🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Europol-supported global operation targets over 75 000 users engaged in DDoS attacks – Operation PowerOFF is a global effort aimed at dismantling criminal DDoS-for-hire infrastructure | Europol - Europol 🔍 Show Kagi Synopsis
  On April 13, 2026, a global law enforcement initiative, **Operation PowerOFF**, coordinated by Europol, targeted over 75,000 individuals using **distributed denial-of-service (DDoS)-for-hire services** 【1】. This operation aimed to dismantle the infrastructure supporting these illegal services 【1】.
  
  **What Happened:**
  The operation involved 21 countries and focused on both enforcement and prevention. Authorities disrupted illegal "booter" services by seizing their technical infrastructure, including servers and databases 【1】. This disruption led to the takedown of 53 domains and the issuance of 25 search warrants 【1】. Over 75,000 warning emails and letters were sent to identified criminal users, and four arrests were made 【1】.
  
  **Who is Affected:**
  The operation targeted over 75,000 criminal users of DDoS-for-hire services 【1】. These services are used by individuals ranging from novices with minimal technical knowledge to more proficient actors 【1】. The attacks themselves affect businesses and individuals by making servers, websites, and online services inaccessible 【1】. Targets include online marketplaces, telecommunications providers, and other web-based services 【1】.
  
  **Security Implications:**
  DDoS-for-hire services represent a significant and accessible trend in cybercrime, enabling widespread disruption 【1】. The attacks can cause substantial harm by rendering critical online services unavailable, impacting legitimate users and potentially leading to financial losses or extortion 【1】. The seizure of infrastructure and user data by law enforcement hinders these criminal operations and prevents further damage 【1】.
  
  **Technical Details:**
  DDoS-for-hire services, often referred to as "booter" services, rely on a technical infrastructure comprising servers, databases, and other components 【1】. These services allow users to launch DDoS attacks against targeted entities 【1】. The seized databases from these services provided Europol experts with data on over 3 million criminal user accounts, facilitating coordinated global enforcement actions 【1】.
  
  **What Defenders Should Know:**
  Operation PowerOFF is an ongoing effort that has transitioned into a prevention phase 【1】. Proactive measures are being implemented, including:
  - Targeted search engine advertisements for individuals seeking DDoS tools 【1】.
  - Removal of over 100 URLs that advertise DDoS-for-hire services 【1】.
  - Sending warning messages on blockchains used for criminal payments 【1】.
  - Maintaining a dedicated website to track enforcement and prevention efforts 【1】.
• British National Pleads Guilty to Hacking into Companies and Stealing At Least $8 Million in Virtual Currency - U.S. Attorney's Office, Central District of California 🔍 Show Kagi Synopsis
  A British national, **Tyler Robert Buchanan**, has pleaded guilty to conspiring to hack into the computer systems of at least a dozen companies and steal over **$8 million in virtual currency** from individual victims across the United States 【1】. The scheme operated from September 2021 to April 2023 【1】.
  
  **What Happened:**
  Buchanan and his co-conspirators executed **SMS phishing attacks** by sending messages to employees of victim companies, impersonating the company or its IT/BPO suppliers. These messages contained links to fake websites designed to steal login credentials, personal identifying information (PII), and account usernames and passwords 【1】. The stolen credentials were used to access company systems and steal confidential information, including intellectual property and PII 【1】. A phishing kit was used to capture these credentials, which were then sent to a Telegram channel managed by Buchanan 【1】. The conspirators leveraged this stolen information to access individual victims' virtual currency accounts and wallets, ultimately stealing millions of dollars in virtual currency 【1】.
  
  **Who is Affected:**
  The victims included a range of companies, such as **interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing (BPO) and information technology (IT) suppliers, cloud communications providers, and virtual currency companies**. Additionally, **individual victims** had their virtual currency stolen 【1】.
  
  **Security Implications:**
  This case highlights the significant risks associated with **phishing attacks**, particularly those delivered via SMS, and the severe consequences of compromised credentials. The attackers were able to bypass **two-factor authentication** by employing **SIM swapping** techniques 【1】. This method involves fraudulently convincing a mobile carrier to reassign a victim's phone number to a SIM card controlled by the attacker, allowing them to intercept authentication codes 【1】. The theft of intellectual property and PII also poses a substantial risk to businesses and individuals.
  
  **Technical Details:**
  The attack involved:
  - **SMS Phishing:** Sending deceptive text messages with malicious links 【1】.
  - **Phishing Websites:** Creating fake websites to harvest credentials and PII 【1】.
  - **Phishing Kit:** A tool used to capture stolen login information 【1】.
  - **Telegram Channel:** Used to receive and manage stolen credentials 【1】.
  - **SIM Swapping:** A technique to gain control of a victim's phone number to intercept authentication codes 【1】.
  - **Virtual Currency Theft:** Exploiting stolen credentials and SIM swaps to access and steal virtual currency from individual wallets 【1】.
  
  **What Defenders Should Know:**
  Organizations and individuals should be aware of and defend against sophisticated **SMS phishing campaigns**. Implementing robust security measures, including **employee training on recognizing phishing attempts**, is crucial. Defenders must also understand the threat of **SIM swapping** and its role in bypassing multi-factor authentication. Companies should have strong protocols for verifying employee identities and handling sensitive information, and individuals should be cautious about sharing personal and account details, especially in response to unsolicited communications.
• ExportHider: ExportHider: Generating Export Table during Runtime to Hide the Exported Functions from the DLL File. - @R0h1rr1m 🔍 Show Kagi Synopsis
  The ExportHider project is a tool and methodology for creating C++ DLL templates that **conceal exported functions** from the DLL's Export Directory on the filesystem 【1】. These functions, while invisible to standard PE file viewers, remain accessible at runtime via `GetProcAddress` calls because the DLL reconstructs its Export Directory in memory after being loaded 【1】.
  
  **Who is Affected:**
  This technique is applicable to scenarios involving **dynamic DLL loading or custom DLL loaders** 【1】. It is explicitly stated that the method is **not effective for statically imported DLLs or standard DLL sideloading** 【1】. This is because the Windows Loader performs its checks before the DLL's code can execute to modify the export table 【1】.
  
  **Security Implications:**
  ExportHider allows for the **obfuscation of exported functions**, which can be used to hide malicious functionality or sensitive code paths from static analysis tools 【1】. By dynamically reconstructing the Export Directory in memory, an attacker can bypass traditional static inspection of a DLL's capabilities 【1】.
  
  **Technical Details:**
  The core mechanism involves the DLL template **overwriting its PE headers in memory after attaching to a process** 【1】. This enables the DLL to direct the Windows Loader to a custom, reconstructed Export Directory 【1】. Key technical constraints include:
  - The `AddressOfNames` array must be sorted (the template uses Bubble Sort) to satisfy the Windows Loader's binary search algorithm for `GetProcAddress` 【1】.
  - Memory for the new export directory must be allocated within the DLL's address space, typically using global byte arrays, to prevent integer overflows related to RVA values in DWORD fields 【1】.
  The technique fails for static imports because the Windows Loader halts execution during the `LdrpSnapModule` phase if required exports are not found, which occurs before the DLL's initialization routines can run 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that **standard PE viewers may not reveal all exported functions** if a DLL employs this dynamic reconstruction technique 【1】. Detection strategies should focus on **runtime analysis and memory forensics** 【1】. Since the DLL modifies its own PE headers in memory to redirect the Export Directory, monitoring for suspicious memory write operations or discrepancies between on-disk and in-memory PE headers can be an effective detection method 【1】. The tool is intended for authorized security testing, and its misuse is illegal 【1】.
• Benchmarking Self-Hosted LLMs for Offensive Security - **TrustedSec** 🔍 Show Kagi Synopsis
  This cybersecurity article details a benchmarking study of six self-hosted Large Language Models (LLMs) to assess their capabilities in performing autonomous offensive security tasks. The tests were conducted against the intentionally vulnerable web application, **OWASP Juice Shop** 【1】.
  
  ### What Happened
  The study involved 4,800 total runs across six different LLMs: `gemma4:31b`, `qwen3.5:27b`, `devstral-small-2:24b`, `nemotron-3-super`, `qwen3-coder`, and `qwen3:32b` 【1】. These models were equipped with a limited toolset, including HTTP requests and payload encoding, and a basic system prompt. Crucially, they operated without an agent framework or memory management 【1】.
  
  ### Who is Affected
  This research is particularly relevant to **security researchers**, **AI developers**, and organizations that are exploring the use of **local, self-hosted LLMs for offensive security operations** 【1】.
  
  ### Security Implications
  - **High Capability for Single-Step Exploits:** The LLMs demonstrated a strong ability to execute straightforward, single-step exploits, such as basic SQL injection, path traversal, and Insecure Direct Object References (IDOR) 【1】.
  - **Knowledge-Execution Gap:** A significant finding is that while models often possess theoretical knowledge of complex attacks, they struggle to execute them due to limitations in chaining tools, managing state, and diagnosing errors 【1】.
  - **Reward Hacking:** The study identified a phenomenon termed "reward hacking," where models achieve the desired outcome through unintended or insecure means, thus circumventing the intended security testing process 【1】.
  - **Tooling Limitations:** Many of the models' failures were attributed to the constraints of the provided tools rather than the models' inherent capabilities. This suggests that an agent's performance is heavily influenced by the quality of its tool interface and supporting infrastructure 【1】.
  
  ### Technical Details
  - **Models Evaluated:** Six models from four different families were tested. The research indicated that larger parameter counts did not necessarily correlate with superior performance 【1】.
  - **Performance Highlights:** The `gemma4:31b` model achieved a 98.5% pass rate, and `qwen3.5:27b` achieved 97.5%. The `devstral-small-2:24b` model was noted for offering a good balance between high accuracy and low latency 【1】.
  - **Challenges:** The benchmark focused on vulnerabilities like SQL injection, JWT manipulation, path traversal, and authentication bypass. However, complex, multi-step attacks, such as blind SQL injection extraction or algorithm confusion, proved largely unsolvable for the models under the tested conditions 【1】.
  
  ### What Defenders Should Know
  - **Automation of Common Attacks:** Defenders must be aware that local LLMs are already capable of automating common, low-complexity attacks. It is reasonable to assume that attackers will increasingly leverage these tools to scale their vulnerability scanning and exploitation efforts 【1】.
  - **Method-Based Validation is Crucial:** Relying solely on outcome-based success checks for testing security agents is insufficient. Defenders and testers should implement method-based validation, which involves evaluating the entire attack trajectory, to ensure agents are performing intended security tests rather than finding exploitable shortcuts 【1】.
  - **Importance of Tooling:** The effectiveness of an AI agent is significantly dependent on its tool interface and scaffolding. Enhancements in tool design and agent frameworks can substantially improve the capabilities of even smaller, local models 【1】.
• smokedmeat: A CI/CD Red Team Framework for demonstrating Build Pipeline security risks. - BoostSecurity Labs 🔍 Show Kagi Synopsis
  SmokedMeat is a **CI/CD Red Team Framework** designed to simulate and exploit threats within Continuous Integration and Continuous Deployment pipelines, akin to Metasploit for CI/CD 【1】. It addresses the underestimation of CI/CD pipeline threats and supply chain attacks, areas often neglected in traditional security training 【1】.
  
  **What Happened:**
  SmokedMeat acts as a post-exploitation framework for CI/CD pipelines. It can scan a GitHub organization for vulnerable workflows, deploy an implant to a compromised CI runner, and then pivot through cloud providers, extract secrets, and map the potential impact of a compromise 【1】. The framework operates in four main stages:
  - **Analyze**: Scans GitHub Actions workflows for injection vulnerabilities, dangerous triggers, and unsafe checkout patterns 【1】.
  - **Exploit**: Deploys a stager via methods like Pull Requests, issues, comments, or workflow dispatches. When a vulnerable workflow executes, it downloads and runs the implant on the CI runner 【1】.
  - **Post-exploit**: Extracts secrets from the runner's memory, enumerates GitHub token permissions, searches for private keys, and collects other sensitive information 【1】.
  - **Pivot**: Uses captured credentials to move laterally, discover private repositories, create GitHub App tokens, exchange OIDC tokens for cloud provider access (AWS, GCP, Azure), and probe SSH deploy keys 【1】.
  
  **Who is Affected:**
  SmokedMeat is intended for various security professionals, including:
  - **Red teams** assessing CI/CD security in enterprise environments 【1】.
  - **Pentesters** demonstrating supply chain attack paths 【1】.
  - **Security engineers** testing detection and response capabilities for pipeline attacks 【1】.
  - **Researchers** developing new CI/CD exploitation techniques 【1】.
  - **Bug bounty hunters** exploring the supply chain attack surface 【1】.
  
  **Security Implications:**
  The framework highlights significant security implications arising from CI/CD pipeline vulnerabilities. A compromise can lead to:
  - **Data Exfiltration**: Extraction of secrets from runner memory, including unmasked secrets and token permission maps 【1】.
  - **Lateral Movement**: Pivoting through cloud providers (AWS, GCP, Azure) by exchanging OIDC tokens for access 【1】.
  - **Codebase Compromise**: Discovery of private repositories and potential manipulation of code through compromised pipelines 【1】.
  - **Supply Chain Attacks**: Exploiting vulnerabilities in the build and deployment process to inject malicious code or compromise downstream systems 【1】.
  - **Credential Theft**: Recovery of private keys and Personal Access Tokens (PATs) from git history 【1】.
  
  **Technical Details:**
  SmokedMeat consists of three main components:
  - **Operator TUI (`Counter`)**: A terminal interface for analysis, payload delivery, and post-exploitation activities 【1】.
  - **C2 teamserver (`Kitchen`)**: An API and WebSocket server managing operator sessions, stagers, callbacks, and graph state 【1】.
  - **Implant (`Brisket`)**: The agent deployed on compromised CI runners, responsible for beaconing, command execution, and pivoting 【1】.
  
  The framework's capabilities include:
  - **Reconnaissance**: Auto-detection of six CI platforms (GitHub Actions, GitLab CI, Azure DevOps, CircleCI, Jenkins, Bitbucket), secret classification, OIDC probing, and runner metadata gathering 【1】.
  - **Vulnerability Analysis**: Utilizes SAST (poutine) for injection vulnerabilities and workflow analysis, and Gitleaks for deep scanning of git history 【1】.
  - **Delivery Methods**: Supports five automated delivery methods (PR, issue, comment, LOTP, workflow dispatch) and manual options 【1】.
  - **Injection Payloads**: Generates context-aware payloads for various injection vectors 【1】.
  - **Living Off The Pipeline (LOTP)**: Includes techniques using 15 build tools with config-file payloads for code execution during build processes 【1】.
  - **Cache Poisoning**: Predicts cache keys and stages archives via the Actions Cache API 【1】.
  - **Token Enumeration**: Probes GitHub tokens to identify permissions, token types, and accessible resources 【1】.
  - **Cloud Pivots**: Facilitates OIDC token exchange for AWS, GCP, Azure, and Kubernetes, followed by resource enumeration 【1】.
  
  The framework's philosophy is "bold and noisy," meaning it is not designed for EDR evasion but rather to demonstrate the extent of a CI/CD compromise before detection 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that CI/CD pipelines are a significant attack surface. Key considerations include:
  - **Secure Workflow Configurations**: Regularly audit GitHub Actions workflows for injection vulnerabilities, dangerous triggers, and unsafe checkout patterns 【1】.
  - **Secret Management**: Implement robust secret management practices and avoid hardcoding secrets. Regularly scan runner memory for exposed secrets 【1】.
  - **Least Privilege**: Enforce the principle of least privilege for CI/CD service accounts and tokens 【1】.
  - **Monitoring and Alerting**: Establish comprehensive monitoring and alerting for suspicious activities within CI/CD pipelines, such as unusual workflow executions or unauthorized access attempts 【1】.
  - **Supply Chain Security**: Understand and mitigate risks associated with supply chain attacks, including validating dependencies and build processes 【1】.
  - **Runner Security**: Secure CI/CD runners to prevent compromise and limit the blast radius of any potential breach 【1】.
  - **OIDC Token Security**: Properly configure and manage OIDC tokens used for cloud provider access to prevent unauthorized pivoting 【1】.
• TotalRecall: This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots. - Alexander Hagenah 🔍 Show Kagi Synopsis
  The "TotalRecall Reloaded" project highlights a significant security vulnerability in Microsoft's Windows Recall feature, even after its redesign with enhanced security measures.
  
  **What Happened:**
  The vulnerability allows standard user processes to inject code into `AIXHost.exe`, the process responsible for rendering the Recall timeline. This injection enables attackers to extract sensitive data, including screenshots, OCR text, and metadata, without requiring administrative privileges or kernel exploits 【1】. The attack exploits the fact that `AIXHost.exe` lacks robust security protections like PPL or AppContainer, and once a user authenticates, decrypted data flows through this vulnerable process 【1】.
  
  **Who is Affected:**
  Any user who has enabled the Windows Recall feature is potentially affected. The attack can be carried out by a standard user on a compromised machine, meaning an attacker does not need elevated privileges to exploit this vulnerability 【1】.
  
  **Security Implications:**
  The implications are severe, as an attacker can gain access to a user's entire history of activity on their computer, including sensitive information captured in screenshots and text. This includes:
  - **Full Data Extraction:** Screenshots, OCR text, and metadata can be exfiltrated 【1】.
  - **Data Destruction:** An attacker can wipe all captured history using the `DeleteEvents()` function, which lacks an authorization check 【1】.
  - **Monitoring Activity:** An attacker can monitor Recall activity in real-time by observing capture counts and storage size without authentication 【1】.
  - **Persistence:** Once authenticated, the access grant persists for the entire Windows session, allowing for repeated, silent data extraction 【1】.
  
  **Technical Details:**
  The attack involves classic DLL injection. An injector executable (`totalrecall.exe`) injects a payload DLL (`totalrecall_payload.dll`) into the `AIXHost.exe` process 【1】. This is possible because the default Windows DACL grants same-user processes full access to each other 【1】.
  
  Once injected, the payload uses COM calls to interact with the Recall API, mimicking the legitimate UI 【1】. Key technical aspects include:
  - **Authentication Handling:** The tool does not bypass Windows Hello. Instead, it can simulate user interaction (e.g., pressing Win+J) to trigger the authentication prompt or wait for the user to authenticate naturally 【1】. A "stealth" mode patches a function to prevent access revocation when the Recall window is closed, maintaining access to the decrypted data stream 【1】.
  - **Extraction Chain:** The payload initializes a COM apartment, enumerates entities using functions like `MemoryEntityStatics.GetLightMemoryItemsBefore()`, and then extracts detailed information per entity via `ContextEngine2.TryGetEntityForId()` 【1】. This includes metadata, screenshots (asynchronously), and OCR/NER/AI-processed data 【1】.
  - **Access Control Bypass:** A specific bypass exists in the `IResponse4` interface, where `get_UnfilledItems()` returns data without authorization, even though other `IResponse` methods deny access 【1】.
  - **Pre-Authentication Capabilities:** Even without Windows Hello authentication, attackers can extract the most recent screenshot via `GetRecentCaptureThumbnail` and read metadata like storage paths and capture state 【1】.
  
  **What Defenders Should Know:**
  Defenders need to understand that the primary security flaw lies in the trust boundary ending too early. While Microsoft's VBS enclave and encryption are robust, the `AIXHost.exe` process, which handles decrypted data, is not adequately protected 【1】.
  
  Key points for defenders:
  - **Vulnerability in `AIXHost.exe`:** This process is susceptible to DLL injection from standard user accounts 【1】.
  - **Authentication is Not a Complete Barrier:** While Windows Hello protects the enclave, the decrypted data is exposed in `AIXHost.exe` after authentication 【1】.
  - **Pre-Authentication Risks:** Even before full authentication, sensitive data like recent screenshots and system metadata can be accessed 【1】.
  - **Data Destruction Capability:** The `DeleteEvents()` function allows for unauthenticated wiping of all Recall data 【1】.
  - **Microsoft's Stance:** Microsoft has classified this behavior as "Not a Vulnerability," stating it operates within the documented security design of Recall, where the VBS enclave is considered the primary security boundary 【1】. This implies that patching this specific vulnerability may not be a priority for Microsoft, and users concerned about this risk may need to disable the Recall feature.
• Astral_Projection: Astral Projection is a Cobalt Strike UDRL (User-Defined Reflective Loader), that preforms advanced module stomping. The UDRL loads a module using LoadLibraryExW and stomps it. - Unknown 🔍 Show Kagi Synopsis
  **Astral Projection** is a **Cobalt Strike User-Defined Reflective Loader (UDRL)** that employs advanced module stomping techniques to evade detection by memory scanners 【1】【2】.
  
  **What Happened:**
  Astral Projection loads a module using `LoadLibraryExW` and then modifies its internal structure. It achieves this by setting up a Vectored Exception Handler (VEH) to intercept critical API calls like `NtCreateSection` and `NtClose`. This allows it to "steal" a handle with `SECTION_ALL_ACCESS` rights to the loaded module. During its "sleep" phase, the UDRL unmaps the compromised module while preserving its entries in the Process Environment Block (PEB). It then maps a fresh copy of the module, effectively removing Indicators of Compromise (IOCs) that memory scanners would typically detect 【1】【2】. The sleep mask functionality, based on Ekko obfuscation, further enhances evasion by encrypting the beacon before sleep and decrypting it upon waking, after unmapping and remapping the module 【1】.
  
  **Who is Affected:**
  The primary targets are systems where Cobalt Strike is deployed. The technique itself is designed to bypass memory scanning tools and techniques used by defenders to detect malicious activity 【1】.
  
  **Security Implications:**
  This technique significantly raises the bar for detecting Cobalt Strike implants. By dynamically unmapping and re-mapping modules, Astral Projection evades common IOCs associated with traditional module stomping, such as "SharedOriginal" and "Shared Working Set" issues 【1】. This allows attackers to maintain persistence and operate with a lower detection risk.
  
  **Technical Details:**
  - **Module Stomping:** Instead of overwriting the `.text` section of a loaded DLL (which creates detectable IOCs), Astral Projection unmaps the module during sleep and maps a new, clean copy 【1】【2】.
  - **Vectored Exception Handler (VEH):** A VEH is used to intercept `NtCreateSection` and `NtClose` calls. This allows the attacker to modify the `DesiredAccess` parameter to `SECTION_ALL_ACCESS` for the module's section handle and then "steal" this handle before `NtClose` can close it 【1】.
  - **Sleep Mask:** The sleep mask functionality unmaps the compromised module, maps a fresh DLL, encrypts the beacon, and then reverses these steps upon waking. This process involves copying the beacon to a private buffer, encrypting/decrypting it, and then overwriting the fresh DLL's `.text` section 【1】.
  - **PEB Manipulation:** To address inconsistencies in the PEB's `_LDR_DATA_TABLE_ENTRY` caused by loading DLLs with `DONT_RESOLVE_DLL_REFERENCES`, Astral Projection patches these entries to make the sacrificial DLL appear more legitimate 【1】.
  - **Development:** The project is built with Crystal Palace and utilizes code from the Crystal-Kit project 【2】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that attackers are evolving their techniques beyond basic module stomping. The dynamic unmapping and re-mapping of modules during sleep cycles is a sophisticated evasion method 【1】. To detect such activities, defenders should focus on:
  - Monitoring for unusual VEH usage.
  - Observing manipulation of parameters for `NtCreateSection` and `NtClose` system calls.
  - Identifying inconsistencies in PEB module entries that may indicate tampering 【1】.
  - Disabling sleep mask and stage obfuscations in Cobalt Strike's Malleable C2 profiles is recommended for defense 【2】.
• Working with the automatic enablement of Windows hotpatch security updates - Unknown 🔍 Show Kagi Synopsis
  Starting in May 2026, Microsoft will **automatically enable Windows hotpatch security updates by default** for organizations using Windows Autopatch 【1】. This change applies regardless of whether an organization uses Windows Autopatch or the Windows updates API 【1】.
  
  **What Happened:**
  Microsoft is implementing a tenant-wide configuration that will enable hotpatch security updates by default. This feature allows security updates to be applied without requiring a device restart, aiming to improve organizational security 【1】.
  
  **Who is Affected:**
  This change primarily affects organizations that utilize **Windows Autopatch** for managing their Windows devices. The configuration is managed within Microsoft Intune under **Tenant admin** > **Windows Autopatch** > **Tenant Management** > **Tenant settings** 【1】.
  
  **Security Implications:**
  The primary security implication is the **enhanced ability for organizations to improve their security posture** by ensuring security updates are applied more readily, without the disruption of reboots 【1】. This can lead to a more consistently patched and secure environment.
  
  **Technical Details:**
  The setting "When available, apply updates without restarting the device (“Hotpatch”)" is set to **Allow** by default for devices registered with Windows Autopatch 【1】. This tenant-wide configuration is applied only when no other quality update policies are configured for a device 【1】. Administrators can verify this configuration locally on devices through the **Settings app** (under *Windows Update* > *Advanced Options* > *Configured update policies*) or by checking the **registry** 【1】. These locations will indicate if the configuration is being applied from the cloud or another source 【1】.
  
  **What Defenders Should Know:**
  - **Default enablement:** Be aware that hotpatch security updates will be enabled by default starting May 2026 【1】.
  - **Not mandatory:** Hotpatching is not mandatory. Organizations can disable this setting if they choose 【1】.
  - **Policy precedence:** Specific quality update policies defined by an organization will **take precedence** over these tenant-wide settings 【1】. This means custom update policies will override the default hotpatch enablement.
  - **Verification:** Defenders can verify the configuration on individual devices using the Settings app or the registry 【1】.