TRENDING TOPICS JAN 12, 2026

EDRStartupHinder Introduces a New Way to Stop Security Tools From Starting on Windows

A new proof-of-concept called EDRStartupHinder demonstrates how an attacker can prevent antivirus and EDR products from launching during Windows startup, including Microsoft Defender on Windows 11 25H2. Instead of trying to tamper with a running security agent, the approach targets the earlier boot phase, when the security service is still initializing. The method abuses a legitimate Windows capability tied to the Bindlink feature to temporarily redirect a critical Windows component that the security product needs to start. When the security process attempts to load that redirected component and fails the integrity checks enforced by Protected Process Light, it shuts itself down. The researcher validated the concept against Defender and reported success against multiple commercial products in a lab environment, while withholding vendor names. This is significant because it shifts the situation from “I already have admin” to “I can disable endpoint visibility at boot,” increasing the likelihood that follow-on activity will go undetected. However, the attacker still needs to obtain initial access and escalate privileges first. Operationally, the technique works by placing a helper service ahead of the security product during startup, redirecting a key System32 DLL to a deliberately corrupted copy, then cleaning up the redirect after the security process terminates. The result is a window in which the endpoint appears normal to a user, but the primary detection stack never comes online, giving attackers time to stage payloads, steal data, or establish persistence before defenses recover. The tool requires administrator privileges, so it is not a first-step intrusion, but it is highly relevant after phishing, credential theft, or local privilege escalation has already occurred. From a risk perspective, it highlights that endpoint protection can be neutralized by manipulating startup dependencies rather than attacking the product directly. 
It also reinforces that attackers increasingly rely on operating system features to disable defenses while minimizing obvious tampering. To prevent this threat, organizations should tighten admin access and credential hygiene, alert on unexpected service creation or startup order changes, monitor for abnormal DLL redirection activity tied to Bindlink and the bindflt driver, harden endpoints with platform protections that restrict tampering, and ensure incident response playbooks include checks for security agents failing to start at boot.
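An added defender-side check (written for this page, not the researcher's tool or any vendor code) that turns the recommendations above into a hunt: it lists services registered in the last day via System log event 7045, flags Service Control Manager failure events that mention Defender, and reports Defender's current state. Assumptions: the Defender service name WinDefend and the Defender PowerShell module are present; the helper service and Bindlink artifacts themselves are not enumerated because the page gives no identifiers for them.

```powershell
# Added example: hunt for boot-time tampering indicators on a Windows host.
# Run from an elevated PowerShell session so the System log is fully readable.
function Find-StartupTamperIndicators {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    $findings = @()

    # 1. Newly installed services: the Service Control Manager logs event 7045
    #    whenever a service is registered. A helper service slotted in ahead of
    #    the security product during startup would appear here.
    $installed = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $installed) {
        # Property order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $findings += [pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = 'NewService'
            Detail    = "$($e.Properties[0].Value) -> $($e.Properties[1].Value) (start: $($e.Properties[3].Value))"
        }
    }

    # 2. The security service failing to start or dying at boot: events 7000,
    #    7023, 7031 and 7034 cover failed starts and unexpected terminations.
    $failures = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7000, 7023, 7031, 7034; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in ($failures | Where-Object { $_.Message -match 'Defender|WinDefend|Antimalware' })) {
        $findings += [pscustomobject]@{
            Time = $e.TimeCreated; Indicator = "ServiceFailure-$($e.Id)"; Detail = ($e.Message -split "`n")[0]
        }
    }

    # 3. Current state of Defender: a host that looks healthy to the user but has
    #    no running antimalware service is exactly the window described above.
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running' -or ($mp -and -not $mp.AMServiceEnabled)) {
        $findings += [pscustomobject]@{
            Time = Get-Date; Indicator = 'DefenderNotRunning'
            Detail = "WinDefend=$($svc.Status) AMServiceEnabled=$($mp.AMServiceEnabled)"
        }
    }
    return $findings
}

Find-StartupTamperIndicators | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Pipe the output into whatever ticketing or SIEM forwarding you already use; a 7045 entry immediately followed by a Defender failure event on the same boot is the pairing worth escalating.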

ValleyRAT_S2 Uses Fake Tools and DLL Side-Loading to Gain Stealthy Long-Term Access

ValleyRAT_S2 is a second-stage remote access payload designed for cyber-espionage and financial theft, with current reporting indicating heavy targeting across Chinese-speaking regions, including mainland China, Hong Kong, Taiwan, and parts of Southeast Asia. It activates after an initial stage succeeds, then becomes the core backdoor that handles command execution, persistence, and broad system discovery. Operators are pushing it through convincing local-language lures, including fake “AI spreadsheet” productivity installers, cracked software bundles, and other utilities that look normal to the intended audience. A key delivery method is DLL side-loading, where attackers place a malicious DLL next to a legitimate signed program, so Windows loads the attacker’s code first. The malware blends in by using common DLL names and matching expected exports so the host program still runs, reducing user suspicion and basic signature-based detection. Other entry paths reported include phishing messages with document attachments and archives, as well as abuse of update mechanisms in popular regional software. Once active, ValleyRAT_S2 performs deep reconnaissance to map the environment, including system details, locale, registry data, installed software, running processes, and storage locations spanning local drives, removable media, and network shares. It is designed to stay resident through scheduled task persistence and watchdog behavior that restarts the malware if defenders kill the process, with staging activity in Temp and AppData paths to support ongoing operations. It also includes stealth features meant to frustrate analysis, such as sandbox checks and runtime API resolution, and can inject into other processes to run code in a way that is harder to trace. 
The tooling supports credential and data theft, including keystroke monitoring and file collection, then sends results out through hardcoded command-and-control infrastructure over a custom TCP approach intended to blend with normal traffic patterns. Some artifacts indicate deliberate masquerading, including benign-looking process names and signs of code-signing misuse tied to non-obvious entities, which can mislead quick triage. Recommendations include blocking and alerting on DLL side-loading patterns in user-writable directories, restricting installation of unapproved utilities and cracked software, tightening email controls for weaponized documents and archive payloads, monitoring for new scheduled tasks and watchdog scripts in Temp/AppData, adding detections for suspicious process injection and keystroke collection behaviors, and prioritizing rapid isolation when endpoints show unexpected outbound connections to hardcoded C2 infrastructure.
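An added hunting script (written for this page, not code from the reporting or the malware) covering two of the recommendations above: the side-loading layout of a validly signed EXE sitting in a user-writable folder beside an unsigned or invalidly signed DLL, and scheduled tasks whose actions point into Temp or AppData. The search roots and the heuristics are assumptions chosen for this example; the page names no specific DLL, host program or task.

```powershell
# Added example: hunt for DLL side-loading staging and Temp/AppData scheduled tasks.
# Heuristic, not a signature: a signed host next to an unsigned DLL in a user-writable
# folder is the layout side-loading relies on, so each hit needs analyst review.
function Find-SideLoadCandidates {
    param([string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads"))
    foreach ($root in $Roots) {
        $exes = Get-ChildItem -Path $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            # Only a validly signed host matters: that is what keeps the victim's program working.
            if ((Get-AuthenticodeSignature -FilePath $exe.FullName).Status -ne 'Valid') { continue }
            $dlls = Get-ChildItem -Path $exe.DirectoryName -File -Filter *.dll -ErrorAction SilentlyContinue
            foreach ($dll in $dlls) {
                $dsig = Get-AuthenticodeSignature -FilePath $dll.FullName
                if ($dsig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Host   = $exe.FullName
                        Dll    = $dll.Name
                        Reason = "DLL signature $($dsig.Status) beside signed host"
                    }
                }
            }
        }
    }
}

# Persistence check: scheduled tasks whose executable or arguments reference Temp or
# AppData, the staging locations named in the reporting. COM-handler actions have no
# Execute value and simply produce an empty command string that never matches.
function Find-TempAppDataTasks {
    $pattern = '(?i)\\(Temp|AppData)\\'
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Command = $cmd.Trim()
                    State   = $task.State
                }
            }
        }
    }
}

Find-SideLoadCandidates | Format-Table -AutoSize -Wrap
Find-TempAppDataTasks   | Format-Table -AutoSize -Wrap
```

Expect some benign hits from per-user installers that ship unsigned DLLs; the value is in diffing results against a known-good baseline rather than treating every row as malicious.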

Fake Performance Reviews Used to Deliver Guloader and Install Remcos RAT

A new phishing campaign is using fake employee performance reports to trick users into installing Guloader, which then deploys Remcos RAT for long-term remote access. The emails claim to share an October 2025 performance report and push urgency by warning that dismissals are being planned, aiming to trigger quick clicks from worried employees. Victims receive a compressed RAR attachment containing an executable with a misleading name that appears to be a document, increasing the chance it will be opened on systems that hide file extensions. Once launched, Guloader runs quietly and avoids dropping obvious files right away; instead, it loads malicious code into memory and pulls the next stage from a remote location. In the observed activity, the download source was a Google Drive link, which helps the attacker blend into normal web traffic and reduces the effectiveness of simple domain blocking. The end result is Remcos, a widely used remote access tool that gives attackers deep control over the infected device. Remcos enables surveillance and data theft capabilities that can quickly turn a single click into a broader business risk, including credential capture, monitoring user activity, and collecting stored browser data. The campaign also reinforces two trends defenders should assume will continue: attackers will keep using legitimate cloud platforms to host payloads, and they will keep targeting HR-themed workflows that employees are conditioned to trust. Even when email security blocks many threats, compressed attachments and user-driven execution remain a reliable path for adversaries, especially when the message is emotionally manipulative. In the documented incident, Remcos connected back to an external server over multiple ports, supporting persistent access once the system is compromised. This is operationally attractive for attackers because it supports both quick theft and longer-term footholds for follow-on actions. 
Preventative measures should include blocking or heavily restricting inbound RAR attachments, preventing execution from user download and temp directories, enforcing visible file extensions on endpoints, training staff to verify HR-related documents through internal channels, and ensuring rapid isolation with credential resets when a user reports opening an unexpected “report” attachment.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.