aliases

Winsage
May 8, 2025
Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:\ProgramData\SkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.
Tech Optimizer
March 3, 2025
Recent developments indicate that Mac users are facing an escalating threat from malware designed for macOS systems, particularly with the emergence of a strain called FrigidStealer. This malware spreads through deceptive browser update prompts on compromised websites, leading users to download a malicious DMG file that seeks elevated privileges to steal sensitive information. Cybersecurity firm Proofpoint has traced the operations of FrigidStealer to two threat actors: TA2726, a traffic distribution service provider, and TA2727, which delivers the malware. This campaign also targets Windows and Android devices, indicating a multi-platform strategy. Additionally, the rise of infostealer malware has compromised approximately 330 million credentials in 2024, with around 3.9 billion credentials circulating from infostealer logs. Users are advised to adopt protective measures, including being cautious of fake software updates, enabling two-factor authentication, using password managers, and exercising caution with downloads and links.
Winsage
February 12, 2025
The Russian state-sponsored threat group Sandworm has intensified its campaign against Ukrainian Windows users since late 2023, executing sophisticated malware intrusions. They have deployed counterfeit Microsoft Key Management Service (KMS) activators and fraudulent Windows updates. One recent incident involved a deceptive KMS activation tool containing the BACKORDER malware loader, which enabled the delivery of DarkCrystal RAT after disabling Windows Defender. DarkCrystal RAT allows attackers to extract sensitive information, including saved credentials, browser cookies and histories, keystrokes, FTP credentials, and system details. The rise of pirated software from untrusted sources has facilitated these attacks, posing a threat to Ukraine's national security, critical infrastructure, and private sector resilience.
Winsage
February 3, 2025
Flyby11, a third-party utility for bypassing the Windows 11 hardware requirement checks, has received a significant update that includes a Registry tweak and refined scripts for improved stability. Microsoft Defender flags Flyby11 as a Potentially Unwanted Application (PUA:Win32/Patcher), which may deter some users. The application has been adjusted to work with Microsoft's updated CPU and TPM policies, although Microsoft does not officially support this method. Users are advised to test Flyby11 in a virtual machine because its binaries are not digitally signed. The latest version, 1.2, is available for download on its official GitHub repository.
Winsage
November 28, 2024
The Russian-based RomCom cybercrime group has exploited two zero-day vulnerabilities to target Firefox and Tor Browser users in Europe and North America. The first vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox's animation timeline feature, allowing code execution within the browser's sandbox. Mozilla issued a patch for this on October 9, 2024. The second vulnerability, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler service, which Microsoft addressed on November 12. RomCom combined these vulnerabilities into a zero-day chain exploit that enables remote code execution without user interaction, requiring victims only to visit a malicious website. The attacks specifically targeted Tor Browser users, particularly versions 12 and 13. ESET estimates the campaign's scale could affect between one and 250 victims per country. RomCom has a history of exploiting zero-day vulnerabilities, including an incident in July 2023 targeting organizations at the NATO Summit. The group is linked to various financially motivated campaigns and is currently targeting organizations in Ukraine, Europe, and North America across multiple sectors.