Winsage
April 17, 2026
Hackers have exploited vulnerabilities in Windows systems, specifically targeting three flaws: BlueHammer, UnDefend, and RedSun. BlueHammer has been patched by Microsoft, while UnDefend and RedSun remain unaddressed. The exploitation is linked to code published by a researcher named Chaotic Eclipse, who criticized Microsoft for their response to vulnerabilities. All three flaws affect Windows Defender, allowing hackers potential high-level access to systems. Microsoft emphasized the importance of coordinated vulnerability disclosure to protect customers and the research community. The situation underscores the ongoing struggle between cybersecurity defenders and cybercriminals.
AppWizard
April 7, 2026
Recent findings from McAfee have revealed a malware campaign named Operation NoVoice that has infiltrated over 50 applications on the Google Play Store, which collectively received over 2.3 million downloads before being removed. The malware uses a rootkit attack strategy to gain administrator-level control of Android devices while remaining undetected. Affected apps appeared benign, performing tasks like cleaning files or managing photos, but were secretly communicating with a remote server to send device information. This allowed attackers to deploy custom exploit code, achieving root-level access and posing significant security risks. The malware persists even after factory resets, potentially requiring firmware reinstallation for complete removal. Users with older or unpatched Android versions are at greater risk, as well as anyone who downloaded the compromised apps.
AppWizard
April 3, 2026
Google has imposed strict restrictions on sideloading applications on Android devices due to concerns about risks from external sources. A new malware named NoVoice has been discovered on Google Play, embedded in over 50 applications with at least 2.3 million downloads, potentially compromising that many devices. The malware seeks root access by exploiting vulnerabilities in older Android versions and can steal sensitive data and install/remove apps without consent. It is difficult to remove, as it installs recovery scripts that survive factory resets. However, Google has stated that devices updated since May 2021 are protected against this threat, and Google Play Protect removes these apps and blocks new installs. Users with devices updated after May 2021 are considered safe, while those with infected apps should consider their devices compromised.
AppWizard
March 13, 2026
The FBI is investigating malware hidden in several video games on the Steam platform, targeting users from May 2024 to January 2026. The investigation includes games like BlockBlasters, Chemia, Dashverse, DashFPS, Lampy, Lunara, PirateFi, and Tokenova, with some previously removed from Steam for malicious content. Steam had over 132 million monthly active users and more than 117,000 games in 2025. The FBI is reaching out to affected gamers, ensuring victim confidentiality and potential eligibility for services under federal and state law. This incident is part of a broader trend of malware targeting gamers, with previous cases involving fan games and cheat software affecting millions of accounts.
Winsage
February 19, 2026
A representative from Marquette University visited University of Detroit Jesuit High School during Chris Morrissey’s junior year, shortly after Marquette’s men’s basketball team won the national championship in 1977. Morrissey decided to attend Marquette, influenced by friends with siblings enrolled there. He has had a diverse career, moving from the automotive sector to chemicals, and is currently the senior director of communications for Windows and devices at Microsoft. Morrissey worked the midnight shift at the downtown Hilton during college, which allowed him to complete homework and read major newspapers. His interest in technology began at Chrysler, where he embraced new PCs while others were hesitant. At Microsoft, he manages a team that handles communications for Windows device updates and features, emphasizing the global impact of their work. Recently, his team addressed a crisis involving a cybersecurity issue affecting Windows devices, focusing on customer support. Morrissey credits his Marquette education with teaching him to prioritize others in crisis situations. He has also become involved in community service in Seattle, volunteering at food banks and serving on the board of North Helpline. As a father and grandfather, he values the growth mindset he sees in his children.
AppWizard
February 19, 2026
Researchers from Kaspersky have discovered an Android backdoor named Keenadu, embedded in the firmware of devices, allowing it to infect tablets before they reach consumers. This malware, affecting over 13,700 users globally, primarily targets advertising fraud by hijacking browser search engines, monitoring app installations, and generating fraudulent revenue. Tablets from various manufacturers, including Alldocube, have been found compromised, with the malware likely inserted during the firmware build stage through a compromised supply chain. Keenadu has multiple variants, some hidden in applications, and employs evasion tactics based on device language settings and time zones. It cannot be removed using standard Android security tools, and users are advised to install clean firmware or replace their devices entirely.
AppWizard
February 17, 2026
A sophisticated Android malware named Keenadu has been discovered embedded in the firmware of various device brands, compromising all installed applications and granting unrestricted control over infected devices. It employs multiple distribution methods, including compromised firmware images delivered over-the-air, access via backdoors, embedding in system applications, modified applications from unofficial channels, and infiltration through apps on Google Play. As of February 2026, Keenadu has been confirmed on approximately 13,000 devices, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The firmware-integrated variant remains dormant if the device's language or timezone is associated with China and ceases to function without the Google Play Store and Play Services. While currently focused on ad fraud, Keenadu has extensive capabilities for data theft and risky actions on compromised devices. A variant embedded in system applications has limited functionality but elevated privileges to install apps without user notification. The malware has been detected in the firmware of Android tablets from various manufacturers, including the Alldocube iPlay 50 mini Pro. Kaspersky has detailed how Keenadu compromises the libandroid_runtime.so component, making it difficult to remove with standard Android OS tools. Users are advised to seek clean firmware versions or consider replacing compromised devices with products from trusted vendors.
Winsage
February 13, 2026
Security researcher Wietze Beukema revealed vulnerabilities in Windows LNK shortcut files at the Wild West Hackin' Fest, which could allow attackers to deploy harmful payloads. He identified four undocumented techniques that manipulate these shortcut files, obscuring malicious targets from users. The vulnerabilities exploit inconsistencies in how Windows Explorer handles conflicting target paths, allowing for deceptive file properties. One technique involves using forbidden Windows path characters to create misleading paths, while another manipulates LinkTargetIDList values. The most sophisticated method alters the EnvironmentVariableDataBlock structure to present a false target in the properties window while executing malicious commands in the background. Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, stating that exploitation requires user interaction and does not breach security boundaries. They emphasized that Windows recognizes shortcut files as potentially dangerous and provides warnings when opening them. However, Beukema noted that users often ignore these warnings. The vulnerabilities share similarities with CVE-2025-9491, which has been exploited by various state-sponsored and cybercrime groups. Microsoft initially did not address CVE-2025-9491 but later modified LNK file handling to mitigate the vulnerability after it was widely exploited.