6 Microsoft Zero-Days, EDR-Killing Drivers, and Cloud Worms

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Zero-Day Surge: Microsoft, BeyondTrust, and Fortinet

A wave of critical patches has been released to address actively exploited flaws in ubiquitous enterprise software.

  • Microsoft Patch Tuesday (6 Active Zero-Days) — Microsoft addressed 58 vulnerabilities, including six actively exploited zero-days. Key threats include CVE-2026-21510 (Windows Shell bypass) and CVE-2026-21513 (MSHTML bypass), both allowing attackers to evade security prompts via malicious links.

  • BeyondTrust Remote Support RCE (CVE-2026-1731) — A critical, pre-authentication remote code execution vulnerability affects BeyondTrust Remote Support and Privileged Remote Access. With a CVSS of 9.9, this allows unauthenticated attackers to execute commands as the site user, posing an immediate risk to remote access infrastructure.

  • Fortinet FortiClientEMS SQL Injection (CVE-2026-21643) — A critical SQL injection flaw allows unauthenticated attackers to execute arbitrary code. This comes alongside continued active exploitation of the FortiCloud SSO bypass (CVE-2026-24858), which attackers are using to create persistent admin accounts.

  • Windows Notepad RCE (CVE-2026-20841) — Modernization brings new risks: Notepad’s ability to render Markdown is being exploited. Malicious .md files with crafted links can trigger command injection, allowing remote code execution upon user interaction.

2. The “EDR Killer” Evolution: Weaponizing Drivers

Attackers are refining “Bring Your Own Vulnerable Driver” (BYOVD) attacks to blind security teams before striking.

  • EnCase Driver Weaponized — Threat actors are deploying a decade-old, revoked kernel driver (EnPortv.sys) from the EnCase forensic suite to terminate EDR processes. Despite the certificate revocation, gaps in Windows Driver Signature Enforcement allow it to load, enabling attackers to kill defenses from the kernel level.

  • Reynolds Ransomware Embeds BYOVD — In a significant capability jump, the new Reynolds ransomware embeds a vulnerable NsecSoft driver directly within its payload. Rather than relying on separate tools, the ransomware itself handles the driver registration and termination of Sophos, CrowdStrike, and Defender processes prior to encryption.

3. Supply Chain Impersonation and Traffic Hijacking

Trust in software sources and network traffic is being abused by sophisticated impostors and router-level implants.

  • Trojanized 7-Zip Installer (7zip[.]com) — A lookalike domain is distributing a signed (but revoked) installer for 7-Zip. While installing the legitimate tool, it silently enrolls the victim’s PC into a residential proxy network, modifying firewalls to allow external traffic routing.

  • DKnife AitM Framework — China-aligned actors are deploying the “DKnife” modular toolkit on Linux-based routers and edge devices. It performs deep packet inspection to hijack traffic, steal credentials, and inject malware like ShadowPad, affecting PCs and mobile devices connected to the compromised network.

  • macOS ClickFix via AI Artifacts — Threat actors are abusing public Claude AI artifacts and Google Ads to target macOS users. Victims looking for tech support are directed to AI-generated guides that instruct them to paste malicious Terminal commands, deploying the MacSync infostealer.

4. Cloud Worms and Legacy Infrastructure

Automated campaigns are exploiting misconfigurations at scale, while ancient Linux kernels remain a target.

  • TeamPCP Cloud Worm — A worm-driven campaign is targeting exposed cloud control planes (Docker APIs, Kubernetes, Ray dashboards). Once inside, it self-propagates, deploying cryptominers and proxy tools to build a massive illicit infrastructure.

  • SSHStalker Botnet — This botnet targets legacy Linux systems (kernel 2.6.x) using 15-year-old exploits. It combines mass SSH scanning with old-school IRC command-and-control to maintain dormant persistence on cloud-hosted servers.

  • Library Vulnerabilities (Pillow & ClamAV) — High-severity flaws in the Pillow Python library (CVE-2026-25990, OOB write in PSDs) and legacy ClamAV bytecode interpreters (CVE-2020-37167) highlight the risks of unpatched dependencies in image processing and security scanning pipelines.

Proactive Steps for the Week

  • Patch Emergency: Prioritize the Microsoft zero-days (especially Shell and MSHTML), BeyondTrust (v25.3.2+), and Fortinet EMS (v7.4.5+).

  • Block Vulnerable Drivers: Add the hashes for the EnCase driver (3111f4d...) and NsecSoft driver to your EDR blocklist. Enforce Microsoft’s Vulnerable Driver Blocklist via policy to stop BYOVD attacks.

  • Hunt for “fake” 7-Zip: Scan endpoints for services named “Uphero” or binaries in C:\Windows\SysWOW64\hero\. Block the domain 7zip[.]com.

  • Harden Cloud Control Planes: Audit all public-facing Docker/Kubernetes APIs and Ray dashboards. TeamPCP is actively scanning for these; ensure they are behind VPNs or strict authentication.

  • Review Notepad Usage: Update the Windows Store version of Notepad to v11.2510+ to mitigate the Markdown RCE.

  • Verify Router Integrity: For edge devices, monitor for unusual port usage or processes (like dknife.bin), specifically looking for TLS interception indicators associated with the DKnife framework.
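As an added example (not part of the SISA advisory), the following read-only PowerShell script hunts for the fake 7-Zip indicators listed above (the “Uphero” service, binaries under C:\Windows\SysWOW64\hero\, and firewall rules opened for them) and checks that the Microsoft Vulnerable Driver Blocklist is switched on. The registry value used for the blocklist check is an assumption; confirm it against Microsoft’s documentation for your Windows build before relying on it.

```powershell
# Added example, not code from the advisory. Run in an elevated PowerShell session.
$findings = @()

# 1. Service named "Uphero" (indicator from the advisory)
$svc = Get-Service -Name 'Uphero' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service 'Uphero' present (status: $($svc.Status))" }

# Also catch any service whose binary lives under the indicator path, whatever its name
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*\SysWOW64\hero\*' } |
    ForEach-Object { $findings += "Service '$($_.Name)' runs from $($_.PathName)" }

# 2. Binaries under C:\Windows\SysWOW64\hero\ (hashes collected for blocklisting / triage)
$heroDir = Join-Path $env:SystemRoot 'SysWOW64\hero'
if (Test-Path $heroDir) {
    Get-ChildItem -Path $heroDir -File -Recurse | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings += "File $($_.FullName) SHA256=$hash"
    }
}

# 3. Firewall rules whose program filter points at that path (the advisory reports the
#    installer modifying the firewall so the proxy component can receive external traffic)
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\SysWOW64\hero\*' } |
    Get-NetFirewallRule |
    ForEach-Object { $findings += "Firewall rule '$($_.DisplayName)' ($($_.Direction), $($_.Action)) references hero\ binary" }

# 4. Microsoft Vulnerable Driver Blocklist toggle.
#    ASSUMPTION: the toggle is stored as VulnerableDriverBlocklistEnable under the CI\Config key;
#    verify against current Microsoft documentation for your build.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -ne 1) { $findings += "Vulnerable Driver Blocklist not enabled (value: '$blocklist')" }

# Report
if ($findings.Count -eq 0) {
    'No fake 7-Zip indicators found; Vulnerable Driver Blocklist is enabled.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Feed the SHA256 values it collects into the EDR blocklist alongside the driver hashes from the advisory; an empty result on one host does not rule out the proxy enrolment elsewhere, so run it fleet-wide.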

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
