InfoSec Briefing - April 28, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Tuesday, April 28, 2026, covering 6 articles. All attribution is by the article authors. All article analysis is automated.

LAB52 has published analysis of EasterBunny, a highly customized Stage 3 implant deployed by APT29, the Russian foreign intelligence service. Discovered in 2019, the malware targeted government agencies, diplomatic delegations, and defense organizations across Europe, Central Asia, and Five Eyes countries. Each sample is uniquely tailored per victim using BIOS UUID-derived decryption keys and advanced evasion techniques, defeating traditional indicator-based detection methods and maintaining persistent access for intelligence gathering.

Synacktiv researchers have discovered a new Windows authentication reflection vulnerability that bypasses Microsoft's recent patch, allowing local privilege escalation to SYSTEM on Windows Server 2025. The attack exploits SMB multiplexing and a new feature allowing arbitrary TCP ports for SMB connections, enabling attackers to relay privileged authentication from services like LSASS back to the local machine.

JPCERT's Incident Response Group has developed a novel detection system combining graph-based modeling with large language model reasoning to identify malicious Windows logon activities. The system transforms Windows Event Logs into authentication graphs analyzed using PageRank and Hidden Markov Models. The approach was validated against a real-world incident involving the threat actor exploiting Ivanti Connect Secure for lateral movement.

The Goodboy Framework is a 15-stage educational course teaching Windows malware development in Rust, progressing from basic shellcode loaders to a full command and control agent. All 15 binaries achieved zero detection rates on VirusTotal by implementing advanced antivirus and machine learning evasion techniques. The course demonstrates both offensive development and defensive analysis perspectives for security professionals and researchers.

AsuNa has released TLGMapper, an IDA Pro script that parses TraceLogging metadata in 64-bit PE binaries to map Event Tracing for Windows events to their source functions. The tool automates static analysis of binary instrumentation through metadata extraction and call-graph analysis, enabling security researchers to understand telemetry capabilities without executing the binary, though it has limitations including 64-bit only support and reduced effectiveness on obfuscated binaries.

DrvEye is a static analysis toolkit for Windows kernel drivers that enables security researchers to assess driver exploitability and identify input output control codes, symbolic links, and certificate information. The tool targets Bring Your Own Vulnerable Driver hunters and kernel reverse engineers, helping them determine if drivers will load on specific Windows configurations and their exploitation potential while generating findings and proof-of-concept code for vulnerability assessment.

That concludes today's briefing.

📰 Articles Covered

Eatser Bunny an APT29 implant - The content posted at the provided URL is controlled by LAB52, which is part of S2GRUPO.

The cybersecurity article details **EasterBunny**, a sophisticated cyber espionage implant developed by the **APT29 group**, also known as the Russian SVR 【1】. This malware was discovered in 2019 and was used in highly customized campaigns to maintain long-term persistence and gather intelligence within targeted organizations 【1】.

### What Happened
APT29 deployed EasterBunny as a **Stage 3 implant** to ensure persistent access and facilitate intelligence gathering. A key characteristic of this malware is its extreme customization, with each sample being uniquely tailored to the victim. This makes traditional detection methods relying on static indicators like hashes or IP addresses ineffective 【1】.

### Who is Affected
The targets of this campaign were primarily **government agencies, diplomatic delegations, and national defense organizations** located in Europe, Central Asia, and countries belonging to the "Five Eyes" intelligence alliance 【1】.

### Security Implications
The EasterBunny implant poses significant security risks:
- **Persistence and Credential Theft:** It systematically steals user credentials and can bypass password expiration policies through techniques like Golden Ticket or SAML attacks 【1】.
- **Operational Backdoor:** It provides attackers with an operational backdoor, allowing them to introduce additional post-exploitation tools such as Cobalt Strike or Sliver, and to exfiltrate sensitive data like emails and documents 【1】.
- **Stealthy Operation:** The malware employs advanced techniques to evade detection, including anti-analysis, anti-sandbox, and anti-forensic measures. It uses multi-layered loading ("Matryoshka" style) and junk code to remain hidden 【1】.

### Technical Details
EasterBunny has a complex technical architecture:
- **Multi-layered Execution:** It operates as a multi-layered pipeline where each stage decrypts and loads the subsequent one, utilizing a reflexive loader for Position Independent Code (PIC) 【1】.
- **Unique System Identifiers:** A distinctive feature is its execution dependency on the specific machine it's installed on. Decryption keys are derived from unique system identifiers such as the BIOS UUID, MachineGuid, and MRT GUID 【1】.
- **Command and Control (C2) Communication:** The malware communicates with its C2 servers by using compromised legitimate third-party websites to mimic normal traffic. It encapsulates data within HTTP cookies, imitating Google ad-tracking patterns 【1】.
- **Modular Design:** The implant is modular, allowing operators to dynamically load additional modules for specific malicious tasks, such as DCSync modules 【1】.

### What Defenders Should Know
Defenders need to be aware of the following to counter EasterBunny:
- **Unreliable Indicators of Compromise (IOCs):** Due to the malware's high degree of customization, static IOCs are not effective for detection 【1】.
- **Focus on Tactics, Techniques, and Procedures (TTPs):** Defenders should prioritize behavioral detection methods that focus on the group's TTPs 【1】.
- **Key Indicators for Detection:**
- **Anti-Analysis Evasion:** Look for time-based evasion techniques, such as loops that pause for extended periods to bypass sandboxes 【1】.
- **Registry Persistence:** The malware utilizes specific COM object registry keys (CLSID) for persistence, with subkeys containing encrypted configuration data 【1】.
- **Memory Forensics Evasion:** It employs a "moat" technique, zeroing out the first 4KB of memory pages, to evade memory scanners like Volatility's `malfind` 【1】.
- **YARA Rules:** Specific YARA rules are available (detailed in Appendix 6.3 of the report) designed to detect the "Wrapper" logic characteristic of the EasterBunny family 【1】.
- **Behavioral Monitoring:** Monitor for unusual process behaviors, including unexpected registry modifications, suspicious HTTP traffic patterns (especially cookie-based data exfiltration), and the dynamic loading of modules into memory 【1】.
Bypassing Windows authentication reflection mitigations for SYSTEM - Synacktiv

This cybersecurity article details the discovery of new vulnerabilities that bypass Windows authentication reflection mitigations, leading to local privilege escalation (LPE) and potential system compromise 【1】.

**What Happened:**
Researchers discovered that Microsoft's patch for CVE-2025-33073 did not fully address the root cause of authentication reflection vulnerabilities. This led to the identification of a new LPE vulnerability via NTLM reflection. The attack involves starting a local SMB server on a custom port and then coercing a privileged service, such as LSASS, to authenticate to this local share. Due to SMB multiplexing, where multiple authenticated sessions can share the same TCP connection, the privileged NTLM authentication is relayed back to the machine's own SMB service, granting the attacker a privileged SMB session 【1】. A key enabler for this attack is a new feature in Windows 11 24H2 and Windows Server 2025 that allows specifying an arbitrary TCP port for SMB connections 【1】.

**Who is Affected:**
The newly discovered vulnerability, assigned **CVE-2026-24294**, affects **Windows Server 2025 by default** 【1】. While Windows 11 24H2 has a similar feature for arbitrary port connections, it is protected because it enforces SMB signing 【1】.

**Security Implications:**
The primary security implication is **local privilege escalation**, allowing an attacker with initial access to a vulnerable machine to gain SYSTEM-level privileges 【1】【1】. This bypasses previous mitigations and highlights that the underlying issue of authentication reflection remains a significant risk for Windows machines 【1】.

**Technical Details:**
The attack leverages a feature allowing arbitrary TCP ports for SMB connections 【1】. An attacker first sets up a local SMB server on a specific port (e.g., 12345) and mounts it using `net use \\<attacker_ip>\share /tcpport:12345`. This establishes a TCP connection that the SMB client will reuse 【1】. The attacker then coerces a privileged service (like LSASS) to authenticate to the same share path. Because SMB allows multiple sessions to be multiplexed over a single TCP connection, the authenticated NTLM credentials from the privileged service are relayed back to the machine's own SMB service, granting the attacker a privileged session 【1】【1】. This vulnerability was patched in March 2026 【1】.

**What Defenders Should Know:**
Defenders should be aware that **authentication reflection vulnerabilities are still a threat** despite previous patches 【1】【1】. The ability to relay local authentications remains a significant risk. Implementing **SMB signing** is crucial, as it mitigates this specific vulnerability on Windows 11 24H2 【1】. Organizations should stay informed about new vulnerabilities and ensure their systems are patched promptly, especially concerning authentication mechanisms and SMB configurations.
GRAPH-AWARE LLM FOR WINDOWS LOGONS WITH A CLOSED-LOOP GUARDED DETECTION AGENT - The content posted at the URL is controlled by **Shusei Tomonaga** from the **Incident Response Group at JPCERT/CC**.

The cybersecurity article "GRAPH-AWARE LLM FOR WINDOWS LOGONS WITH A CLOSED-LOOP GUARDED DETECTION AGENT" by Shusei Tomonaga (JPCERT/CC) presents a novel approach to detecting malicious logon activities within the vast amount of Windows Event Logs 【1】.

### What Happened
The author developed a system that combines graph-based relational modeling with Large Language Model (LLM) reasoning to identify suspicious logon events 【1】. This method aims to overcome the limitations of traditional log analysis, which is often overwhelmed by the sheer volume of data, and LLM-only approaches, which can be expensive and constrained by context windows 【1】. The system compresses Windows Event Logs into an authentication graph, which is then analyzed by an LLM agent 【1】.

### Who is Affected
**Organizations utilizing Windows environments, especially those with Active Directory**, are affected by the challenge of differentiating legitimate logon activities from malicious ones 【1】. The article highlights the system's efficacy through a real-world incident involving a threat actor (consistent with UNC5221) that exploited Ivanti Connect Secure and engaged in lateral movement 【1】.

### Security Implications
Attackers frequently exploit legitimate authentication mechanisms, leaving minimal forensic evidence 【1】. High-risk activities such as lateral movement, credential abuse, and Kerberoasting can easily be missed within noisy log data 【1】. If undetected, these actions can allow attackers to maintain persistence and move freely within a network 【1】.

### Technical Details
The system employs several technical components:
- **Graph Modeling**: Windows Event Logs are transformed into a graph where users and hosts are nodes, and logons are represented as edges. This significantly reduces data volume and helps visualize structural anomalies like lateral movement patterns 【1】.
- **Feature Extraction**: Techniques like **PageRank and Hidden Markov Models (HMM)** are used to score and prioritize nodes and edges, guiding the LLM's focus towards suspicious activities 【1】.
- **LLM Agent Workflow**: A closed-loop agent operates on a "Plan, Generate, Execute, Analyze, Decide" cycle. It generates Cypher queries to interact with the authentication graph, analyzes the results, and iterates until sufficient evidence is found or the investigation concludes 【1】.
- **Guardrails**: To ensure accuracy and auditability, the LLM agent incorporates prompt-based guardrails, strict input/output contracts, and requires evidence-based justifications for its findings 【1】.

### What Defenders Should Know
Defenders should consider the following recommendations:
- **Compress Logs Before Analysis**: Avoid feeding raw logs directly into LLMs. Utilize graph compression techniques to make large-scale log analysis feasible and cost-effective 【1】.
- **Implement Guardrails**: Employ structured outputs, evidence requirements, and parameterized query templates to control LLM behavior and ensure trustworthy, actionable results 【1】.
- **Focus on Relationships**: Prioritize identifying structural anomalies within authentication graphs, such as accounts accessing multiple hosts, rather than focusing on isolated log entries 【1】.
- **Automate Prevention**: Leverage AI agents to translate investigation findings into durable detection rules (e.g., Sigma rules) to prevent future occurrences 【1】.
- **Utilize Tooling**: The author has released **LogonTracer v2.0** on GitHub to support this graph-aware approach 【1】.
goodboy-framework: 15-stage Windows malware development & analysis course in Rust. Red team builds it, blue team detects it. All 15 binaries achieved 0/76 on VirusTotal. - The content posted at the URL is controlled by **F2u0a0d3**.

The **Goodboy Framework** is a 15-stage educational course in Rust that teaches Windows malware development and analysis from both offensive (red team) and defensive (blue team) perspectives 【1】. The course progresses from basic shellcode loaders to a full Command and Control (C2) agent, with each stage demonstrating techniques to evade antivirus (AV) and machine learning (ML) detection 【1】.

**What Happened:**
The course developed 15 distinct malware binaries, each incorporating progressively sophisticated evasion techniques. Notably, all 15 binaries achieved a **0/76 detection rate on VirusTotal** at the time of their development 【1】. This was achieved by understanding how defenses work and then developing methods to bypass them, illustrating an "arms race" between attackers and defenders 【1】.

**Who is Affected:**
The course is designed for **security professionals, researchers, and students** interested in understanding malware development and defense mechanisms. The binaries themselves are harmless, displaying only a "GoodBoy" message box and performing no malicious actions like network activity, persistence, or system modifications, except for a localhost beacon in the final stage 【1】. However, the techniques taught could be adapted for malicious purposes.

**Security Implications:**
The primary security implication lies in the **demonstration of advanced evasion techniques** that can render traditional security solutions ineffective. The course highlights the **"sample burning" phenomenon**, where the act of submitting a sample to AV vendors for testing inadvertently trains their systems to detect it 【1】. This means that a binary that is initially undetectable can become detectable simply by being tested 【1】. The course also shows how defenders can break previous evasion techniques, forcing attackers to continually evolve their methods 【1】.

**Technical Details:**
The framework progresses through stages, each building upon the last:
- **Initial Stages:** Focus on basic shellcode loaders, XOR encryption, and fragmentation 【1】.
- **Intermediate Stages:** Introduce RC4 encryption, custom API hashing, and direct/indirect syscalls to bypass ntdll hooks 【1】.
- **Advanced Stages:** Incorporate anti-debugging, hardware-based sandbox detection, module stomping, and payload encryption during sleep states 【1】.
- **Final Stage:** A full C2 agent with encrypted HTTPS beaconing 【1】.

Each stage documents the offensive technique, detection methods (using YARA, Sigma, ETW, and memory forensics), and techniques to break those detections 【1】. Empirical data on AV/ML evasion, including specific engine bypasses, is provided 【1】.

**What Defenders Should Know:**
Defenders should be aware of the following:
- **The "Sample Burning" Phenomenon:** Testing samples on platforms like VirusTotal can lead to their detection by AV vendors, as these platforms are used to train ML classifiers 【1】.
- **Evolving Evasion Techniques:** Attackers continuously develop new methods to bypass defenses, necessitating constant updates to detection strategies 【1】.
- **Layered Defense:** Relying on a single detection method is insufficient. A multi-faceted approach incorporating signature-based detection, behavioral analysis, memory forensics, and threat intelligence is crucial 【1】.
- **Adversarial Thinking:** Understanding how attackers think and operate is key to developing effective defenses. The "Dual Perspective" taught in the course emphasizes building, detecting, and then breaking one's own creations 【1】.
- **Importance of Isolated Environments:** Executing unknown binaries should always be done in isolated virtual machines to prevent compromise 【1】.
TLGMapper: An IDA Pro script that parses TraceLogging metadata embedded in x64 PE binaries and resolves each event to its owning ETW provider and the function that fires it. - **AsuNa-jp** is the individual that controls the content posted at the GitHub URL https://github.com/AsuNa-jp/TLGMapper .

TLGMapper is an **IDA Pro script** designed to parse **TraceLogging metadata** within x64 PE binaries. This allows security researchers and reverse engineers to map **Event Tracing for Windows (ETW) events** to the specific functions that generate them, aiding in the static analysis of binary instrumentation 【1】.

**What Happened:**
TLGMapper was developed to provide a method for analyzing ETW events embedded in binaries. It automates the process of linking these events back to their source functions, which is often a manual and time-consuming task 【1】.

**Who is Affected:**
The primary users of TLGMapper are **security researchers, reverse engineers, and malware analysts** who need to understand the behavior of executable files without necessarily running them 【1】.

**Security Implications:**
* **Enhanced Reverse Engineering:** The tool significantly improves the ability to understand the telemetry a binary can produce, which is crucial for analyzing potentially malicious software 【1】.
* **Improved Detection Engineering:** By identifying the ETW events a binary is capable of emitting, defenders can develop more precise and effective detection rules for malicious activities 【1】.

**Technical Details:**
TLGMapper works in two main phases:
* **Metadata Extraction:** It searches for `ETW0` headers in non-executable segments, parses provider and event data, and locates `_tlgProvider_t` structures within `.data` segments 【1】.
* **Resolution:** It employs data-flow and call-graph analysis to connect events to their originating functions. This resolution process uses a priority system, including methods like Direct-Preceding, Direct-Nearest, and Call-Graph Depth-First Search (DFS) 【1】.

**What Defenders Should Know:**
* **Capabilities:** Defenders should be aware that tools like TLGMapper exist, enabling a deeper static analysis of binaries and their potential for generating ETW telemetry 【1】.
* **Limitations:** The current version of TLGMapper is restricted to **x64 PE binaries**. Its call-graph analysis has a depth limit of 3, and it may struggle with highly obfuscated binaries 【1】. Understanding these limitations is key to assessing the tool's applicability in specific scenarios.
DrvEye: Static analysis & exploitation-triage toolkit for Windows kernel drivers. Discover IOCTLs, Symbolic Links, and check cert , - **0xDbgMan**

DrvEye is a toolkit designed for static analysis and exploitation triage of Windows kernel drivers, aimed at security researchers, BYOVD (Bring Your Own Vulnerable Driver) hunters, and kernel reverse engineers 【1】.

**What Happened:**
DrvEye was developed to provide a rapid, static analysis of Windows kernel drivers (`.sys` files). It aims to answer two key questions: whether a driver will load on a given Windows configuration and what its exploitability potential is 【1】.

**Who is Affected:**
The tool is primarily for **security researchers, BYOVD hunters, driver triagers, and kernel reverse engineers** 【1】. It helps them assess the security posture and exploitability of `.sys` files. The output of the tool, such as Proof-of-Concept (PoC) code, could potentially be used by malicious actors if they gain access to vulnerable drivers, but the tool itself is intended for defensive and research purposes 【1】.

**Security Implications:**
DrvEye can reveal critical security weaknesses in Windows kernel drivers. It identifies:
- **Driver Loadability:** It models Authenticode, WDAC, and HVCI policies to predict if a driver will load, flagging reasons for failure like missing `FORCE_INTEGRITY` flags or the presence of W+X sections 【1】.
- **Exploitability:** It discovers IOCTL (Input/Output Control) interfaces, performs taint analysis, classifies exploit primitives (e.g., token-stealing, arbitrary read/write, PPL bypass), and identifies bug classes (e.g., double-fetch, integer overflow) 【1】【1】【1】.
- **Vulnerability Discovery:** By analyzing IOCTL surfaces through multiple discovery paths and using hash-based dispatch reversal, it can uncover vulnerabilities even in anti-reverse engineering drivers 【1】.

**Technical Details:**
DrvEye employs several advanced techniques:
- **Load Verdict Matrix:** Assesses driver loadability across different Windows configurations (Default, Secure Boot, HVCI, Test-signing, S Mode) 【1】.
- **IOCTL Surface Analysis:** Utilizes dispatch-table walking, a WDF emulator, and brute-force scanning, along with hash-based dispatch reversal, to discover IOCTL codes and their handlers 【1】.
- **Exploit Primitive and Bug Class Classification:** Leverages per-handler taint analysis, backward slicing, constant propagation, and path-sensitive gate detection to identify primitives like `token-steal`, `arb-write`, and bug classes like `double-fetch` 【1】.
- **Artifact Generation:** Produces compilable C PoCs, fuzzing harnesses, runtime tracers, PowerShell status checkers, and IDAPython scripts to aid analysis and exploitation confirmation 【1】.
- **Live Policy Data:** Can fetch current Microsoft trust lists, revocation lists, and WDAC vulnerable-driver block lists for up-to-date analysis 【1】.

**What Defenders Should Know:**
Defenders can leverage DrvEye for auditing and defensive purposes:
- **Proactive Vulnerability Assessment:** Use the tool to statically analyze drivers deployed within their environment to identify potential vulnerabilities before they are exploited 【1】【1】.
- **Stay Updated:** Regularly update the tool's live policy data (`--live-check` and `--loldrivers`) to ensure analysis reflects the latest Microsoft trust data and vulnerable driver block lists 【1】.
- **Understand Exploitability:** Recognize the types of exploit primitives and bug classes DrvEye can identify, allowing for better threat modeling and defense strategy development 【1】.
- **Responsible Disclosure:** If vulnerabilities are found in vendor drivers, defenders should follow responsible disclosure practices 【1】.
- **Authorization:** Users must ensure they have proper authorization before analyzing any driver or running any generated PoC on a system 【1】.