cybersecurity researchers Archives

Winsage

June 3, 2026

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have identified an unpatched vulnerability that could expose NTLMv2 hashes to attackers, linked to the "search:" URI handler. This issue is similar to CVE-2026-33829, which involved a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler. The flaw allows attackers to trick users into connecting to their SMB servers, disclosing NTLMv2 hashes for authentication exploitation. The new vulnerability operates using "search:" and "crumb=location:" parameters, resulting in a similar Net-NTLMv2 leak. Microsoft has chosen not to address this issue, stating only vulnerabilities classified as Important or Critical would be fixed. Recommendations to mitigate risks include blocking outbound SMB traffic, enforcing SMB signing, and disabling NTLM authentication where possible.

AppWizard

June 3, 2026

Fake ‘Minecraft’ Mods Bring Malware to as Many as 116,000 Players

The "Minecraft" community is facing a cybersecurity threat from a malware operation called WeedHack, which disguises itself as fake mods to lure players into downloading it. This operation, run by a teenager, has affected over 116,000 players and uses social engineering tactics to distribute malicious mods, cheats, and clients. WeedHack spreads through trusted channels, including YouTube, and employs search engine optimization poisoning to mislead users. The malware operates by disseminating malicious Java Archive files that appear legitimate, compromising devices to extract sensitive information such as session IDs, browser cookies, and cryptocurrency wallet data. It can also steal credentials for applications like Discord, Steam, and Telegram, and includes remote control features for surveillance and keylogging. Approximately 2,000 new infections occur daily, primarily affecting users in the United States, Germany, India, the United Kingdom, and Italy. The low cost of access to this malware has led to its use by teenagers for online bullying and harassment.

AppWizard

May 25, 2026

Over 200 Fake Android Apps Are Quietly Stealing Money From Phone Bills

Zimperium identified a sophisticated malware campaign that exploited nearly 250 Android applications, posing as popular games and social media platforms. The malware ensnared users into premium subscription services without consent, using techniques like JavaScript injection and interception of one-time passwords. The campaign primarily targeted users in Malaysia, Romania, Thailand, and Croatia, with the malware capable of reading SIM cards and activating for specific mobile carriers. Zimperium first detected the scam in March 2025 and monitored it until at least January 2026. Google stated that none of the compromised applications were available on its app store and emphasized that Android users are protected by Google Play Protect. The hackers deployed three malware variants, with the first using an automated subscription engine, the second targeting users in Thailand with premium SMS messages, and the third combining SMS fraud with real-time notifications to attackers via Telegram. The campaign primarily affected Malaysian SIM card users, with significant activity also in Thailand and Romania. Despite the campaign's last known activity in January, parts of its infrastructure remain operational. The attacks highlight vulnerabilities in application security and the challenges of policing app downloads from third-party marketplaces.

AppWizard

May 20, 2026

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers have identified an ad fraud and malvertising operation called Trapdoor, targeting Android users with 455 malicious applications and 183 command-and-control domains. Users often download these disguised apps, which initiate malvertising campaigns and lead to further downloads of malicious applications. At its peak, Trapdoor generated 659 million bid requests daily, with over 24 million downloads of the associated apps, primarily from the United States. The operation exploits install attribution tools to activate malicious activities only for users acquired through fraudulent ad campaigns, while suppressing such behavior for organic downloads. Trapdoor employs advanced evasion techniques, including obfuscation and impersonation of legitimate software, to avoid detection. Google has removed the identified malicious apps from the Play Store in response to the threat.

AppWizard

May 9, 2026

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

Cybersecurity researchers from ESET have discovered 28 fraudulent applications on the Google Play Store that falsely claimed to provide access to call histories for any phone number. These apps have been downloaded over 7.3 million times, with one app alone accounting for over 3 million downloads. The operation, named CallPhantom, primarily targeted Android users in India and the Asia-Pacific region. Users were lured into subscription services, paying for access to fictitious data, including call histories and SMS records, but received only randomly generated information. Some apps were published under the developer name "Indian gov.in" to create a false sense of trust. Payments were processed through the Google Play Store or third-party applications like Google Pay and Paytm. Users who subscribed via Google Play may be eligible for refunds, while those who used third-party payment methods may not be able to recover their funds. The fraudulent activity may have been ongoing since at least November 2025.

BetaBeacon

May 5, 2026

ScarCruft hackers push BirdCall Android malware via game platform

APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.

Tech Optimizer

May 4, 2026

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities

Cybersecurity researchers at Wiz’s ZeroDay.Cloud event in London exploited two significant vulnerabilities in PostgreSQL, tracked as CVE-2026-2005 and CVE-2026-2006, which were disclosed on May 4, 2026. The vulnerabilities were found in the pgcrypto extension, affecting public-key decryption and symmetric decryption functions. CVE-2026-2005 allows privilege escalation via a buffer overflow during public-key decryption, while CVE-2026-2006 enables attackers to corrupt memory through inadequate checks in symmetric decryption. PostgreSQL has released patches for these vulnerabilities across versions 14.21 to 18.2, and MariaDB addressed a related issue in versions 11.4.10 and 11.8.6. Database administrators are advised to apply updates and audit logs for suspicious activity.

AppWizard

May 3, 2026

Telegram Mini Apps abused for crypto scams, Android malware delivery

Cybersecurity researchers have identified a fraud operation named FEMITBOT that exploits Telegram’s Mini App feature to conduct various crypto scams, impersonate reputable brands, and distribute Android malware. This operation uses a unique string in API responses and employs Telegram bots with embedded Mini Apps to create convincing app-like experiences. The scams include fraudulent cryptocurrency platforms and financial services, with impersonation of brands like Apple, Coca-Cola, Disney, eBay, IBM, Moon Pay, NVIDIA, and YouKu. The operation utilizes a shared backend infrastructure, allowing multiple phishing domains to use the same API response. Users interacting with the bots are shown phishing pages within Telegram’s WebView, often featuring fake balances and urgency tactics to prompt deposits or referrals. Additionally, some Mini Apps attempt to distribute malware disguised as legitimate Android APKs. Users are advised to be cautious when engaging with Telegram bots related to cryptocurrency investments and to avoid sideloading APK files.

Winsage

April 19, 2026

Windows Defender Security Flaws Actively Exploited by Hackers

Three vulnerabilities in Microsoft Defender, known as BlueHammer (CVE-2026-33825), RedSun, and UnDefend, are being actively exploited by hackers. BlueHammer has been patched, while RedSun and UnDefend remain unpatched. The public release of exploit code has accelerated real-world attacks, affecting Windows 10, Windows 11, and Windows Server systems. Attackers have begun exploiting these vulnerabilities, leading to concerns about privilege escalation, disruption of security updates, and the rapid spread of attacks.

AppWizard

April 17, 2026

New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps

Cybersecurity researchers from Zimperium zLabs have identified four families of Android malware—RecruitRat, SaferRat, Astrinox, and Massiv—targeting banking and cryptocurrency applications. These malware families can extract sensitive information from over 800 applications. They primarily use phishing and smishing to lure users into downloading malicious software. Phishing involves creating fake websites resembling legitimate login pages, while smishing uses urgent text messages with links to download harmful payloads. RecruitRat targets job seekers with fake employment websites, and SaferRat promises free access to premium video services. Astrinox mimics a business tool and has been linked to a fraudulent Apple App Store page, while Massiv's distribution methods remain unclear. Once installed, these malware applications initiate Overlay attacks, displaying counterfeit screens to capture user credentials. They also use a "blindfold" technique to obscure their activities by overlaying static images on the user's screen. The malware can intercept security codes, capture one-time passwords, and employ keylogging techniques. RecruitRat has a library of over 700 counterfeit login pages that activate with targeted apps. Researchers recommend avoiding links in urgent messages and downloading apps only from official sources.