DNS

Tech Optimizer
April 13, 2026
Claude, an AI tool developed by Anthropic, receives nearly 290 million web visits monthly and has become a target for cybercriminals. A fake website has been found that impersonates Claude, distributing a trojanized installer named Claude-Pro-windows-x64.zip. This installer, while appearing legitimate, deploys PlugX malware, granting attackers remote access to users' systems. The fraudulent site mimics the official download page and has passive DNS records linked to commercial bulk-email platforms, indicating active maintenance by the operators. The ZIP file contains an MSI installer that misspells "Claude" as "Cluade" and creates a desktop shortcut that launches a VBScript dropper. This script runs the legitimate claude.exe while carrying out malicious activities in the background, including copying files to the Windows Startup folder to ensure persistence after reboot. The attack uses a DLL sideloading technique, cataloged by MITRE as T1574.002, in which a legitimate G DATA antivirus updater is abused to load a malicious DLL. Within 22 seconds of execution, the malware establishes a connection to an IP address associated with Alibaba Cloud, indicating control over the compromised system. The dropper script also employs anti-forensic measures to delete itself and the VBScript after deployment. Indicators of compromise include the filenames Claude-Pro-windows-x64.zip, NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat, along with the network indicator 8.217.190.58:443 (TCP) as the command and control destination. Users are advised to download Claude only from the official site and to remain vigilant against potential compromises.
Tech Optimizer
March 21, 2026
Avast launched its VPN service, Avast Secureline VPN, in 2017, focusing on encryption, a no-logs policy, and DNS leak protection. The company operates outside the 5, 9, or 14 Eyes alliances, which limits data-sharing with intelligence agencies. In January 2020, Avast faced criticism for collecting user data for its subsidiary, Jumpshot, but ceased this practice shortly after. The VPN offers dedicated servers for streaming and torrenting, basic split tunneling, and a kill switch, but lacks comprehensive features compared to competitors. Supported protocols include WireGuard, OpenVPN, and IPsec, with encryption standards generally secure. Avast claims to operate 700 servers across 27 countries, with a limited selection of streaming-optimized servers. The app supports various platforms but lacks support for Linux or routers. Speed tests showed an average download speed of 275.69 Mbps, but performance in unblocking content was disappointing, with limited success on streaming services. Avast's privacy policy indicates extensive data collection, despite claims of addressing past issues. Customer support includes 24/7 access for paying customers. Pricing tiers include a 60-day free trial, with competitive rates but limited features. Pros include decent speeds and reasonable pricing, while cons highlight controversial data practices, limited information, poor streaming performance, and fewer features compared to competitors.
Winsage
March 5, 2026
A critical bug in Windows 11 builds 24H2 and 25H2 is causing users with Ethernet connections to lose internet access after installing updates KB5066835 and KB5065789. Users have reported issues on Microsoft’s Q&A forums, and rolling back the operating system is recommended. Possible fixes include performing a full network reset, flushing DNS and resetting TCP/IP via Command Prompt, editing the registry, and using hardware bypass solutions like USB-to-Ethernet or USB-to-WiFi adapters.
Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
AppWizard
February 15, 2026
Russian authorities have been implementing a "sovereign Internet" initiative, which involves controlling digital communication and filtering information accessed by citizens. Recently, on February 11, Roskomnadzor removed WhatsApp from the National Domain Name System, effectively erasing it from the Russian digital landscape, which impacts over 100 million users. Two days earlier, Telegram experienced significant slowdowns, leading to fines for alleged non-compliance with Russian law. The government has been promoting the state-controlled messaging app, Messenger Max, developed by VK, as an alternative to popular platforms like WhatsApp and Telegram. The recent removal of 13 domain names, including those of major news outlets, marks a significant escalation in efforts to control digital information and is part of a broader strategy established since 2019 to impose stringent Internet regulations. This includes the establishment of a Russian National Domain System that allows Roskomnadzor to dictate website accessibility within the country, raising concerns about the potential instability and isolation of the Russian Internet.
AppWizard
February 13, 2026
Russia's internet regulator, Roskomnadzor, has made YouTube inaccessible in the country by removing its domain from the National Domain Name System (NDNS) servers, which prevents direct access without a VPN. YouTube is now blocked along with WhatsApp, as part of a broader crackdown on digital communication tools. The NDNS serves as a government-mandated alternative directory that restricts telecommunications providers to using it exclusively, allowing centralized control over website accessibility. Roskomnadzor has removed 13 domain names from NDNS, including those of international news outlets and social media platforms. A survey indicates that 46% of Russian users utilize VPNs to access YouTube, but 24% still experience connectivity issues. Users report frustration with internet access quality and potential repercussions from government legislation against searching for "extremist material" or using VPNs. Experts warn that reliance on NDNS could limit normal DNS functionality and highlight risks associated with VPN use, including government manipulation of IP addresses. Roskomnadzor cites violations of Russian law to justify its control over platforms like Telegram.
TrendTechie
February 12, 2026
U.S. law enforcement, in collaboration with Bulgarian authorities, has seized the domains zamunda.net, arenabg.com, and zelka.org due to copyright infringement related to pirated content. This operation was authorized by a U.S. District Court ruling and coordinated by the U.S. Department of Homeland Security, Europol, and Bulgarian officials. The domains, which were managed by U.S.-based registrars, have been redirected to U.S. control, displaying an official seizure notice. A significant portion of the content on these sites is owned by American companies, allowing U.S. jurisdiction. Bulgaria has been working to combat piracy since at least 2020 and was recently placed back on the U.S. Trade Representative's "Special 301 Report" list for insufficient progress. The servers hosting the trackers may be located outside Bulgaria, complicating their seizure. This operation highlights the risks faced by piracy platforms linked to international domains.