credential theft Archives

AppWizard

December 2, 2025

New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

A new Android malware named Albiriox has emerged, marketed as malware-as-a-service (MaaS). It features a hard-coded list of over 400 applications, including banking and cryptocurrency platforms, and is distributed through social engineering tactics using dropper applications. Initially advertised in late September 2025, it became a full MaaS offering by October, with Russian-speaking threat actors behind its development. Albiriox allows remote control of compromised devices via an unencrypted TCP socket connection and Virtual Network Computing (VNC), enabling attackers to extract sensitive information and perform overlay attacks for credential theft. One campaign targeted victims in Austria using German-language lures and counterfeit Google Play Store listings. Albiriox also utilizes Android's accessibility services to bypass security measures and employs a novel distribution strategy involving a counterfeit website that collects phone numbers. Additionally, another Android MaaS tool, RadzaRat, was introduced, masquerading as a file management utility while offering extensive surveillance and remote control capabilities. RadzaRat can log keystrokes and maintain persistence through specific permissions, highlighting a trend in the availability of sophisticated cybercrime tools.

Winsage

November 27, 2025

Microsoft Security Keys May Require PIN After Recent Windows Updates

Microsoft announced an update for FIDO2 security keys on Windows 11, introducing a new prompt for users to set up a PIN during authentication. The rollout began with preview update KB5065789 on September 29, 2025, for OS Builds 26200.6725 and 26100.6725, and was completed with security update KB5068861 on November 11, 2025, for OS Builds 26200.7171 and 26100.7171. This update affects sign-ins where a Relying Party (RP) or Identity Provider (IDP) requests User Verification set to “Preferred” for keys without a PIN, in accordance with WebAuthn specifications. Users must now set up a PIN during authentication flows, not just during registration. To avoid PIN prompts, RPs or IDPs can set “userVerification” to “discouraged.” There is no option to roll back the changes.

Winsage

November 26, 2025

Microsoft: Security keys may prompt for PIN after recent updates

Microsoft issued a notice to users about a new behavior related to FIDO2 security keys following Windows updates since the September 2025 preview update. This change affects devices on Windows 11 versions 24H2 or 25H2, where users may be prompted to enter a PIN during authentication. The adjustment aligns with WebAuthn specifications, which outline protocols for authentication methods, including PINs and biometrics. User verification can be categorized as discouraged, preferred, or required, with "preferred" necessitating a PIN setup if supported by the authenticator. The rollout began after the KB5065789 preview update and was completed with the November KB5068861 security update. Microsoft stated that after installing the September 29, 2025 update, users might need to create a PIN to sign in with a security key, even if it was not required during initial registration. This behavior occurs when a Relying Party or Identity Provider requests User Verification = Preferred during authentication with a FIDO2 security key lacking a PIN. Organizations can opt to adjust the user verification setting to "discouraged" if they do not want to require users to create or enter PINs. FIDO2 security keys enable passwordless authentication by requiring the physical presence of a USB, NFC, or Bluetooth token, gaining popularity as organizations seek to reduce risks associated with traditional passwords.

Winsage

November 19, 2025

Sysmon – Go-to Tool for IT Admins, Security Pros, and Threat Hunters Coming to Windows

Microsoft will integrate native System Monitor (Sysmon) functionality into Windows 11 and Windows Server 2025, enhancing security operations for IT teams. This integration will provide instant threat visibility, automate compliance through Windows Update, and include features such as process monitoring, network connection tracking, credential access detection, file system monitoring, process tampering detection, WMI persistence tracking, and custom configuration support. It will also offer official customer service support and allow seamless access to events through Windows Event Logs or Security Information and Event Management (SIEM) systems. Administrators can enable Sysmon using the command "sysmon -i." Future plans include expanding Sysmon’s capabilities with enterprise-scale management and AI-powered detection.

Winsage

November 19, 2025

Microsoft Integrates System Monitor (Sysmon) into Windows 11

Microsoft will integrate its forensic tool, System Monitor (Sysmon), into the Windows kernel with the upcoming releases of Windows 11 and Server 2025. This integration will transform Sysmon from a standalone utility into a native “Optional Feature” that will be serviced automatically through Windows Update. Administrators will no longer need to manually distribute Sysmon; instead, it can be activated through the “Turn Windows features on or off” dialog or command-line instructions. The integration will ensure that updates flow through the standard Windows Update pipeline, providing official support and Service Level Agreements (SLAs) for Sysmon. Microsoft plans to utilize local computing capabilities for AI inferencing to enhance security measures, focusing on detecting credential theft and lateral movement patterns. Sysmon will maintain backward compatibility with existing workflows, allowing the use of custom configuration files and adhering to the XML schema while continuing to log events to the Windows event log. Community-driven configuration repositories will remain operational, preserving established community knowledge.

Winsage

November 16, 2025

Windows 11 Pro upgrade plummets under $10

Prices for a Windows 11 Pro license have dropped below , making it affordable to upgrade older PCs into capable daily drivers. The upgrade offers a streamlined interface, enhanced multitasking with snap layouts, improved search functionality, and integrated Microsoft Teams. It also includes advanced security features like virtualization-based security, Smart App Control, and BitLocker device encryption. Windows Update packages are reported to be up to 40% smaller, allowing older hardware to operate more efficiently. To ensure compatibility, a machine must have a 64-bit CPU, at least 4GB of RAM, a minimum of 64GB storage, support for Secure Boot, and TPM 2.0. Microsoft's PC Health Check app can verify these requirements. A smooth setup requires a discounted Windows 11 Pro license, an 8–16GB USB drive for installation, and access to free online installation media and drivers. The clean installation process involves backing up files, creating a bootable USB installer, installing Windows 11 Pro, and running Windows Update for patches. Users can optimize their setup by enabling Storage Sense, Core Isolation, and uninstalling unnecessary applications. StatCounter reports that Windows 11 powers about one-third of the world’s PCs, improving performance for browsers and office applications. A clean install can significantly reduce boot times and enhance overall system responsiveness. Security features like Secure Boot and Credential Guard help reduce vulnerabilities. When purchasing a Windows license, it's important to buy from reputable sellers to ensure the key is legitimate. Students and employees may have access to free or low-cost licenses through educational or corporate programs. For machines that cannot run Windows 11, modern Linux distributions like Mint and Ubuntu offer practical, cost-free alternatives with user-friendly installers and built-in drivers.

Tech Optimizer

November 13, 2025

Hackers Using RMM Tools LogMeIn and PDQ Connect to Deploy Malware as Legitimate Software

Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have discovered an attack campaign that uses legitimate Remote Monitoring and Management (RMM) tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on users' systems. Attackers lure victims to fake download sites that mimic legitimate software pages for utilities like Notepad++, 7-Zip, and VLC Media Player, delivering modified versions of LogMeIn Resolve. The malicious installers are disguised with filenames such as "notepad++.exe" and "chatgpt.exe." Once executed, these files install the RMM tool and additional malware capable of stealing sensitive information. ASEC has identified three CompanyId values associated with the attacks: 8347338797131280000, 1995653637248070000, and 4586548334491120000. The malware, known as PatoRAT, is a Delphi-developed backdoor that gathers system information and has extensive malicious capabilities, including keylogging and remote desktop access. Users are advised to download software only from official websites and verify digital signatures, while organizations should monitor for unauthorized RMM installations and the identified indicators of compromise.

Tech Optimizer

November 13, 2025

New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware

Security researchers have identified a malware campaign using the ClickFix social engineering technique to spread information-stealing malware on Windows and macOS. The campaign targets users searching for cracked software, leading them to malicious Google-hosted landing pages. Victims encounter fake security warnings that prompt them to execute a malicious command, resulting in the installation of infostealer malware. Windows users receive the ACR stealer, while macOS users get the Odyssey stealer, both delivered in password-protected ZIP files. ACR also loads additional malware like SharkClipper, which hijacks cryptocurrency clipboard data. The campaign has seen a 700% increase in ACR logs in May 2025, with ClickFix becoming the most common initial access method, accounting for 47% of all initial access schemes. The malware collects various user data, including passwords and cryptocurrency wallets, and operates in a fileless manner to evade detection. Security experts advise against executing unverified commands and recommend enhancing endpoint detection capabilities to combat these threats.

Winsage

November 10, 2025

Advancing security with Windows and Surface | Microsoft SFI Report Nov 2025

Microsoft is committed to security through its Secure Future Initiative (SFI), which employs 34,000 engineers to enhance cybersecurity. The November 2025 SFI Progress Report outlines advancements in security, including principles of Secure by Design, Secure by Default, and Secure Operations integrated into Windows and Surface products. Key updates include: - Windows 11 introduces passwordless sign-in with Passkeys and FIDO2 credentials to reduce phishing risks. - Phishing-resistant multi-factor authentication (MFA) is now widely used, lowering account compromise risks. - Windows Hotpatch allows security updates without device restarts, achieving 81% compliance within 24 hours of Patch Tuesday. - Windows 11 features quick machine recovery for automatic, cloud-connected recovery from boot failures. Surface devices lead in security by enabling all recommended features by default and developing memory-safe firmware to address vulnerabilities. Notably, 70% of security vulnerabilities are linked to memory safety issues, and Surface uses Rust-based UEFI firmware to enhance defenses. Surface also develops Windows drivers in Rust to eliminate memory safety bugs and shares innovations through the Open Device Partnership to improve security across the ecosystem.

Tech Optimizer

November 7, 2025

Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus

A banking trojan named Herodotus targets Android users globally, operating as Malware-as-a-Service and disguising itself as a legitimate app to lure users into downloading an APK from unofficial sources. Once installed, it gains critical system permissions to perform banking operations on behalf of the user. The malware is primarily distributed through SMS phishing campaigns that lead victims to fraudulent download pages. Herodotus employs overlay attacks to steal credentials and hijack sessions, posing a significant threat to financial security. It uses advanced evasion tactics, including random delays and realistic typing patterns, to avoid detection by traditional antivirus solutions. The trojan captures screen content and keystrokes, allowing real-time monitoring of user activity. Detection is complicated as Herodotus circumvents defenses by installing from unknown sources and executing harmful actions only after obtaining user permissions. Effective defense requires recognizing multiple indicators of compromise, such as suspicious SMS links and behavioral anomalies, which traditional antivirus protection often overlooks.