In 2025, adversary tradecraft continued to accelerate away from traditional malware-heavy campaigns toward techniques that abuse trust, disrupt telemetry, and exploit defender assumptions. Rather than attempting to bypass detections through obfuscation alone, attackers increasingly focused on weakening or neutralizing the defensive controls themselves. This targets control planes, security agent stability, and legitimate administrative tooling.

Our most-read blogs this year, authored by Binary Defense analysts and experts, stood out for documenting how these techniques work in practice. Each blog connects attacker behavior to real detection challenges, highlighting where visibility breaks down and why modern defense requires more than signature-based prevention.

DON’T FREEZE ME OUT, BRO! — ARC LABS TECHNICAL ANALYSIS OF EDR-FREEZE

EDR-Freeze represents a growing class of attacks focused on disrupting endpoint detection and response sensors at runtime rather than evading detections after execution. Instead of hiding malicious activity, the attacker’s goal is to interfere with the agent’s ability to observe anything at all.

This ARC Labs analysis explores how EDR-Freeze targets EDR agent processes through techniques such as thread suspension, resource starvation, and execution interference. In many cases, the agent does not crash outright; it simply stops reporting meaningful telemetry, creating a dangerous illusion of endpoint health.

Our analyst explains why certain agent architectures are more susceptible than others, how attackers validate that telemetry has been degraded, and what secondary signals defenders may still observe when the primary sensor is impaired. It challenges the assumption that an installed agent equals active visibility and highlights the need for independent monitoring of sensor health.

WHAT CVE-2025-53770 TEACHES US ABOUT ZERO-DAY REALITY AND RANSOMWARE ROUTINE

This blog reframes zero-day exploitation as an operational constant rather than an exceptional, rare event. Using CVE-2025-53770 as a case study, it demonstrates how attackers rapidly weaponized a newly disclosed vulnerability using familiar ransomware workflows instead of bespoke exploit chains.

The analysis walks through how disclosure-to-exploitation timelines continue to shrink, routinely outpacing enterprise patch cycles and emergency change windows. It examines why patch SLAs alone fail as a meaningful risk control for internet-facing services and how attackers capitalize on known exposure windows.

Rather than focusing solely on exploit mechanics, the analyst emphasizes the defensive implications: detection strategies must assume exploitation will occur and focus on post-exploitation behaviors such as process spawning, credential access, lateral movement, and command execution. The takeaway is clear — defenders must plan for exploitation, not hope to avoid it.

DEFENDNOT: TURNING WINDOWS DEFENDER AGAINST ITSELF

DefendNot highlights a shift in attacker methodology toward abusing operating system trust models instead of bypassing them. Rather than disabling Microsoft Defender through exploits or tampering, this technique manipulates how Windows determines which security provider is active.

The blog explains how Windows security provider registration works, how attackers can abuse that logic to cause Defender to disable itself, and why this behavior often occurs without triggering traditional alerts. No malware injection is required — only the use of legitimate system mechanisms as designed.

The analysis underscores a critical detection gap: most environments lack visibility into security control state changes. By focusing on process execution alone, defenders may miss the moment when protection is silently suppressed. This post challenges teams to rethink how they monitor control integrity and trust assumptions baked into the OS.

RMM TOOL CONVENIENCE AND CONTROL COMES WITH A COST

Remote Monitoring and Management (RMM) tools are foundational to modern IT operations, but this blog details how attackers increasingly abuse them as a primary access, persistence, and execution mechanism. Because these tools are legitimate, powerful, and expected, they provide ideal cover for malicious activity.

The post breaks down common RMM abuse patterns observed in real incidents, including initial access via compromised credentials, scripted command execution, and long-term persistence through trusted management channels. It explains why behavioral detections frequently fail due to expected admin usage and limited contextual baselines.

Rather than recommending the removal of RMM tooling, the blog calls out governance, logging, and monitoring gaps that attackers routinely exploit. It reinforces a hard truth for defenders: legitimacy has become a core evasion technique, and detection must focus on context, intent, and anomalous use — not just the tool itself.

Why These Insights Matter

Across all four blogs, a consistent pattern emerges:

• Attackers target assumptions, not just vulnerabilities
• Defensive tooling is increasingly part of the attack surface
• Visibility gaps—not missing tools—drive dwell time

Explore more insights from Binary Defense analysts here