cybersecurity researchers Archives

Winsage

June 26, 2025

Researchers Demonstrate Windows Registry Manipulation via C++ Program

Cybersecurity researchers have developed a C++ program that demonstrates how attackers manipulate the Windows Registry to establish persistence, evade security measures, and alter system behavior. The Windows Registry is a database for system, application, and user settings, making it a target for malware. Key tactics include: - Persistence: Malware adds entries to auto-start locations to survive system reboots. - Evasion: Attackers modify security-related keys to circumvent defenses. - Privilege Escalation: Weak permissions on service keys can allow redirection of execution paths. The C++ program uses Windows API functions to create or modify registry keys, simulating real-world malware tactics. Key functions include: - RegCreateKeyEx: Opens or creates a registry key. - RegSetValueEx: Writes a value into the specified key. Red teamers use such code to simulate threats, focusing on persistence, configuration tampering, and payload storage. Blue teams can mitigate risks through monitoring, restricting permissions, and endpoint detection. The demonstration emphasizes the importance of ethical testing practices and the need for proactive registry monitoring and least-privilege access controls in cybersecurity.

AppWizard

June 19, 2025

GodFather Android Malware Runs Real Apps in a Sandbox to Steal Data

Cybersecurity researchers at Zimperium zLabs have discovered a new variant of the GodFather Android malware that uses on-device virtualization to hijack legitimate mobile applications, primarily targeting banking and cryptocurrency apps. This malware installs a concealed host application that downloads a genuine version of the targeted app within a controlled environment, redirecting users to this manipulated version. It monitors user actions in real time, capturing sensitive information like usernames and passwords. The GodFather malware targets 484 applications globally, with a focus on 12 financial institutions in Turkey. It employs traditional overlay attacks and uses legitimate open-source tools to evade detection. The malware manipulates APK files, relocates malicious code, and utilizes Android’s accessibility services to deceive users into granting permissions. It also encodes critical information to complicate tracking efforts and transmits screen details back to attackers for real-time monitoring.

Tech Optimizer

June 9, 2025

Cryptostealing Malware Found in Printer Software Highlights Growing Supply Chain Threat

A cybersecurity incident involving Procolored printers revealed vulnerabilities in everyday hardware, as users may have downloaded malware capable of stealing cryptocurrencies like Bitcoin. Tech content creator Cameron Coward reported an antivirus alert linked to Procolored printer software, prompting an investigation by G Data researchers who found malicious code in installation files on the manufacturer's website. The identified threats included a remote access tool (Win32.Backdoor.XRedRAT.A) and a cryptocurrency wallet stealer (MSIL.Trojan-Stealer.CoinStealer.H). Compromised files were last updated in October 2024 and distributed through official channels. The company initially denied the issue but later removed the downloads from their website in May 2025 and acknowledged the malware might have been introduced via USB transfers. An analysis of an attacker’s wallet showed a total of 9.3 BTC accumulated across 330 transactions before it was emptied. Cybersecurity experts recommend that users conduct antivirus scans and consider reformatting drives and reinstalling operating systems if infections are suspected.

Tech Optimizer

May 29, 2025

A Trojan-Downloading Website Is Imitating a Popular Antivirus Website

Hackers are increasingly using sophisticated techniques to entice users into downloading malware, with many individuals still falling victim to basic social engineering tactics. A counterfeit website mimicking the legitimate antivirus program Bitdefender has been created, which could mislead users. This spoofed site hosts a bundled executable named StoreInstaller.exe that contains malware configurations linked to VenomRAT, capable of remote access, credential theft, keylogging, and data exfiltration. The counterfeit site closely resembles the legitimate one, making it difficult for untrained users to distinguish between them. Users are advised to download antivirus software only from reputable sources and to verify the authenticity of the website before proceeding.

Tech Optimizer

May 19, 2025

Hackers can turn off Windows Defender with this sneaky new tool

A security researcher known as es3n1n has developed a program called Defendnot, which disguises itself as an antivirus application and exploits a previously undocumented Windows Security Center (WSC) API. Defendnot registers itself as a legitimate antivirus, causing Windows Defender to disable itself when it detects another antivirus, leaving users vulnerable. Microsoft has responded by enabling Defender to detect and quarantine Defendnot as 'Win32/Sabsik.FL.!ml'. This is not the first version of such a program; a previous iteration was removed due to copyright infringement.

Winsage

April 8, 2025

Neptune RAT malware is hijacking Windows PCs, holding them for ransom and stealing passwords

Cybercriminals have released a new malware strain called Neptune RAT, which targets Windows PCs and is capable of stealing cryptocurrencies and passwords, as well as holding data for ransom. It features a crypto clipper that can alter cryptocurrency wallet addresses, a password-stealing function affecting over 270 applications, and ransomware capabilities that lock files until a ransom is paid. The malware can disable antivirus software, monitor victims' screens in real-time, and has the ability to wipe a PC. It is distributed through platforms like GitHub, Telegram, and YouTube, making it difficult for cybersecurity researchers to analyze. Users are advised to be cautious with downloads, consider identity theft protection services, and practice safe browsing habits to mitigate risks.

Winsage

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.

Tech Optimizer

February 28, 2025

Evolving Snake Keylogger Variant Targets Windows Users

Cybersecurity researchers at Fortinet have identified a new variant of the Snake Keylogger malware, which has blocked over 280 million infection attempts globally. This malware captures sensitive user information, including credentials and browser data, and has the highest infection rates in China, Turkey, Indonesia, Taiwan, and Spain. The Snake Keylogger operates in three phases: distribution through phishing emails, data collection by capturing keystrokes and extracting credentials from browsers, and data transmission to command-and-control servers via encrypted channels. It employs advanced evasion techniques, such as process hollowing and persistence mechanisms, to operate stealthily. The malware uses obfuscation tools like AutoIt scripting to evade antivirus defenses and specifically targets browser-stored credentials. Security experts recommend caution with emails, using updated antivirus software, and regular patching of systems to mitigate risks.

Tech Optimizer

February 27, 2025

New Malware Uses Legitimate Antivirus Driver to Bypass All System Protections

Cybersecurity researchers at Trellix have identified a malware campaign utilizing a legitimate antivirus driver, specifically the Avast Anti-Rootkit driver (aswArPot.sys), to gain kernel-level access and bypass security protocols. The malware, named “kill-floor.exe,” deploys the Avast driver as a file called “ntfs.bin” and registers it as a service using the Service Control utility (sc.exe) to obtain unrestricted privileges. It monitors active processes and terminates security-related processes by communicating with the Avast driver through the DeviceIoControl API. The malware exploits kernel-mode capabilities to execute actions that dismantle system defenses. Organizations are advised to implement BYOVD protection strategies, including detection rules for vulnerable drivers. Key indicators associated with this campaign include the MD5 hashes: 40439f39f0195c9c7a3b519554afd17a (kill-floor.exe) and a179c4093d05a3e1ee73f6ff07f994aa (ntfs.bin).

AppWizard

February 25, 2025

Popular Android financial help app is actually dangerous malware

Cybersecurity researchers discovered a predatory loan application called SpyLoan on the Google Play Store, which targeted Indian consumers and achieved around 100,000 downloads before being removed. The app presented itself as a financial management tool but required extensive permissions, accessing sensitive user information. User reviews indicated experiences of blackmail and low loan amounts. SpyLoan falsely claimed affiliation with a registered non-banking financial company and redirected users to download a separate loan application from an external site, circumventing some Google safeguards. Google confirmed the app's removal and stated that Android devices are protected against known malware through Google Play Protect.