Downloader

Tech Optimizer
November 17, 2025
In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, in which users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. The attackers then deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption, to frustrate security analysis. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves RC2-encrypted payloads from platforms such as MediaFire. This downloader is packed with Agile.net, which complicates analysis for cybersecurity teams. The malware disables AMSI (the Antimalware Scan Interface) by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' built-in script scanning. Amatera communicates with its command servers over encrypted channels, using AES-256-CBC for traffic encryption, which makes inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads that target high-value assets.

Winsage
November 6, 2025
A new feature in the web version of the Microsoft Store allows Windows users to install multiple applications simultaneously. Users can select up to 16 apps from 48 options categorized into six groups: Productivity, Creativity, Social, Entertainment, Tools & Utilities, and Personalization. After selecting the desired apps, users can click "Install Selected" to download a single executable file that initiates the installation of all chosen applications. This feature is currently not available in the desktop app for Windows 11. The available app categories include well-known names such as Teams, Canva, Instagram, Netflix, and Speedtest. The feature is similar to Ninite, a third-party tool that offers a broader range of applications. Microsoft has been contacted for further information on potential enhancements to this feature.

Winsage
October 30, 2025
Complaints about the Windows 11 Start menu are common, with users finding it sluggish and unreliable. Raycast, currently in beta for Windows, is an application launcher that provides faster access to applications and system settings through customizable keyboard shortcuts. It includes built-in extensions such as an emoji picker and clipboard history, which extend its functionality. Raycast can be activated with various keyboard shortcuts, including the Windows key, making the transition from the Start menu easy. It works across operating systems, and a similar open-source alternative called Vicinae is available for Linux users. Raycast has proven to enhance productivity significantly.

AppWizard
October 2, 2025
ElephTV is a streaming app designed specifically for South African Android users, offering features such as seamless performance on various devices, a straightforward installation process, and a generous 3-day free VIP pass with an additional 4 days available through a South African phone number. The app claims to use approximately 30% less data than other major streaming services and allows users to download content for offline viewing. It provides a diverse library of local and international content and includes a referral program that rewards users for sharing the app. ElephTV plans to expand its local content and support for more local languages in the future.

Winsage
August 30, 2025
In mid-2025, a campaign attributed to the Silver Fox Advanced Persistent Threat (APT) began exploiting a vulnerable Microsoft-signed WatchDog Antimalware driver (amsdk.sys, version 1.0.600) to compromise modern Windows environments. The attackers use the driver's arbitrary process termination capability to bypass endpoint detection and antivirus protections on fully patched Windows 10 and 11 systems. The attack starts with a loader that checks for virtual machines and sandboxes before dropping two drivers into a new directory. These drivers are registered as kernel services, and the loader establishes persistence. The malware then terminates security service processes by exploiting the driver's vulnerabilities, allowing the injection of a ValleyRAT downloader module that connects to Chinese-hosted C2 servers. After the vulnerability was disclosed, a patched driver (wamsdk.sys, version 1.1.100) was released, but Silver Fox adapted by modifying the driver's signature timestamp to evade detection while keeping the signature valid.