ITSEC Newsletter 2026-04-16

Author

Henrik Falk
April 16, 2026

Reverse Engineering a Multi Stage File Format Steganography Chain of the TeamPCP Telnyx Campaign

TeamPCP injected a cred stealer into two releases of the telnyx Python SDK on PyPI. The attack injects 74 lines of malicious code into a single file, telnyx/_client.py, which executes immediately on import telnyx. The payload is hidden inside a WAV audio file data subchunk which is fetched from attacker infrastructure at runtime, and decoded using base64 + XOR before execution. The malware is platform dependent and on Windows it drops a persistent binary disguised as msbuild.exe into the Startup folder for persistence across reboots.

husseinmuhaisen.com/blog/reverse-engineering-teampcp-telnyx-file-format-chain

Common Entra ID Security Assessment Findings - Part 4 - Weak Conditional Access Policies

Reviewing existing Conditional Access policies is one of the most important tasks in an Entra ID security assessment. This section highlights common issues that we regularly observe in practice, including coverage gaps and design weaknesses that reduce the intended security benefits.

blog.compass-security.com/2026/04/common-entra-id-security-assessment-findings-part-4-weak-conditional-access-policies

EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses

Over the past year, security researchers have observed an expansion of the ecosystem around these tools, which can disable endpoint detection and response (EDR) platforms and other threat detection products in a targeted environment. EDR killers typically accomplish this through a technique known as bring-your-own-vulnerable-driver (BYOVD), which abuses legitimate software drivers with Windows kernel access to terminate security processes.

Dark Reading