data theft Archives

Winsage

December 3, 2025

Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

Microsoft has addressed a long-standing security vulnerability, identified as CVE-2025-9491, which has been exploited since 2017. This vulnerability involves a misinterpretation issue within Windows Shortcut (LNK) files, potentially allowing remote code execution. The flaw was highlighted in the November 2025 Patch Tuesday updates, with a CVSS score of 7.8/7.0. It allows crafted .LNK files to obscure harmful content, making it invisible to users, thus enabling attackers to execute code under the current user's context. The vulnerability was exploited by various state-sponsored groups, including those from China, Iran, North Korea, and Russia, for data theft and espionage. Microsoft initially deemed the flaw not warranting immediate attention, citing user interaction requirements and existing system warnings. Subsequent investigations revealed its exploitation by cyber espionage groups, including XDSpy and China-affiliated actors targeting European entities. The recent patch aims to ensure that the entire Target command is displayed in the Properties dialog, while 0patch provides warnings for LNK files exceeding 260 characters.

Tech Optimizer

December 3, 2025

Fileless protection explained: Blocking the invisible threat others miss

Fileless malware operates within a computer's active memory, avoiding detection by traditional antivirus solutions that rely on file scanning. It uses legitimate tools like PowerShell to execute harmful commands without creating files, making it difficult to identify. Cybercriminals can use fileless malware for various malicious activities, including data theft and cryptocurrency mining. Malwarebytes combats fileless attacks through two defense layers: Script Monitoring, which intercepts potentially dangerous scripts at execution, and Command-Line Protection, which scrutinizes command-line tools for suspicious activities. Examples of fileless attacks include malicious email attachments activating PowerShell to download ransomware, hidden JavaScript on websites mining cryptocurrency, and attackers using Windows Management Instrumentation (WMI) to create backdoors. Malwarebytes' Fileless Protection operates automatically in the background, ensuring legitimate applications function normally while monitoring for threats. It is part of a comprehensive security framework that includes machine-learning detection and web protection, designed to stop attacks that do not write files. This protection is included with Malwarebytes Premium, aimed at safeguarding personal and small business systems.

AppWizard

November 27, 2025

My dad filled his phone with random PDF apps and I blame Google

The author's father struggled to open a PDF on his HONOR phone, despite the device's native office suite supporting PDF files. He downloaded multiple misleading PDF apps from the Play Store, which did not resolve the issue. Eventually, he received a deceptive alert suggesting he update his PDF application, which led him to download yet another app. The problem was resolved when the author advised him to uninstall WPS Office, eliminating the misleading alerts and allowing PDFs to open correctly. A report from Malwarebytes indicated that only 15% of users feel confident identifying scams, highlighting the challenges users face in navigating the Android ecosystem. The Google Play Store has been criticized for hosting low-quality apps and deceptive ads, with a report from Zscaler noting the presence of hundreds of malicious apps. The author emphasizes the need for stricter advertising practices and better management of preinstalled apps to protect less tech-savvy users.

Tech Optimizer

November 17, 2025

EVALUSION Campaign Using ClickFix Technique to deploy Amatera Stealer and NetSupport RAT

In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, where users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. Following this, attackers deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption to mislead security efforts. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves payloads encrypted with RC2 from platforms like MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. The malware disables AMSI by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' security scanning. Amatera communicates with command servers through encrypted channels, using AES-256-CBC for traffic encryption, making inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads targeting high-value assets.

Tech Optimizer

November 13, 2025

Hackers Using RMM Tools LogMeIn and PDQ Connect to Deploy Malware as Legitimate Software

Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have discovered an attack campaign that uses legitimate Remote Monitoring and Management (RMM) tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on users' systems. Attackers lure victims to fake download sites that mimic legitimate software pages for utilities like Notepad++, 7-Zip, and VLC Media Player, delivering modified versions of LogMeIn Resolve. The malicious installers are disguised with filenames such as "notepad++.exe" and "chatgpt.exe." Once executed, these files install the RMM tool and additional malware capable of stealing sensitive information. ASEC has identified three CompanyId values associated with the attacks: 8347338797131280000, 1995653637248070000, and 4586548334491120000. The malware, known as PatoRAT, is a Delphi-developed backdoor that gathers system information and has extensive malicious capabilities, including keylogging and remote desktop access. Users are advised to download software only from official websites and verify digital signatures, while organizations should monitor for unauthorized RMM installations and the identified indicators of compromise.

AppWizard

November 4, 2025

VajraSpy Malware Lurks in 12 Android Chat Apps via Romance Scams

Security researchers from ESET have identified malicious apps targeting Android users that masquerade as legitimate messaging tools, capable of recording conversations, stealing text messages, and tracking locations. Known as VajraSpy, this malware can capture audio, take screenshots, and exfiltrate contacts and call logs, transmitting sensitive information to cybercriminal-controlled servers. The campaign primarily targets users in Pakistan and India, but the apps are globally distributed. These deceptive applications often appear on platforms like the Google Play Store and are removed after detection. Attackers use emotional manipulation to convince users to download the compromised app, which can intercept two-factor authentication codes, leading to account takeovers. Businesses face risks of exposing corporate secrets through infected devices. Recent incidents show similar spyware infiltrations, with some apps recording over 1,400 downloads before removal. Experts recommend using verified app sources, enabling multi-factor authentication, and reviewing app permissions to mitigate risks. Users should uninstall suspicious apps, change passwords, and monitor accounts for unusual activity if affected. The spyware's ability to record conversations without consent violates privacy norms and could lead to legal consequences for those responsible. The industry is urged to advocate for stricter regulations on app marketplaces and improve international cooperation to dismantle cyber networks.

Tech Optimizer

November 3, 2025

70% of Americans think antivirus will protect their online privacy – here’s the real truth

A survey by NordVPN revealed that while 52% of American consumers claim to use antivirus software daily, many do not understand its fundamental functions. Over a quarter mistakenly believe antivirus software provides complete protection against online threats, which increases their vulnerability to identity theft and cyber threats. Additionally, more than a third of participants reported not using any form of cybersecurity software, despite concerns about data theft. Commonly misunderstood security tools include identity theft protection services, ad and tracker blockers, password managers, firewalls, and VPNs. Misunderstanding these tools can jeopardize online security, as personal information like email addresses and phone numbers can be exploited in phishing attacks. The survey highlighted the need for better cybersecurity education, as misconceptions about antivirus capabilities can leave users exposed to various online threats.

TrendTechie

November 3, 2025

RuTube и VK Видео изменили правила игры на пиратском рынке контента

The volume of pirated video content in Russia decreased by over 14% in the first half of 2025, with a reported decline to approximately 0.6 million instances. The amount of blocked pirated content surged by 42% in 2024, reaching 12.5 million instances, and the number of blocked pirate domains rose to 110,000. Russia is the third-largest consumer of pirated content globally, following the United States and India. The peak of Russian online piracy occurred between 2015 and 2018. Torrents are becoming obsolete, particularly among younger generations, who prefer legal access to content. Users face risks from hackers when visiting sites offering free content, with warnings about potential viruses and data theft.

Winsage

October 31, 2025

Windows LNK File UI Misrepresentation Enables Remote Code Execution Attacks

A vulnerability in the Windows operating system, identified as ZDI-CAN-25373 and disclosed in March 2025, allows advanced persistent threat (APT) actors to deploy malware by manipulating whitespace in Windows LNK files. This technique has been adopted by espionage groups from North Korea, China, Russia, and Iran for data theft and intelligence-gathering. The flaw enables malicious PowerShell commands to be concealed within seemingly legitimate shortcut files, which execute automatically when opened. The exploitation involves weaponized LNK files that initiate obfuscated PowerShell commands to decode embedded TAR archives containing a legitimate Canon printer utility, a malicious loader DLL, and an RC4-encrypted payload with remote access trojan malware. The legitimate executable, although signed with an expired certificate, is trusted by Windows due to its valid timestamp. As of October 2025, Microsoft has not released a patch for this vulnerability, prompting organizations to implement defensive measures against its exploitation.

AppWizard

October 30, 2025

NFC Relay Attack: 700+ Android Apps Harvest Banking Login Details

Researchers at zLabs have identified over 760 malicious Android applications that exploit Near Field Communication (NFC) technology to steal banking credentials and facilitate fraudulent transactions. This cybercrime campaign has expanded from isolated incidents in April 2024 to a widespread operation targeting financial institutions in countries including Russia, Poland, the Czech Republic, Slovakia, and Brazil. The malware utilizes social engineering tactics by impersonating around 20 legitimate banking institutions and government services, such as VTB Bank, Tinkoff Bank, and the Central Bank of Russia. The malware ecosystem is supported by over 70 command-and-control servers and private Telegram channels for data exfiltration. Attackers deceive victims into granting dangerous NFC permissions, allowing the malware to intercept payment data during contactless transactions. Some campaigns use paired applications for data extraction and fraudulent purchases, while others focus solely on data exfiltration. The malware maintains communication with its command-and-control infrastructure, enabling real-time relay attacks to conduct transactions using victims' payment credentials. The rapid spread of this NFC-based payment malware highlights the adaptability of cybercriminals as contactless payment technologies become more common. Financial institutions are urged to enhance fraud detection systems, mobile device manufacturers should tighten NFC permission controls, and users are advised to be cautious when granting NFC access to applications.