abuse Archives

Winsage

March 27, 2026

Microsoft tells crusty old kernel drivers to get with the Windows Hardware Compatibility Program

Microsoft is enhancing the security of the Windows kernel by eliminating trust for kernel drivers not certified through the Windows Hardware Compatibility Program (WHCP) starting with the April 2026 Windows Update. This change specifically targets kernel drivers signed by the now-obsolete cross-signed root program, which has been associated with security vulnerabilities. The new policy will initially be introduced in an "evaluation mode" to monitor and audit driver loads for potential compatibility issues. Custom kernel drivers can still be used under the Application Control for Business policy, but must be signed by an authority within the device's Secure Boot Platform Key or Key Exchange Key variables. The changes will impact Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025.

AppWizard

March 25, 2026

‘Is my mom okay?’: Boy watching ‘Minecraft’ movie hears his mother getting shot in head

A 5-year-old boy witnessed his pregnant mother, Monique Aldridge, being fatally shot in the head by her ex-boyfriend, Vaughn Boatner, in Hayward, California, on May 11, 2023. Boatner entered the home by sliding under a partially open garage door. He fled to Seattle after the shooting but was later apprehended. Aldridge's boyfriend was also severely injured in the attack. Boatner was sentenced to 35 years in prison after pleading no contest to voluntary manslaughter and attempted murder. The boy, unharmed, was found safe by responding officers, and it was revealed that he was the child of both Aldridge and Boatner. Aldridge and her boyfriend had recently argued over a minor disagreement. Boatner confronted Aldridge about their son's safety before the shooting. Aldridge's boyfriend locked the boy in a closet for protection during the chaos. Boatner's sentencing occurred on March 19, and Aldridge's family is committed to supporting her son.

AppWizard

March 16, 2026

Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse

Google is piloting a security enhancement in its Android Advanced Protection Mode (AAPM) that restricts certain applications from using the accessibility services API. This update is part of Android 17 Beta 2. AAPM, introduced in Android 16, enhances device security by blocking app installations from unknown sources, restricting USB data signaling, and mandating Google Play Protect scanning. Developers can integrate with AAPM through the AdvancedProtectionManager API to adapt their apps based on the security mode's status. The new restriction prevents non-accessibility apps from accessing the accessibility services API, allowing only verified accessibility tools like screen readers and voice-based input tools. Non-accessibility apps, including antivirus software and password managers, will have their access revoked when AAPM is activated, and users cannot grant permissions to these apps unless AAPM is disabled. Additionally, Android 17 introduces a new contacts picker feature that allows developers to specify which fields to access from a user's contact list, providing more granular control over data access.

Winsage

March 11, 2026

Windows Hello gets passkey support for Entra accounts

Microsoft is enhancing the sign-in process for Microsoft Entra on Windows devices by introducing support for passkeys that integrate with Windows Hello, reducing reliance on traditional passwords. This feature aims to improve resistance against phishing attacks and will begin its optional public preview between mid-March and the end of April 2026 for organizations globally. Government cloud environments will have a separate preview from mid-April to mid-May. Administrators must activate this functionality for users. Employees will be able to access Entra-secured services using Windows Hello through biometric recognition or a PIN code, with cryptographic keys securely stored on the device. This method protects against phishing and account abuse since the keys remain on the device and are not vulnerable to interception. Passkeys will also work on Windows systems not linked to Entra, allowing access to company resources without passwords on personal or shared devices. Each Entra account generates a unique passkey per device, and synchronization between devices is not supported. Administrators need to enable the FIDO2 passkey method within Entra’s authentication policy to activate this feature. Microsoft aims to gradually eliminate passwords, providing stronger defenses against phishing and account compromise.

AppWizard

March 11, 2026

New Telegram app lets whistleblowers report fraud without sharing personal data

AlphaTON Capital Corp. and the Midnight Foundation launched the Vera Report, an anonymous reporting application for whistleblowers, on March 3, 2026. The platform uses advanced technologies such as confidential computing, zero-knowledge proofs, blockchain anchoring, and decentralized storage via IPFS. It targets a market of 1 billion monthly active users and addresses significant U.S. fraud losses estimated between 0 billion and trillion, with the DOJ recovering .8 billion in fiscal year 2025, of which .3 billion came from whistleblower cases. On the announcement day, ATON shares declined by 2.07%, with a market cap impact of approximately K. The Vera Report aims to improve privacy and accountability in government and corporate sectors by facilitating anonymous reporting while protecting whistleblower identities.

Winsage

March 6, 2026

Chinese hackers hide malware in Windows and Google Drive to hit targets

Chinese state-sponsored threat actors, specifically a group known as Silver Dragon, have been conducting espionage operations across Southeast Asia and Europe since at least mid-2024. They have targeted government entities in countries such as Russia, Poland, Hungary, Italy, Japan, Myanmar, and Malaysia. Silver Dragon is believed to be affiliated with APT41 and primarily uses phishing emails to initiate attacks, often containing weaponized documents or links. They employ a custom backdoor called GearDoor, which utilizes Google Drive for command-and-control operations, allowing them to exfiltrate stolen intelligence. The group also hijacks legitimate Windows services to load malicious code and uses tools like SSHcmd and Cobalt Strike for post-exploitation activities. Their tactics involve blending malicious activities with normal system operations, making detection difficult and increasing their dwell time within targeted networks.

AppWizard

March 6, 2026

YouTube Expands In-App Direct Messaging Test

YouTube is expanding its revamped direct messaging feature from an initial trial in Poland and Ireland to 31 European countries. This feature, available to signed-in users aged 18 and older, allows users to send direct messages and share videos within the YouTube app. The messaging remains experimental and is focused on one-on-one or small group interactions rather than creating a comprehensive social inbox. Users in the United States and other regions are not part of this trial. The age restriction and invite acceptance requirement aim to enhance safety and privacy. YouTube is implementing moderation tools, spam controls, and reporting mechanisms to ensure user protection. The effectiveness of this feature could influence future developments and potential global rollout.

Winsage

March 6, 2026

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Microsoft revealed a social engineering campaign named ClickFix that exploits the Windows Terminal application to deploy Lumma Stealer malware. Detected in February 2026, this campaign instructs users to access Windows Terminal using the Windows + X → I shortcut, enhancing its perceived legitimacy. Attackers evade detection by manipulating users into executing harmful commands through deceptive prompts. The attack chain involves pasting a hex-encoded command into Windows Terminal, which opens additional Terminal and PowerShell instances, leading to a PowerShell process that decodes a script. This process downloads a ZIP payload containing a renamed 7-Zip binary, which extracts files and initiates a multi-stage attack, including retrieving payloads, establishing persistence, configuring Microsoft Defender exclusions, exfiltrating data, and deploying Lumma Stealer by injecting it into "chrome.exe" and "msedge.exe." Lumma Stealer targets browser artifacts to harvest credentials. A secondary attack pathway involves downloading a batch script that writes a Visual Basic Script to the Temp folder and connects to Crypto Blockchain RPC endpoints, also using QueueUserAPC() for code injection into browsers to extract data.

AppWizard

March 4, 2026

Meet Vera Report, The App That Lets You Whistleblow Anonymously From a Smartphone Using Telegram Messenger

AlphaTON Capital Corp. and the Midnight Foundation have launched Vera Report, an anonymous reporting platform utilizing privacy-preserving blockchain technology and confidential computing for real-time reporting of fraud, waste, and abuse. A report by the Government Blockchain Association reveals an annual loss of billion to trillion due to federal fraud in the U.S. and highlights that whistleblower cases have recovered .3 billion under the DOJ’s False Claims Act in FY 2025. Despite potential savings of 0 billion from a 20% reduction in fraud, 31% of employees fear retaliation for reporting. Vera Report allows users to report fraud anonymously through a Telegram application, employing Zero-Knowledge Proofs, Confidential Computing, Blockchain Verification, Decentralized Storage, Automatic Metadata Stripping, and AI Credibility Assessment to protect submitters’ identities and improve reporting efficiency.

Winsage

March 1, 2026

Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery

Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.