DLLs

Winsage
June 30, 2026
The 'file in use' error in Windows indicates that a file is currently being accessed by a program, preventing deletion or renaming to avoid data corruption. This error can persist even after closing an application due to reasons such as antivirus software scanning the file, network references from other devices, or files loaded as Dynamic Link Libraries (DLLs) that remain in memory. To identify the process causing the error, Mark Russinovich developed the command-line tool Handle, which shows all open file handles, and Process Explorer, which provides a graphical interface to find and manage these handles. Microsoft is integrating Sysinternals tools into PowerToys for easier access, including the File Locksmith tool that allows users to unlock files directly. A recommended workaround for the error is to rename the file instead of deleting it, as Windows permits renaming even when a file is open.
Winsage
June 25, 2026
Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM. COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying. COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls. Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
Winsage
June 22, 2026
The Windows desktop experience has a streamlined interface, but its command line interface (CLI) offerings, particularly the cmd.exe shell, have been criticized for lacking the features found in UNIX/BSD/Linux environments. Microsoft’s transition to PowerShell has disappointed users who prefer a more traditional CLI experience. Despite Windows NT operating systems being POSIX compliant, they have historically lacked a suitable shell. MSYS2 provides a solution by offering a Linux-like experience with a Bash shell and the pacman package manager, allowing users to run shell scripts and access various tools. However, binaries compiled in MSYS2 may depend on shared libraries not included in the Windows system path. Upon installation, users can choose from different terminal options, with the UCRT terminal recommended for its usability. MSYS2 facilitates a streamlined development workflow, enabling the use of familiar tools across multiple platforms, but it does not achieve perfect integration within Windows and has some limitations, such as issues with stdout output in Bash.
Winsage
June 16, 2026
Cybersecurity researchers have identified two new Windows variants of the SprySOCKS backdoor, named WINDRV and WINPLUS, which were previously thought to be exclusive to Linux systems. Both variants feature hard-coded command-and-control configurations and can communicate via TCP, UDP, and WebSocket protocols. They support over 30 commands for operations such as system information collection and file management. WINDRV employs kernel drivers for stealth, obscuring network connections and allowing TCP traffic diversion. SprySOCKS was first documented by Trend Micro in September 2023, linked to the Chinese state-sponsored threat actor Earth Lusca, also known as FishMonger. The Windows variants belong to version 1.8 of SprySOCKS and utilize a kernel driver named RawWNPF for enhanced stealth. The attack chain begins with an initial access method that drops a batch script, leading to the installation of the backdoor. Evidence suggests these variants may have been used in attacks against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WINPLUS variant was first detected in July 2024 in Pakistan. There are indications of a potential UEFI bootkit involvement exploiting CVE-2023-24932, a vulnerability in the Windows Boot Manager.
Winsage
June 8, 2026
Microsoft has integrated Sysmon into Windows 11 through a system update, allowing it to operate in the background and log activities in the Windows Event Log. Indicators of suspicious processes include the absence of icons or descriptions, incorrect parent processes, spelling errors in names, unsigned executable files, packed executables, suspicious DLLs or services, open TCP/IP endpoints, and unusual URLs or character strings. To install Sysmon, users must access the Control Panel, enable Sysmon, and restart their PC. Activation requires running a command in the Command Prompt. Sysmon logs can be viewed in the Event Viewer under Microsoft > Windows > Sysmon > Operational. Users can filter events using an XML configuration file. After analysis, suspicious processes should be scanned with antivirus software, and files can be uploaded to VirusTotal for further examination. Sysmon continuously logs events, while Process Monitor captures snapshots of running processes, and both tools are available for free from Microsoft.
Winsage
April 5, 2026
Wine version 11.6 introduces DLL load-order heuristics to enhance the modding experience for gamers on Linux, allowing third-party mod DLLs to load automatically and prioritizing them over default Microsoft versions. The update also revives the Android driver, suggesting potential future support for running Android applications and games on Linux. Additionally, it includes various bug fixes and enhancements to VBScript compatibility, improving the functionality of Windows-based applications on Linux devices.
Winsage
April 4, 2026
Wine version 11.6 enhances the experience of running Windows games on Linux through Proton, focusing on game modding capabilities. Key features include the revival of the Android driver, implementation of DLL load order heuristics for better mod support, improved compatibility with VBScript, and 28 bug fixes for application and game performance. The update allows Wine to prioritize DLLs provided with mods over its own versions, facilitating the use of a wider array of mods without additional tweaks. These changes are expected to be integrated into Proton for Steam users.
Tech Optimizer
February 24, 2026
A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.
Winsage
January 12, 2026
A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.
Search