datawater.com • 3d
Microsoft Defender: RoguePlanet Zero-Day CVE-2026-50656 and Woodgnat Exploitation
The 'Woodgnat' threat actor (also tracked as KongTuke) is exploiting a critical race condition in the Microsoft Defender quarantine pipeline, the 'RoguePlanet' zero-day tracked as CVE-2026-50656, to escalate local privileges (LPE) to SYSTEM on Windows 10 and 11. The chain begins with 'ClickFix' social engineering, after which the legitimate Defender binary MpExtMs.exe is abused for DLL sideloading. That foothold is used to deploy the 'Mistic' backdoor (which uses EndpointDlp.dll) and the Python-based 'ModeloRAT' Trojan. The resulting SYSTEM-level access is then auctioned to ransomware groups including Qilin, Akira, and Black Basta. Because it yields durable, privileged persistence, organizations in the insurance, education, and IT services sectors are at particular risk.
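As an added example (not code from this page or from any of the vendors it summarizes), the following Python correlates Sysmon-style process-creation and image-load records to flag the sideloading step described above: a process named MpExtMs.exe that loads EndpointDlp.dll while either file sits outside the Defender install directories. The event shape, the two trusted install roots, and the sample records are assumptions constructed for the example; the check is name- and path-based only.

```python
"""Detect MpExtMs.exe / EndpointDlp.dll sideloading from Sysmon-style events.

Added example, not code from the page or from any vendor. The record layout
(1 = process create, 7 = image load), the trusted roots and the sample events
below are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: the genuine Defender platform binaries live under these roots.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)

# Signed host binary abused for sideloading and the DLL name it resolves.
SIDELOAD_HOST = "mpextms.exe"
SIDELOAD_DLL = "endpointdlp.dll"


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-like record: 1 = process create, 7 = image load."""
    event_id: int
    pid: int
    image: str               # full path of the process executable
    image_loaded: str = ""   # full path of the DLL (event 7 only)


def _norm(path: str) -> PureWindowsPath:
    # Windows paths are case-insensitive; compare lower-cased components.
    return PureWindowsPath(path.lower())


def under_trusted_root(path: str) -> bool:
    """True if path lies inside a trusted root, compared component-wise so
    that a look-alike directory such as 'Windows Defender Evil' does not match."""
    parts = _norm(path).parts
    for root in TRUSTED_ROOTS:
        root_parts = _norm(str(root)).parts
        if parts[: len(root_parts)] == root_parts:
            return True
    return False


def find_sideloads(events: list[Event]) -> list[dict]:
    """Return one finding per EndpointDlp.dll load by MpExtMs.exe where the
    host EXE or the DLL is outside the trusted Defender directories."""
    # Map pid -> executable path from process-create events; fall back to the
    # image recorded on the load event itself if no create event was seen.
    procs = {e.pid: e.image for e in events if e.event_id == 1}
    findings: list[dict] = []
    for e in events:
        if e.event_id != 7:
            continue
        host = procs.get(e.pid, e.image)
        if _norm(host).name != SIDELOAD_HOST:
            continue
        if _norm(e.image_loaded).name != SIDELOAD_DLL:
            continue
        if under_trusted_root(host) and under_trusted_root(e.image_loaded):
            continue  # the real binary loading its own DLL from the platform dir
        if not under_trusted_root(host):
            reason = "host binary running outside Defender install roots"
        else:
            reason = "EndpointDlp.dll loaded from outside Defender install roots"
        findings.append({"pid": e.pid, "host": host, "dll": e.image_loaded, "reason": reason})
    return findings


# Constructed sample events (the version folder name is a placeholder).
SAMPLE_EVENTS = [
    # Benign: genuine binary loading its own DLL from the platform directory.
    Event(1, 4100, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.x\MpExtMs.exe"),
    Event(7, 4100, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.x\MpExtMs.exe",
          r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.x\EndpointDlp.dll"),
    # Malicious: signed binary copied beside an attacker DLL in a user-writable dir.
    Event(1, 5212, r"C:\Users\alice\AppData\Local\Temp\Update\MpExtMs.exe"),
    Event(7, 5212, r"C:\Users\alice\AppData\Local\Temp\Update\MpExtMs.exe",
          r"C:\Users\alice\AppData\Local\Temp\Update\EndpointDlp.dll"),
    # Look-alike directory must not be treated as trusted.
    Event(1, 6001, r"C:\Program Files\Windows Defender Evil\MpExtMs.exe"),
    Event(7, 6001, r"C:\Program Files\Windows Defender Evil\MpExtMs.exe",
          r"C:\Program Files\Windows Defender Evil\EndpointDlp.dll"),
    # Unrelated DLL load by the genuine host is ignored.
    Event(7, 4100, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.x\MpExtMs.exe",
          r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for f in find_sideloads(SAMPLE_EVENTS):
        print(f)
```

Path location alone cannot distinguish a trojanized DLL from a misplaced genuine one; in production, pair this with an Authenticode signature check on the loaded EndpointDlp.dll and on the MpExtMs.exe image, and treat a valid-signature host with an unsigned DLL as the highest-confidence signal.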