Front Page

Defense Evasion

Killing the Watchdogs: The Gentlemen RaaS Ships an In-House "GentleKiller" Framework That Blinds 400+ Security Tools

ESET this week detailed GentleKiller, an in-house EDR-killing framework that the Gentlemen ransomware-as-a-service gang — one of 2026's most active, with roughly 478 victims — hands to its affiliates as a turnkey suite. The framework ships at least eight variants, each impersonating a different legitimate security product and abusing a unique signed-but-vulnerable kernel driver. Using Bring Your Own Vulnerable Driver, it terminates protection from kernel space, beneath user-mode defenses, targeting more than 400 processes across some 48 products from Microsoft Defender and CrowdStrike to Sophos and ESET's own agents.

The operation industrializes evasion: it weaponizes freshly published BYOVD proof-of-concepts — tools like UnknownKiller and PoisonKiller — within days of their GitHub disclosure, and folds in third-party killers (HexKiller, ThrottleBlood, HavocKiller) behind a shared evasion layer wrapped in Enigma or Themida. A 90% affiliate cut and a focus on Southeast Asia, South America, and Western Europe round out the model. Forensic priority: hunt signed-but-vulnerable driver writes and Service Control Manager driver-load events, correlate abrupt security-service terminations, and cross-check loaded drivers against known-vulnerable catalogs — because once the killer runs, the endpoint's own telemetry goes dark.
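The forensic priority above, turned into working detection logic as an added example (not ESET's research tooling and not part of this bulletin): the script parses constructed Windows System and Sysmon records, flags kernel-driver loads that either match a known-vulnerable catalog or were installed from a non-standard path, and only raises a finding when several security services stop inside a short window afterwards. Every event, hash, path, service name and the catalog entry is a constructed placeholder; the event IDs (7045, 7036, 7034, Sysmon 6) are the real ones a hunter would query.

```python
"""Correlate kernel-driver loads with abrupt security-service stops (BYOVD hunt).

Added example with constructed data. Signals used:
  System 7045  - a service was installed (ServiceType tells us if it is a kernel driver)
  Sysmon  6    - a driver was loaded, with hashes and signer
  System 7036  - a service changed state ("stopped")
  System 7034  - a service terminated unexpectedly
"""
import json
from datetime import datetime, timedelta

# Placeholder catalog in the style of a known-vulnerable-driver list; the hash is constructed.
KNOWN_VULNERABLE_DRIVERS = {"a" * 64: "placeholder vulnerable hardware-monitor driver"}

# Service names of security agents; extend with the products deployed in your estate.
SECURITY_SERVICES = {"WinDefend", "Sense", "CSFalconService",
                     "Sophos Endpoint Defense Service", "ekrn"}

WINDOW = timedelta(minutes=5)   # service stops must fall this soon after the driver load
MIN_STOPS = 2                   # one stop may be maintenance; a cluster is the signal

# Constructed JSON-lines sample; HASHPLACEHOLDER is swapped for the catalog hash below.
RAW_LOG = r"""
{"ts": "2026-06-18T09:14:02Z", "src": "System", "id": 7045, "ServiceName": "HWMonitorDrv", "ImagePath": "C:\\Windows\\Temp\\hwmon.sys", "ServiceType": "kernel mode driver"}
{"ts": "2026-06-18T09:14:03Z", "src": "Sysmon", "id": 6, "ImageLoaded": "C:\\Windows\\Temp\\hwmon.sys", "Hashes": "SHA256=HASHPLACEHOLDER", "Signed": "true", "Signature": "Example Hardware Vendor (constructed)"}
{"ts": "2026-06-18T09:14:09Z", "src": "System", "id": 7036, "ServiceName": "WinDefend", "State": "stopped"}
{"ts": "2026-06-18T09:14:10Z", "src": "System", "id": 7034, "ServiceName": "Sense"}
{"ts": "2026-06-18T09:14:11Z", "src": "System", "id": 7036, "ServiceName": "CSFalconService", "State": "stopped"}
{"ts": "2026-06-18T11:00:00Z", "src": "System", "id": 7036, "ServiceName": "Spooler", "State": "stopped"}
{"ts": "2026-06-18T12:30:00Z", "src": "Sysmon", "id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\benign.sys", "Hashes": "SHA256=BENIGNHASH", "Signed": "true", "Signature": "Microsoft Windows"}
"""
SAMPLE_LOG = RAW_LOG.replace("HASHPLACEHOLDER", "a" * 64).replace("BENIGNHASH", "b" * 64)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def driver_sha256(ev):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in ev.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def suspicious_driver_loads(events):
    """Driver loads worth a look: catalog hit, or a kernel driver installed outside System32\\drivers."""
    hits = []
    for ev in events:
        if ev["src"] == "Sysmon" and ev["id"] == 6:
            digest = driver_sha256(ev)
            if digest in KNOWN_VULNERABLE_DRIVERS:
                hits.append((ev, "hash in vulnerable-driver catalog: " + KNOWN_VULNERABLE_DRIVERS[digest]))
        elif ev["src"] == "System" and ev["id"] == 7045 and "kernel" in ev.get("ServiceType", "").lower():
            if not ev.get("ImagePath", "").lower().startswith("c:\\windows\\system32\\drivers\\"):
                hits.append((ev, "kernel driver installed from non-standard path"))
    return hits


def security_stops_after(events, start, window=WINDOW):
    """Names of security services that stopped or died within `window` after `start`."""
    names = []
    for ev in events:
        if ev["src"] != "System" or not (start <= ev["ts"] <= start + window):
            continue
        if ev.get("ServiceName") not in SECURITY_SERVICES:
            continue
        if (ev["id"] == 7036 and ev.get("State") == "stopped") or ev["id"] == 7034:
            names.append(ev["ServiceName"])
    return names


def hunt(text):
    """Return one finding per driver whose load was followed by a cluster of security-service stops."""
    events = parse_events(text)
    findings = {}
    for ev, reason in suspicious_driver_loads(events):
        path = (ev.get("ImageLoaded") or ev.get("ImagePath")).lower()
        stopped = security_stops_after(events, ev["ts"])
        if len(stopped) < MIN_STOPS:
            continue
        entry = findings.setdefault(path, {"first_seen": ev["ts"].isoformat(), "driver": path,
                                           "reasons": [], "stopped_services": stopped})
        entry["reasons"].append(reason)
    return list(findings.values())


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

The two independent signals (catalog hash match and install from a user-writable path) land on the same driver and are merged into one finding, which is the shape an analyst wants when the endpoint's own agent telemetry has already gone quiet: the System log and Sysmon keep writing even after the EDR service is dead, so the correlation has to run off those, ideally on a forwarded copy.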

Mac Forensics

What the Mac Still Remembers: A New macOS Tahoe Biome Stream Logs Every Menu Click — and Can Reconstruct Deliberate User Actions

Even as attackers race to blind real-time defenses, examiners just gained a quiet new witness. Researchers featured in Forensic Focus's June 17 round-up documented a newly identified artifact in macOS Tahoe 26: an App.MenuItem Biome stream, at ~/Library/Biome/streams/restricted/App.MenuItem/local, that timestamps every menu selection a user makes across applications. Correlated with file-system and unified-log records, it lets investigators reconstruct intent — evidence that a user deliberately compressed, encrypted, or deleted files rather than a process doing so on its own.

Biome is Apple's on-device behavioral store, and these protected streams accumulate a high-resolution record of activity that survives even when an application keeps no logs of its own — exactly the residue that outlasts an attacker's clean-up or an insider's denials. The same round-up tempers the find with a Daubert-flavored caution: examiners must test alternate explanations before asserting causation. Forensic priority: preserve the restricted Biome streams during acquisition, decode their SEGB/protobuf records, and corroborate every menu event against file-system and unified-log timestamps before drawing conclusions.
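As an added example of the decode-and-corroborate step (not from the Forensic Focus round-up and not Apple's code): a schema-less protobuf wire-format decoder, applied to records the script constructs itself, followed by the corroboration pass that pairs each file-system change with a menu event inside a tolerance window. The record layout is an assumption: Apple has not published the App.MenuItem schema, so field 1 as bundle id, field 2 as menu title and field 3 as a Cocoa timestamp are hypothetical, the SEGB container framing is not modelled, and the sample records are encoded here rather than read from a Biome stream. The Cocoa epoch (seconds since 2001-01-01 UTC) and the protobuf wire types are real.

```python
"""Decode protobuf-style records and corroborate menu events against file-system timestamps.

Added example with a hypothetical schema: field 1 = bundle id (string),
field 2 = menu title (string), field 3 = Cocoa timestamp (double).
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple timestamps count seconds from here


def cocoa_to_datetime(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)


# --- protobuf wire format; the encoder exists only to build the constructed sample ---
def encode_varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_field(field, value):
    if isinstance(value, str):                      # wire type 2: length-delimited
        data = value.encode("utf-8")
        return encode_varint((field << 3) | 2) + encode_varint(len(data)) + data
    if isinstance(value, float):                    # wire type 1: 64-bit little-endian double
        return encode_varint((field << 3) | 1) + struct.pack("<d", value)
    raise TypeError("only str and float are needed for this example")


def read_varint(buf, pos):
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def decode_message(buf):
    """Schema-less decode into {field_number: [raw values]}, driven only by the wire types."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire_type == 2:
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type == 5:
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.setdefault(field, []).append(value)
    return fields


@dataclass
class MenuEvent:
    bundle_id: str
    title: str
    when: datetime


def parse_menu_record(buf):
    """Apply the hypothetical field mapping to a decoded record."""
    f = decode_message(buf)
    return MenuEvent(f[1][0].decode("utf-8"), f[2][0].decode("utf-8"),
                     cocoa_to_datetime(struct.unpack("<d", f[3][0])[0]))


# Constructed records (hypothetical schema); Cocoa seconds chosen arbitrarily.
SAMPLE_RECORDS = [
    encode_field(1, "com.apple.finder") + encode_field(2, 'Compress "report.docx"') + encode_field(3, 803_000_000.0),
    encode_field(1, "com.apple.finder") + encode_field(2, "Move to Trash") + encode_field(3, 803_000_100.0),
    encode_field(1, "com.apple.TextEdit") + encode_field(2, "Save") + encode_field(3, 803_000_300.0),
]

# Constructed file-system observations: (path, what changed, Cocoa timestamp).
SAMPLE_FS_EVENTS = [
    ("/Users/alice/Documents/report.docx.zip", "created", 803_000_002.5),
    ("/Users/alice/Documents/report.docx", "moved to .Trash", 803_000_100.8),
    ("/Users/alice/Documents/ledger.zip", "created", 803_001_000.0),
]


def corroborate(records, fs_events, tolerance=timedelta(seconds=5)):
    """Pair each file-system change with a menu event inside the tolerance window.

    Returns (matched pairs, file-system changes with no menu event near them). An
    unexplained change is not proof that a process acted alone; it is the alternate
    explanation the examiner still has to test before asserting causation.
    """
    menu = [parse_menu_record(r) for r in records]
    matched, unexplained = [], []
    for path, action, cocoa in fs_events:
        when = cocoa_to_datetime(cocoa)
        candidates = [m for m in menu if abs(m.when - when) <= tolerance]
        if candidates:
            matched.append((candidates[0], path, action))
        else:
            unexplained.append((path, action, when))
    return matched, unexplained
```

Run against a real acquisition, the decoder output is what you inspect to work out the field mapping in the first place; the corroboration pass then does the Daubert-style work the round-up asks for, by making the unexplained changes as visible as the matched ones.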

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-48907

Joomla Content Editor (JCE) — an improper access-control flaw lets an unauthenticated attacker create a rogue editor profile and abuse the profile-import workflow to upload and execute arbitrary PHP, planting a persistent web shell; CVSS 10.0. It chains missing authorization, weak file validation, and disabled upload safeguards in JCE 1.0.0 through 2.9.99.4 (fixed in 2.9.99.5). CISA added it to the KEV on June 16 with a June 19 federal deadline. Forensic Note: Hunt newly imported editor profiles, rogue PHP under media/upload directories, and web-shell callbacks; inventory JCE versions across all Joomla sites.

CRITICAL
CVE-2026-42530

NGINX (F5) — a use-after-free in the HTTP/3 module (ngx_http_v3_module) lets an unauthenticated remote attacker trigger denial of service or, where ASLR is disabled or bypassed, remote code execution in the worker process; CVSS 9.2. F5 shipped out-of-band fixes on June 18 alongside companion bug CVE-2026-42055 (an HTTP/2 and gRPC heap overflow), spanning NGINX Open Source, Plus, Gateway Fabric, and Instance Manager. Forensic Note: Review HTTP/3 (QUIC) traffic and worker-process crash artifacts, hunt malformed gRPC and proxy requests, and confirm upgrade to OSS 1.31.2 or Plus R37 P2 / R36 P6.

Malware Spotlight

Rokarolla — Android Banker With Full Device Takeover

Zimperium's zLabs detailed Rokarolla, an Android banking trojan that targets 217 banking and cryptocurrency apps through a toolkit of 137 remote commands. Spread by fake sites posing as TikTok or Chrome, it leans entirely on a single granted Accessibility permission to overlay fake login pages, harvest lock-screen credentials, SMS, and contacts, keylog input, and block or intercept calls to suppress bank fraud alerts — and it rewrites the clipboard to swap in attacker crypto-wallet addresses. Forensic Note: Examine Accessibility-service grants, sideload origins, overlay-injection artifacts, and clipboard-tampering hooks; check for call-blocking configuration.
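The first item in that Forensic Note, examining Accessibility-service grants together with sideload origin, as an added example that is not Zimperium's tooling: the script parses the output of two real Android commands, `settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `pm list packages -i` (package plus installer), and flags any enabled service whose package is not on an allowlist, ranking it higher when the installer is absent, which is what a sideloaded APK looks like. The sample output, the package names and the allowlist are constructed.

```python
"""Triage Android Accessibility-service grants against installer origin.

Added example with constructed command output. Inputs are the text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""

# Accessibility tools you expect to see enabled; constructed allowlist, adjust per fleet.
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}

# Constructed sample output; the second service belongs to a sideloaded app.
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.videoapp.update/com.example.videoapp.update.AccService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.videoapp.update  installer=null
package:com.android.chrome  installer=com.android.vending
"""


def parse_enabled_services(raw):
    """Split the colon-separated setting; 'null' or empty means nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_installers(raw):
    """Map package -> installer string (None when no installer is recorded)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installer = installer.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def triage(enabled_raw, installers_raw):
    """Return findings for enabled Accessibility services outside the allowlist."""
    installers = parse_installers(installers_raw)
    findings = []
    for service in parse_enabled_services(enabled_raw):
        pkg = service.split("/", 1)[0]
        if pkg in KNOWN_GOOD_A11Y:
            continue
        installer = installers.get(pkg)
        sideloaded = installer is None          # no installer on record: typical of a sideloaded APK
        findings.append({"service": service, "package": pkg, "installer": installer,
                         "sideloaded": sideloaded, "priority": "high" if sideloaded else "review"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(finding)
```

A store-installed package that still shows up here is a "review" item rather than a pass, since the grant is what the trojan depends on; the installer field only changes how urgently you pull the APK and look at overlay and clipboard behaviour.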