Microsoft products and infrastructure are involved in four active threat items this week, none of which are patched or patchable via a CVE cycle. The CL-STA-1062 campaign exploited ASPX web applications and MSSQL Server as exfiltration staging infrastructure. ClickOnce, a built-in Windows deployment framework, is being actively weaponized for privilege-free malware delivery and C2 persistence. A Node.js implant campaign abuses .NET csc.exe for in-memory DLL compilation on Windows endpoints.