Find notable cyber news and cases, enriched with sources, timelines, and signals.

EDR, YARA, and AppLocker guidance for malicious ONNX loading

Defensive Guidance
First reported
Last updated
Happening score
H score 11
1 unique sources, 1 articles

Summary

Hide ▲

Defenders are being urged to harden detection around malicious ONNX loading on Windows, because trusted AI files can hide malware behind normal inference behavior. The guidance centers on EDR monitoring, YARA rules, and AppLocker to catch extraction paths and block suspicious execution. That reduces the chance that a model file and its loader can bypass security engines by riding on trusted Windows ML components.

Related Happenings

AI-assisted EDR-evasion malware development lab

Malware Activity
H score12 First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)

Vulnerability
H score9 First: 20.05.2026 11:28 Last: 20.05.2026 11:28 Sources 1

About this happening: CVE-2026-45585 (YellowKey) is a BitLocker security feature bypass affecting Windows 11 24H2/25H2/26H1 and Windows Server 2025, including Server Core. Microsoft disclosed the issue...

Latest development: 11.06.2026 20:43

Security researcher Chaotic Eclipse released GreatXML, a Windows BitLocker bypass that copies unattend.xml and Recovery/WindowsRE/ReAgent.xml onto the recovery partition and then boots into Windows Recovery Environment (WinRE) to spawn a shell with unrestricted access to the BitLocker volume. The researcher said the flaw could automatically affect systems that ever used Windows Defender Offline Scan, and the release followed YellowKey (CVE-2026-45585), which Microsoft patched in Patch Tuesday updates.

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
H score32 First: 20.05.2026 10:31 Last: 20.05.2026 10:31 Sources 1

About this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...

Latest development: 10.06.2026 12:57

On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
H score24 First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
H score20 First: 11.03.2026 00:57 Last: 11.03.2026 00:57 Sources 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

Timeline

  1. 30.10.2025 21:47 2 articles · 8mo ago

    Defenders are urged to monitor malicious ONNX loading on Windows

    Technical Analysis Update

    Security researcher hxr1 showed that malicious ONNX model files can ride Windows ML inference workflows, where trusted Microsoft-signed DLLs load model data and help a loader reconstruct and execute hidden payloads while looking like benign AI activity. He recommended monitoring who loads ONNX files, what is extracted, where extracted data is passed, and using YARA rules and AppLocker to detect or block suspicious behavior.

    Show sources