it will still load 【1】.
* **`ngen.exe`:** A tool used to generate native images from .NET assemblies 【1】.

**What Defenders Should Know:**
Defenders should be aware of the following:
* **GAC and NIC Precedence:** Assemblies in the GAC and NIC take priority over those in the application directory 【1】.
* **Administrator Privileges:** Attackers need **local administrator privileges** to modify files within the GAC and NIC 【1】.
* **Monitoring File Integrity:** Implement file integrity monitoring for critical system directories, including the GAC and NIC locations.
* **Understanding .NET Loading Mechanisms:** Familiarize security teams with how .NET assemblies are resolved and loaded, particularly the role of the GAC and NIC.
* **Detecting Suspicious Modifications:** Look for unusual modifications to `.dll` and `*.ni.dll` files within the GAC and NIC directories.
* **Application Whitelisting:** Employ application whitelisting to prevent unauthorized executables from running, which can limit the impact of hijacked assemblies.
Living off the Process - G3tSyst3m's Infosec Blog, Author: R.B.C.

The article "Living off the Process" (LOTP) details an advanced cybersecurity technique that abuses existing features within a running process to inject and execute shellcode in a remote process with a minimal footprint, thereby evading traditional security defenses 【1】.

**What Happened:**
The technique involves copying shellcode into a remote process in small, 8-byte chunks. Instead of using standard memory writing APIs like `WriteProcessMemory`, it leverages Read-Write-Execute (RWX) memory regions and Return-Oriented Programming (ROP) gadgets already present within the target process. A thread within the target process is hijacked, and a ROP chain is constructed. This chain orchestrates the writing of shellcode chunks into memory and ultimately executes the payload 【1】.

**Who is Affected:**
The primary targets are **processes that contain RWX memory regions** and to which an attacker can gain a handle and manipulate threads. This implies that the victim is the user whose context the process is running under, and the attacker typically needs elevated privileges to perform these actions 【1】.

**Security Implications:**
- **Bypasses Traditional Defenses:** By avoiding direct memory writing APIs, LOTP can evade security solutions that specifically monitor for `WriteProcessMemory` or `VirtualAllocEx` calls used for shellcode injection 【1】.
- **Reduced Detectability:** The shellcode writing process is disguised as legitimate gadget usage within the target process's flow, making it harder for Endpoint Detection and Response (EDR) systems to flag as malicious 【1】.
- **Exploitation of Process Artifacts:** The technique highlights the risk of attackers exploiting existing RWX memory regions and in-process code reuse for malicious purposes 【1】.

**Technical Details:**
The process involves several key technical steps:
- **ROP Gadget Collection:** Attackers identify and collect ROP gadgets (small sequences of code ending in `ret`) from the target process 【1】.
- **RWX Memory Identification:** The attacker searches for existing RWX memory regions within the target process. If none are found, they may resort to using `VirtualAllocEx` 【1】.
- **Thread Hijacking:** A thread within the target process is suspended, its context is captured, and its execution pointer (RIP) is redirected to custom stub code. The stack pointer (RSP) is set to point to the ROP chain 【1】.
- **Shellcode Staging:** The shellcode is divided into 8-byte chunks. Assembly stubs are created that use ROP gadgets to write these chunks into the target memory indirectly 【1】.
- **ROP Chain Execution:** The ROP chain is written into memory and designed to execute the staged shellcode. This often involves switching to a fake stack and then continuing execution to the shellcode 【1】.

**What Defenders Should Know:**
Defenders need to be aware of and monitor for:
- **Unusual RWX Memory Usage:** Suspiciously large or numerous RWX memory regions within processes 【1】.
- **Thread Manipulation:** Anomalous thread suspension, context changes (`GetThreadContext`, `SetThreadContext`), and redirection of thread execution 【1】.
- **Privilege Escalation and Access Control:** The importance of limiting privileges and enforcing strict access controls to prevent unauthorized processes from opening handles to and modifying other processes' threads 【1】.
- **Memory Protection:** Implementing robust memory protection techniques such as Data Execution Prevention (DEP/NX), Address Space Layout Randomization (ASLR), and minimizing the availability of executable code gadgets 【1】.
- **Behavioral and Signature-Based Detections:** Employing EDR solutions capable of detecting ROP attacks, indirect shellcode writes, unusual code generation, and ROP chain patterns 【1】.

Defenders can also implement measures such as enforcing least privilege, monitoring for tool-like activity (e.g., gadget scanning tools), using memory scanning to detect modifications, employing application whitelisting, and hardening Windows configurations to restrict thread manipulation capabilities 【1】.
DynoWiper update: Technical analysis and attribution - www.welivesecurity.com

A new data-wiping malware, **DynoWiper**, was deployed against a company in **Poland's energy sector** in December 2025. ESET researchers attribute this attack with medium confidence to the **Russia-aligned threat group Sandworm**, citing similarities to their previous ZOV wiper used in Ukraine.

**What Happened:**
The attack involved the deployment of multiple variants of DynoWiper. While ESET PROTECT largely blocked the malware's execution, the incident highlights Sandworm's continued targeting of critical infrastructure and their evolving tactics. The malware's primary function is to overwrite files with random data, causing irreversible data loss.

**Who is Affected:**
The primary victim identified is a **company within Poland's energy sector**. Sandworm has a history of targeting Polish energy companies for cyberespionage and destructive attacks.

**Security Implications:**
This incident underscores the persistent threat posed by sophisticated, state-aligned actors like Sandworm to **critical infrastructure**, particularly the energy sector. The use of data-wiping malware aims to cause maximum disruption and damage, potentially leading to significant operational downtime and economic loss. The attribution to Sandworm indicates a high-level, well-resourced adversary.

**Technical Details of the DynoWiper Update:**
DynoWiper was deployed in three variants: `<redacted>_update.exe`, `schtask.exe`, and `schtask2.exe`. The malware overwrites files using a 16-byte buffer of random data. Its operation involves three phases:
- Recursively wiping files on all drives, excluding specific system directories.
- Wiping files in the root directory without exclusions, or all files/directories for `schtask2.exe`.
- Forcing a system reboot.
Unlike some other Sandworm malware, DynoWiper focuses solely on the IT environment and does not appear to directly target OT industrial components. Attackers also reportedly used publicly available tools like Rubeus and rsocx before deploying the wiper.

**What Defenders Should Know:**
Defenders should be aware of Sandworm's tactics, including their use of data-wiping malware and deployment via Active Directory Group Policy. Key indicators include similarities between DynoWiper and the ZOV wiper in file wiping logic and directory exclusions. Sandworm is known to modify malware or switch families to evade detection. Organizations, especially in the energy sector, should:
- Strengthen defenses against sophisticated wipers.
- Monitor for unusual file modification or deletion activities.
- Ensure robust endpoint detection and response (EDR/XDR) capabilities are in place.
- Maintain visibility into IT/OT environments.
- Understand potential collaborations between threat groups, which can aid in attribution.
Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) - watchTowr Labs

The cybersecurity article details two critical pre-authentication remote code execution (RCE) vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340**, discovered in **Ivanti Endpoint Manager Mobile (EPMM)**, formerly known as MobileIron Core.

**What Happened:**
An attacker can exploit these vulnerabilities to execute arbitrary commands on the Ivanti EPMM server without requiring any authentication. This means an attacker could gain control of the server and potentially access sensitive data or deploy further malicious software. The vulnerabilities stem from improper handling of specific commands within the system, allowing for command injection.

**Who is Affected:**
**Ivanti Endpoint Manager Mobile (EPMM)** instances are affected. The specific versions impacted are not explicitly detailed in the provided summary, but it is implied that any unpatched versions are at risk. Organizations using Ivanti EPMM to manage their mobile devices are therefore vulnerable.

**Security Implications:**
The security implications are severe. Successful exploitation allows for **unauthenticated remote code execution**, granting attackers a high level of control over the compromised server. This could lead to:
- **Data breaches:** Sensitive information managed by EPMM could be exfiltrated.
- **System compromise:** Attackers could use the server as a pivot point to attack other systems within the network.
- **Ransomware deployment:** Malicious actors could encrypt data and demand a ransom.
- **Disruption of services:** The EPMM service could be rendered inoperable.

**Technical Details:**
The vulnerabilities are related to how Ivanti EPMM processes certain commands, specifically those involving the `bash` shell. The article highlights that the system fails to properly sanitize user-supplied input when constructing commands. This allows an attacker to inject malicious commands that are then executed by the `bash` interpreter with elevated privileges. The exploitation involves crafting specific HTTP requests that contain the injected commands.

**What Defenders Should Know:**
Defenders need to be aware that **unpatched Ivanti EPMM instances are highly vulnerable** to remote exploitation. Key actions include:
- **Patching:** Immediately apply any security patches or updates released by Ivanti for EPMM.
- **Monitoring:** Implement robust network and system monitoring to detect suspicious activity targeting the EPMM server, such as unusual network traffic or unexpected process execution.
- **Segmentation:** Ensure that the Ivanti EPMM server is properly segmented within the network to limit the potential blast radius if compromised.
- **Vulnerability Scanning:** Regularly scan for these specific vulnerabilities to ensure that all instances are protected.

The article suggests that the vulnerabilities are complex and likely exploited by sophisticated actors, emphasizing the need for prompt and thorough remediation.
When Malware Talks Back | Pulsar RAT Powers Live Chat Driven Remote Control and Advanced Infostealer Delivery via Donut Loader - Lat61 Threat Intelligence Team

This cybersecurity article details a sophisticated, multi-stage malware campaign that utilizes advanced evasion techniques and in-memory execution to steal data and maintain persistent access to victim systems.

**What Happened:**
The malware campaign begins with a hidden batch file that establishes persistence through a per-user registry Run key. This batch file then extracts and executes an embedded PowerShell loader, which in turn decrypts and injects shellcode directly into legitimate Windows processes. This shellcode, generated by the Donut tool, loads a .NET payload that functions as a sophisticated stealer and remote access trojan (RAT). The malware employs numerous anti-analysis techniques to evade detection and maintain stealthy persistence, including process migration, watchdog mechanisms for self-resurrection, and anti-VM/anti-debugging routines. Stolen data is exfiltrated in ZIP archives via Discord webhooks and Telegram bots.

**Who is Affected:**
The article does not specify a particular industry or region being targeted. However, the malware's capabilities suggest it is designed for **broad-scale data theft and long-term compromise** across various Windows environments.

**Security Implications:**
The primary security implications are:
- **Data Theft:** The malware is capable of harvesting a wide range of sensitive information, including credentials for browsers, VPNs, messaging apps, gaming platforms, and cryptocurrency wallets.
- **Persistent Access:** Advanced persistence mechanisms ensure the malware remains on the system even after reboots or if initial processes are terminated.
- **Evasion of Traditional Defenses:** The use of in-memory execution, living-off-the-land techniques, and anti-analysis features makes it difficult for traditional antivirus solutions to detect and remove.
- **Remote Control:** The RAT functionality allows attackers to gain full remote control over compromised systems, enabling further malicious activities.

**Technical Details:**
The malware operates in multiple stages:
- **Stage 1 (Batch Dropper):** A hidden batch file creates a hidden folder, sets the hidden attribute, and registers itself in the per-user Run key for persistence. It then extracts a Base64 encoded PowerShell script from within itself, decodes it, executes it, and self-cleans.
- **Stage 2 (PowerShell Loader):** This PowerShell script decodes a byte array using XOR operations. This decoded data is identified as Donut shellcode. The script then uses Win32 interop (P/Invoke) to perform process injection into legitimate Windows processes (like `explorer.exe` or `svchost.exe`) using `CreateRemoteThread`. A watchdog mechanism ensures the shellcode is re-injected if the host process terminates.
- **Stage 3 (.NET Payload):** The Donut shellcode loads a .NET assembly directly into memory. This payload is heavily obfuscated and implements advanced anti-analysis techniques, including anti-virtualization, anti-debugging, and continuous process injection detection. It also establishes persistence via Scheduled Tasks and Registry Run Keys.
- **Functionality:** The .NET payload includes modules like `Pulsar.Common.dll` (for RAT functionalities like remote shell, registry modification, keylogging, screen capture, audio/webcam access) and `Stealer37.dll` (for credential harvesting across numerous applications, system profiling, and secure data handling).
- **Data Exfiltration:** Stolen data is packaged into ZIP archives and exfiltrated using Discord webhooks or the Telegram Bot API. A "victim-valuation summary" (`IntelIX.txt`) is generated to quickly assess the value of stolen credentials before exfiltration.

**What Defenders Should Know:**
- **Evasive Techniques:** Be aware of malware that heavily relies on in-memory execution, process injection, and living-off-the-land techniques to bypass traditional signature-based detection.
- **Persistence Mechanisms:** Monitor for unusual persistence methods, including per-user Run keys, Scheduled Tasks, and the creation of hidden folders.
- **Donut Shellcode:** Recognize the use of Donut shellcode loaders as a common method for delivering .NET payloads.
- **Anti-Analysis:** Understand that modern malware employs sophisticated anti-VM, anti-debugging, and self-protection routines.
- **Data Exfiltration Channels:** Monitor network traffic for exfiltration to platforms like Discord and Telegram, especially for ZIP-compressed archives.
- **Detection and Mitigation:** Traditional antivirus may struggle. Solutions that focus on behavioral analysis and threat hunting are crucial. The article recommends Point Wild UltraAV, which detects this threat as `Trojan_210126_Donut_Client`. Removal involves booting into Safe Mode with Networking and using antivirus software.