detection systems Archives

Tech Optimizer

May 12, 2026

Trend Micro Inc stock (JP3180400008): Trading at premium to fair value estimate

Trend Micro Inc (TSE: 4704) is trading at ¥6,178.00, which is a 698% premium over Morningstar's estimated fair value of ¥8,415.77 for May 2026. The company specializes in cybersecurity solutions, including antivirus software and cloud security, with a subscription-based business model. Its core markets include Japan, North America, Europe, and Asia-Pacific, with significant revenue from enterprise security solutions like the Trend Micro Vision One XDR platform. The company has a Price/Earnings ratio of 20.02, a Quick Ratio of 1.10, and a Return on Assets of 13.52%. The rising demand for cybersecurity, particularly in North America, is a key revenue driver. Trend Micro's portfolio includes AI-powered threat intelligence and mobile security solutions, targeting sectors like finance and healthcare. The company is positioned favorably against competitors and offers U.S. investors access through American Depository Receipts (ADRs).

AppWizard

May 12, 2026

TrickMo Android Malware Targets Banking, Wallet, and Authenticator Apps

TrickMo, an Android banking malware, has re-emerged with enhanced stealth and operational capabilities, targeting banking, fintech, wallet, and authenticator apps. It retains its core device takeover abilities while improving stealth, persistence, and flexibility. The malware persuades users to grant accessibility permissions, allowing full remote control, including real-time screen viewing. A significant advancement is its shift to The Open Network (TON) for command-and-control communication, complicating takedown efforts. TrickMo has been actively deployed in France, Italy, and Austria since early 2026, using fake login overlays to capture credentials while recording user activity. It communicates through .adnl endpoints within the TON network and employs DNS-over-HTTPS for encrypted DNS queries. The malware's modular design includes a primary application as a loader and a dynamically loaded APK module called “dex.module” for malicious capabilities. It features network reconnaissance and tunneling capabilities, allowing commands like HTTP probing and establishing SSH tunnels, which can bypass fraud detection systems. Dormant features suggest potential for future capabilities without altering the core application. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo's various components.

Winsage

May 11, 2026

New GhostLock tool abuses Windows API to block file access

A security researcher has developed a proof-of-concept tool called GhostLock, which exploits a vulnerability in the Windows file API, specifically the 'CreateFileW' function. By manipulating the 'dwShareMode' parameter to grant exclusive access to files, GhostLock can prevent other users or applications from opening those files, resulting in a 'STATUSSHARINGVIOLATION' error. The tool automates the process of opening multiple files on SMB shares, causing access disruptions without requiring elevated privileges. This technique is intended as a disruption attack rather than a destructive one, similar to ransomware, and can serve as a diversion during intrusions. Detection of this attack relies on monitoring the open-file count with ShareAccess set to 0 at the file server layer. Dvash has provided resources for IT teams to enhance detection capabilities against this threat.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

Tech Optimizer

April 8, 2026

Avast Antivirus: A Complete Guide to the Software and Its Security Features

Avast antivirus is a widely used digital security solution for mobile and desktop platforms, developed by Gen Digital. It offers a free version that is accessible and easy to set up, making it popular among first-time users. Key security features include real-time threat protection, web protection tools, email protection, behavior monitoring, and a network inspector. The software operates quietly in the background, has a clean and intuitive interface, and provides essential security features in its free version. However, users may experience intrusive upgrade prompts, and advanced tools require a paid subscription. Avast distinguishes itself by offering behavioral threat detection in both free and paid versions, and its extensive user base enhances its threat detection capabilities. The free version includes basic protections suitable for everyday online activities, but advanced features necessitate an upgrade. Users are encouraged to adopt strong passwords, utilize password managers, enable two-factor authentication, and practice safe browsing habits to ensure online privacy.

AppWizard

February 27, 2026

Facebook designed an app for teens called Bell but never launched it, court records reveal

In 2018, Facebook proposed an app named Bell aimed at high school students to create a safe space for communication about school events and social interactions. Internal documents indicated that Facebook intended for Bell to engage teens and transition them to the main platform after graduation. The app was designed to include features like group chats, event organization, and an anonymous confessions section. Facebook aimed for Bell to reach 80% of U.S. high schools by the end of 2020, with plans to expand globally. However, the app was never developed, and a spokesperson described it as an early exploratory idea dependent on strong content moderation. Meta has faced legal challenges regarding the impact of its platforms on minors' mental health and has implemented features in its Teen Accounts to empower parental control.

Tech Optimizer

February 24, 2026

Fake Huorong Site Delivers ValleyRAT Backdoor in Targeted Malware Campaign

A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.

Tech Optimizer

December 30, 2025

Hackers Advertised VOID ‘AV Killer’ with Kernel-level Termination Claims

A new threat actor named Crypt4You is promoting a tool called VOID KILLER on underground forums and dark web marketplaces. VOID KILLER is designed as a kernel-level antivirus and endpoint detection response process killer, specifically engineered to bypass existing security defenses. It targets the core of operating systems to dismantle protective barriers, posing a significant challenge to contemporary defensive architectures. VOID KILLER can terminate Windows Defender and around fifty consumer-grade antivirus solutions without detection, utilizing polymorphic build techniques to evade signature-based detection systems. It features automatic User Account Control (UAC) bypass mechanisms and can inject any executable file, making it compatible with various malware families. Custom builds of VOID KILLER are priced at three hundred dollars, and payment is accepted in cryptocurrencies. Organizations using Windows Defender, consumer antivirus software, and advanced EDR solutions face increased risk exposure due to this tool.

Tech Optimizer

December 28, 2025

Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass

A malicious entity named AlphaGhoul has introduced a tool called NtKiller, designed to disable antivirus software and endpoint detection systems, posing a threat to organizations using traditional security measures. NtKiller was advertised on an underground forum, claiming to allow attackers to operate undetected while executing malware. It reportedly circumvents security programs like Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro, and can bypass enterprise-grade Endpoint Detection and Response solutions in aggressive modes. Analysts from KrakenLabs noted that NtKiller uses early-boot persistence mechanisms to evade detection and operates on a modular pricing structure, with core functionality available for [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A malicious entity known as AlphaGhoul has recently surfaced within the cybercriminal underworld, promoting a tool dubbed NtKiller. This tool is engineered to discreetly disable antivirus software and endpoint detection systems, posing a new threat to organizations that rely on traditional security measures. NtKiller was unveiled on an underground forum frequented by individuals seeking to buy and sell hacking services. The advertisement claims that this tool enables attackers to operate undetected while executing their malware on compromised machines. The introduction of NtKiller signifies a formidable challenge for businesses that depend on established security solutions. According to the threat actor, the tool is capable of circumventing several widely-used security programs, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. Alarmingly, it is also said to bypass enterprise-grade Endpoint Detection and Response (EDR) solutions when utilized in aggressive modes. Analysts from KrakenLabs have observed that NtKiller employs early-boot persistence mechanisms, allowing it to remain concealed and evade detection by security teams once activated. This stealthy approach complicates efforts to identify and eliminate the malware. Further investigation by KrakenLabs revealed that NtKiller operates on a modular pricing structure. The core functionality is available for 0, with additional features such as rootkit capability and User Account Control (UAC) bypass each priced at an extra 0. This pricing model indicates that the tool has been meticulously crafted for commercial distribution within the cybercriminal ecosystem. Beyond merely terminating processes, NtKiller is purported to support advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Technical capabilities The technical features attributed to NtKiller render it particularly perilous in the hands of adept attackers. The tool's early-boot persistence mechanism allows it to embed itself during system startup, prior to the activation of many security monitoring systems. This timing advantage facilitates the execution of malicious payloads in an environment where detection capabilities are significantly diminished. Moreover, the anti-debugging and anti-analysis protections embedded within NtKiller hinder researchers and automated tools from scrutinizing the malware's behavior, resulting in a substantial knowledge gap regarding its true capabilities versus its promotional claims. Another critical feature is the silent UAC bypass option, which enables malware to acquire elevated system privileges without triggering standard Windows prompts that could alert users to suspicious activities. When combined with rootkit functionality, this allows attackers to maintain persistent access to compromised systems while remaining undetected by conventional security measures. It is essential to highlight that these capabilities have yet to be independently verified by third-party researchers, leaving the actual effectiveness of NtKiller uncertain. Organizations are urged to remain vigilant and ensure their security tools incorporate behavioral detection mechanisms that extend beyond signature-based identification to effectively combat such emerging threats. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and additional features priced at 0 each. The tool supports advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Its silent User Account Control bypass option allows malware to gain elevated privileges without alerting users. The effectiveness of NtKiller's capabilities has not been independently verified, prompting organizations to enhance their security measures beyond signature-based detection.

Tech Optimizer

November 17, 2025

EVALUSION Campaign Using ClickFix Technique to deploy Amatera Stealer and NetSupport RAT

In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, where users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. Following this, attackers deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption to mislead security efforts. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves payloads encrypted with RC2 from platforms like MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. The malware disables AMSI by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' security scanning. Amatera communicates with command servers through encrypted channels, using AES-256-CBC for traffic encryption, making inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads targeting high-value assets.