campaigns Archives

Winsage

March 2, 2026

RAT Malware Via Windows Explorer Puts Crypto at Risk

Cofense Intelligence reported that threat actors are exploiting Windows File Explorer and WebDAV servers to deliver Remote Access Trojans (RATs) to corporate systems, bypassing browser security measures. This method allows attackers to infiltrate machines without using web browsers, taking advantage of File Explorer's ability to connect to remote WebDAV servers. Despite WebDAV being deprecated by Microsoft in November 2023, it is still supported in Windows, creating a vulnerability. The campaigns began in February 2024, with a significant increase in September 2024, and 87% of these campaigns deliver multiple RATs, including XWorm, Async RAT, and DcRAT. Victims typically receive phishing emails disguised as invoices, containing URL or LNK shortcut files that initiate a WebDAV connection. The attacks often utilize Cloudflare Tunnel for hosting malicious WebDAV servers, making the traffic appear legitimate. Notably, 50% of affected campaigns are in German, while 30% are in English. The report emphasizes the risks posed to individuals holding digital assets, as RATs can access sensitive information, including crypto wallet files. Organizations are advised to monitor network traffic for Cloudflare Tunnel instances and educate users about the risks associated with File Explorer's capabilities.

Winsage

March 1, 2026

Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery

Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.

AppWizard

February 28, 2026

In a world of serious videogames, the Valheim devs’ new co-op dungeon crawler is a reminder that having fun is okay

Begraved is a co-op game developed by Grip Jaw, featuring a blend of cozy gameplay and horror elements. Players embark on missions in dungeons, collecting treasures to sell to a character called the Taxman. The game allows for customization of a hideout, which serves as a central hub for missions and social interaction. Players can revive allies at designated points and float as ghosts to assist teammates. The game includes a selfie camera for fun interactions. The demo is currently available and may contain bugs, as it is an early version.

AppWizard

February 28, 2026

In a world of serious videogames, the Valheim devs’ new co-op dungeon crawler is a reminder that having fun is okay

Begraved is a co-op game developed by Grip Jaw, a team of former Valheim members, blending cozy and horror elements in a genre they call 'friendslop.' Players explore dungeons, collect treasures, and interact with a customizable hideout that serves as a social hub. The game features a narrative framework encouraging player progression and ownership, with mechanics allowing for team revivals and ghost assistance. The demo includes a selfie camera for capturing moments, emphasizing fun and lighthearted gameplay. The demo is available for download after Steam Next Fest, although it is an early version that may contain bugs.

Tech Optimizer

February 24, 2026

Fake Huorong Site Delivers ValleyRAT Backdoor in Targeted Malware Campaign

A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.

Tech Optimizer

February 22, 2026

Researchers Discover First Android Malware Using Generative AI for Persistence

Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.

AppWizard

February 21, 2026

CONVERGENCE GAMES SHOWCASES OVER 30 OF THE HOTTEST AA AND INDIE TITLES COMING TO CONSOLE AND PC IN 2026

Fourth Floor unveiled video links from the Convergence Games Showcase on February 19, 2026, which introduced over 30 AA and Indie games set for release in 2026. The event was hosted by Dodger and Jesse Cox in collaboration with IGN, featuring first gameplay reveals and exclusive content from companies like Curve Games, Gambit Digital, and Playside. Rich Keith, CEO of Fourth Floor, highlighted the showcase's growth and focus on the indie community. Fourth Floor, founded in 2017, specializes in games marketing services and works with both AAA and indie game publishers.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

AppWizard

February 19, 2026

Android security gets aggressive as Google bans thousands of developers and millions of sketchy apps

Google has reported significant improvements in app security for Android in 2025, preventing over 1.75 million policy-violating apps from entering the Play Store and removing more than 80,000 developer accounts attempting to distribute malware. The integration of AI models into the app review process has enhanced the speed and accuracy of identifying malicious patterns. Additionally, Google blocked over 255,000 apps from requesting unnecessary sensitive data and eliminated 160 million spam ratings and reviews. Google Play Protect now evaluates over 350 billion apps daily, identifying 27 million new malicious apps outside the Play Store and blocking 266 million risky installation attempts across 185 markets. A new measure has been implemented to prevent users from disabling Play Protect during phone calls to combat social engineering tactics. Future plans include democratizing developer verification and simplifying protection against "tapjacking" attacks in Android 16.

AppWizard

February 19, 2026

PromptSpy Android Malware Abuses Google Gemini to Automate Recent-Apps Persistence

Cybersecurity researchers have identified a new Android malware named PromptSpy that utilizes Google's Gemini AI chatbot to enhance its capabilities and persistence on infected devices. PromptSpy can capture lockscreen data, obstruct uninstallation, gather device information, take screenshots, and record screen activity. It integrates Gemini to analyze the current screen and provide instructions to keep the malware active in the recent apps list. The malware uses a hard-coded AI model and communicates with a command-and-control server via the VNC protocol, allowing remote access to the victim's device. It is financially motivated, targeting users in Argentina, and was developed in a Chinese-speaking environment. PromptSpy is distributed through a dedicated website and is considered an advanced version of a previously unidentified malware called VNCSpy.