actors Archives

Winsage

June 13, 2026

Windows Server 2025 Adds DNS Over HTTPS for Secure DNS Traffic

Microsoft has rolled out support for DNS over HTTPS (DoH) in Windows DNS Server as part of the Windows Server 2025 update. This feature enhances the security of DNS communications through encryption and server authentication, allowing encrypted client-to-resolver traffic in on-premises DNS environments. DoH encrypts DNS queries and responses using HTTPS, protecting sensitive information from interception or alteration. It also uses digital certificates for DNS server authentication to reduce spoofing and impersonation risks. The feature is compatible with existing Windows DNS Server configurations and supports both encrypted and traditional DNS. DoH support is available on Windows Server 2025 with the June 9, 2026 update or newer. Administrators must configure a trusted TLS certificate and enable DoH in the DNS Server service to deploy this feature. Microsoft plans to extend encryption capabilities to include communication between the Windows DNS Server and upstream DNS resolvers in the future.

Winsage

June 12, 2026

Hackers Use Fake Windows Update Installers to Deliver OnyxC2 Credential Stealer

OnyxC2 is a sophisticated credential stealer available for a subscription fee of 0 per month, distributed through disguised lures such as fake Windows updates and legitimate software installers. It functions as a commercial product with features like an automated payload builder, tiered licensing, and a centralized web dashboard. The malware boasts a 99% detection-evasion rate, successfully evading major antivirus solutions during tests. It is developed in C++, utilizing direct system calls and mutating with each build to avoid detection. OnyxC2 collects data from around 210 applications, targeting 45 web browsers, password managers, cryptocurrency wallets, and FTP clients. The malware is delivered using DLL sideloading, where a password-protected archive contains a legitimate application and a malicious DLL. The attacker's DLL is disguised by inflating its size and is loaded by a trusted binary. The malicious code remains encrypted on disk and decrypts in memory to evade analysis. OnyxC2 communicates with a Cloudflare-fronted command-and-control server to manage infected hosts and execute commands like hardware registration and cookie uploads. The threat extends to business environments, targeting FTP and email clients, with stolen session cookies allowing ongoing access to corporate infrastructure. Implementing anti-data exfiltration controls is recommended as a mitigation strategy.

Winsage

June 12, 2026

Microsoft’s bug-hunting nemesis extends vendetta with more zero-day attacks — Nightmare Eclipse publishes RoguePlanet and GreatXML local privilege escalation exploits

Nightmare-Eclipse, also known as Chaotic-Eclipse, has introduced two new exploits: RoguePlanet and GreatXML. RoguePlanet exploits a vulnerability in Windows Defender, allowing attackers to gain SYSTEM user access privileges by tricking a user into executing a script. This access enables attackers to execute commands beyond standard Administrator capabilities, siphon sensitive data, and install malware. GreatXML provides a method for bypassing BitLocker encryption by creating a specially crafted "unattend.xml" file and a "Recovery" directory on the Windows recovery partition. Microsoft has shifted its stance from threatening legal action against Eclipse and is now monitoring the situation, while Eclipse has postponed a planned mass disclosure of zero-day Windows vulnerabilities initially set for July 14 due to delays in developing RoguePlanet.

AppWizard

June 12, 2026

Android users need to uninstall these apps ASAP as they are a security risk

Google will soon notify Android users when an app they installed has lost developer support. Currently, users only receive alerts from Play Protect for significant security threats or potentially harmful apps. The only way to discover if an app has been delisted is through external sources or by trying to install it on a new device. Recent findings in the Play Store indicate that Google is preparing to inform users when apps have been removed from the Play Store and will no longer receive updates. Abandoned apps pose significant security risks, as they may contain vulnerabilities that can be exploited by malicious actors. Google's new notifications aim to encourage users to uninstall unsupported apps to protect their personal data.

AppWizard

June 11, 2026

I was big into Clutch’s mix of story and racing styles, but the driving’s a lot simmier than I expected

Clutch is a cinematic open world action-driving game set in Monaco, where professional and underground street racing collide. It has sold over six million copies shortly after its release, making it the only racing franchise with sales comparable to major third-person action titles. The game features a narrative that follows siblings Theo and Cass Martial in the R1K racing league, incorporating fully motion-captured actors, cutscenes, and an expansive open world. Players engage in dynamic scenarios, including police chases and street racing with the Midnight Collective, where they can earn money for new cars and perform viewer-requested stunts. Clutch aims to blend narrative with gameplay, offering a vibrant experience that encourages player investment in the characters and their journeys.

AppWizard

June 11, 2026

Valve to discontinue physical Steam gift cards by the end of 2026 due to scammers — says nefarious actors continue to exploit them despite years of restrictions

Valve will discontinue the sale of physical Steam gift cards by the end of 2026, with retail stores expected to deplete existing inventory by the end of this year. Current holders of Steam gift cards can still redeem them at any time, following local laws. Users can still purchase and send digital gift cards through the Steam platform. Additionally, Valve is implementing a reservation-based system for its Steam Controller to prevent scalping, restricting reservations to eligible Steam accounts with a solid purchase history.

Winsage

June 10, 2026

Microsoft’s biggest-ever Patch Tuesday fixes 206 bugs, including 3 zero-days

Microsoft's recent Patch Tuesday release addressed 206 security vulnerabilities, marking the largest update since the program began in October 2003. Among these, 32 vulnerabilities are classified as critical, including three zero-day vulnerabilities that were disclosed before patches were available, though none are reported to be actively exploited. Notable vulnerabilities include: - CVE-2026-50507 in Windows BitLocker, with a CVSS score of 6.8, allowing unauthorized bypass of security features through physical attacks. - CVE-2026-49160 in HTTP.sys, with a CVSS score of 7.5, which can be exploited for remote denial-of-service attacks. - CVE-2026-45586 in the Windows Collaborative Translation Framework (CTFMON), with a CVSS score of 7.8, which could grant SYSTEM privileges to attackers.

Winsage

June 10, 2026

Windows 11’s June update shuts down an intentional BitLocker backdoor with full file access

Microsoft addressed three zero-day vulnerabilities identified by security researcher Nightmare-Eclipse, named YellowKey, GreenPlasma, and MiniPlasma. The YellowKey vulnerability allows access to BitLocker-protected drives on Windows 11 using a USB key, leading to allegations that Microsoft may have left a backdoor in BitLocker. Microsoft implemented a mitigation strategy included in the June 2026 Patch Tuesday updates, which addressed over 200 security flaws. Tensions arose between Microsoft and Nightmare-Eclipse regarding vulnerability reporting protocols and researcher compensation, with Microsoft initially threatening legal action against the researcher. Following backlash, Microsoft retracted the threat but tensions persisted. Nightmare-Eclipse claimed retaliation from Microsoft, including the banning of their GitHub account and deletion of their Microsoft account, which Microsoft denied. The situation highlights the ongoing challenges in cybersecurity and the relationship between tech companies and security researchers.

AppWizard

June 9, 2026

This New Computer Virus Is Disguising Itself As A Popular Video Game

Old-school gaming consoles are seeing a resurgence, but hackers are exploiting this trend with a malware campaign called "WeedHack," which emerged in January. This malware operates on a "Malware-as-a-Service" model, allowing users to purchase it to infect victims. WeedHack functions as a remote access infostealer, compromising computers to manipulate screens, access webcams, and steal sensitive data. It propagates by enticing users with unofficial "Minecraft" mods and clients, often using videos and download links as bait. Additionally, it employs "SEO poisoning" to promote fake websites as legitimate sources for these mods on platforms like Discord and Reddit. WeedHack disguises itself as a JAR file, similar to the official "Minecraft" client, and once executed, it installs its payload from Ethereum server domains. It can insert itself into antivirus exclusion lists, evading detection, and McAfee's tests show that Windows Defender is ineffective against it. The malware collects extensive information, including Wi-Fi networks and browser cookies, and grants hackers complete control over infected computers. The WeedHack virus serves as both malware and a training ground for aspiring hackers, structured into two tiers: a free version with core capabilities and a paid subscription for advanced features. A community has formed around WeedHack, offering tutorials, a Discord server, and a website for feature requests and custom payload creation. This community aspect lowers the barrier for newcomers, particularly targeting a younger audience that may not understand online safety.

AppWizard

June 8, 2026

NFCShare Android malware spreads via fake banking app updates on GitHub

New variants of the NFCShare Android malware are disguised as fake updates for legitimate banking applications and are targeting customers of various banks in Europe through a phishing campaign to steal sensitive payment card data. The malware prompts victims to place their cards near the NFC chip of their mobile devices, using Android’s IsoDep interface to read card information, including card number, type, expiry date, and a 4-digit PIN. The stolen data is exfiltrated to the attacker’s command-and-control host via a WebSocket channel. Recent attacks began on May 14, with victims directed to a phishing site that impersonates a legitimate bank and then to a GitHub repository hosting a malicious APK file. The repository has hosted 56 unique APKs impersonating banking applications primarily from Italy and Spain. The malware has evolved from initially targeting Deutsche Bank in Germany to a broader range of banks. The latest version features malformed APK packaging to complicate automated analysis. Users are advised to download banking applications only from Google Play and to be cautious of verification requests that ask for NFC card scans.