DLLs Archives

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.

AppWizard

December 11, 2025

AMD’s Redstone update could revitalize FSR for PC games – here’s why Nvidia should be worried

AMD has launched FSR Redstone, accessible through the AMD Adrenalin 25.12.1 driver, featuring FSR Frame Generation, Ray Regeneration, and Radiance Caching, along with enhanced FSR Upscaling technology, compatible exclusively with RDNA 4 hardware (Radeon RX 9060 XT and RX 9070 XT/RX 9070 GPUs). Ray Regeneration will debut in Call of Duty: Black Ops 7, with plans for future titles. The update aims to improve image quality and performance, closing the gap with Nvidia's DLSS 4 technology. However, it lacks backward compatibility with older GPUs, limiting its use to RDNA 4 hardware. FSR Radiance Caching is expected to enhance ray tracing performance in 2026, and the FSR Redstone SDK will facilitate easier integration into games.

Tech Optimizer

October 20, 2025

New DefenderWrite Tool Allows Attackers to Inject Malicious DLLs into AV Executable Folders

DefenderWrite is a new tool that uses whitelisted Windows programs to bypass antivirus protections and write files into executable folders. Developed by cybersecurity expert Two Seven One Three, it allows penetration testers to deploy payloads in secure locations without needing kernel-level access. The tool identifies whitelisted system programs, enabling attackers to inject malicious DLLs into antivirus folders. In tests on Windows 11 with Microsoft Defender, four vulnerable programs were identified: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe. DefenderWrite includes parameters for targeted operations and a PowerShell script for scanning executables. It highlights the need for antivirus vendors to improve their whitelisting policies and process isolation. The tool is publicly available, raising concerns about its potential use in real-world attacks.

Tech Optimizer

October 14, 2025

New IAmAntimalware Tool Injects Malicious Code Into Processes Of Popular Antiviruses

A new tool called IAmAntimalware was released on October 11, 2025, by a developer known as Two Seven One Three on GitHub. It is designed to infiltrate antivirus software by injecting malicious code, exploiting vulnerabilities in Windows service cloning and digital signature manipulation. IAmAntimalware can clone legitimate antivirus services, allowing it to bypass antivirus self-protection mechanisms. It modifies the Windows Cryptography API registry to hijack the cryptographic provider and supports COM object CLSID manipulation for component loading. The tool relies on a companion tool named CertClone to duplicate valid Windows certificates, making injected DLLs appear legitimate. Demonstrations have shown its ability to inject code into processes like Bitdefender’s BDProtSrv, creating unauthorized files within antivirus folders. Although widespread exploitation has not yet occurred, its open-source nature and straightforward design could lead to increased adoption. Security analysts rate the technique as medium severity due to its reliance on system access and lack of zero-day exploits, highlighting vulnerabilities in antivirus trust models. Experts recommend monitoring unusual module loads and enforcing strict certificate trust policies to mitigate risks associated with IAmAntimalware.

Tech Optimizer

October 11, 2025

Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor

A new cybersecurity technique allows attackers to exploit antivirus software by injecting malicious code into its processes, evading detection and compromising security. The method involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder. This technique takes advantage of antivirus solutions' reliance on operating system features and less-guarded auxiliary components. By exporting and importing registry keys, attackers can create a duplicate service that retains the original's configurations, allowing for the injection of malicious DLLs during service startup. An open-source tool named IAmAntimalware automates this process, successfully demonstrating the technique with various antivirus programs. To mitigate these threats, monitoring of module loads, auditing trusted certificates, and enforcing security features are recommended.

Winsage

September 26, 2025

LNK Malware Leverages Legit Windows Files to Slip Past Defenses

Threat actors from Israel have reintroduced the use of Windows shortcut (.LNK) files to deliver a Remote Access Trojan (RAT). Victims are lured to download a file named “cyber security.lnk” from a Discord channel, which opens a decoy PDF while executing a PowerShell script in the background. The script uses odbcconf.exe to register and execute a malicious DLL (Moq.dll) and its supporting libraries. The RAT can collect system metrics, capture screenshots, upload files via the Dropbox API, and execute commands from a command-and-control (C2) server. It ensures persistence by modifying a registry key to launch on user login. Mitigation strategies include monitoring the execution of legitimate binaries, enforcing application whitelisting, and educating users about the risks of downloading files from untrusted sources.

Tech Optimizer

September 25, 2025

LNK Malware Leverages Windows Binaries to Evade Security Tools and Run Malicious Code

Cybersecurity researchers have identified a malware campaign utilizing Windows shortcut (.LNK) files distributed via Discord to deploy a Remote Access Trojan (RAT). The malicious file, named “cyber security.lnk,” lures users with a fake job offer PDF while executing PowerShell commands in the background. It displays a decoy document titled “Cyber Security.pdf” to distract victims during the infection process. The malware exploits the legitimate Windows utility odbcconf.exe to execute a malicious DLL named Moq.dll without triggering security alerts. A PowerShell script extracts a ZIP file containing the payload and runs it using the command: odbcconf.exe /a {regsvr "C:UsersPublicNugetmoq.dll"}. This approach bypasses standard security measures by utilizing trusted binaries. Moq.dll employs advanced evasion techniques, including modifying the AmsiScanBuffer function to disable the Anti-Malware Scan Interface (AMSI) and altering the EtwEventWrite function in ntdll.dll to prevent monitoring through event logs. The malware ensures persistence by modifying the Windows registry to run with explorer.exe at user login and communicates with its command and control server at hotchickenfly.info. The RAT can capture screenshots, gather system information, and exfiltrate data via Dropbox’s API, using AES encryption for its communications. This threat was first observed in Israel and highlights the trend of malware authors leveraging legitimate Windows tools to evade detection. Security researchers from K7 Labs have identified the malware and recommend application whitelisting and monitoring of LOLBin usage as countermeasures. Indicators of Compromise (IOCs) include specific hash values associated with the Trojan.

Winsage

September 8, 2025

Docker Wine is a weird way to containerize and run Windows programs on Linux

Switching to Linux can require time to configure and may lead to challenges due to the incompatibility with Windows applications, which are often designed specifically for Windows. Docker Wine is a Docker image that provides a pre-configured Wine setup, allowing Windows applications to run in a self-contained Linux environment. This method avoids conflicts by creating a new container for each application, which disappears after use, ensuring the host system remains unaffected. Docker Wine can run both GUI applications and command-line tools, using specific commands to initiate the container and mount necessary directories. Additionally, Winetricks can be used within Docker Wine to create a persistent Wine environment for applications that require specific components. Docker Wine is particularly useful for users who need to test multiple Windows applications with conflicting dependencies without affecting their primary Linux setup.

Winsage

September 3, 2025

Solve shortcut chaos with PowerToys

PowerToys has introduced a hotkey conflict detection system in its latest update, which helps users identify and resolve overlapping keyboard shortcuts. The update also includes a search function in PowerToys Settings, a new "Gliding cursor" feature in Mouse Utilities, and enhancements to the installer for improved security and reliability. Additional improvements include bug fixes and updates across various utilities, such as Command Palette, Hosts File Editor, and Quick Accent, with a focus on usability and accessibility.

Winsage

August 4, 2025

North Korea Hiding Malware Within JPEG Files to Attack Windows Systems Bypassing Detections

Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. This malware uses steganography to hide malicious payloads within JPEG files, allowing it to evade traditional antivirus detection. It is typically distributed through malicious shortcut files within ZIP archives, often disguised as legitimate documents. The malware employs a two-stage encrypted shellcode injection method, utilizing PowerShell and batch scripts to execute its payloads in memory. It collects system information, documents, and screenshots, exfiltrating data via compromised cloud APIs. The command and control accounts associated with the malware are linked to Russian email services. Variants of RoKRAT have evolved to include different injection methods and reference specific PDB paths. Indicators of compromise include various MD5 hashes associated with the malware.