Check Point Research

Winsage
November 3, 2025
Check Point Research (CPR) identified three vulnerabilities in Microsoft’s Graphics Device Interface (GDI):
1. CVE-2025-30388: Inadequate validation of clipping rectangles in EMF+ files can lead to heap corruption in GdiPlus.dll, allowing potential remote code execution. Microsoft patched this in May 2025 with version 10.0.26100.4061.
2. CVE-2025-53766: A critical flaw in GdiPlus.dll allows remote code execution without user interaction due to unallocated memory writes triggered by malformed EmfPlusDrawRects records. Microsoft addressed this in August 2025 with version 10.0.26100.4946.
3. CVE-2025-47984: This vulnerability, related to an earlier issue, involves improper handling of EMR_STARTDOC records in gdi32full.dll, leading to information disclosure. Microsoft fixed this in July 2025 with version 10.0.26100.4652.
Microsoft released patches for these vulnerabilities during its Patch Tuesday updates in May, July, and August of 2025.
Winsage
November 3, 2025
A series of vulnerabilities within the Windows Graphics Device Interface (GDI) has been discovered, potentially allowing for remote code execution and information disclosure. These vulnerabilities are linked to malformed enhanced metafile (EMF) and EMF+ records, leading to memory corruption during image rendering. Three specific vulnerabilities were analyzed and included in Microsoft's Patch Tuesday updates released in May, July, and August of 2025. They are cataloged as:
- CVE-2025-30388: Rated important and more likely to be exploited.
- CVE-2025-53766: Rated critical, enabling remote code execution.
- CVE-2025-47984: Rated important, associated with information disclosure.
All three involve out-of-bounds memory access triggered by crafted metafiles. Microsoft has released patches for GdiPlus.dll and gdi32full.dll to address these vulnerabilities, including validation checks and corrections in memory handling. These vulnerabilities also affect Microsoft Office for Mac and Android platforms.
Winsage
October 17, 2025
Check Point Research (CPR) identified a significant security vulnerability in the Rust-based kernel component of the Graphics Device Interface (GDI) in Windows, reported to Microsoft in January 2025. The issue was resolved in OS Build 26100.4202, part of the KB5058499 update released on May 28, 2025. The vulnerability was discovered during a fuzzing campaign targeting the Windows graphics component through metafiles, revealing multiple security issues including information disclosure and arbitrary code execution. The specific bug was linked to a crash occurring during the execution of a NtGdiSelectClipPath syscall in the win32kbasers.sys driver, triggered by an out-of-bounds memory access when processing malformed metafile records. Microsoft classified the vulnerability as moderate severity and addressed it in a non-security update, implementing substantial changes to the affected kernel module.
Tech Optimizer
September 2, 2025
The Chinese threat group Silver Fox has exploited the WatchDog Antimalware driver to disable antivirus and endpoint detection tools as part of a strategy called "Bring Your Own Vulnerable Driver." They have also targeted the Zemana Anti-Malware driver (ZAM.exe) to ensure compatibility across Windows 7, 10, and 11. Initial infection methods are speculated to involve phishing or social engineering. The attackers used infrastructure in China to host loader binaries with anti-analysis features, which included hardcoded lists of targeted security processes for termination and facilitated the deployment of ValleyRAT malware. Check Point Research noted that the exploitation of the WatchDog driver has evolved, prompting WatchDog to release an update for a local privilege escalation flaw, although concerns about arbitrary process termination persist. IT teams are advised to update blocklists, implement YARA detection rules, and monitor network traffic to mitigate risks.
Winsage
August 13, 2025
Check Point Research identified six new vulnerabilities in Microsoft Windows, including one classified as critical. These vulnerabilities could lead to system crashes, arbitrary code execution, or expose sensitive data. Check Point reported these issues to Microsoft, resulting in patches released on August 12th. One significant vulnerability is in a Rust-based Windows kernel component, which can cause total system crashes. Two other vulnerabilities, CVE-2025-30388 and CVE-2025-53766, allow for arbitrary code execution when users interact with specially crafted files. Additionally, CVE-2025-47984 can leak memory contents over the network, posing risks of sensitive information exposure. Check Point's security solutions already protect its customers from these threats, and users are encouraged to apply the August Patch Tuesday updates promptly.
Tech Optimizer
July 30, 2025
A new malware strain called JSCEAL has emerged, targeting cryptocurrency users by exploiting online advertising. Active since early 2025, it masquerades as legitimate trading applications and uses deceptive ads on platforms like Facebook to lure victims. The malware impersonates well-known exchanges such as Coinbase, Binance, and OKX, tricking users into downloading counterfeit apps that harvest sensitive information like credentials and wallet data. Over 35,000 malicious ads were tracked in 2025, affecting thousands of users. JSCEAL employs malvertising tactics, redirects users to counterfeit websites, and uses JavaScript-based payloads to exploit browser vulnerabilities. Its polymorphic code allows it to evade detection, and it can take remote control of devices using Android Accessibility permissions. Cryptocurrency exchanges are responding by enhancing security measures and advising users to verify app sources, implement multi-factor authentication, and use ad blockers. Users are encouraged to enable browser extensions that flag suspicious sites and to download applications only from official stores.