credential theft Archives

Winsage

April 9, 2026

This fake Windows support website delivers password-stealing malware

A phishing campaign has been identified that uses a counterfeit Microsoft support website, microsoft-update[.]support, to trick users into downloading a malicious Windows update disguised as WindowsUpdate 1.0.0.msi. This file, created on April 4, 2026, appears legitimate but contains malware designed to steal sensitive information. The campaign targets French-speaking users, leveraging recent data breaches in France to create convincing scams. The malware, once executed, installs an Electron application that runs a Python interpreter, which then deploys various data theft tools. It employs two persistence mechanisms: modifying the Windows registry and creating a shortcut in the Startup folder. The malware connects to external sites for reconnaissance and data exfiltration, using domains like datawebsync-lvmv.onrender[.]com and store8.gofile[.]io. The malware's components have evaded detection by antivirus tools, with VirusTotal reporting zero detections for the main executable and its launcher. Users are advised to check their registry, remove suspicious files, change passwords, and run a full system scan if they suspect installation of the malicious update. Safe updating practices include using the built-in Windows update feature and being cautious of phishing attempts. Indicators of compromise include specific file hashes, domains associated with the phishing campaign, and file system artifacts related to the malware's installation.

Winsage

April 9, 2026

BlueHammer: Windows zero-day exploit leaked

A proof-of-concept (PoC) exploit called BlueHammer has been released on GitHub, targeting an unpatched local privilege escalation vulnerability in Windows. The exploit, attributed to users Chaotic Eclipse and Nightmare Eclipse, has been modified by security researchers to work on updated versions of Windows 10, 11, and Windows Server. The exploit manipulates Microsoft Defender to create a Volume Shadow Copy, allowing access to sensitive registry files and enabling the extraction of NTLM password hashes. This facilitates the alteration of a local Administrator's password and subsequent login. The exploit can duplicate the Administrator's security token and create a malicious Windows Service that runs with SYSTEM privileges. While there are no reports of BlueHammer being exploited by malicious actors, researchers warn that such PoC code can be weaponized quickly. Microsoft has committed to investigating reported security issues related to this vulnerability.

Tech Optimizer

April 8, 2026

Avast Antivirus: A Complete Guide to the Software and Its Security Features

Avast antivirus is a widely used digital security solution for mobile and desktop platforms, developed by Gen Digital. It offers a free version that is accessible and easy to set up, making it popular among first-time users. Key security features include real-time threat protection, web protection tools, email protection, behavior monitoring, and a network inspector. The software operates quietly in the background, has a clean and intuitive interface, and provides essential security features in its free version. However, users may experience intrusive upgrade prompts, and advanced tools require a paid subscription. Avast distinguishes itself by offering behavioral threat detection in both free and paid versions, and its extensive user base enhances its threat detection capabilities. The free version includes basic protections suitable for everyday online activities, but advanced features necessitate an upgrade. Users are encouraged to adopt strong passwords, utilize password managers, enable two-factor authentication, and practice safe browsing habits to ensure online privacy.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

Winsage

March 27, 2026

Microsoft tells crusty old kernel drivers to get with the Windows Hardware Compatibility Program

Microsoft is enhancing the security of the Windows kernel by eliminating trust for kernel drivers not certified through the Windows Hardware Compatibility Program (WHCP) starting with the April 2026 Windows Update. This change specifically targets kernel drivers signed by the now-obsolete cross-signed root program, which has been associated with security vulnerabilities. The new policy will initially be introduced in an "evaluation mode" to monitor and audit driver loads for potential compatibility issues. Custom kernel drivers can still be used under the Application Control for Business policy, but must be signed by an authority within the device's Secure Boot Platform Key or Key Exchange Key variables. The changes will impact Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025.

AppWizard

March 19, 2026

New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Cybersecurity researchers have identified a new family of Android malware called Perseus, designed for device takeovers and financial fraud. It utilizes Accessibility-based remote sessions for real-time monitoring and interaction with infected devices, particularly targeting Turkey and Italy. Perseus monitors user notes to extract personal or financial information and is distributed through dropper applications via phishing websites. It expands on the codebase of previous malware like Phoenix and employs disguises as IPTV services to reduce user suspicion. Once operational, it performs overlay attacks and captures keystrokes to steal credentials from financial applications. The malware allows operators to issue commands through a command-and-control panel, enabling various malicious actions, including capturing note content and initiating remote visual streams. Perseus also conducts environment checks to evade detection and ensure it operates on legitimate devices.

Winsage

March 17, 2026

5 security features in Windows 11 Pro to keep you protected against even the smartest cyberattacks

Windows 11 Pro includes a comprehensive suite of cybersecurity features that enhance protection against vulnerabilities such as lost devices, stolen passwords, risky downloads, and phishing attempts. Key features include: - BitLocker: Encrypts drive contents to secure sensitive information on laptops, particularly useful for mobile devices. - Windows Hello for Business: Replaces traditional passwords with a device-bound PIN or biometric verification, reducing the risk of credential theft. - Smart App Control: Prevents malicious software from executing by evaluating applications before they run, effective against modern threats. - Windows Sandbox: Allows users to run potentially risky software in a secure, isolated environment that resets upon closure. - Windows Firewall: Regulates network traffic to and from the PC, filtering based on application, port, protocol, and network type, and helps manage application interactions with the network.

Winsage

March 12, 2026

Microsoft Introduces Phishing-Resistant Windows Sign-Ins With Entra Passkeys

Microsoft will introduce phishing-resistant passwordless authentication through passkeys for Windows devices, integrated with Microsoft Entra. This feature is expected to enter public preview between mid-March and late April 2026 for global tenants, while government cloud environments will receive the update from mid-April to mid-May. Users can access Entra-protected resources using device-bound passkeys stored securely within Windows Hello, allowing authentication through biometric or local verification methods. This update expands passwordless authentication to unmanaged or personal Windows devices. Passkeys utilize public-key cryptography, enhancing security by storing a private key on the device and registering a matching public key with the service. Each passkey is uniquely associated with a specific device and cannot be exported or synchronized. Organizations must enable the Passkeys (FIDO2) authentication method in Entra for the preview. This initiative is part of Microsoft's broader strategy to eliminate passwords, responding to rising cybersecurity concerns related to password-based authentication.

AppWizard

March 12, 2026

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have identified six new families of Android malware designed to extract sensitive data and facilitate financial fraud. Notable threats include: - PixRevolution: Targets Brazil's Pix payment platform, activates during Pix transfers, and uses real-time monitoring to intervene in transactions. Victims are tricked into installing malicious apps from counterfeit Google Play Store listings, which enable accessibility services for the malware to capture screens and overlay fake interfaces to reroute funds. - BeatBanker: Spreads through phishing attacks disguised as legitimate Google Play Store pages. It uses an inaudible audio loop for persistence, functions as a banking trojan, and includes a cryptocurrency miner. It creates deceptive overlays for platforms like Binance and Trust Wallet to divert funds and can monitor web browsers and execute remote commands. - TaxiSpy RAT: Exploits accessibility services to gather sensitive information such as SMS messages and call logs, targeting banking and cryptocurrency applications with overlays for credential theft. It employs advanced evasion techniques like native library encryption and real-time remote control. - Mirax: A private malware-as-a-service (MaaS) offering with a subscription model that provides tools for banking overlays and information gathering, including keystrokes and SMS. - Oblivion: Another Android RAT available at a competitive price, featuring capabilities to bypass security measures on various devices. - SURXRAT: Distributed through a Telegram-based MaaS ecosystem, it uses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure. Some samples incorporate a large language model component, indicating experimentation with AI by threat actors.

Winsage

March 4, 2026

PoC Exploit Released for Microsoft Windows Error Reporting ALPC Privilege Escalation

A proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in the Windows Error Reporting (WER) service, has been released by security researcher oxfemale on GitHub. This vulnerability allows low-privileged users to gain SYSTEM-level access through crafted Advanced Local Procedure Call (ALPC) messages. The flaw is located in the WER service's SvcElevatedLaunch method, which fails to validate caller privileges before executing WerFault.exe with user-supplied command line parameters. The CVSS v3.1 base score for this vulnerability is 7.8, indicating a high severity level. It affects unpatched versions of Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 prior to the January 2026 update. Demonstrations have shown successful exploitation on Windows 11 23H2. Security teams are advised to monitor for unusual processes related to WerFault.exe, investigate missing SeTcbPrivilege in SYSTEM tokens, and review WER-related activities from low-privilege users. Immediate application of the January 2026 security patches is recommended, and a temporary workaround involves disabling the WER service.