cybercriminals Archives

Tech Optimizer

April 17, 2026

Millions of people use this American-made antivirus and you can get $30 off right now

PC Matic is an American cybersecurity company established in 1999, focused on preventing infections before they occur. It aims to disrupt cybercrime by enhancing the protection of everyday devices, thereby reducing the profitability of large-scale attacks. The company has protected over 100 million applications and devices, with more than 3 million customers. PC Matic offers user-friendly and affordable tools for individuals and families. Currently, they have a promotional discount of 30% off the first purchase with the code GOLOOT30, applicable to orders over .99, valid until January 1, 2027.

Winsage

April 16, 2026

Fake Proton VPN sites are pushing NWHStealer malware to Windows users

A malware campaign is utilizing counterfeit Proton VPN websites and other deceptive tactics to distribute a Windows infostealer known as NWHStealer. This malware extracts sensitive information, including browser credentials and cryptocurrency wallet details, and operates stealthily by injecting itself into legitimate processes. Two primary infection vectors have been identified: malicious ZIP archives on a free web hosting platform and trojanized installers from fake Proton VPN sites. The malware employs DLL hijacking and can exfiltrate data to a command-and-control server while ensuring persistence through scheduled tasks and disguising payloads as legitimate system processes. It also exploits the Windows cmstp.exe utility to bypass User Account Control. Users are advised to avoid downloading software from unofficial sources and to verify file signatures and publisher information.

Winsage

April 15, 2026

Microsoft adds Windows protections for malicious Remote Desktop files

Microsoft has introduced new security measures for Windows 10 and Windows 11 to protect against phishing attacks that exploit Remote Desktop Protocol (RDP) connection files. These updates, part of the April 2026 cumulative updates (KB5082200, KB5083769, and KB5082052), include a one-time educational prompt for users upon first opening an RDP file, requiring acknowledgment of the associated risks. Subsequent attempts to open RDP files will display a security dialog with information about the file's publisher, the remote system address, and local resource redirections, with options disabled by default. If an RDP file is unsigned, a warning will indicate an "Unknown remote connection." These protections apply only to connections initiated through RDP files, not through the Windows Remote Desktop client, and can be temporarily disabled via the Windows Registry.

AppWizard

April 14, 2026

Mirax RAT Targets Android Devices Through Meta Apps

Mirax is a remote access Trojan (RAT) targeting Android devices in Spanish-speaking countries, identified by Outpost24's KrakenLabs in early March. It propagates fraudulent advertisements on Meta-owned applications, allowing cybercriminals to gain initial access. Mirax can interact with compromised devices in real time, converting them into residential proxy nodes through ads on platforms like Facebook and Instagram. It uses SOCKS5 protocol and Yamux multiplexing to establish proxy channels and uncover victims' IP addresses. The malware captures keystrokes, steals sensitive data, executes commands, and monitors user activity. It employs overlay pages to steal credentials and orchestrates distribution through Meta ads and GitHub for malicious APK files. Users are tricked into enabling installations from "unknown sources," and the malware disguises itself behind video playback features. Additionally, a threat actor has been offering Mirax as a malware-as-a-service (MaaS) on illicit forums, with subscription prices starting at ,500 for three months. This service is described as highly controlled and exclusive, primarily targeting Russian-speaking actors in underground communities.

Winsage

April 14, 2026

This fake Windows 11 24H2 update looks perfect, until it avoids antivirus and steals your passwords

Cybercriminals are using sophisticated tactics to deceive users, particularly with a counterfeit website posing as a legitimate Windows 11 update. This site operates under the domain microsoft-update[.]support and is designed to trick individuals into downloading malware that compromises sensitive information. The site is written in French and mimics a genuine cumulative update for Windows 11, version 24H2, featuring a convincing KB article number and a blue download button. The malware is packaged as a Windows update using the WiX Toolset 4.0.0.5512 and is labeled "WindowsUpdate 1.0.0.msi," with properties that suggest it is from Microsoft. At the time of analysis, VirusTotal showed no detections for the malware, which conceals its harmful code within an Electron shell, making it difficult to identify. Users are advised to download updates directly through the Windows Settings app or from Microsoft's official support hub.

Tech Optimizer

April 13, 2026

Fake Claude site installs malware that gives attackers access to your computer

Claude, an AI tool developed by Anthropic, receives nearly 290 million web visits monthly and has become a target for cybercriminals. A fake website has been found that impersonates Claude, distributing a trojanized installer named Claude-Pro-windows-x64.zip. This installer, while appearing legitimate, deploys PlugX malware, granting attackers remote access to users' systems. The fraudulent site mimics the official download page and uses passive DNS records linked to commercial bulk-email platforms, indicating active maintenance by the operators. The ZIP file contains an MSI installer that incorrectly spells "Claude" as "Cluade" and creates a desktop shortcut that launches a VBScript dropper. This script runs the legitimate claude.exe while executing malicious activities in the background, including copying files to the Windows Startup folder to ensure persistence after reboot. The attack utilizes a DLL sideloading technique recognized by MITRE as T1574.002, where a legitimate G DATA antivirus updater is exploited with a malicious DLL. Within 22 seconds of execution, the malware establishes a connection to an IP address associated with Alibaba Cloud, indicating control over the compromised system. The dropper script also employs anti-forensic measures to delete itself and the VBScript after deployment. Indicators of compromise include the filenames Claude-Pro-windows-x64.zip, NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat, along with the network indicator 8.217.190.58:443 (TCP) as the command and control destination. Users are advised to download Claude only from the official site and to remain vigilant against potential compromises.

Tech Optimizer

April 8, 2026

AI malware threatens Windows 11 security. Traditional antivirus can’t keep up

AI-powered fileless malware poses a significant challenge to Windows 11 security, as traditional antivirus solutions struggle to detect these advanced threats. This type of malware operates without traditional files and can execute malicious actions directly in memory, bypassing conventional detection methods. Vulnerabilities in applications like Excel and Outlook have been exploited, allowing harmful code execution through simple actions like opening a preview pane. The integration of AI features, such as Microsoft's Copilot, has also created new risks, leading to potential data leaks. To combat these threats, a multi-layered security approach that includes behavioral analysis and real-time monitoring is essential. Upgrading from Windows 11 Home to Windows 11 Pro provides additional security features to enhance defenses against malware.

AppWizard

April 8, 2026

The FBI Warns That Foreign Cybercriminals Have Targeted Messaging App Users

Cybercriminals connected to Russian intelligence are conducting a large phishing campaign targeting messaging applications, impacting thousands of accounts worldwide. A joint advisory from the FBI and CISA reveals that these attacks focus on individuals with access to sensitive information, including government officials, military personnel, political figures, and journalists. The campaign relies on deception, with attackers impersonating official support channels on platforms like Signal, sending messages that prompt victims to click malicious links or provide confidential information. Victims who comply risk losing control of their accounts, allowing attackers to read private messages and access contact lists. This trend has been observed not only in the U.S. but also in the Netherlands, where similar tactics are used against government employees. The FBI notes that the security of the messaging apps is not the issue; rather, the vulnerability lies in human error. The rise of social engineering tactics poses a risk to both high-profile individuals and potentially everyday users, and users are advised to be cautious with unsolicited messages and not to share sensitive information.

Winsage

April 7, 2026

“This was not opportunistic. It was precision.” — How North Korean hackers used Microsoft Teams and Slack to compromise Windows PCs with an elaborate ploy

On March 30, 2026, axios, a JavaScript HTTP client library, was temporarily compromised by suspected North Korean hackers who hijacked maintainer Jason Saayman's account. This allowed them to publish two malicious versions of axios on npm. The malicious versions were identified and removed within three hours by StepSecurity. A post-mortem blog on GitHub provided security measures for users of Windows, macOS, and Linux, highlighting risks from a Remote Access Trojan (RAT) introduced during the breach. The attack was attributed to a group known as UNC1069, which has been active since at least 2018. Two weeks prior to the breach, Saayman was targeted in a social engineering campaign where attackers posed as a legitimate company founder, leading him to install the RAT via a fake update during a Microsoft Teams meeting. Microsoft Teams was not compromised; it was used as a delivery method for the Trojan. Saayman noted the operation's sophistication.

Tech Optimizer

April 7, 2026

Norton 360: Comprehensive Cybersecurity for Devices

Norton 360 is a comprehensive cybersecurity solution that protects consumers and businesses from digital threats, integrating features like a VPN and password manager. It safeguards various devices, including PCs and smartphones, and offers multiple editions for individuals, families, and small businesses. Key features include real-time threat detection, a smart firewall, a no-logs VPN, a password manager, parental controls, behavior-based detection for zero-day threats, cloud backup functionality, and performance optimization tools. The suite is effective against phishing, malware, and ransomware, with a 100% detection rate confirmed by independent tests. Norton 360 also caters to small businesses with endpoint protection, compliance tools, and secure file sharing. It employs heuristics and machine learning for threat adaptation and supports unlimited devices in premium plans. The software is compatible with Windows, macOS, Android, and iOS, and offers a VPN service with servers in over 30 countries. Norton 360 competes in the global cybersecurity market, maintaining a strong presence in North America and Europe, with subscription models ranging from basic to deluxe editions. Demand for the product has increased due to high-profile data breaches, and it is available in over 150 countries. Common use cases include protecting home networks, securing client data for freelancers, and safeguarding school-issued laptops. Norton 360 is part of Gen Digital Inc., which focuses on consumer cybersecurity.