command execution Archives

BetaBeacon

May 5, 2026

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

ScarCruft compromised a video game platform in a supply chain attack, trojanizing its components with a backdoor called BirdCall to target ethnic Koreans residing in China. The attack enabled the threat actors to target both Windows and Android devices, turning it into a multi-platform threat. The campaign targeted sqgame[.]net, a gaming platform used by ethnic Koreans in China, known as a transit point for North Korean defectors. BirdCall has features like screenshot capture, keystroke logging, and data gathering, and relies on legitimate cloud services for command-and-control. The Android variant collects various data and has seen active development.

BetaBeacon

May 5, 2026

ScarCruft hackers push BirdCall Android malware via game platform

APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.

Tech Optimizer

April 16, 2026

MiningDropper Android Malware Exploits Lumolight App

Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered an Android malware framework called MiningDropper, which is being used in various campaigns to distribute malicious payloads such as cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware. Over 1,500 MiningDropper samples were detected in one month, with many showing minimal antivirus detection. MiningDropper operates as a multi-stage delivery framework that employs techniques like XOR-based obfuscation and AES encryption to evade detection. A recent variant uses a trojanized version of the Lumolight application as the initial infection vector, often spread through phishing links and fraudulent websites. The malware executes a series of stages, starting with decrypting an embedded asset and loading additional payloads, including a counterfeit Google Play update interface to deceive users. Two main campaign clusters have been identified: an infostealer campaign targeting Indian users by impersonating trusted entities, and a global campaign distributing the BTMOB RAT, which enables credential theft and device takeover. The final payload capabilities include extracting sensitive data, enabling full device compromise, facilitating financial fraud, and unauthorized cryptocurrency mining. MiningDropper's modularity allows it to adapt and scale across various campaigns while maintaining low detection rates.

Winsage

April 6, 2026

ResokerRAT Hijacks Telegram API to Command Infected Windows PCs

A newly discovered Windows malware called ResokerRAT uses Telegram’s Bot API for its command-and-control operations, allowing it to monitor and manipulate infected systems without a conventional server. It obscures its communications by integrating with legitimate Telegram traffic, complicating detection. Upon execution, it creates a mutex to ensure only one instance runs and checks for debuggers to avoid analysis. It attempts to relaunch with elevated privileges and logs failures to its operator. ResokerRAT terminates known monitoring tools and installs a global keyboard hook to obstruct defensive key combinations. It operates through text-based commands sent via Telegram, allowing it to check processes, take screenshots, and modify system settings to evade detection. Persistence is achieved by adding itself to startup and altering UAC settings. The malware retrieves additional payloads from specified URLs and uses URL-encoded data for communication. Researchers have confirmed its Telegram traffic, and its behavior aligns with various MITRE ATT&CK techniques. Security teams are advised to monitor for unusual Telegram traffic and scrutinize registry keys related to startup and UAC.

Winsage

March 6, 2026

Chinese hackers hide malware in Windows and Google Drive to hit targets

Chinese state-sponsored threat actors, specifically a group known as Silver Dragon, have been conducting espionage operations across Southeast Asia and Europe since at least mid-2024. They have targeted government entities in countries such as Russia, Poland, Hungary, Italy, Japan, Myanmar, and Malaysia. Silver Dragon is believed to be affiliated with APT41 and primarily uses phishing emails to initiate attacks, often containing weaponized documents or links. They employ a custom backdoor called GearDoor, which utilizes Google Drive for command-and-control operations, allowing them to exfiltrate stolen intelligence. The group also hijacks legitimate Windows services to load malicious code and uses tools like SSHcmd and Cobalt Strike for post-exploitation activities. Their tactics involve blending malicious activities with normal system operations, making detection difficult and increasing their dwell time within targeted networks.

Winsage

March 6, 2026

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Microsoft revealed a social engineering campaign named ClickFix that exploits the Windows Terminal application to deploy Lumma Stealer malware. Detected in February 2026, this campaign instructs users to access Windows Terminal using the Windows + X → I shortcut, enhancing its perceived legitimacy. Attackers evade detection by manipulating users into executing harmful commands through deceptive prompts. The attack chain involves pasting a hex-encoded command into Windows Terminal, which opens additional Terminal and PowerShell instances, leading to a PowerShell process that decodes a script. This process downloads a ZIP payload containing a renamed 7-Zip binary, which extracts files and initiates a multi-stage attack, including retrieving payloads, establishing persistence, configuring Microsoft Defender exclusions, exfiltrating data, and deploying Lumma Stealer by injecting it into "chrome.exe" and "msedge.exe." Lumma Stealer targets browser artifacts to harvest credentials. A secondary attack pathway involves downloading a batch script that writes a Visual Basic Script to the Temp folder and connects to Crypto Blockchain RPC endpoints, also using QueueUserAPC() for code injection into browsers to extract data.

Winsage

March 3, 2026

PoC Exploit Released for Windows Error Reporting ALPC Privilege Escalation

A critical local privilege escalation vulnerability, tracked as CVE-2026-20817, affects Microsoft Windows through the Windows Error Reporting (WER) service. This flaw allows authenticated users with low-level privileges to execute arbitrary code with full SYSTEM privileges. The vulnerability resides in the SvcElevatedLaunch method (0x0D) and fails to validate user permissions, enabling attackers to launch WerFault.exe with malicious command-line parameters from a shared memory block. The exploit affects all versions of Windows 10 and Windows 11 prior to January 2026, as well as Windows Server 2019 and 2022. Microsoft addressed this vulnerability in the January 2026 Security Update. Organizations are advised to apply security patches and monitor for unusual WerFault.exe processes.

Winsage

February 20, 2026

Announcing Windows 11 Insider Preview Build 28020.1619 (Canary Channel)

Windows 11 Insider Preview Build 28020.1619 has been released to the Canary Channel (KB 5077230). New features include: - Enhanced Cross-Device Resume allows users to continue activities from Android devices on PCs, including support for Vivo Browser and Microsoft Copilot app files. - Narrator customization now lets users control how on-screen elements are announced. - Windows Hello Enhanced Sign-in Security now supports peripheral fingerprint sensors. - Voice Typing introduces a 'Wait time before acting' setting for improved command execution. - A streamlined setup flow for Voice Access has been implemented. - Language support for the Settings Agent has expanded to include German, Portuguese, Spanish, Korean, Japanese, Hindi, Italian, and Chinese (Simplified). - A refreshed SCOOBE screen for reviewing recommended settings has been introduced. - Paint version 11.2601.391.0 includes a freeform rotate feature for enhanced editing control. Features in the Canary Channel are rolled out gradually, and a desktop watermark will be displayed in pre-release builds. A clean install is required to exit the Canary Channel.

Winsage

January 26, 2026

We’re talking about the best of Windows 11, and we want your input.

Expressions of affection for Windows are common, and while the author acknowledges some shortcomings in Windows 11, it remains an essential tool for productivity, creativity, and communication. Qualcomm's Snapdragon X2 Plus platform is expected to indicate a significant transition toward Arm-based Windows devices. The Microsoft Store has become a reliable platform for discovering and downloading applications on Windows. Recent enhancements in Windows 11 have improved the experience for handheld gaming PCs. The Windows Package Manager, or winget, is highly regarded, and PowerToys is recommended as essential for Windows 11 users. The Command Palette allows users to launch applications using the keyboard and execute commands. The Windows Subsystem for Linux (WSL) provides a genuine Linux experience within Windows 11. Phone Link facilitates effortless photo transfers. The 12-inch Surface LCD is slightly thinner than the Surface Pro 11. The Windows Central community is engaged in discussions about the standout features of Windows 11.

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.