AppData Archives

Tech Optimizer

February 24, 2026

Fake Huorong Site Delivers ValleyRAT Backdoor in Targeted Malware Campaign

A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.

AppWizard

December 27, 2025

How to Properly Benchmark your PC Games Using CapFrameX

Average Frames Per Second (FPS) is a common metric in PC gaming performance, but consistency in gameplay experience is equally important, highlighted by metrics such as 1% low and 0.1% low average FPS. CapFrameX is a tool used for capturing and analyzing detailed performance data, including frametimes, which provide a more accurate assessment of gaming performance than basic FPS counters. Key metrics generated by CapFrameX include: - Average FPS: Overall framerate averaged across the capture session. - 1% low average FPS: Average of the worst 1% of framerates, indicating sustained performance. - 0.1% low average FPS: Average of the worst 0.1% of framerates, highlighting rare but significant performance dips. To ensure accurate benchmarking results with CapFrameX, users should update their UEFI BIOS, operating system, and drivers, clear unnecessary applications, configure power settings for maximum performance, monitor temperatures, and conduct multiple benchmark runs under consistent conditions. The setup process for CapFrameX includes downloading the software, configuring capture options, and verifying the setup through test captures. After capturing benchmark runs, users can analyze the data using the Analysis and Comparison tabs in CapFrameX to evaluate performance metrics and identify potential issues. Common pitfalls in benchmarking include inconsistent scenes, overlooking frametime variance, and not preparing the system properly.

Tech Optimizer

November 14, 2025

Beware of Fake Bitcoin Tool That Hides DarkComet RAT Malware With it

A recent malware campaign has seen attackers disguising the DarkComet remote access trojan as Bitcoin-related applications to target cryptocurrency users. DarkComet RAT allows attackers to gain extensive control over compromised systems, despite its original creator discontinuing it years ago. The malware features capabilities such as keystroke logging, file theft, webcam surveillance, and remote desktop control, posing significant risks to users. The malicious file was distributed as a compressed RAR archive named “94k BTC wallet.exe,” which helps evade email filters. Security analysts at Point Wild discovered that the malware ensures persistence by copying itself to %AppData%RoamingMSDCSCexplorer.exe and creating a registry key for automatic execution at system startup. It attempts to connect to a command-and-control server at kvejo991.ddns.net over TCP port 1604. The malware injects its payload into legitimate Windows processes to perform keylogging and screen capture while remaining undetected. Captured keystrokes are stored in log files and exfiltrated through the command-and-control channel. Users are advised to avoid downloading cryptocurrency tools from untrusted sources and to keep security software updated.

Winsage

October 31, 2025

Windows LNK File UI Misrepresentation Enables Remote Code Execution Attacks

A vulnerability in the Windows operating system, identified as ZDI-CAN-25373 and disclosed in March 2025, allows advanced persistent threat (APT) actors to deploy malware by manipulating whitespace in Windows LNK files. This technique has been adopted by espionage groups from North Korea, China, Russia, and Iran for data theft and intelligence-gathering. The flaw enables malicious PowerShell commands to be concealed within seemingly legitimate shortcut files, which execute automatically when opened. The exploitation involves weaponized LNK files that initiate obfuscated PowerShell commands to decode embedded TAR archives containing a legitimate Canon printer utility, a malicious loader DLL, and an RC4-encrypted payload with remote access trojan malware. The legitimate executable, although signed with an expired certificate, is trusted by Windows due to its valid timestamp. As of October 2025, Microsoft has not released a patch for this vulnerability, prompting organizations to implement defensive measures against its exploitation.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

Tech Optimizer

September 5, 2025

New Malware Exploits Windows Character Map to Evade Defender and Mine Crypto

Darktrace's autonomous detection system identified suspicious activity when a desktop initiated an unusual HTTP connection using a PowerShell user agent. The attack began with the download of a PowerShell script named “infect.ps1” from the IP address 45.141.87[.]195:8000, which dropped both legitimate and malicious binaries into the user’s AppData directory, including a signed version of AutoIt.exe and various encoded payloads. The attackers exploited Windows’ built-in Character Map (charmap.exe) to inject the miner code into its process space, evading antivirus detection. The loader performed checks for task manager presence, user privileges, and antivirus software, and bypassed User Account Control prompts. Once activated, the cryptominer operated discreetly, connecting to external mining pools like asia.ravenminer.com and monerooceans[.]stream. The malware was designed for persistence, re-downloading itself if terminated. Darktrace monitored the infected device, noting DNS requests and connections to Monero mining endpoints, which triggered high-fidelity alerts. Darktrace's Rapid Autonomous Response blocked the device’s outbound communications, preventing the malware from connecting to the mining pool and stopping over 130 attempted calls to external endpoints. The malware exhibited significant obfuscation, utilized legitimate binaries for side-loading, manipulated registry keys for persistence, and injected processes into trusted Windows applications. The incident underscores the threat posed by adaptive cryptojacking malware, which can drain productivity and inflate energy costs. Darktrace's AI-driven detection intercepted the attack early, mapping the kill chain and enabling rapid mitigation. Indicators of Compromise (IoCs) include: - 45.141.87[.]195:8000/infect.ps1 – Malicious PowerShell script - gulf.moneroocean[.]stream – Monero Endpoint - monerooceans[.]stream – Monero Endpoint - 152.53.121[.]6:10001 – Monero Endpoint - 152.53.121[.]6 – Monero Endpoint - https://api[.]chimera-hosting[.]zip/frfnhis/zdpaGgLMav/nbminer[.]exe – NBMiner executable - Db3534826b4f4dfd9f4a0de78e225ebb – NBMiner loader hash

Winsage

August 19, 2025

Microsoft Windows Warning—Stop Playing These Free PC Games

Windows users are at risk when downloading large files, particularly free games from sites like Dodi Repacks, which have been linked to malware distribution. An investigation revealed that downloading these games involves multiple redirects leading to a ZIP file containing a malicious .dll file. This file triggers the installation of HijackLoader malware, designed to bypass antivirus protections and install additional malicious software. HijackLoader employs advanced techniques to evade detection, including checks for virtual machines and monitoring system resources. It manipulates environment variables and executes payloads to maintain persistence on infected PCs. The malware has been associated with various families, including Danabot and RedLine Stealer, and is capable of delivering secondary payloads, with LummaC2 being a recent example. Users are advised to exercise caution when engaging with pirated downloads.

AppWizard

August 16, 2025

Dawn of War Definitive Edition Save File Location for PC

Warhammer 40,000: Dawn of War – Definitive Edition is a remastered version of the original RTS game, featuring modern enhancements. The save file location for the Definitive Edition is found at: C:Users[Windows Username]AppDataRoamingRelic EntertainmentDawn of WarProfiles. Players can run multiple profiles, each stored in its own folder, and it is recommended to back up the entire Dawn of War folder. The save files can also be accessed via the path: %USERPROFILE%AppDataRoamingRelic EntertainmentDawn of WarProfiles. The remaster supports Steam Cloud for saving progress across devices and includes features like Family Share. The original game remains available as a separate entry on Steam.

Winsage

August 3, 2025

Fix: Microsoft Office Error Codes 0-2048(0) and 0-2054(0) During Installation

Office installation can encounter error codes 0-2048(0) and 0-2054(0) due to issues accessing a valid configuration file or source path. Error 0-2048(0) indicates a missing or incorrectly referenced XML configuration file, while Error 0-2054(0) signifies a general installation failure. Common causes include corrupted configuration files, remnants of previous Office versions, or insufficient administrative permissions. To resolve these errors, one should uninstall all previous Office components, clear temporary and app data folders, generate a new XML configuration file using the Office Customization Tool, and install Office with the Deployment Tool. If problems persist, additional steps include using Microsoft's Office Uninstall Support Tool, installing from an offline installer, and checking for disk errors and sufficient free space.

Tech Optimizer

June 9, 2025

ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information

The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs): - MD5: - 064b1e45016e8a49eba01878e41ecc37 - 0ed2d0579b60d9e923b439d8e74b53e1 - 0efe1a5d5f4066b7e9755ad89ee9470c - 197ff9252dd5273e3e77ee07b37fd4dd - 1ec4b69f3194bd647639e6b0fa5c7bb5 - URLs: - http://136.243.132.112/ut.exe - http://136.243.132.112:881/3.exe - http://136.243.132.112:881/APPDATA.exe - http://136.243.132.112:881/a.ps1 - http://136.243.132.112:881/firefoxtemp.exe - IPs: - 136.243.132.112 - 160.191.77.89 - 185.245.183.74 - 212.56.35.232 - 89.117.79.31