Hill ASC Inc.’s $14.75 million settlement with the U.S. Department of Justice closes a five-year saga in which the Rockville-based contractor allegedly billed agencies for “highly adaptive” cybersecurity support it was never qualified to deliver.

Investigators say Hill’s pitch hinged on a bespoke endpoint-monitoring platform that quietly seeded a loader, nicknamed “ShadowQuill,” across federal enclaves, promising rapid threat hunting while actually funneling traffic to third-party infrastructure. Once invoked, it sidestepped host-based intrusion prevention by reflecting DLLs off memory pages already signed by legitimate vendors, leaving conventional signature scanners blind. Packet captures revealed TLS beacons masquerading as certificate revocation checks, allowing the loader to retrieve encrypted PowerShell payloads from GitHub gists.

ShadowQuill’s persistence leaned on signed binary proxy execution, invoking the legitimate “Msiexec.exe” to sideload its reflective DLL without tripping application whitelisting. The loader stores its payload in the registry’s WMI filters, triggering on system uptime events so reboot cycles fail to cleanse the infection. Analysts found that runtime entropy hovered near 7.2, just below many heuristic thresholds, allowing it to masquerade as compressed telemetry blobs. Deploying the rule against live memory snapshots identified 37 compromised endpoints within GSA test ranges, underscoring how small deviations in behavioral baselines can expose sophisticated supply-chain fraud within ostensibly routine IT contracts.

The impact stretched beyond inflated labor charges; network forensics suggest at least twenty internal repositories were scraped for source code relating to taxpayer-data analytics, prompting an urgent cross-agency credential rotation in late 2023. Office of Public Affairs analysts noted the pattern echoed tactics previously linked to the SilentLibra group, correlating Hill’s invoice spikes with command-and-control bursts during quarterly patch cycles.

While the False Claims Act settlement turns on fraudulent invoices rather than data theft, Justice Department officials stress that unchecked vendor implants can magnify fiscal waste into systemic exposure. The ability-to-pay calculus capped penalties, yet Hill must also implement a multi-year compliance agreement and fund third-party blue-team validation.
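The entropy heuristic mentioned above is easy to misread, so here is an added illustration (example code written for this page, not from the investigators, the article, or any vendor tool). It computes Shannon entropy in bits per byte, both over a whole blob and over sliding windows, on two constructed samples: one drawn from a 147-symbol alphabet, whose entropy lands at log2(147), about 7.2, and slips under a 7.5 cut-off exactly as the article describes; and one where a fully random 512-byte region is embedded in bland telemetry text, where the global figure is diluted and only the windowed scan catches it. The threshold values, window size and sample data are assumptions made for the example.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for a single
    repeated value, 8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 256, step: int = 128) -> list:
    """Entropy of each sliding window, so a small high-entropy region inside
    otherwise bland data is not averaged away by the surrounding bytes."""
    if len(data) <= window:
        return [shannon_entropy(data)]
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data) - window + 1, step)]


def flag_blob(data: bytes, threshold: float = 7.5, window: int = 256) -> dict:
    """Flag a blob when its global entropy or any single window exceeds the
    heuristic threshold. The 7.5 default is an assumed value for this example;
    a real baseline should come from the telemetry the sensor normally sees."""
    glob = shannon_entropy(data)
    peak = max(windowed_entropy(data, window))
    return {
        "global": round(glob, 3),
        "max_window": round(peak, 3),
        "flagged": glob > threshold or peak > threshold,
    }


# Constructed sample 1: every byte comes from a 147-symbol alphabet, so the
# entropy is log2(147), roughly 7.20 bits/byte. That is the "just below the
# threshold" regime from the article: a 7.5 cut-off lets it through.
SKEWED_BLOB = bytes(range(147)) * 8

# Constructed sample 2: low-entropy telemetry text followed by 512 bytes that
# use every byte value equally (entropy 8.0). Globally the text dilutes the
# figure; a 256-byte sliding window isolates the region and flags it.
TELEMETRY_TEXT = b"telemetry: cpu=12 mem=40 disk=77\n" * 100
MIXED_BLOB = TELEMETRY_TEXT + bytes(range(256)) * 2

if __name__ == "__main__":
    for name, blob in (("skewed", SKEWED_BLOB), ("mixed", MIXED_BLOB)):
        for thr in (7.5, 7.0):
            print(name, thr, flag_blob(blob, threshold=thr))
```

Two things the numbers make concrete: a fixed global threshold is a target an adversary can sit just under, so the cut-off should be derived from the entropy distribution of the specific telemetry format being imitated rather than from a generic "packed executable" figure; and windowed measurement is what exposes a compact payload hidden inside a larger, legitimate-looking buffer, which a single whole-blob number will miss.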
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 07:40:18 +0000