Editor’s Highlights
Slightly later than normal due to winter vacations, here is a roundup of what happened with WithSecure Elements during December 2025.
Extended Detection and Response
Endpoint Protection
WithSecure Agent for Windows and Server
A new version of the endpoint clients is available. This release makes the Elements Agent version 25.5 available (internal version 25.5.416).
The endpoints automatically upgrade, without a reboot.
This release introduces the following new features (together with a Profile Editor update).
Software Updater Engine
The software updater engine is now downloaded directly from the Update server instead of being bundled with the MSI installer, resulting in more efficient update delivery.
Enhanced Agent Connectivity Diagnostics
The agent now provides more comprehensive connectivity status information to the portal, enabling better troubleshooting and diagnosis of sensor connectivity issues.
Browsing Protection - Newly Registered Domain Blocking
Browsing protection now blocks newly registered domains when this feature is enabled from the portal, providing enhanced protection against potential threats from recently created domains.
Enhanced Proxy Settings Management
Starting with this version, any proxy settings provided during installation will be automatically replaced by the proxy value from the assigned profile after the first successful profile assignment, providing better administrative control.
WithSecure Agent for Mac
WithSecure Elements Agent macOS 25.5 has been released.
This release brings:
- Updated sensor version 25.2.188
- Sensor now aware of "blocked" events from Firewall
- macOS 26 liquid glass update for Elements Agent user interface
- Built with Xcode 26 SDKs
- Discontinued support for macOS 13
Elements Agent macOS 25.5 supports the following macOS versions:
- macOS 26 Tahoe
- macOS 15 Sequoia
- macOS 14 Sonoma
WithSecure Agent for Mobile Protection for iOS
An update to the WithSecure Elements Mobile Protection app for iOS (25.12.12002) has been released.
New Features:
- Added support for identifying and blocking newly registered domains that may host emerging threats.
- The app can now receive and apply proxy settings remotely from the WithSecure Elements Endpoint Protection portal, improving centralized management.
- Added safe search functionality to Safari extension to achieve feature parity with existing Chrome extension.
- Improvements to permission request handling.
- Improvements to app stability and UI
WithSecure Agent for Mobile Protection for Android
An update to the WithSecure Elements Mobile Protection app for Android (25.5.0023466) has been released.
It includes the following new features and improvements:
- Added support for identifying and blocking newly registered domains that may host emerging threats.
- The app and the WithSecure Elements Endpoint Protection portal now support remote proxy server settings
- The app now displays scan results when applications are updated
- Support for Android 10 through Android 12.1 has been dropped
- Improvements to permission request handling
- Improvements to app stability
WithSecure Agent for Linux
Elements Agent for Linux and Linux Security 64 are now available for both AMD64 and ARM64 architectures on the latest distribution versions:
- Red Hat Enterprise Linux (RHEL) 10
- Rocky Linux 10
- AlmaLinux 10
- Oracle Linux 10
- Debian 13
Note: Full system memory dump remote operation is not yet supported for the RHEL 10, Rocky Linux 10, AlmaLinux 10, and Oracle Linux 10 distributions.
Exposure Management
Exposure Management for Business
The new release includes updates to the Attack Path visualization and the Environment → Network page:
Attack Path visualization
- The Attack Path visualization has been updated to show verified connections between nodes in the attack path diagrams.
- An option to show verified network connections has been added to the main Attack Path visualization view. This option is enabled by default and may be toggled through the control panel.
- Connections are green when verified connection findings are available. Connections are shown as dashed lines where verifications are unavailable. Verifications will not be possible if the source node does not have the EDR agent installed. The step flyout now includes fields that show which ports are reachable from the source node.
- The legend panel includes new explanatory text and a key for the new line styles.
- The Attack Path simulator discards findings older than 30 days.
Environment → Network page
- The list of company external assets is now the default landing page on the Environment → Network page
- Page design has been updated while preserving all of the functionality as before
- The Internet tab has been moved to a secondary tab, providing the possibility to search for publicly visible assets
- Search results now also contain an indicator (checkmark) when a publicly visible asset is already added to the scan group
WithSecure Vulnerability Management Portal
- Added a pop-up notification to inform users about the upcoming removal of Devices → Vulnerability assets page by the end of 2025.
- Resolved an issue causing the Vulnerability Management dashboard on the Home → Overview tab to display empty results instead of vulnerability data.
Exposure Management System Scan
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning:
- Apache Syncope
- AWS JDBC Wrapper
- Spring Cloud Gateway
In addition, the detection of Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2025-61882) was added.
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning for Windows:
- Ankitects Anki
- Apache Causeway
- Asustor Backup Plan
- Asustor EZ Sync
- Autodesk 3ds Max
- Autodesk Fusion and Fusion 360
- AWS PGSQL ODBC
- AWS Wickr desktop clients
- Fluent Bit
- GoSign Desktop
- HP System Event Utility
- Intel PresentMon
- Intel Thread Director Visualizer
- Joplin
- Lite XL
- MongoDB BI Connector ODBC
- MongoDB Connector for BI
- N-able Take Control Agent
- N-central Windows agent and N-central probe
- Opera browser editions
- Razer Synapse
- SigTest
- SigTest Phoenix
- Synology ActiveProtect Agent
- Total Commander
- WatchGuard Mobile VPN with SSL client
Elements Foundations
Integrations
Elements API
New API Endpoints for Managing Elements API Credentials
We have introduced new endpoints to automate the management of API keys for the Elements API:
Create API Key
POST /api-keys/v1/create
- Generate a new API key for accessing the Elements API.
- Keys can be created at the organisation or Service Organisation Partner (SOP) level.
- By default, keys are read-only for security. Optionally, set readOnly to false for write access.
- Important: clientSecret is returned only once during creation—store it securely.
Delete API Key
DELETE /api-keys/v1/api-keys/{clientId}
- Permanently remove an API key by its ID.
- Deleted keys cannot be recovered or used for authentication.
List API Keys
GET /api-keys/v1/api-keys
- Retrieve all API keys for the current organisation or specify an organizationId when querying from SOP level.
For full details, including request/response formats and examples, refer to the API documentation.
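The three endpoints above make key rotation scriptable. The example below is an added illustration, not WithSecure's own client or documentation: it rotates a key by creating the replacement first, capturing the clientSecret from the one response that carries it, and only then deleting the old key, and it lists keys that were created with readOnly set to false so an administrator can review write access. Everything beyond the paths and field names shown on the page is an assumption and is marked as such in the code: the base URL, bearer-token authentication, the JSON shape of the responses (including an "items" array in the list response), and how organizationId is passed. An in-memory fake transport, also constructed here, lets the example run offline.

```python
"""Rotate an Elements API key using the api-keys endpoints (added example).

Assumptions not stated on the page: the base URL, bearer-token auth, JSON
bodies, and response field layout. Only readOnly, clientSecret, clientId and
organizationId are taken from the page itself.
"""
import json
import secrets
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ASSUMED_BASE_URL = "https://api.connect.withsecure.com"  # assumption

# A transport takes (method, path, json_body_or_None) and returns parsed JSON.
Transport = Callable[[str, str, Optional[dict]], dict]


@dataclass
class ApiKey:
    client_id: str
    read_only: bool
    client_secret: Optional[str] = None  # present only in the create response


def http_transport(bearer_token: str, base_url: str = ASSUMED_BASE_URL) -> Transport:
    """Real transport (assumed: JSON over HTTPS with a bearer token)."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {bearer_token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


class ApiKeyClient:
    """Thin wrapper over the create / list / delete endpoints."""
    def __init__(self, transport: Transport, organization_id: Optional[str] = None):
        self.transport = transport
        self.organization_id = organization_id  # only needed when calling from SOP level

    def create(self, read_only: bool = True) -> ApiKey:
        body = {"readOnly": read_only}  # read-only is the safe default
        if self.organization_id:
            body["organizationId"] = self.organization_id  # assumed field placement
        r = self.transport("POST", "/api-keys/v1/create", body)
        return ApiKey(r["clientId"], r["readOnly"], r.get("clientSecret"))

    def list_keys(self) -> List[ApiKey]:
        path = "/api-keys/v1/api-keys"
        if self.organization_id:
            path += f"?organizationId={self.organization_id}"
        r = self.transport("GET", path, None)
        return [ApiKey(k["clientId"], k["readOnly"]) for k in r.get("items", [])]  # "items" assumed

    def delete(self, client_id: str) -> None:
        self.transport("DELETE", f"/api-keys/v1/api-keys/{client_id}", None)


def rotate_key(client: ApiKeyClient, old_client_id: str, read_only: bool = True) -> ApiKey:
    """Create the replacement before deleting the old key, so there is no
    window without a usable key. The returned clientSecret must be persisted
    by the caller immediately: the service returns it only once."""
    new_key = client.create(read_only=read_only)
    if not new_key.client_secret:
        raise RuntimeError("create response carried no clientSecret; old key left in place")
    client.delete(old_client_id)
    return new_key


def write_capable_key_ids(client: ApiKeyClient) -> List[str]:
    """Audit helper: IDs of keys that were created with readOnly=false."""
    return [k.client_id for k in client.list_keys() if not k.read_only]


class FakeTransport:
    """In-memory stand-in for the service so the example runs offline (constructed)."""
    def __init__(self) -> None:
        self.keys: Dict[str, bool] = {}  # clientId -> readOnly

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        if method == "POST" and path == "/api-keys/v1/create":
            cid = "key-" + secrets.token_hex(4)
            self.keys[cid] = bool((body or {}).get("readOnly", True))
            return {"clientId": cid, "readOnly": self.keys[cid],
                    "clientSecret": secrets.token_urlsafe(24)}
        if method == "GET" and path.startswith("/api-keys/v1/api-keys"):
            return {"items": [{"clientId": c, "readOnly": ro} for c, ro in self.keys.items()]}
        if method == "DELETE" and path.startswith("/api-keys/v1/api-keys/"):
            self.keys.pop(path.rsplit("/", 1)[1], None)
            return {}
        raise ValueError(f"unexpected request {method} {path}")


if __name__ == "__main__":
    fake = FakeTransport()
    fake.keys["key-old"] = False  # a pre-existing write-capable key (constructed)
    client = ApiKeyClient(fake)
    new = rotate_key(client, "key-old")
    print("new key:", new.client_id, "| secret captured once:", bool(new.client_secret))
    print("remaining write-capable keys:", write_capable_key_ids(client))
```

Swap `FakeTransport()` for `http_transport(token)` to run against the real service; the rotation order and the one-time handling of clientSecret are the parts worth keeping regardless of how the transport is implemented.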
Other items of interest
Changelogs have moved! You can now find all product changelogs here: Product Changelogs
Want notifications for new changelogs?
- For all products: Click the Follow button on the Changelog homepage to receive email notifications whenever new changelogs are published.
- For specific products only: At the moment, email notifications for individual product changelogs are not yet available in the Community. We’re actively working on enabling email notifications for individual changelogs and will let you know as soon as this feature is available.
- To make sure you don’t miss any updates in the meantime, we recommend subscribing to all changelog notifications (see above).
- You can also use notifications in Elements Security Center or save the product’s changelog page as a browser bookmark for quick access.
In case you missed it
Important Update: Sample Submission has moved to a new platform
From the beginning of 2026, the Sample Submission service has moved to a new platform. You can find more details in a dedicated article.
TangleCrypt: a sophisticated but buggy malware packer
Executive Summary
WithSecure's STINGR Group is releasing a detailed technical analysis of TangleCrypt, a previously undocumented packer for Windows malware. The packer was found on two executables used in a recent ransomware attack and their payloads were both identified as an EDR killer known as STONESTOP that leverages the malicious ABYSSWORKER driver.
Key findings about TangleCrypt:
- The payload is stored inside the PE Resources via multiple layers of base64 encoding, LZ78 compression and XOR encryption.
- The loader supports two methods of launching the payload: in the same process or in a child process. The chosen method is defined by a string appended to the embedded payload.
- To hinder analysis and detection, it uses a few common techniques like string encryption and dynamic import resolving, but all of these were found to be relatively simple to bypass. The lack of any advanced anti-analysis mechanisms also makes manual unpacking of the payload rather straightforward.
- Although the packer has an overall interesting design, we identified several flaws in the loader implementation that may cause the payload to crash or show other unexpected behaviour.
Read more about it HERE
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via the Ideas section of the WithSecure Community, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center