artifacts

Tech Optimizer
February 24, 2026
A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.
AppWizard
February 21, 2026
From 4 PM GMT on February 19, 2026, to 4 PM GMT on February 26, 2026, the Epic Games Store is offering free downloads of Return To Ash and STALCRAFT: X Starter Edition. Return To Ash is published and developed by Serenity Forge, featuring a narrative set in a quiet hospital. STALCRAFT: X Starter Edition is published and developed by EXBO, offering MMOFPS gameplay with RPG elements and includes a Starter Pack with a 7-day Premium membership, weapons, armor, artifacts, and cosmetics.
Winsage
February 11, 2026
The Global Group ransomware operates in a silent mode, executing all activities locally on the compromised system without communicating with a command-and-control server. It generates the encryption key directly on the host machine, meaning no data is exfiltrated despite claims in its ransom note. This approach streamlines the attack, reduces the risk of detection, and lets the operators hit more victims faster, since compelling a ransom payment no longer depends on actually exfiltrating data.
AppWizard
January 28, 2026
Developer Hoothanes, in collaboration with publisher 4Divinity, is creating a single-player first-person shooter titled The Defiant, set during China's War of Resistance against Japan in World War II. The game utilizes Unreal Engine 5 and features diverse gameplay mechanics, including stealth infiltration, close-quarters firefights, sniping, urban espionage, code-breaking operations, vehicular combat, and large-scale assaults. The developers prioritize historical accuracy, treating weapons as historical artifacts and exploring settings such as occupied villages, frozen forests, fortified supply routes, and enemy-controlled urban zones. The game is available for wishlisting on Steam.
Tech Optimizer
January 19, 2026
PDFSIDER is a sophisticated backdoor malware that bypasses modern endpoint detection and response systems. It is distributed through targeted spear-phishing campaigns that exploit vulnerabilities in legitimate PDF software. The malware is delivered via spear-phishing emails containing ZIP archives with a trojanized executable disguised as the PDF24 App. When executed, it uses DLL side-loading to load a malicious DLL (cryptbase.dll) alongside the legitimate PDF24.exe, allowing attackers to execute code without detection. PDFSIDER establishes encrypted command-and-control channels using the Botan 3.0.0 cryptographic library with AES-256 in GCM mode and operates mainly in memory to minimize detectable artifacts. It collects system information and executes commands through hidden cmd.exe processes. The malware employs advanced techniques to evade detection in sandbox and virtual machine environments, including checks for available RAM and debugger presence. Indicators of compromise include the malicious file cryptbase.dll and various clean files associated with the legitimate PDF24 application. Organizations are advised to enforce strict controls on executable files, provide user awareness training, and monitor DNS queries and encrypted traffic to detect PDFSIDER communications. The malware's behavior aligns with tactics used in state-sponsored espionage rather than financially motivated cybercrime.
AppWizard
January 15, 2026
A significant update for Monster Train 2, titled Destiny of the Railforged, will be released in early February as the game's first paid DLC. It introduces a new clan, the Railforged, and a gameplay mode called Soul Savior. In Soul Savior, players battle to reclaim souls from a final boss named the Lifemother, with unique mechanics that enhance gameplay. Players can unlock and upgrade over 30 souls, each providing powerful enhancements and strategic options. The Railforged clan specializes in boosting the pyre's attack power and features new units and mechanics. Additionally, the Wurmkin clan will receive a free update with new designs and balance adjustments. Pricing details for the DLC have not been disclosed.
AppWizard
January 9, 2026
Google's "Project Butter," introduced with Android 4.1, aimed to improve scrolling smoothness on 60Hz smartphone displays. Intel announced the Precompiled Shader Distribution to enhance gaming performance by downloading shaders directly to PCs via Arc Control software, debuting with Panther Lake review driver downloads and initially supporting select DirectX 12 titles on Steam. Intel will update offline shaders alongside game patches and driver updates, with a focus on optimal performance. Petersen expressed support for Microsoft's efforts in precompiled shaders for Windows gaming. Intel Arc employs machine learning for its XeSS image upscaler and Xe Frame Generation system, with plans to address frame-pacing issues using AI. Petersen discussed the need to distinguish between frame generation and rasterization, emphasizing that visual improvements should be viewed separately from performance metrics like frames per second.