Bypass Record
Input Capture × ThreatDown Endpoint Protection
A publicly-reported instance of Input Capture bypassing ThreatDown Endpoint Protection, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Attackers used SEO poisoning to trick users into downloading a malicious IP scanner that deployed the Oyster Backdoor DLL. The backdoor performed input capture to steal SSH credentials, which were then used to access NAS and VMware hypervisors. Because the victim only used ThreatDown Endpoint Protection (EP) without EDR/MDR, the attackers bypassed real-time protection and deployed Rhysida ransomware to encrypt VMDK files and local backups.
Detection & mitigation
Monitor for unusual process creation from downloaded installers, especially those communicating with newly registered or suspicious domains. Deploy EDR/MDR to detect lateral movement and credential misuse; enforce application whitelisting and restrict administrative tool execution.
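The first monitoring suggestion above, worked into a small detection rule as an added example (not from the cited source or the vendor): processes launched from a user's Downloads folder, and their child processes, are flagged when they connect to a domain that is newly registered or absent from a registration feed. The telemetry, the domain-registration table and the field names are constructed for illustration.

```python
from datetime import date
from pathlib import PureWindowsPath

# Constructed sample telemetry (Sysmon-like fields, not real events).
EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 1000,
     "image": r"C:\Users\alice\Downloads\ipscanner_setup.exe"},
    {"type": "process_create", "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "network_connect", "pid": 4130, "dest_host": "stage.example"},
    {"type": "network_connect", "pid": 4120, "dest_host": "cdn.example"},
    {"type": "process_create", "pid": 5000, "ppid": 1000,
     "image": r"C:\Program Files\Vendor\app.exe"},
    {"type": "network_connect", "pid": 5000, "dest_host": "updates.example"},
    {"type": "network_connect", "pid": 4130, "dest_host": "unknown.example"},
]
# Hypothetical registration dates, as a WHOIS enrichment feed would supply.
DOMAIN_REGISTERED = {
    "stage.example": date(2024, 6, 20),
    "cdn.example": date(2010, 1, 1),
    "updates.example": date(2015, 3, 2),
}
TODAY = date(2024, 7, 1)

def is_downloaded(image: str) -> bool:
    """True if the executable sits under a folder named Downloads."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "downloads" in parts[:-1]

def find_suspicious(events, domain_registered, today, max_age_days=30):
    """Return (pid, root installer, host, reason) for connections made by a
    downloaded installer or its descendants to new or unknown domains."""
    tainted = {}  # pid -> image of the downloaded installer at the root
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            if is_downloaded(ev["image"]):
                tainted[ev["pid"]] = ev["image"]
            elif ev["ppid"] in tainted:  # children inherit the taint
                tainted[ev["pid"]] = tainted[ev["ppid"]]
        elif ev["type"] == "network_connect" and ev["pid"] in tainted:
            reg = domain_registered.get(ev["dest_host"])
            if reg is None:
                reason = "no registration data"
            elif (today - reg).days <= max_age_days:
                reason = f"registered {(today - reg).days} days ago"
            else:
                continue  # established domain: not interesting on its own
            hits.append((ev["pid"], tainted[ev["pid"]], ev["dest_host"], reason))
    return hits
```

On the sample, only the child process of the downloaded installer is reported (once for the 11-day-old domain, once for the domain with no registration data); the vendor application and the connection to the long-established domain are not.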
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.