command

Winsage
June 18, 2025
A cyber espionage campaign attributed to the XDSpy threat actor has been discovered, exploiting a zero-day vulnerability in Windows shortcut files identified as “ZDI-CAN-25373.” This vulnerability allows attackers to conceal executed commands within specially crafted shortcut files. XDSpy has primarily targeted government entities in Eastern Europe and Russia since its activities became known in 2020. Researchers from HarfangLab found malicious LNK files exploiting this vulnerability in mid-March, revealing issues with how Windows parses LNK files. The infection begins with a ZIP archive containing a malicious LNK file, which triggers a complex Windows shell command to execute malicious components while displaying a decoy document. This command extracts and executes a first-stage malware called “ETDownloader,” which establishes persistence and downloads a second-stage payload known as “XDigo.” The XDigo implant, written in Go, collects sensitive information and employs encryption for data exfiltration. This campaign represents an evolution in XDSpy's tactics, combining zero-day exploitation with advanced multi-stage payloads.
Winsage
June 18, 2025
To check your Windows version and build number, you can use the following methods:
1. Winver Tool: Type “winver” in the taskbar search bar and select the command to display your version and build number in a pop-up window.
2. Windows Settings: Go to the Start menu, select “Settings,” then navigate to “System” and click on “About” to find your version and build number under “Windows specifications.”
3. Registry Database: Type “regedit” in the taskbar search field, open the Registry Editor, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion to find the version number under “ReleaseId” and “DisplayVersion.”
Winsage
June 18, 2025
The XDSpy threat actor is exploiting a Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target governmental entities in Eastern Europe and Russia since March 2025. This campaign involves a multi-stage infection chain deploying the XDigo implant, developed in Go. Attackers use spearphishing emails with ZIP archives containing crafted LNK files that exploit the vulnerability. Upon execution, these files sideload a malicious C# .NET DLL named ETDownloader, which establishes persistence and retrieves the XDigo payload from specific domains. XDigo is a data collection implant capable of file scanning, clipboard capture, and screenshot acquisition, communicating with command-and-control servers. The campaign targets Belarusian governmental entities and employs advanced tactics, including anti-analysis checks and encryption for data exfiltration. Indicators of compromise include specific SHA-256 hashes for ZIP archives, LNK files, the ETDownloader, and XDigo malware, along with associated distribution and command-and-control domains.
Tech Optimizer
June 17, 2025
Threat actors are using a fileless variant of AsyncRAT, targeting German-speaking individuals with a deceptive verification prompt. This prompt misleads users into executing harmful commands. The malware employs obfuscated PowerShell scripts to operate in memory without creating files on disk, complicating detection by antivirus solutions. The attack begins with a fake verification page prompting users to click "I’m not a robot," which copies a malicious command to the clipboard. This command uses conhost.exe to run a hidden PowerShell instance that retrieves a payload from a remote server. The malware establishes a connection to a command-and-control server and maintains persistence through registry keys, enabling remote control and data exfiltration. Key tactics include stealth execution, in-memory C# compilation, and TCP-based communication over non-standard ports. The campaign has been active since at least April 2025. Indicators of Compromise (IOCs) include:
- IP: 109.250.111[.]155 (Clickfix Delivery)
- FQDN: namoet[.]de (Clickfix / C2 Server)
- Port: 4444 (TCP Reverse Shell Listener)
- URL: hxxp[:]//namoet[.]de:80/x (PowerShell Payload)
- Registry (HKCU): SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windows (Persistence on Boot)
- Registry (HKCU): SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\win (Holds Obfuscated Command)
Winsage
June 17, 2025
PowerToys is evolving with new features for Windows 11 users, including a proposed redesign shared by software engineer Niels Laute on the PowerToys GitHub page. The new dashboard layout aims to enhance user experience by making essential tools more accessible and aligns with the aesthetics of Windows 11. Despite its versatility, many features of PowerToys are not well-known and require users to explore further. The envisioned dashboard seeks to highlight these lesser-known functionalities and simplify navigation. The concept is still in early development stages, indicating that significant changes may take time to implement.
Winsage
June 16, 2025
CVE-2025-33073 is a Windows authentication relay attack vulnerability with a CVSS score of 8.8, indicating high severity. It allows attackers to gain SYSTEM privileges on affected systems. Currently, there is no evidence of active exploitation, but the public disclosure raises concerns. Exploitation involves executing a malicious script that makes the victim's machine connect to the attacker's system using SMB. Security researchers have described it as an authenticated remote command execution on machines that do not enforce SMB signing. Microsoft has released a fix as part of the June Patch Tuesday security updates to address this vulnerability.
Winsage
June 15, 2025
Windows 11 is nearing its fourth anniversary, and Microsoft has reintroduced the clock in the calendar flyout, a feature that users missed since its initial release. This feature allows for a larger clock display with seconds, visible whether the calendar is collapsed or expanded. Users can toggle the clock off in the Settings menu, but the feature is being rolled out gradually. To enable it sooner, users can use the ViVeTool app with specific commands. However, the taskbar calendar still lacks advanced functionalities like displaying user agendas or creating new events.
Winsage
June 15, 2025
Flow Launcher is a desktop productivity tool for Windows 11 that excels in speed, opening instantly with a keyboard shortcut and providing audio cues. It features an extensive library of plugins, allowing users to enhance functionality with ease, including pre-installed plugins for searching bookmarks, managing files, and executing system commands. The plugin store offers a variety of extensions, catering to diverse needs, including tools for OneNote, Spotify, and gaming. Flow Launcher is highly customizable, enabling users to adjust extension functions, search result priorities, and activation shortcuts. It also allows the creation of custom hotkeys for quick access to frequently used tools, such as an enhanced clipboard history.
AppWizard
June 14, 2025
Shokuho is a total conversion mod for Mount & Blade 2: Bannerlord, set in feudal Japan starting in 1568 during Oda Nobunaga's campaign. Players can build armies or ally with local lords, featuring mechanics like tiered castle sieges and naval battles. The mod integrates the Diplomacy Mod and has surpassed Bannerlord in naval gameplay, which is still under development. Shokuho showcases a distinct aesthetic with visually impressive battles and is inspired by Ghost of Tsushima. It is available for download on ModDB, while the War Sails expansion for Bannerlord has been postponed to autumn.