LockBit Ransomware Abuses Legitimate Windows Defender Utility
The initial target compromise happened via the Log4j vulnerability against an unpatched VMWare Horizon Server. The attackers modified the Blast Secure Gateway component of the application installing a web shell using PowerShell code found documented here.
Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike.
In particular, when attempting to execute Cobalt Strike, Sentinel One observed a new legitimate tool used for side-loading a malicious DLL, that decrypts the payload.
Previously observed techniques to evade defenses by removing EDR/EPP's userland hooks, Event Tracing for Windows and Antimalware Scan Interface were also observed.
Featured Resources
View More Resources
CVE-2026-26117: Hijacking Azure Arc on Windows for Local Privilege Escalation & Cloud Identity Takeover
CVE-2026-26117 lets attackers hijack Azure Arc on Windows, escalate to SYSTEM, and seize the machine’s cloud identity.
Exposure Validation Demo
Demo of automated offensive simulations validating detection, prevention, and IOC coverage
Validate What Matters: Simulate Real-World Identity and Privilege Attacks in AD and Entra ID
Identity is the new perimeter. The move to the cloud and remote work creates new security boundaries based on users and services operating across cloud and hybrid environments, making