EDR, YARA, and AppLocker guidance for malicious ONNX loading
Defensive Guidance
Summary
Hide ▲
Show ▼
Defenders are being urged to harden detection around malicious ONNX loading on Windows, because trusted AI files can hide malware behind normal inference behavior. The guidance centers on EDR monitoring, YARA rules, and AppLocker to catch extraction paths and block suspicious execution. That reduces the chance that a model file and its loader can bypass security engines by riding on trusted Windows ML components.
Related Happenings
AI-assisted EDR-evasion malware development lab
Malware Activity
H score12
First: 02.06.2026 14:00
Last: 02.06.2026 14:00
Sources 1
About this happening:
A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
AI-assisted EDR-evasion malware development lab
Malware ActivityAbout this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)
Vulnerability
H score9
First: 20.05.2026 11:28
Last: 20.05.2026 11:28
Sources 1
About this happening:
CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...
Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)
VulnerabilityAbout this happening: CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...
Latest development: 11.06.2026 20:43
Security researcher Chaotic Eclipse released GreatXML, a Windows BitLocker bypass that copies unattend.xml and Recovery/WindowsRE/ReAgent.xml onto the recovery partition and then boots into Windows Recovery Environment (WinRE) to spawn a shell with unrestricted access to the BitLocker volume. The researcher said the flaw could automatically affect systems that ever used Windows Defender Offline Scan, and the release followed YellowKey (CVE-2026-45585), which Microsoft patched in Patch Tuesday updates.
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/Mitigation
H score32
First: 20.05.2026 10:31
Last: 20.05.2026 10:31
Sources 1
About this happening:
**Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/MitigationAbout this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Latest development: 10.06.2026 12:57
On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
H score24
First: 19.03.2026 20:52
Last: 19.03.2026 20:52
Sources 1
About this happening:
**54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical AnalysisAbout this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...
BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
H score20
First: 11.03.2026 00:57
Last: 11.03.2026 00:57
Sources 1
About this happening:
The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
BlackSanta EDR killer malware activity targeting HR departments
Malware ActivityAbout this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
Timeline
-
30.10.2025 21:47 2 articles · 8mo ago
Defenders are urged to monitor malicious ONNX loading on Windows
Technical Analysis UpdateSecurity researcher hxr1 showed that malicious ONNX model files can ride Windows ML inference workflows, where trusted Microsoft-signed DLLs load model data and help a loader reconstruct and execute hidden payloads while looking like benign AI activity. He recommended monitoring who loads ONNX files, what is extracted, where extracted data is passed, and using YARA rules and AppLocker to detect or block suspicious behavior.
Show sources
- LotL Attack Hides Malware in Windows Native AI Stack — www.darkreading.com — 30.10.2025 21:47
- LotL Attack Hides Malware in Windows Native AI Stack — www.darkreading.com — 30.10.2025 21:47