application control Archives

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Winsage

December 18, 2025

Microsoft Eases Windows 11 Smart App Control with Toggle Option

Microsoft's Smart App Control feature in Windows 11 is designed to evaluate and block potentially harmful applications by cross-referencing them against a database of known safe software. Initially, it required a clean installation to enable or disable, which hindered its adoption. Recent updates have removed this requirement, allowing users to toggle the feature on or off directly through the Windows Security app without a system reset. This change addresses user complaints and enhances usability, particularly for developers and IT professionals managing multiple devices. The feature employs artificial intelligence for real-time decisions on app safety and integrates with other Microsoft security tools. Feedback from the tech community has been positive, highlighting the update as a significant improvement in balancing security and user flexibility.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

AppWizard

November 4, 2025

Malicious Android apps on Google Play downloaded 42 million times

The Android ecosystem has seen a significant rise in malicious applications, with over 40 million harmful apps downloaded from Google Play between June 2024 and May 2025. There has been a 67% year-over-year increase in malware targeting mobile devices, particularly spyware and banking trojans. Cybercriminals are shifting tactics from card fraud to mobile payment exploitation, employing phishing, smishing, SIM-swapping, and payment scams. Banking malware transactions reached 4.89 million in 2025, with a slowed growth rate of 3%. Malicious applications increased from 200 to 239, totaling 42 million downloads, with adware now accounting for 69% of all detections. Spyware has surged by 220% year-over-year, with India, the U.S., and Canada being the most affected countries. Notable malware families include Anatsa, which targets financial institutions, Android Void (Vo1d), which affects Android TV boxes, and Xnotice, which targets job seekers. IoT devices, particularly routers, are also being exploited, with the majority of attacks occurring in the U.S. Zscaler recommends implementing security measures such as regular updates, trusting reputable publishers, and adopting zero-trust technology for organizations.

Winsage

October 30, 2025

What Windows 10 EOS Means for Security

Microsoft will cease support for most versions of Windows 10 on October 14, 2025, while offering temporary Extended Security Updates (ESU) for version 22H2. Approximately 40% to 45% of Windows users globally still rely on Windows 10. The end of support raises cybersecurity concerns as Microsoft will stop issuing updates for vulnerabilities and bugs. Organizations using Windows 10 need to devise migration plans to Windows 11, but the transition can be costly and time-consuming, especially for those dependent on legacy software. Delaying migration poses risks such as regulatory violations, increased IT burdens, escalating ESU costs, and exposure to cyber threats. Organizations should prioritize migrating critical systems, review application support, and evaluate ongoing costs for legacy systems. Bitdefender offers security solutions for Windows 10 environments, including risk management, application control, cloud security, and monitoring services.

Winsage

October 8, 2025

CISA Warns of Active Exploits in Critical Windows Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about a significant vulnerability in Microsoft Windows, identified as CVE-2021-43226. This flaw allows attackers to elevate their privileges to SYSTEM level, threatening enterprise networks. It exists within the Common Log File System (CLFS) driver, enabling local, privileged attackers to bypass security measures and gain unauthorized control over systems running various Windows versions, including Windows 10, 11, and Server 2016, 2019, and 2022, as well as legacy systems like Windows 7 SP1 and Server 2008 R2 SP1. The vulnerability arises from improper validation of user-supplied data, leading to buffer overflow and arbitrary code execution without user interaction. It has a CVSS score of 7.8, indicating high severity, and proof-of-concept exploit code is already circulating in underground forums. CISA has set a remediation deadline of October 27, 2025, mandating federal agencies and critical infrastructure operators to implement patches. Recommendations for mitigation include immediate patching, strengthening endpoint controls, implementing layered defenses, continuous monitoring, regular vulnerability management, and maintaining a robust incident response program.

Tech Optimizer

October 6, 2025

Ransomware Gangs Exploit Remote Access Tools to Stay Hidden and Maintain Control

Modern ransomware operations have evolved into complex, multi-stage campaigns that utilize legitimate Remote Access Tools (RATs) to maintain stealth and persistently dismantle organizational defenses. Ransomware encrypts critical data and demands ransom for restoration, with current operations being highly targeted compared to earlier mass phishing attacks. Attackers exploit trusted administrative software like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy payloads across networks, moving laterally and evading detection. The ransomware kill chain consists of several stages: 1. Initial Access: Attackers gain access through credential compromise, often targeting administrator accounts. 2. Remote Tool Abuse: Attackers deploy RATs either by hijacking existing tools or performing silent installations. 3. Persistence & Privilege Consolidation: They maintain persistence using registry keys and scheduled tasks while escalating privileges. 4. Antivirus Neutralization & Anti-Forensics: Attackers stop antivirus services, manipulate policies, and clear logs to evade detection. 5. Payload Deployment & Execution: Ransomware is delivered and executed within remote sessions to avoid suspicion. Commonly abused RATs include AnyDesk, UltraViewer, AppAnywhere, RustDesk, Splashtop, and TightVNC, which have been associated with various ransomware campaigns. Understanding the tactics and techniques used by adversaries is crucial for effective defense, as they exploit legitimate tools to bypass security measures. Emerging trends include AI-driven RAT deployment, cloud-based RAT abuse, and the integration of RATs in ransomware-as-a-service offerings. A comprehensive defense strategy involves multiple layers of security, including virus protection, behavior-based detection, and application control, to counter the risks posed by RAT abuse in ransomware attacks.

Tech Optimizer

September 20, 2025

MostereRAT Targets Windows Users With Stealth Tactics

A recent investigation by cybersecurity experts revealed a sophisticated phishing campaign utilizing a new strain of malware called MostereRAT, which targets Microsoft Windows systems. This Remote Access Trojan (RAT) allows attackers extensive control over compromised devices and employs advanced evasion techniques, including being crafted in the Easy Programming Language (EPL). MostereRAT can disable security tools, obstruct antivirus traffic, and establish secure communications with its command-and-control server through mutual TLS (mTLS). The attack begins with phishing emails aimed at Japanese users, leading to the download of a Word document that contains a concealed archive. This prompts the user to execute an embedded executable, activating the malware, which installs itself in the system directory and creates services with SYSTEM-level privileges. It also displays a deceptive message in Simplified Chinese to further spread the malware. MostereRAT can disable Windows Update, terminate antivirus processes, and impersonate the TrustedInstaller account to escalate privileges. Its functionalities include keylogging, system information collection, downloading and executing payloads, creating hidden administrator accounts, and running remote access tools like AnyDesk and TightVNC. Some components of MostereRAT's infrastructure were previously linked to a banking trojan reported in 2020.

Winsage

September 1, 2025

Hackers Leverage Windows Defender Application Control Policies to Disable EDR Agents

Cybercriminals are using Windows Defender Application Control (WDAC) policies to disable Endpoint Detection and Response (EDR) agents, creating vulnerabilities in corporate security. Ransomware groups like Black Basta have adopted this method, which evolved from a proof-of-concept tool called "Krueger" into real malware named "DreamDemon." Attackers manipulate the C:WindowsSystem32CodeIntegritySiPolicy.p7b file to implement malicious WDAC policies that block EDR executables during system startup. The technique involves a four-step process: loading the policy, placing it in the CodeIntegrity directory, hiding the policy file, and creating decoy log files. DreamDemon samples, written in C++, exhibit enhanced stealth and target major EDR vendors. Detection efforts focus on monitoring specific registry keys and analyzing file signatures. Despite awareness of this threat, EDR vendors have not implemented sufficient preventative measures, leaving systems exposed.