Edr-Evasion
eBPF Cuts Both Ways: The Kernel Rootkit Is Now Standard Issue in 2026's Supply-Chain Malware
In two weeks, IronWorm and the atomic-lockfile AUR compromise both shipped an eBPF kernel rootkit as just another payload module. The observability primitive your stack is built on is now the malware's stealth layer — and most detection assumptions are structurally defeated.
Sophos Finds an AI-Orchestrated Lab That Auto-Builds EDR-Evasion Payloads for an Active Ransomware Crew
Sophos X-Ops recovered a post-exploitation framework where AI agents read public research, mapped it to MITRE ATT&CK, and generated ~80 Rust and Go payloads tested against Sophos, CrowdStrike, and Microsoft EDR.
Lazarus RemotePE: Memory-Only RAT Behind $577M Crypto Theft Surfaces in Fox-IT Disclosure
Fox-IT and The Hacker News detail RemotePE, a fileless C++ RAT used by North Korea's Lazarus Group against fintech and crypto firms via a DPAPI-bound loader chain. Tied to $577M in 2026 crypto theft.
Payouts King Runs Hidden QEMU VMs to Bypass EDR — STAC4713 and CitrixBleed 2 Campaigns
Sophos tracks two Payouts King campaigns running Alpine Linux inside QEMU on Windows hosts to tunnel reverse SSH and evade endpoint security. STAC3725 chains in CitrixBleed 2 (CVE-2025-5777) against NetScaler.