Axis Communications, a leading provider of network video and surveillance solutions, has confirmed a critical vulnerability in its Autodesk® Revit® plugin that exposed Azure Storage Account credentials within signed DLLs. Discovered in July 2024 by Trend Micro’s Zero Day Initiative™ (ZDI), the vulnerability allowed attackers to access and manipulate cloud assets belonging to Axis and […]
Cybercriminals have discovered a novel way to co-opt Discord webhooks as surrogate command-and-control (C2) channels across popular language ecosystems.
Unlike traditional C2 servers, webhooks offer free, low-profile exfiltration that blends seamlessly into legitimate HTTPS traffic.
Over the past month, malicious packages in npm, PyPI, and RubyGems have quietly siphoned sensitive files and telemetry from developer machines and continuous integration environments.
Initial sightings involved a seemingly innocuous npm module named mysql-dumpdiscord. Upon installation or execution, it probes for configuration and environment files—such as config[.]json, [.]env, and ayarlar[.]js—reads their contents, and then issues an HTTP POST to a hard-coded Discord webhook URL.
The attacker-controlled webhook, embedded as a string constant, receives each file’s contents, with longer files truncated to 1,900 characters to fit Discord’s messaging limits.
Socket.dev analysts identified this technique only after network monitoring flagged an unusual spike in POST requests to discord[.]com/ api/ webhooks/....
Further investigation revealed a second npm proof-of-concept leveraging the official discord.js library:-
This minimalist approach transforms any string passed into the function into a C2 message, bypassing host-based detection that looks for unusual domains or signatures.
Across ecosystems, threat actors adopt similar tactics. In Python’s PyPI registry, a package dubbed malinssx overrides the install command in setuptools.
During pip install, it serializes a notification message in Vietnamese—“Some just installed the maladicus package via pip!”—and dispatches it to its Discord webhook.
Any network errors are caught and ignored, and the legitimate install process continues unobstructed.
In RubyGems, an altered version of sqlcommenterrails collects host metadata—such as / etc / passwd contents, DNS servers, current user, and public IP—and formats it into a multi-line JSON payload.
This is then POSTed to a webhook over HTTPS. Error handling is silent, ensuring no interruption in the gem installation.
Infection Mechanism
These packages exploit install-time hooks to achieve persistence and stealth. By overriding installer commands (install[.]run in Python, gemspec hooks in Ruby), malicious code executes before the host’s security controls alert on runtime behaviors.
This early-stage execution means secrets are exfiltrated long before code analysis or endpoint protection kicks in.
Moreover, using Discord’s infrastructure avoids raising suspicions from static allow-lists that permit traffic to discord[.]com for business collaboration, turning a trusted domain into a covert data pipeline.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Think your WAF has you covered? Think again. This holiday season, unmonitored JavaScript is a critical oversight allowing attackers to steal payment data while your WAF and intrusion detection systems see nothing. With the 2025 shopping season weeks away, visibility gaps must close now.
Get the complete Holiday Season Security Playbook here.
Bottom Line Up Front
The 2024 holiday season saw major
EDR-Freeze is a proof-of-concept tool that forces endpoint detection and response (EDR) or antivirus processes into a temporary “coma.” Instead of installing a vulnerable driver, it leverages legitimate Windows Error Reporting components, specifically WerFaultSecure.exe and the MiniDumpWriteDump API to pause security processes from user mode. By racing threads at just the right moment, EDR-Freeze suspends all […]
Microsoft Edge has identified and mitigated a critical threat exploiting its Internet Explorer (IE) compatibility mode, closing off high-risk entry points and reinforcing security for both individual and enterprise users. Although the web has largely embraced modern standards, many enterprise and government applications continue to rely on legacy technologies such as ActiveX controls and Flash. […]
A recent analysis from researcher Itamar Hällström has revealed the technical workings and forensic trail of “EDR-Freeze,” a proof-of-concept technique that temporarily disables security software.
By abusing legitimate Windows components, this method can place Endpoint Detection and Response (EDR) and antivirus (AV) processes into a temporary, reversible coma, allowing attackers to operate undetected.
How EDR-Freeze Pauses Security Tools
The EDR-Freeze technique cleverly misuses the Windows Error Reporting (WER) system to achieve its goal.
Unlike many evasion tools that rely on bringing a vulnerable driver (BYOVD) to gain kernel-level privileges, this method operates entirely from user mode.
The attack is initiated by the EDR-Freeze tool, which launches a legitimate, signed Microsoft executable, WerFaultSecure.exe. This helper process is instructed to generate a minidump of a target security process, such as Windows Defender’s MsMpEng.exe.
EDR Freeze Tool Targets Security Process
A key side effect of the minidump creation process, which leverages DbgHelp's MiniDumpWriteDump function, is that it suspends all threads in the target process.
The EDR-Freeze tool exploits this behavior, initiating the dump but holding it in a suspended state for a configurable period, effectively pausing the EDR without crashing it.
Once the specified time elapses, the operation is cleanly aborted, and the security process resumes normal function, leaving minimal traces in standard logs.
Uncovering The Forensic Artifacts
Despite its stealthy nature, the EDR-Freeze technique leaves behind distinct artifacts in a system’s memory. A forensic investigation of a memory image can uncover the entire chain of events.
Analysis tools can identify the suspended threads within the target EDR process and correlate their creation times with the activity of the WerFaultSecure.exe helper process. Investigators can also examine process handles, which act as permissions.
Forensic Artifacts
The WerFaultSecure.exe process will hold a handle to the EDR process with specific access rights, including PROCESS_SUSPEND_RESUME, which is a strong indicator of its purpose.
Command-line arguments also provide crucial evidence, showing the EDR-Freeze tool passing the target process ID (PID) to WerFaultSecure.exe.
Furthermore, the technique creates transient files, such as t.txt, during its operation. Although these files are deleted upon completion, their presence in a memory dump serves as a valuable forensic lead, Itamar Hällström said.
Detection Strategies
Defenders can proactively hunt for this activity using custom detection rules. YARA rules have been developed to identify both the EDR-Freeze binary itself and its behavioral patterns in memory.
A binary-focused rule can look for a combination of strings related to the WerFaultSecure.exe command-line flags and API imports for process manipulation, such as CreateFileW and CreateEventW.
A second, behavior-focused rule can scan system memory for a cluster of suspicious indicators, such as privilege escalation APIs and process suspension functions being used together.
This investigation highlights a critical evolution in attacker tradecraft: instead of killing security tools, they can simply pause them. This demonstrates that even Protected Process Light (PPL) processes can be manipulated, turning trusted system components into weapons.
Detecting these attacks requires defenders to move beyond endpoint alerts and incorporate memory forensics into their incident response workflows.
A significant security flaw has been discovered in Happy DOM, a popular JavaScript DOM implementation, affecting versions up to v19.
This vulnerability places systems at risk of Remote Code Execution (RCE) attacks, potentially impacting the package’s 2.7 million weekly users.
The flaw arises because the Node.js VM Context used by Happy DOM is not a completely isolated environment, which can allow untrusted code to escape and gain access to the underlying system’s functionalities.
The primary issue is that Happy DOM has JavaScript evaluation enabled by default, a detail that may not be apparent to all developers using the library.
This default configuration becomes a security risk when the environment executes untrusted code. An attacker can craft malicious JavaScript that traverses the constructor chain to access the process-level Function constructor.
This allows them to execute code outside the intended sandboxed environment, leading to a full VM escape.
The type of module system in use CommonJS or ESM determines the extent of the attacker’s control. In a CommonJS environment, an attacker can access the require() function, which allows them to load Node.js modules and perform unauthorized actions.
Potential Attack Scenarios
The implications of this vulnerability are far-reaching, especially for applications that use Server-Side Rendering (SSR) or testing frameworks that process external content.
An attacker could inject a malicious script into user-controlled HTML, which would then be executed on the server. Successful exploitation could lead to several damaging outcomes:
Data Exfiltration: Gaining access to sensitive information like environment variables, configuration files, and other secrets.
Lateral Movement: Using network access to connect to other internal systems. Although Happy DOM has some network protections, a compromised process could bypass them.
Code Execution: Obtaining child process access to run arbitrary commands on the server.
Persistence: Modifying the file system to maintain a long-term presence on the compromised system.
Mitigations
The developers of Happy DOM have released a patched version to address this vulnerability. Users are strongly advised to take immediate action to protect their systems.
The recommended course of action is to update to Happy DOM v20 or newer. This updated version disables JavaScript evaluation by default and includes a warning if it is enabled in what is considered an insecure environment.
For users who require JavaScript evaluation, it is crucial to run Node.js with the --disallow-code-generation-from-strings flag.
This setting prevents the use of eval() and Function() at the process level, closing the loophole that allows for the VM escape.
If an immediate update is not feasible, developers should disable JavaScript evaluation manually unless the content being processed is from a completely trusted source.
North Korean threat actors have escalated their Contagious Interview campaign, deploying 338 malicious npm packages with over 50,000 downloads to target cryptocurrency and blockchain developers through sophisticated social engineering tactics. The state-sponsored operation represents a significant evolution in supply chain attacks, utilizing more than 180 fake personas and a dozen command and control endpoints to […]
Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors.
The activity, described as akin to an “exploit shotgun” approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and
Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving “credible reports” in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users’ devices.
“Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer’s JavaScript
