AppData Archives

Winsage

April 9, 2026

This fake Windows support website delivers password-stealing malware

A phishing campaign has been identified that uses a counterfeit Microsoft support website, microsoft-update[.]support, to trick users into downloading a malicious Windows update disguised as WindowsUpdate 1.0.0.msi. This file, created on April 4, 2026, appears legitimate but contains malware designed to steal sensitive information. The campaign targets French-speaking users, leveraging recent data breaches in France to create convincing scams. The malware, once executed, installs an Electron application that runs a Python interpreter, which then deploys various data theft tools. It employs two persistence mechanisms: modifying the Windows registry and creating a shortcut in the Startup folder. The malware connects to external sites for reconnaissance and data exfiltration, using domains like datawebsync-lvmv.onrender[.]com and store8.gofile[.]io. The malware's components have evaded detection by antivirus tools, with VirusTotal reporting zero detections for the main executable and its launcher. Users are advised to check their registry, remove suspicious files, change passwords, and run a full system scan if they suspect installation of the malicious update. Safe updating practices include using the built-in Windows update feature and being cautious of phishing attempts. Indicators of compromise include specific file hashes, domains associated with the phishing campaign, and file system artifacts related to the malware's installation.

Winsage

March 31, 2026

What Is Conhost.exe?

Conhost.exe, or Console Window Host, is a legitimate Windows system process responsible for managing the display and behavior of console windows such as Command Prompt and PowerShell. It facilitates text rendering and manages input/output interactions with the graphical user interface. Each time a console application is launched, a new instance of conhost.exe is created, and multiple instances can appear in Task Manager based on active console applications. To verify the authenticity of conhost.exe, it should run from C:WindowsSystem32 or C:WindowsSysWOW64, have a valid Microsoft Windows Publisher digital signature, and not make outbound network connections. High CPU usage or unusual behavior may indicate malware masquerading as conhost.exe. Troubleshooting steps for issues related to conhost.exe include running a malware scan, checking for Windows updates, updating device drivers, and using the System File Checker. Disabling conhost.exe is not advisable as it is essential for the functioning of console applications.

Tech Optimizer

February 24, 2026

Fake Huorong Site Delivers ValleyRAT Backdoor in Targeted Malware Campaign

A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.

AppWizard

December 27, 2025

How to Properly Benchmark your PC Games Using CapFrameX

Average Frames Per Second (FPS) is a common metric in PC gaming performance, but consistency in gameplay experience is equally important, highlighted by metrics such as 1% low and 0.1% low average FPS. CapFrameX is a tool used for capturing and analyzing detailed performance data, including frametimes, which provide a more accurate assessment of gaming performance than basic FPS counters. Key metrics generated by CapFrameX include: - Average FPS: Overall framerate averaged across the capture session. - 1% low average FPS: Average of the worst 1% of framerates, indicating sustained performance. - 0.1% low average FPS: Average of the worst 0.1% of framerates, highlighting rare but significant performance dips. To ensure accurate benchmarking results with CapFrameX, users should update their UEFI BIOS, operating system, and drivers, clear unnecessary applications, configure power settings for maximum performance, monitor temperatures, and conduct multiple benchmark runs under consistent conditions. The setup process for CapFrameX includes downloading the software, configuring capture options, and verifying the setup through test captures. After capturing benchmark runs, users can analyze the data using the Analysis and Comparison tabs in CapFrameX to evaluate performance metrics and identify potential issues. Common pitfalls in benchmarking include inconsistent scenes, overlooking frametime variance, and not preparing the system properly.

Tech Optimizer

November 14, 2025

Beware of Fake Bitcoin Tool That Hides DarkComet RAT Malware With it

A recent malware campaign has seen attackers disguising the DarkComet remote access trojan as Bitcoin-related applications to target cryptocurrency users. DarkComet RAT allows attackers to gain extensive control over compromised systems, despite its original creator discontinuing it years ago. The malware features capabilities such as keystroke logging, file theft, webcam surveillance, and remote desktop control, posing significant risks to users. The malicious file was distributed as a compressed RAR archive named “94k BTC wallet.exe,” which helps evade email filters. Security analysts at Point Wild discovered that the malware ensures persistence by copying itself to %AppData%RoamingMSDCSCexplorer.exe and creating a registry key for automatic execution at system startup. It attempts to connect to a command-and-control server at kvejo991.ddns.net over TCP port 1604. The malware injects its payload into legitimate Windows processes to perform keylogging and screen capture while remaining undetected. Captured keystrokes are stored in log files and exfiltrated through the command-and-control channel. Users are advised to avoid downloading cryptocurrency tools from untrusted sources and to keep security software updated.

Winsage

October 31, 2025

Windows LNK File UI Misrepresentation Enables Remote Code Execution Attacks

A vulnerability in the Windows operating system, identified as ZDI-CAN-25373 and disclosed in March 2025, allows advanced persistent threat (APT) actors to deploy malware by manipulating whitespace in Windows LNK files. This technique has been adopted by espionage groups from North Korea, China, Russia, and Iran for data theft and intelligence-gathering. The flaw enables malicious PowerShell commands to be concealed within seemingly legitimate shortcut files, which execute automatically when opened. The exploitation involves weaponized LNK files that initiate obfuscated PowerShell commands to decode embedded TAR archives containing a legitimate Canon printer utility, a malicious loader DLL, and an RC4-encrypted payload with remote access trojan malware. The legitimate executable, although signed with an expired certificate, is trusted by Windows due to its valid timestamp. As of October 2025, Microsoft has not released a patch for this vulnerability, prompting organizations to implement defensive measures against its exploitation.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

Tech Optimizer

September 5, 2025

New Malware Exploits Windows Character Map to Evade Defender and Mine Crypto

Darktrace's autonomous detection system identified suspicious activity when a desktop initiated an unusual HTTP connection using a PowerShell user agent. The attack began with the download of a PowerShell script named “infect.ps1” from the IP address 45.141.87[.]195:8000, which dropped both legitimate and malicious binaries into the user’s AppData directory, including a signed version of AutoIt.exe and various encoded payloads. The attackers exploited Windows’ built-in Character Map (charmap.exe) to inject the miner code into its process space, evading antivirus detection. The loader performed checks for task manager presence, user privileges, and antivirus software, and bypassed User Account Control prompts. Once activated, the cryptominer operated discreetly, connecting to external mining pools like asia.ravenminer.com and monerooceans[.]stream. The malware was designed for persistence, re-downloading itself if terminated. Darktrace monitored the infected device, noting DNS requests and connections to Monero mining endpoints, which triggered high-fidelity alerts. Darktrace's Rapid Autonomous Response blocked the device’s outbound communications, preventing the malware from connecting to the mining pool and stopping over 130 attempted calls to external endpoints. The malware exhibited significant obfuscation, utilized legitimate binaries for side-loading, manipulated registry keys for persistence, and injected processes into trusted Windows applications. The incident underscores the threat posed by adaptive cryptojacking malware, which can drain productivity and inflate energy costs. Darktrace's AI-driven detection intercepted the attack early, mapping the kill chain and enabling rapid mitigation. Indicators of Compromise (IoCs) include: - 45.141.87[.]195:8000/infect.ps1 – Malicious PowerShell script - gulf.moneroocean[.]stream – Monero Endpoint - monerooceans[.]stream – Monero Endpoint - 152.53.121[.]6:10001 – Monero Endpoint - 152.53.121[.]6 – Monero Endpoint - https://api[.]chimera-hosting[.]zip/frfnhis/zdpaGgLMav/nbminer[.]exe – NBMiner executable - Db3534826b4f4dfd9f4a0de78e225ebb – NBMiner loader hash

Winsage

August 19, 2025

Microsoft Windows Warning—Stop Playing These Free PC Games

Windows users are at risk when downloading large files, particularly free games from sites like Dodi Repacks, which have been linked to malware distribution. An investigation revealed that downloading these games involves multiple redirects leading to a ZIP file containing a malicious .dll file. This file triggers the installation of HijackLoader malware, designed to bypass antivirus protections and install additional malicious software. HijackLoader employs advanced techniques to evade detection, including checks for virtual machines and monitoring system resources. It manipulates environment variables and executes payloads to maintain persistence on infected PCs. The malware has been associated with various families, including Danabot and RedLine Stealer, and is capable of delivering secondary payloads, with LummaC2 being a recent example. Users are advised to exercise caution when engaging with pirated downloads.

AppWizard

August 16, 2025

Dawn of War Definitive Edition Save File Location for PC

Warhammer 40,000: Dawn of War – Definitive Edition is a remastered version of the original RTS game, featuring modern enhancements. The save file location for the Definitive Edition is found at: C:Users[Windows Username]AppDataRoamingRelic EntertainmentDawn of WarProfiles. Players can run multiple profiles, each stored in its own folder, and it is recommended to back up the entire Dawn of War folder. The save files can also be accessed via the path: %USERPROFILE%AppDataRoamingRelic EntertainmentDawn of WarProfiles. The remaster supports Steam Cloud for saving progress across devices and includes features like Family Share. The original game remains available as a separate entry on Steam.