Symantec

The TeamPCP hacking group released the source code of the Shai-Hulud worm impacting npm and PyPI, prompting European governments to seek secure messaging alternatives due to phishing risks and data sovereignty concerns, while historical analysis reveals the Fast16 malware targeted Iran's nuclear program by tampering with simulation software.

Microsoft disrupted SignSpaceCloud, a Russian cybercrime service providing code signing certificates to malware and ransomware operators, while European governments are shifting from Signal and WhatsApp due to phishing and data sovereignty risks, and the Fast16 malware targeted Iran's nuclear program.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.

Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.