attack method Archives

Tech Optimizer

November 15, 2025

RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools

A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:Program FilesSnieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.

Tech Optimizer

November 13, 2025

New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware

Security researchers have identified a malware campaign using the ClickFix social engineering technique to spread information-stealing malware on Windows and macOS. The campaign targets users searching for cracked software, leading them to malicious Google-hosted landing pages. Victims encounter fake security warnings that prompt them to execute a malicious command, resulting in the installation of infostealer malware. Windows users receive the ACR stealer, while macOS users get the Odyssey stealer, both delivered in password-protected ZIP files. ACR also loads additional malware like SharkClipper, which hijacks cryptocurrency clipboard data. The campaign has seen a 700% increase in ACR logs in May 2025, with ClickFix becoming the most common initial access method, accounting for 47% of all initial access schemes. The malware collects various user data, including passwords and cryptocurrency wallets, and operates in a fileless manner to evade detection. Security experts advise against executing unverified commands and recommend enhancing endpoint detection capabilities to combat these threats.

AppWizard

October 16, 2025

Pixnapping: Side-Channel Vulnerability Allows Android Apps to Capture Sensitive Screen Data

A newly identified attack method called Pixnapping poses a significant threat to Android devices by allowing malicious applications to capture on-screen information from other apps through pixel stealing. This attack affects various applications, including Signal, Google Authenticator, and Venmo. Pixnapping occurs when a user installs a malicious app that uses Android APIs to launch a target application, capturing sensitive information displayed on the screen by exploiting a side channel. The attack utilizes the GPU.zip side-channel vulnerability, prevalent in modern GPUs from manufacturers like AMD, Apple, Arm, Intel, Qualcomm, and Nvidia. Currently, there are no mitigation strategies available for developers against Pixnapping, which can lead to the theft of locally stored secrets, such as two-factor authentication codes. The GPU.zip vulnerability was disclosed in 2023 and remains unaddressed by GPU vendors.

AppWizard

October 14, 2025

New Android Pixnapping attack steals MFA codes pixel-by-pixel

A new side-channel attack called Pixnapping allows malicious Android applications to extract sensitive data without permissions by stealing pixels displayed by applications or websites. This attack can reveal private information, including chat messages from secure apps like Signal, emails from Gmail, and two-factor authentication (2FA) codes from Google Authenticator. Developed by a team of researchers, Pixnapping works on fully patched modern Android devices and can exfiltrate 2FA codes in under 30 seconds. Google attempted to address this vulnerability (CVE-2025-48561) in a September update, but the researchers bypassed these measures. A more robust solution is expected in the December 2025 Android security update. The attack begins with a malicious app exploiting Android’s intents system to launch a target app or webpage, processed by the system’s composition engine, SurfaceFlinger. The malicious app identifies target pixels by executing graphical operations and uses a 'masking activity' to conceal the target app. The attacker modifies the cover window to display all opaque white pixels except for the chosen transparent pixel. The isolated pixels are enlarged using a stretch-like effect when applying blur, and an OCR-style technique is then used to recover the pixels. The researchers utilized the GPU.zip side-channel attack to leak visual information, achieving a data leakage rate of 0.6 to 2.1 pixels per second, allowing sensitive data extraction in less than 30 seconds. Pixnapping was demonstrated on various devices, including Google Pixel and Samsung Galaxy models running Android versions 13 through 16, indicating that older Android versions are also at risk. An analysis of nearly 100,000 Play Store apps revealed hundreds of thousands of invocable actions through Android intents, highlighting the broad applicability of the attack. Examples of potential data theft include: - Google Maps: Timeline entries can take around 20–27 hours to recover. - Venmo: Account-balance regions can leak in approximately 3–5 hours. - Google Messages: Recovery requires roughly 11–20 hours. - Signal: Recovery takes about 25–42 hours, effective even with Screen Security enabled. Both Google and Samsung plan to address these vulnerabilities by the end of the year, but no GPU chip vendor has announced plans to patch the GPU.zip side-channel attack. Although the original exploit method was mitigated in September, an updated attack has successfully bypassed the fix. Google has indicated that exploiting this data leak requires specific information about the targeted device, resulting in a low success rate, and current assessments found no malicious apps on Google Play exploiting the Pixnapping vulnerability.

AppWizard

October 14, 2025

No fix yet for attack that lets hackers pluck 2FA codes from Android phones

A new attack method called Pixnapping has been developed, allowing malicious applications to capture sensitive information like two-factor authentication (2FA) codes and location data in under 30 seconds without requiring system permissions. This attack has been successfully demonstrated on devices such as the Google Pixel and Samsung Galaxy S25, and it can adapt to other models. Despite Google's release of mitigations, modified versions of the attack remain effective. The malicious app prompts targeted applications to display sensitive information, which it can then capture by mapping graphical operations to screen coordinates. Information not displayed on the screen, such as secret keys within an app, is secure from this attack. Pixnapping is similar to a previous attack called GPU.zip, which exploited vulnerabilities in graphics processing units (GPUs) to extract sensitive visual data, and the weaknesses exploited by GPU.zip have not been fixed.