PoisonX Rootkit: BYOVD Exploitation and CrowdStrike EDR Bypass
The PoisonX rootkit uses a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-mode execution, which the threat actor then uses to bypass CrowdStrike EDR; the bypass is described as a 0-day. The actor loads a legitimately signed but vulnerable driver and exploits it to move from user-mode code into kernel-mode, where it tampers with OS structures to blind the endpoint sensor. One caveat a defender should keep in mind: loading any driver, vulnerable or not, requires administrative rights (SeLoadDriverPrivilege) on the host, so BYOVD is an admin-to-kernel escalation, and the actor must already hold local admin. The campaign is currently highly targeted at organizations in Japan. Mitigation depends on detecting the loading of known vulnerable drivers (for example, matching driver hashes against Microsoft's vulnerable driver blocklist and enforcing that list through HVCI/WDAC) and on kernel-level monitoring for unauthorized driver manipulation and attempts to neutralize the EDR.
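The detection side of the advice above, as an added example (not code from the PoisonX report or from CrowdStrike): a small hunt over Sysmon Event ID 6 (DriverLoad) records that flags drivers whose SHA256 is on a vulnerable-driver blocklist, drivers without a valid signature, and drivers loaded from user-writable paths. The event records, the blocklist entries and their hashes are constructed placeholders for illustration; in practice the blocklist would be populated from Microsoft's vulnerable driver blocklist or a feed such as loldrivers.io.

```python
"""Hunt for BYOVD indicators in Sysmon Event ID 6 (driver loaded) records.

Added example, not code from the PoisonX report or CrowdStrike. All events
and hashes below are constructed; the hashes are NOT real driver hashes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed blocklist: SHA256 -> driver name. Match on hash, never on file
# name, because an attacker can rename the dropped driver freely.
VULN_DRIVER_SHA256: Dict[str, str] = {
    "2222222222222222222222222222222222222222222222222222222222222222": "example_hwmon.sys",
    "3333333333333333333333333333333333333333333333333333333333333333": "example_oem_util.sys",
}

# Directories from which legitimate kernel drivers are essentially never loaded.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\(Temp|Downloads|Users\\Public|AppData)\\", re.IGNORECASE
)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_sysmon_event6(text: str) -> DriverLoad:
    """Parse the 'Key: value' lines of a Sysmon Event ID 6 message body."""
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # Hashes field looks like "MD5=...,SHA256=...,IMPHASH=..."
    hashes = dict(
        h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h
    )
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad) -> Optional[Finding]:
    """Return a Finding if the driver load matches any BYOVD indicator."""
    reasons: List[str] = []
    if ev.sha256 in VULN_DRIVER_SHA256:
        reasons.append(
            f"SHA256 matches blocklisted vulnerable driver {VULN_DRIVER_SHA256[ev.sha256]}"
        )
    if not ev.signed or ev.signature_status != "Valid":
        reasons.append("unsigned or invalid signature")
    if SUSPICIOUS_PATH_RE.search(ev.image):
        reasons.append("loaded from user-writable path")
    return Finding(ev.image, reasons) if reasons else None


def hunt(events: List[str]) -> List[Finding]:
    """Run every event through the indicators and keep the hits."""
    findings = []
    for raw in events:
        finding = assess(parse_sysmon_event6(raw))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events in the shape Sysmon writes for Event ID 6.
SAMPLE_EVENTS = [
    """Driver loaded:
RuleName: -
UtcTime: 2024-05-01 09:12:33.120
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    """Driver loaded:
RuleName: -
UtcTime: 2024-05-01 09:14:02.771
ImageLoaded: C:\\Users\\Public\\drivers\\hwmon.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Example Hardware Vendor
SignatureStatus: Valid""",
    """Driver loaded:
RuleName: -
UtcTime: 2024-05-01 09:14:05.003
ImageLoaded: C:\\Windows\\Temp\\svc.sys
Hashes: SHA256=4444444444444444444444444444444444444444444444444444444444444444
Signed: false
Signature: -
SignatureStatus: Unavailable""",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.image, "->", "; ".join(f.reasons))
```

Note that the second sample driver is validly signed: that is exactly the BYOVD case, and it is caught only because its hash is on the list. A hash blocklist therefore lags behind newly abused drivers, so the signature and path checks, plus a baseline of which drivers normally load in your fleet, are what catch the ones the list does not know yet.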
CrowdStrike: North Korean Operatives Infiltrating U.S. Tech Industry
CrowdStrike attributes roughly 47% of all "hands-on-keyboard" intrusions against the U.S. technology sector to North Korean state-sponsored actors, chiefly the FAMOUS CHOLLIMA cluster [1]. The operatives pose as remote job applicants, using AI-generated résumés and stolen PII to defeat remote KYC and background checks. Once hired, they keep the persona alive from U.S.-based "laptop farms": the company-issued laptops are fitted with PiKVM devices, which give out-of-band keyboard, video and mouse control down to the BIOS, and are joined to Tailscale mesh VPNs for encrypted command-and-control of the machines [2]. The objective is theft of high-value intellectual property and cryptocurrency to fund DPRK weapons development.