
EDR, YARA, and AppLocker guidance for malicious ONNX loading

Defensive Guidance
Happening score: 10 (1 unique source, 1 article)

Summary


Defenders are being urged to harden detection around malicious ONNX loading on Windows, because trusted AI files can hide malware behind normal inference behavior. The guidance centers on EDR monitoring, YARA rules, and AppLocker to catch extraction paths and block suspicious execution. That reduces the chance that a model file and its loader can bypass security engines by riding on trusted Windows ML components.

Related Happenings

Windows BitLocker YellowKey security feature bypass (CVE-2026-45585)

Vulnerability
First: 20.05.2026 11:28 · Last: 20.05.2026 11:28 · Sources: 1

About this happening: **CVE-2026-45585** is a **BitLocker security feature bypass** affecting **Windows 11 26H1/24H2/25H2** and **Windows Server 2025**, and Microsoft has already issued **mitigations**...

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
First: 20.05.2026 10:31 · Last: 20.05.2026 10:31 · Sources: 1

About this happening: Microsoft issued **mitigation guidance** for **YellowKey**, a **Windows BitLocker zero-day** that can expose **BitLocker-protected drives** before the security update is available...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
First: 19.03.2026 20:52 · Last: 19.03.2026 20:52 · Sources: 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

BlackSanta EDR killer malware activity targeting HR departments

Malware Activity
First: 11.03.2026 00:57 · Last: 11.03.2026 00:57 · Sources: 1

About this happening: The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...

A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2

Malware Activity
First: 10.03.2026 00:50 · Last: 10.03.2026 00:50 · Sources: 1

About this happening: The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...

Timeline

  1. 30.10.2025 21:47 (2 articles)

    Defenders are urged to monitor malicious ONNX loading on Windows

    Technical Analysis Update

    Security researcher hxr1 showed that malicious ONNX model files can ride on Windows ML inference workflows: trusted, Microsoft-signed DLLs load the model data, and a loader then uses that data to reconstruct and execute a hidden payload while the activity still looks like benign AI inference. He recommended monitoring which processes load ONNX files, what data is extracted from them, and where that extracted data is passed, and using YARA rules and AppLocker to detect or block the suspicious behavior.
