artifacts

AppWizard
August 21, 2025
The Google Pixel 10 Pro series has introduced a dedicated 10x zoom button in its camera app, simplifying the process of capturing distant subjects. This new feature addresses previous issues with the zoom slider, which often resulted in imprecise zoom levels. The Pixel line, known for its photographic capabilities, has used a 48MP 5x periscope camera to achieve quality 10x shots by cropping the center 12MP. A December 2024 Android Authority poll indicated that over 70% of respondents wanted a dedicated 10x zoom button, highlighting the importance of user feedback in design improvements.
Winsage
August 19, 2025
Windows users are at risk when downloading large files, particularly free games from sites like Dodi Repacks, which have been linked to malware distribution. An investigation revealed that downloading these games involves multiple redirects leading to a ZIP file containing a malicious .dll file. This file triggers the installation of HijackLoader malware, designed to bypass antivirus protections and install additional malicious software. HijackLoader employs advanced techniques to evade detection, including checks for virtual machines and monitoring system resources. It manipulates environment variables and executes payloads to maintain persistence on infected PCs. The malware has been associated with various families, including Danabot and RedLine Stealer, and is capable of delivering secondary payloads, with LummaC2 being a recent example. Users are advised to exercise caution when engaging with pirated downloads.
AppWizard
August 16, 2025
The Children of Clay is a free horror game available on Steam, where players assume the role of an unnamed protagonist who receives a mysterious prehistoric idol from a colleague. The game is set in a dimly lit office and features visuals inspired by iconic artifacts and modern indie titles. It combines horror and puzzle-solving elements, offering a unique experience that lasts about 15 minutes.
Tech Optimizer
August 8, 2025
A cyberattack on a Brazilian enterprise involved the use of legitimate, digitally signed drivers to disable antivirus solutions and deploy MedusaLocker ransomware. The attackers executed a Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting the ThrottleStop.sys driver, which has a critical vulnerability (CVE-2025-7771) allowing unauthorized memory access. They compromised an SMTP server using valid RDP credentials, extracted user credentials with Mimikatz, and moved laterally across the network. The attackers uploaded and executed an AV killer program and a renamed version of the driver, terminating antivirus processes to facilitate ransomware deployment. The malware targeted major antivirus vendors and employed kernel-level commands to eliminate security processes. Recommendations for defense include multi-factor authentication, hardening RDP access, and implementing layered security measures.
Tech Optimizer
August 7, 2025
Attackers have been using the ThrottleStop.sys driver to disable antivirus software in compromised networks since October 2024. This driver, designed for CPU throttling, allows malware to gain kernel-level memory access and terminate security processes. Initial access is typically gained through stolen RDP credentials or brute-forced administrative accounts, enabling the deployment of the AV killer alongside ransomware like MedusaLocker. Once inside, attackers extract additional user credentials using tools like Mimikatz and move laterally with Pass-the-Hash techniques. They upload two key components, ThrottleBlood.sys (the renamed driver) and All.exe (the AV killer), to user directories. The malware effectively disables Windows Defender and other endpoint protections, leading to severe data encryption in industries with exposed RDP endpoints, particularly affecting victims in Brazil, Ukraine, Kazakhstan, Belarus, and Russia. Securelist analysts noted that traditional self-defense features in Kaspersky products can counter this AV killer, but many organizations still rely on less effective solutions. The malware exploits two vulnerable IOCTL functions in the ThrottleStop.sys driver, allowing arbitrary memory reads and writes. It uses a loop to match and terminate antivirus processes by invoking kernel functions. The malware avoids detection by restoring original kernel bytes after execution. This situation highlights the need for improved driver integrity monitoring and robust security strategies.
Winsage
August 5, 2025
A new variant of the RoKRAT malware, attributed to North Korea's APT37 group, utilizes advanced techniques such as steganography to hide malicious code within JPEG image files, complicating detection efforts. This malware is primarily distributed in South Korea through compressed archives containing Windows shortcut files that lead to a multi-stage infection process. The process involves executing PowerShell commands to decrypt and run the malware, which can inject itself into trusted Windows processes like mspaint.exe and notepad.exe, leaving minimal forensic traces. The malware also exfiltrates sensitive information using legitimate cloud APIs, making attribution difficult. APT37 has demonstrated adaptability by changing its injection targets and camouflaging its development artifacts, highlighting the need for advanced Endpoint Detection and Response (EDR) solutions and proactive security measures.
AppWizard
August 4, 2025
The Boox Go Color 7 is an Android e-reader with full access to the Google Play Store. The Kindle Colorsoft features an impressive color e-ink screen but is limited by Amazon's proprietary operating system, restricting access to content only from the Amazon store and lacking native support for EPUB files. It does not have dedicated comics apps, which is a significant drawback for users interested in comics. In contrast, Android e-readers offer access to various comics apps, improved web browsing capabilities, and the potential for gaming and other creative uses. Alternatives to the Kindle Colorsoft include the Boox Note Air 4C, which has a 10.3-inch display and comes with a stylus, and the Bigme B751C, a budget-friendly option with a seven-inch display.
AppWizard
August 3, 2025
Uploading a custom skin in Minecraft can result in the error message: “Skin images must be 64×64 or 64×32 pixel PNG files.” This indicates that the skin does not meet Minecraft’s requirements, which specify that skins must be either 64×64 or 64×32 pixels and in PNG format. Factors contributing to upload failures include using unofficial skin sources, incorrect file formats or dimensions, compatibility issues with different skin types, and temporary server problems. To troubleshoot skin upload issues:
1. Convert the image to PNG format using Paint by opening the file and saving it as a PNG picture.
2. Change skin dimensions to 64×64 or 64×32 pixels using a skin editor tool, verifying dimensions through file properties.
3. Disable the “Only Trusted Skins” setting in Minecraft Bedrock Edition to allow custom skins from non-official sources.
4. Convert the skin into a skin pack using the MCBuild Skin Pack Generator, ensuring the file is in PNG format and under 40KB in size.
If problems persist, contact Mojang Support or check the official Minecraft bug tracker for ongoing issues.