DLLs

Winsage
June 16, 2026
Cybersecurity researchers have identified two new Windows variants, named WINDRV and WINPLUS, of the SprySOCKS backdoor, which was previously thought to be exclusive to Linux systems. Both variants feature hard-coded command-and-control configurations and can communicate via TCP, UDP, and WebSocket protocols. They support over 30 commands for operations such as system information collection and file management. WINDRV employs kernel drivers for stealth, obscuring network connections and allowing TCP traffic diversion. SprySOCKS was first documented by Trend Micro in September 2023 and is linked to the Chinese state-sponsored threat actor Earth Lusca, also known as FishMonger. The Windows variants belong to version 1.8 of SprySOCKS and utilize a kernel driver named RawWNPF for enhanced stealth. The attack chain begins with an initial access method that drops a batch script, leading to the installation of the backdoor. Evidence suggests these variants may have been used in attacks against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WINPLUS variant was first detected in July 2024 in Pakistan. There are indications of potential involvement of a UEFI bootkit exploiting CVE-2023-24932, a vulnerability in the Windows Boot Manager.
Winsage
June 8, 2026
Microsoft has integrated Sysmon into Windows 11 through a system update, allowing it to operate in the background and log activities in the Windows Event Log. Indicators of suspicious processes include the absence of icons or descriptions, incorrect parent processes, spelling errors in names, unsigned executable files, packed executables, suspicious DLLs or services, open TCP/IP endpoints, and unusual URLs or character strings. To install Sysmon, users must access the Control Panel, enable Sysmon, and restart their PC. Activation requires running a command in the Command Prompt. Sysmon logs can be viewed in the Event Viewer under Microsoft > Windows > Sysmon > Operational. Users can filter events using an XML configuration file. After analysis, suspicious processes should be scanned with antivirus software, and files can be uploaded to VirusTotal for further examination. Sysmon continuously logs events, while Process Monitor captures snapshots of running processes, and both tools are available for free from Microsoft.
Winsage
April 5, 2026
Wine version 11.6 introduces DLL load-order heuristics to enhance the modding experience for gamers on Linux, allowing third-party mod DLLs to load automatically and prioritizing them over default Microsoft versions. The update also revives the Android driver, suggesting potential future support for running Android applications and games on Linux. Additionally, it includes various bug fixes and enhancements to VBScript compatibility, improving the functionality of Windows-based applications on Linux devices.
Winsage
April 4, 2026
Wine version 11.6 enhances the experience of running Windows games on Linux through Proton, focusing on game modding capabilities. Key features include the revival of the Android driver, implementation of DLL load order heuristics for better mod support, improved compatibility with VBScript, and 28 bug fixes for application and game performance. The update allows Wine to prioritize DLLs provided with mods over its own versions, facilitating the use of a wider array of mods without additional tweaks. These changes are expected to be integrated into Proton for Steam users.
Tech Optimizer
February 24, 2026
A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.
Winsage
January 12, 2026
A new tool named EDRStartupHinder, unveiled on January 11, 2026, allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.
AppWizard
December 11, 2025
AMD has launched FSR Redstone, accessible through the AMD Adrenalin 25.12.1 driver, featuring FSR Frame Generation, Ray Regeneration, and Radiance Caching, along with enhanced FSR Upscaling technology, compatible exclusively with RDNA 4 hardware (Radeon RX 9060 XT and RX 9070 XT/RX 9070 GPUs). Ray Regeneration will debut in Call of Duty: Black Ops 7, with plans for future titles. The update aims to improve image quality and performance, closing the gap with Nvidia's DLSS 4 technology. However, it lacks backward compatibility with older GPUs, limiting its use to RDNA 4 hardware. FSR Radiance Caching is expected to enhance ray tracing performance in 2026, and the FSR Redstone SDK will facilitate easier integration into games.
Tech Optimizer
October 20, 2025
DefenderWrite is a new tool that uses whitelisted Windows programs to bypass antivirus protections and write files into executable folders. Developed by cybersecurity expert Two Seven One Three, it allows penetration testers to deploy payloads in secure locations without needing kernel-level access. The tool identifies whitelisted system programs, enabling attackers to inject malicious DLLs into antivirus folders. In tests on Windows 11 with Microsoft Defender, four vulnerable programs were identified: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe. DefenderWrite includes parameters for targeted operations and a PowerShell script for scanning executables. It highlights the need for antivirus vendors to improve their whitelisting policies and process isolation. The tool is publicly available, raising concerns about its potential use in real-world attacks.
Tech Optimizer
October 14, 2025
A new tool called IAmAntimalware was released on October 11, 2025, by a developer known as Two Seven One Three on GitHub. It is designed to infiltrate antivirus software by injecting malicious code, exploiting vulnerabilities in Windows service cloning and digital signature manipulation. IAmAntimalware can clone legitimate antivirus services, allowing it to bypass antivirus self-protection mechanisms. It modifies the Windows Cryptography API registry to hijack the cryptographic provider and supports COM object CLSID manipulation for component loading. The tool relies on a companion tool named CertClone to duplicate valid Windows certificates, making injected DLLs appear legitimate. Demonstrations have shown its ability to inject code into processes like Bitdefender’s BDProtSrv, creating unauthorized files within antivirus folders. Although widespread exploitation has not yet occurred, its open-source nature and straightforward design could lead to increased adoption. Security analysts rate the technique as medium severity due to its reliance on system access and lack of zero-day exploits, highlighting vulnerabilities in antivirus trust models. Experts recommend monitoring unusual module loads and enforcing strict certificate trust policies to mitigate risks associated with IAmAntimalware.