aliases Archives

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

March 9, 2025

Enable old Classic Notepad in Windows 11 24H2 without AI and modern UI

Users can restore the classic Notepad experience by disabling the .txt execution for notepad.exe in the App execution aliases settings. To launch the legacy version, they can use the Windows Run dialog and type notepad.exe. Microsoft has introduced a ChatGPT-based "Rewrite" feature in Notepad, requiring a Microsoft account and a Microsoft 365 subscription for access, while core functionalities remain available without an account. To enable the classic Notepad in Windows 11, users should check if it is installed, remove the association with the new Notepad, and associate .txt files with the legacy version. They can also create a Start menu shortcut for the classic Notepad. To revert to the new Notepad, users can delete the classic shortcut and adjust settings in the Registry Editor and App execution aliases.

Tech Optimizer

March 3, 2025

New malware exploits fake updates to steal data

Recent developments indicate that Mac users are facing an escalating threat from malware designed for macOS systems, particularly with the emergence of a strain called FrigidStealer. This malware spreads through deceptive browser update prompts on compromised websites, leading users to download a malicious DMG file that seeks elevated privileges to steal sensitive information. Cybersecurity firm Proofpoint has traced the operations of FrigidStealer to two threat actors: TA2726, a traffic distribution service provider, and TA2727, which delivers the malware. This campaign also targets Windows and Android devices, indicating a multi-platform strategy. Additionally, the rise of infostealer malware has compromised approximately 330 million credentials in 2024, with around 3.9 billion credentials circulating from infostealer logs. Users are advised to adopt protective measures, including being cautious of fake software updates, enabling two-factor authentication, using password managers, and exercising caution with downloads and links.

Winsage

February 12, 2025

New Sandworm Attacks Use Trojanized MSFT Activators

The Russian state-sponsored threat group Sandworm has intensified its campaign against Ukrainian Windows users since late 2023, executing sophisticated malware intrusions. They have deployed counterfeit Microsoft Key Management Service (KMS) activators and fraudulent Windows updates. One recent incident involved a deceptive KMS activation tool containing the BACKORDER malware loader, which enabled the delivery of DarkCrystal RAT after disabling Windows Defender. DarkCrystal RAT allows attackers to extract sensitive information, including saved credentials, browser cookies and histories, keystrokes, FTP credentials, and system details. The rise of pirated software from untrusted sources has facilitated these attacks, posing a threat to Ukraine's national security, critical infrastructure, and private sector resilience.

Winsage

February 3, 2025

Microsoft blocks free Windows 11 24H2 system requirements bypass app as potential malware

Flyby11, a third-party utility for navigating Windows 11 system requirements, has received a significant update that includes a Registry tweak and refined scripts for improved stability. Microsoft Defender flags Flyby11 as a Potentially Unwanted Application (PUA:Win32/Patcher), which may deter some users. The application has been adjusted to comply with Microsoft's updated CPU and TPM policies, although Microsoft does not officially support this method. Users are advised to test Flyby11 in a virtual machine due to its lack of digital signatures. The latest version, 1.2, is available for download on its official GitHub repository.

Tech Optimizer

December 16, 2024

AI-powered deception: The sneaky macOS malware masquerading as your next video call

Artificial intelligence (AI) is being used by cybercriminals to enhance their scams, exemplified by a malware called Realst that masquerades as video-calling software. This malware targets macOS and Windows users and has been active for about four months. The hackers behind Realst operate under the fake company name "Meetio" and have used various aliases. They employ social engineering tactics, often contacting victims through platforms like Telegram, presenting fraudulent business opportunities, and leading them to download the malware from a deceptive website. Once installed, Realst scans for sensitive information, organizes it, and sends it to a remote server. It can extract credentials from applications like Telegram and web browsers. To protect against such malware, users are advised to verify software sources, be cautious of unexpected contacts, enable two-factor authentication, use strong passwords, keep software updated, and consider personal data removal services.

Winsage

December 1, 2024

How to enable and use Rewrite AI in Notepad on Windows 11

The tutorial explains how to enable and use the Rewrite AI feature in Notepad on Windows 11, which utilizes GPT for text editing. Users can rephrase sentences, change the tone, or rewrite documents with AI credits. The feature is currently in preview mode for Windows 11 Insider users in the US, UK, Canada, France, and Italy, with 50 credits available. Users in Singapore, Malaysia, Australia, New Zealand, Thailand, or Taiwan can access it with a Copilot Pro or Microsoft 365 subscription. To enable Rewrite, users must adjust their region settings to a supported country and update Notepad. The Rewrite functionality includes options to rewrite, shorten, lengthen, change tone, and format text, with each action consuming one AI credit. Users can access Notepad settings by clicking the gear icon in the top-right corner.

Winsage

November 28, 2024

Firefox and Windows zero-days exploited by Russian RomCom hackers

The Russian-based RomCom cybercrime group has exploited two zero-day vulnerabilities to target Firefox and Tor Browser users in Europe and North America. The first vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox's animation timeline feature, allowing code execution within the browser's sandbox. Mozilla issued a patch for this on October 9, 2024. The second vulnerability, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler service, which Microsoft addressed on November 12. RomCom combined these vulnerabilities into a zero-day chain exploit that enables remote code execution without user interaction, requiring victims only to visit a malicious website. The attacks specifically targeted Tor Browser users, particularly versions 12 and 13. ESET estimates the campaign's scale could affect between one and 250 victims per country. RomCom has a history of exploiting zero-day vulnerabilities, including an incident in July 2023 targeting organizations at the NATO Summit. The group is linked to various financially motivated campaigns and is currently targeting organizations in Ukraine, Europe, and North America across multiple sectors.

AppWizard

November 19, 2024

Google may soon let you create email aliases in an effort to fight spam (Update)

Google is developing a feature called "Shielded Email" to enhance user privacy by allowing users to mask their primary email addresses. This system will create temporary or limited-use email aliases that forward messages to the user's main email account, helping to reduce spam and protect against data breaches. Findings from an APK teardown suggest that Shielded Email is integrated into the Autofill settings menu, although it is currently non-functional. Users will be able to generate email addresses for different applications and deactivate forwarding at any time to control spam, aiming to protect against online tracking and mitigate data breach risks.