Threat Feed
Vendor: Bitdefender (5 briefs)
medium advisory

Potential Evasion via Windows Filtering Platform Blocking Security Software

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses. This rule detects that behavior by identifying multiple WFP block events in which the blocked process name is associated with endpoint security software.

Tags: Windows Filtering Platform, defense-evasion, windows-filtering-platform, endpoint-security (+2 more)
medium advisory

Large-Scale Smishing Campaign Impersonating Transport Authorities

A smishing campaign has been active since December 2025, targeting drivers in 12 countries with fraudulent text messages impersonating transport authorities, toll operators, and parking services, resulting in over 79,000 fraudulent messages sent as of April 2026.

Tags: smishing, fraud, social-engineering
high advisory

Suspicious Registry Hive Access via RegBack

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Tags: Endpoint Defense, credential-access, regback, windows (+6 more)
high advisory

Mac Malware Analysis of 2016: KeRanger, Keydnap, and Eleanor

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

Tags: Transmission.app, macos, malware, ransomware, backdoor (+2 more)
medium advisory

Potential Defense Evasion via Filter Manager (fltMC.exe)

Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.

Tags: Defender XDR, defense-evasion, filter-driver, fltMC.exe, windows (+3 more)