cybersecurity Archives

Winsage

June 25, 2026

Introduction to COM usage by Windows threats

Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM. COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying. COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls. Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.

AppWizard

June 24, 2026

Minecraft mod hides malware sweeping Australian gaming communities

A new US price point in cybersecurity has made advanced cyber capabilities accessible to a wider audience, including individuals who may want to cause harm for personal reasons rather than financial gain. In Australia, personal cyber insurance products have traditionally focused on risks like identity theft and financial fraud, driven by economic incentives. As the nature of cyber threats evolves, existing insurance products may not adequately cover risks from individuals motivated by personal grievances, prompting a need for insurers to reevaluate coverage, risk assessment, and customer education.

AppWizard

June 24, 2026

Government’s homegrown messaging app ‘NepaConnect’ appears on google play store

A government-developed messaging application named NepaConnect has been launched on the Google Play Store, aiming to provide a secure internal communications platform for state officials in Nepal. The initiative, disclosed by Finance Minister Dr. Swarnim Wagle, involves the creation of a sovereign digital infrastructure with a team of around 80 technical professionals. NepaConnect features include encrypted communication, document sharing, secure file storage, location sharing, voice messaging, document scanning, meeting scheduling, AI integration, status feeds, and ride-management services. The app is designed to centralize various workplace functions and reduce reliance on foreign communication platforms. However, details about its security standards, encryption protocols, and overall transparency remain limited. Currently, the application is in early development stages, with some features incomplete or non-functional. The future success of NepaConnect will depend on factors such as cybersecurity, user adoption, and the government's ability to encourage civil servants to switch from existing platforms.

AppWizard

June 24, 2026

Grand Theft Auto 6 ‘VIP early access’ scam sites are already popping up, Malwarebytes warns

Grand Theft Auto 6 is set to release on November 19, with official preorders starting on June 25. Fraudulent websites are offering "VIP early access" for high fees, primarily in cryptocurrency. Malwarebytes has warned that these scams exploit the game's popularity, charging inflated prices for nonexistent access and mimicking legitimate platforms. The scams target younger audiences, using persuasive language to encourage impulsive decisions. Consumers are advised to be cautious, as there is currently no legitimate early access available.

Winsage

June 23, 2026

In 2011, Microsoft signed the Secure Boot certificates that still sit inside millions of Windows PCs, and the first one expires on June 24, 2026, leaving unupdated machines running normally while future boot-level revocations stop reaching them

Microsoft's Secure Boot certificates, including the Microsoft Corporation KEK CA 2011, will expire on June 24, 2026, followed by the Microsoft UEFI CA 2011 on June 27 and the Microsoft Windows Production PCA 2011 on October 19. New certificates issued in 2023 will replace these older ones. While devices will continue to operate and receive standard Windows updates, they will gradually lose access to critical security updates that protect against boot-level threats. After June 24, the ability to sign new disallowed signature database payloads with the old KEK will be lost, reducing the capacity to revoke compromised bootloaders. Users are advised to keep Windows and firmware updates current, while enterprises may face challenges managing diverse machine inventories for updates.

Tech Optimizer

June 23, 2026

Active Exploitation of Critical CVE-2026-20253 in Splunk Enterprise: Unauthenticated RCE via PostgreSQL Sidecar Service

A critical security vulnerability, SVD-2026-0603 (CVE-2026-20253), has been identified in Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. This flaw allows unauthenticated, remote attackers to create or truncate arbitrary files on the host system by exploiting the PostgreSQL Sidecar Service endpoints. The vulnerability is actively exploited, with public proof-of-concept code available, and has been added to the CISA Known Exploited Vulnerabilities (KEV) list. Successful exploitation can lead to full remote code execution (RCE) as the Splunk user. The vulnerability arises from inadequate authentication controls on the PostgreSQL Sidecar Service endpoints, specifically /v1/postgres/recovery/backup and /v1/postgres/recovery/restore, which are accessible without authentication. It is classified under CWE-306: Missing Authentication for Critical Function and has a CVSS v3.1 base score of 9.8 (Critical). Attackers can exploit the vulnerability by sending crafted HTTP POST requests to the exposed endpoints, allowing them to create or truncate files and potentially execute malicious scripts. Indicators of compromise include unexpected files in directories such as /tmp/ or /opt/splunk/var/run/supervisor/pkg-run/, modified Splunk Python scripts, and unusual outbound connections from Splunk to unknown PostgreSQL servers. The vulnerability aligns with several MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). Active exploitation of CVE-2026-20253 has been confirmed, and it is likely that both opportunistic cybercriminals and sophisticated threat actors will use this exploit. The affected versions of Splunk Enterprise are 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6, with the issue resolved in versions 10.2.4 and 10.0.7. Organizations are advised to upgrade to fixed versions or disable the PostgreSQL Sidecar Service as a mitigation strategy.

Tech Optimizer

June 22, 2026

I Turned Off All Antivirus Protection for a Week. Here’s What I Learned

The author conducted an experiment by disabling both Bitdefender and Windows Security for a week to rely solely on personal cybersecurity instincts. They took precautions by using a secondary device and backing up important data. Throughout the week, the author experienced heightened awareness while navigating online tasks, encountered a phishing email, and adapted to a more deliberate browsing rhythm. Key takeaways included exercising caution, verifying sources, being aware of URLs, and keeping software updated. The experiment highlighted the importance of both good habits and antivirus software in maintaining cybersecurity. The author concluded that while personal vigilance is crucial, antivirus software is essential for those lacking strong instincts.

Tech Optimizer

June 21, 2026

Malware Has Gotten Smarter. Here’s How Your Antivirus Has, Too

Antivirus software is evolving from relying on static databases of known malware signatures to employing behavioral monitoring and machine learning for threat detection. Traditional antivirus solutions focused on recognizing known threats through unique signatures, but this approach has become inadequate due to the rapid evolution of malware, including polymorphic and metamorphic types. Modern antivirus systems now monitor program behavior, looking for suspicious activities such as unexpected file encryption or unusual network communication. Machine learning models analyze large datasets to identify patterns associated with malware, allowing for the classification of files as safe, potentially unwanted, or malicious. Techniques like sandboxing and dynamic analysis are used to preemptively neutralize threats. However, advancements in AI also present challenges, as cybercriminals can exploit these technologies to create sophisticated malware that evades detection. Despite improvements in antivirus effectiveness, modern cyberattacks increasingly target individuals through methods like phishing and social engineering, necessitating a combination of robust antivirus solutions and good cybersecurity practices.

Tech Optimizer

June 21, 2026

Is Free Antivirus Safe in 2026? What Most Free Antivirus Apps Don’t Tell You

Some free antivirus software provides legitimate protection against malware, viruses, ransomware, trojans, and suspicious downloads, but not all are equal. Free antivirus programs often generate revenue through premium upgrades, advertising, partner promotions, data collection, or bundled software offers. Users may face upselling tactics, including pop-up notifications and upgrade prompts, which can create confusion between marketing messages and actual security threats. Many free antivirus apps collect data on websites visited, download activity, device information, and security events, raising privacy concerns. Devices often come with built-in antivirus protection, such as Microsoft Defender for Windows and XProtect for Mac, while smartphones have multiple layers of security. In 2026, the biggest cybersecurity risks are phishing attacks, fake websites, investment scams, account takeovers, social engineering attacks, and credential theft, rather than malware. Free antivirus software can create a false sense of security, leading users to believe they are safe from cyber threats. A reputable free antivirus may suffice for users who browse responsibly and maintain good online habits, while paid antivirus may be worth it for additional services like identity theft monitoring and VPNs. Not all free antivirus products offer the same level of protection, so users should choose reputable providers and scrutinize privacy policies.

Tech Optimizer

June 20, 2026

Chinese police bust cybercrime ring behind ‘Silver Fox’ Trojan virus

Chinese law enforcement has dismantled cybercrime operations linked to a new variant of the Silver Fox Trojan virus, which targets employees in enterprises and public institutions, particularly in financial roles. The malware allows cybercriminals remote access to steal account credentials, intercept SMS verification codes, and harvest personal information. A criminal syndicate in Jilin province, led by an individual named Chen, developed this Trojan and conducted mass phishing campaigns, resulting in losses exceeding 7 million yuan. Police have taken action against Chen and 26 accomplices, with ongoing investigations. Recommendations for enhancing personal cybersecurity include downloading software from official websites, scrutinizing website domains, verifying links before clicking, and disconnecting compromised computers from the internet. Under China's Criminal Law, unauthorized access to computer systems and data theft can lead to imprisonment and financial penalties.