
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, March 24th, 2026: Tax Scam to EDR Kill; Netscaler Patches; gRPC-Go Authz Bypass
Mar 24, 2026
Tax-season malvertising and fake PDF updaters that trick filers into installing malware. Attackers using vulnerable drivers to disable kernel-mode AV and EDR. Critical Citrix NetScaler/ADC patches for a SAML out-of-bounds issue and a VPN race condition. A gRPC-Go authorization bypass caused by a missing leading slash in request paths.
AI Snips
Tax Season Fake Google Ads Deliver Malware
- Huntress observed tax-season fake Google ads leading to malicious PDF fillers and fake browser updates.
- The ads were real but redirected to malware, and some included bring-your-own-vulnerable-driver exploits that can kill endpoint protection.
Scammers Escalate To Driver-Based EDR Kill
- Attackers are escalating from phishing to using vulnerable drivers to disable AV/EDR, increasing malware sophistication.
- Bring-your-own-vulnerable-driver (BYOVD) exploits enable attackers to kill endpoint protection after the initial lure.
Update Jim's Forensics Tools After AI Review
- If you use the affected tools, update immediately: Jim's GitHub forensic tools received an AI security review and patches.
- Johannes notes that multiple fixes, including for header injection and TOCTOU issues, are published on the repo.
