EDR-Freeze: User-Mode Technique That Freezes EDR Processes
Researchers have discovered a technique called EDR-Freeze that lets an attacker silently disable antivirus and endpoint detection tools without installing a malicious driver or exploiting a major system flaw. Instead, it abuses a standard Windows component, Error Reporting, which collects diagnostic information when a program crashes. Error Reporting takes a memory snapshot of the crashed program: it pauses the target, copies out the memory data, and resumes the target once the snapshot is complete. EDR-Freeze manipulates this sequence so that the snapshot tool is itself suspended before it can resume the targeted program, leaving the antivirus or security software paused and inactive. In testing, the researchers showed that even Microsoft Defender could be forced into this “coma state” using only built-in Windows functions, which makes the technique stealthy and difficult to detect. Because no new files are dropped on disk and no vulnerable driver is needed, it bypasses many of the warning signs defenders are trained to watch for.

The risk with EDR-Freeze is that it gives attackers a quiet window of opportunity. With security agents frozen, attackers can move through a network, steal data, or install ransomware without triggering alarms.

This is not a flaw that can be easily patched, but organizations can take proactive steps to reduce the risk. Security teams should monitor for unusual or prolonged suspensions of critical processes, especially antivirus and endpoint agents, and look for abnormal Error Reporting activity. Monitoring services that automatically restart security tools when they stop responding can limit the impact. Enforcing strict administrative privileges, auditing system behavior, and keeping all security software up to date are also key. In the long term, vendors, including Microsoft, may need to redesign parts of the Error Reporting system to prevent this type of abuse.
The takeaway is that attackers continue to find creative ways to turn legitimate system tools against defenders, which reinforces the need for layered defenses and fast detection of suspicious behavior.
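The first two mitigations above, checking for agents left suspended and for Error Reporting activity that outlives a normal crash dump, as an added PowerShell example that is not code from the article or its researchers. It assumes the process names of Defender's agents and that the Error Reporting snapshot helpers are WerFault.exe and WerFaultSecure.exe; adjust both for your environment.

```powershell
# Added example (not from the article or its researchers): report watched
# security-agent processes whose threads are all suspended, the state an
# EDR-Freeze victim is left in, and any Error Reporting helper that lingers.
# Process names are assumptions; use the agents deployed in your environment.
$WatchedAgents = @('MsMpEng', 'MsSense', 'SenseIR')   # Defender AV / Defender for Endpoint

function Get-FrozenAgentProcess {
    param([string[]]$Name = $WatchedAgents)
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Thread data comes from the system process snapshot, so it is readable
        # even for protected (PPL) agents that cannot be opened for inspection.
        $threads = @($proc.Threads)
        if ($threads.Count -eq 0) { continue }
        $suspended = @($threads | Where-Object {
            # WaitReason is only valid while ThreadState is 'Wait'; -and short-circuits.
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })
        [pscustomobject]@{
            Name             = $proc.ProcessName
            Id               = $proc.Id
            TotalThreads     = $threads.Count
            SuspendedThreads = $suspended.Count
            Frozen           = ($suspended.Count -eq $threads.Count)
        }
    }
}

# The Error Reporting snapshot helpers (assumed here to be WerFault.exe and
# WerFaultSecure.exe) normally exit within seconds; one that stays alive next
# to a frozen agent is the combination worth alerting on.
function Get-LingeringWerProcess {
    param([int]$MaxAgeMinutes = 5)
    Get-Process -Name 'WerFault', 'WerFaultSecure' -ErrorAction SilentlyContinue |
        Where-Object { try { $_.StartTime -lt (Get-Date).AddMinutes(-$MaxAgeMinutes) } catch { $true } } |
        Select-Object ProcessName, Id, StartTime
}

$frozen = Get-FrozenAgentProcess | Where-Object Frozen
if ($frozen) {
    $frozen | Format-Table -AutoSize
    Get-LingeringWerProcess | Format-Table -AutoSize
    Write-Warning 'One or more security agents appear frozen; treat the host as potentially compromised.'
}
```

Run it on a schedule from an account with administrative rights; a process whose StartTime cannot be read is deliberately kept in the lingering list rather than silently dropped.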
Operation Rewrite: SEO Poisoning Campaign Targeting IIS Servers
In March 2025, Palo Alto Networks uncovered a campaign it calls Operation Rewrite; details are only being reported now, after months of in-depth analysis tied it to a broader Chinese-speaking threat ecosystem. The operation hijacks Microsoft IIS web servers and installs a malicious module named BadIIS to manipulate search engine results. Rather than creating new websites, the attackers compromise trusted, high-reputation domains and inject popular keywords so that search engines rank those domains highly for unrelated queries. Search engine crawlers are served fake, keyword-rich content, which poisons the results, while real users who later click the links are redirected to gambling or adult platforms that generate revenue for the attackers. Investigators also found that the attackers used their access to plant web shells, create local accounts, and steal source code, gaining lasting control that goes beyond the SEO poisoning scheme.

The campaign has continued to evolve since its inception. Researchers identified multiple BadIIS variants, including ASP.NET handlers, managed .NET modules, and PHP scripts, all engineered to manipulate search engines and funnel users to attacker-controlled sites. Targeting is focused on East and Southeast Asia, with a particular emphasis on Vietnam, as revealed by the keywords and local search engines embedded in the malware’s configuration. Infrastructure links connect Operation Rewrite to the previously tracked “Group 9” cluster, and its methods resemble those of the “DragonRank” campaign, suggesting collaboration within a larger network of threat actors.

For organizations, the impact is twofold: brand reputation suffers when a trusted website serves harmful content, and a compromised server is exposed to deeper exploitation. Defenders should audit IIS servers for unauthorized modules and handlers, monitor for unusual redirects, and tighten web traffic monitoring to prevent unauthorized access.
Treating SEO poisoning as both a financial crime operation and a gateway for more serious breaches is critical for long-term resilience.
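An added PowerShell example (not Palo Alto Networks' code) of the IIS audit recommended above: it walks the native modules, managed modules and request handlers, the places where the BadIIS variants described here are registered, and flags entries that are not Microsoft-signed or that use a managed type outside the built-in namespaces. The trusted directory and namespace prefixes are assumptions to tune for your build.

```powershell
# Added example, not code from the article or from Palo Alto Networks. Audits the
# native global modules, managed modules and request handlers registered in IIS
# on this host and flags entries that are unsigned, not Microsoft-signed, or of a
# managed type outside the built-in namespaces. The trusted prefixes are assumptions.
Import-Module WebAdministration

$TrustedNativeDir       = Join-Path $env:windir 'System32\inetsrv'
$TrustedManagedPrefixes = @('System.Web.', 'System.ServiceModel.', 'Microsoft.')

function Get-SignerSubject {        # $null when the file is missing, unsigned or tampered
    param([string]$Image)
    $path = [Environment]::ExpandEnvironmentVariables(($Image -split '\|')[0])
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $null }
}

function Test-TrustedManagedType {
    param([string]$TypeName)
    foreach ($p in $TrustedManagedPrefixes) { if ($TypeName.StartsWith($p)) { return $true } }
    return $false
}

function Get-IisModuleAudit {
    # Native modules load into every worker process and must be Microsoft-signed under inetsrv.
    foreach ($m in Get-WebGlobalModule) {
        $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
        $signer = Get-SignerSubject $m.Image
        $ok     = $path.StartsWith($TrustedNativeDir, [StringComparison]::OrdinalIgnoreCase) -and
                  $signer -like '*O=Microsoft Corporation*'
        [pscustomobject]@{ Kind='Native'; Scope='global'; Name=$m.Name; Detail="$path [$signer]"; Suspicious=-not $ok }
    }
    # Managed modules and handlers can be registered server-wide or per site, so walk both.
    $scopes = @('IIS:\') + (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
    foreach ($scope in $scopes) {
        foreach ($m in Get-WebManagedModule -PSPath $scope) {
            [pscustomobject]@{ Kind='Managed'; Scope=$scope; Name=$m.Name; Detail=$m.Type
                               Suspicious=-not (Test-TrustedManagedType $m.Type) }
        }
        foreach ($h in Get-WebHandler -PSPath $scope) {
            # A handler runs either a managed type or a script processor executable (e.g. PHP CGI).
            $ok = if ($h.Type) { Test-TrustedManagedType $h.Type }
                  elseif ($h.ScriptProcessor) { $null -ne (Get-SignerSubject $h.ScriptProcessor) }
                  else { $true }
            [pscustomobject]@{ Kind='Handler'; Scope=$scope; Name=$h.Name
                               Detail="$($h.Path) -> $($h.Type)$($h.ScriptProcessor)"; Suspicious=-not $ok }
        }
    }
}

Get-IisModuleAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Compare the flagged list against a known-good server of the same build; a legitimately installed third-party module will also appear here, so the value is in the diff rather than in an empty result.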
IMDS Abuse: Turning a Cloud Feature into an Attack Path
The Instance Metadata Service (IMDS) is a core part of cloud platforms: it gives virtual machines temporary credentials and configuration data so that permanent secrets need not be stored in code. Although designed for security and convenience, it is increasingly abused by attackers to steal credentials, move laterally, and escalate privileges. The greatest risk lies in the older IMDSv1, which answers unauthenticated requests and can be reached through server-side request forgery (SSRF) or misconfigured workloads. By tricking a vulnerable application into requesting the IMDS endpoint on their behalf, attackers can harvest credentials that grant access to critical cloud services. IMDSv2, the newer standard, requires a session token, which makes these attacks harder, but many environments still run v1 or lack proper restrictions. Once credentials are stolen, they can be used to access storage and databases or to pivot to higher-privileged roles.

Recent threat hunting by Wiz researchers showed how data-driven detection can expose abnormal IMDS activity and stop these attacks before damage occurs. Their research uncovered two real-world incidents: a zero-day in the Pandoc document converter that was used in an attempt to pull IMDS data through hidden iframes, and a misconfigured ClickHouse database in Google Cloud that attackers probed for metadata theft. Both attempts failed because of platform safeguards, but they show that attackers keep testing new avenues across AWS, Azure, and GCP. The findings underline that IMDS abuse is not hypothetical: it is being actively attempted and could succeed in less protected environments.

To reduce the risk, organizations should enforce IMDSv2, minimize instance permissions, and monitor for anomalous metadata requests that deviate from normal patterns. Treating IMDS as both a critical utility and a high-value attack surface is now essential to securing cloud operations.
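An added example, not Wiz's code, using the AWS Tools for PowerShell to act on the first recommendation above: find EC2 instances that still answer unauthenticated IMDSv1 requests and switch them to require the IMDSv2 session token. The region, the module name AWS.Tools.EC2 and the hop limit of 1 are assumptions for this example.

```powershell
# Added example, not code from the article or from Wiz. Uses AWS.Tools.EC2 to
# list instances whose metadata endpoint still accepts token-less (IMDSv1)
# requests and, via Set-ImdsV2Required, moves them to IMDSv2 with a hop limit
# of 1. Region, module name and hop limit are assumptions; adjust as needed.
Import-Module AWS.Tools.EC2

function Get-ImdsV1Instance {
    param([string]$Region = 'us-east-1')
    # Get-EC2Instance returns reservations; each holds one or more instances.
    foreach ($r in Get-EC2Instance -Region $Region) {
        foreach ($i in $r.Instances) {
            $opt = $i.MetadataOptions
            # HttpTokens 'optional' means a plain GET with no token is answered.
            if ("$($opt.HttpEndpoint)" -eq 'enabled' -and "$($opt.HttpTokens)" -ne 'required') {
                [pscustomobject]@{
                    InstanceId = $i.InstanceId
                    HttpTokens = "$($opt.HttpTokens)"
                    HopLimit   = $opt.HttpPutResponseHopLimit
                    State      = "$($i.State.Name)"
                }
            }
        }
    }
}

function Set-ImdsV2Required {
    param(
        [Parameter(Mandatory)][string[]]$InstanceId,
        [string]$Region = 'us-east-1',
        [int]$HopLimit = 1
    )
    foreach ($id in $InstanceId) {
        # Requiring tokens rejects token-less GETs. The token itself is only issued
        # in response to a PUT, which the SSRF primitives described above cannot
        # usually send, and a hop limit of 1 keeps the PUT response from being
        # forwarded through an extra network hop such as a container bridge.
        Edit-EC2InstanceMetadataOption -Region $Region -InstanceId $id `
            -HttpTokens required -HttpEndpoint enabled -HttpPutResponseHopLimit $HopLimit
    }
}

$exposed = Get-ImdsV1Instance
$exposed | Format-Table -AutoSize
# Review the list, then enforce: Set-ImdsV2Required -InstanceId $exposed.InstanceId
```

Workloads that still read IMDS with a v1-only client will break once tokens are required, so check the instance's IMDSv1 request metrics before enforcing, and raise the hop limit only for instances whose containers legitimately need the endpoint.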