elevated permissions Archives

Winsage

June 2, 2026

New PHANTOMPULSE RAT Campaign Uses UAC Bypass in Windows Attacks

The REF6598 intrusion set has revealed a Remote Access Trojan (RAT) named PHANTOMPULSE, which is distributed via malicious Obsidian plugins. It uses advanced evasion techniques, including a blockchain-based command and control (C2) channel and a public User Account Control (UAC) bypass to infiltrate Windows systems. The malware disables security measures like the Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) through a hardware-breakpoint technique, allowing it to avoid detection by signature-based memory scanners. PHANTOMPULSE hides its core files in encrypted registry blobs and creates scheduled tasks that appear as .NET Framework updates. Its decentralized C2 framework queries public blockchains for operational data, but it lacks sender authentication, which can be exploited by defenders. The malware inventories the system for antivirus software and targets high-value applications. It employs a UAC bypass technique called “schuac” to gain elevated permissions. Analysts attribute this campaign to DPRK-aligned threat actors, particularly the BlueNoroff group, due to its focus on cryptocurrency wallets and blockchain exploitation. Defenders can identify new infrastructure by searching blockchain ledgers for a specific hex signature associated with the malware's C2 encryption routine.

Winsage

May 30, 2026

How to Free Up Disk Space on Windows 11

Your C: drive may be full, causing Windows to send reminders about low disk space or updates failing to install. Windows 11 includes built-in tools to help reclaim disk space. The guide outlines methods for recovering space, starting with the quickest techniques. 1. Cleanup Recommendations: Navigate to Start > Settings > System > Storage > Cleanup recommendations to review and remove temporary files, large or unused files, and apps. Deleting the previous Windows installation can recover several gigabytes but is irreversible. 2. Clear Temporary Files Manually: Go to Start > Settings > System > Storage > Temporary files to manually select and remove temporary files. 3. Empty the Recycle Bin: Right-click the Recycle Bin and select Empty Recycle Bin to reclaim space from deleted files. 4. Find and Move Large Personal Files: Use File Explorer to locate and move large files from Videos, Music, Pictures, or Downloads to an external drive. 5. Uninstall Unused Apps: Uninstall applications via Start > Settings > Apps > Installed apps, the Start menu, or Control Panel. 6. Turn On Storage Sense: Activate Storage Sense in Start > Settings > System > Storage to automate cleanups. 7. Configure Storage Sense Schedule: Adjust the schedule for Storage Sense cleanups in Start > Settings > System > Storage > Storage Sense. 8. Use Classic Disk Cleanup: Access the classic Disk Cleanup tool by typing "disk cleanup" in the search box to remove system files and items overlooked by the Settings scan. 9. Free Up Local Space with OneDrive Files On-Demand: Enable Files On-Demand in OneDrive settings to keep files in the cloud and free up local space. 10. Redirect Where New Content Is Saved: Change the default save location for new files in Start > Settings > System > Storage > Advanced storage settings. 11. Use External Storage to Install a Stuck Update: Connect an external USB drive with at least 10 GB of free space to assist with installing updates. 12. Rule Out Malware: Run a Windows Security antivirus scan if disk space continues to disappear unexpectedly. Deleting files in File Explorer moves them to the Recycle Bin, and space is not reclaimed until it is emptied. Deleting the previous Windows installation is irreversible and can only be done within 10 days of an upgrade. The KB5074105 update changed the scan context for Temporary files, preventing certain admin-restricted items from being detected. Storage Sense operates only on the system drive and does not automatically delete files in Downloads or OneDrive unless configured.

AppWizard

May 28, 2026

Fake ‘Cockroach Janta Party’ Android app flagged as critical malware threat, report warns

A cybersecurity report released on May 22, 2026, identifies a counterfeit Android application posing as the official app of the Cockroach Janta Party as a significant malware threat. The malicious app, known as Cockroach.Janta.Party, functions as a Remote Access Trojan (RAT) and can infiltrate Android devices, steal sensitive information, intercept communications, and control infected smartphones. The genuine Cockroach Janta Party has no affiliation with this app and is a victim of brand impersonation. The app is distributed through WhatsApp, Telegram, and misleading websites, particularly a rogue domain, cockroachjantaparty[.]org. It targets Android devices running versions 8.0 to 14 and requests elevated permissions, including access to camera, SMS, call logs, and contacts, while misusing the Android Accessibility Service to read on-screen content and grant itself additional permissions. The app contains multiple malicious modules for data exfiltration and uses a Command and Control infrastructure based on the Telegram Bot API. Users are advised to uninstall the app, disable Accessibility permissions, reset banking credentials, enable two-factor authentication, and conduct a full mobile security scan. The legitimate Cockroach Janta Party is encouraged to issue a formal clarification regarding the impersonation.

Winsage

May 27, 2026

Is it time to move from Windows to Linux?

The evolution of software development has progressed from intricate coding practices in the era of Windows 3.1 to more user-friendly programming environments. Linux applications typically require less RAM, often functioning efficiently with 8 to 16 GB, compared to 32 GB for Windows. Users can explore Linux through platforms like WSL, Hyper-V, or VirtualBox without fully committing. Linux serves as a viable alternative for older PCs that cannot support Windows 11 and acquiring Linux development skills can enhance professional profiles. Linux updates generally do not require reboots, and users can choose when to install them. Windows systems tend to slow down over time due to registry clutter, while Linux maintains performance integrity. Windows runs numerous background processes that could be disabled for better performance, but users may not know which ones are safe to turn off. Developers may find Windows frustrating due to increasing restrictions and limited administrative privileges. In contrast, Linux provides transparency regarding telemetry data. Microsoft's Visual Studio Code is a leading text editor for Linux, highlighting Microsoft's influence on Linux development. The introduction of Python and C# on Linux has showcased its performance advantages. While Windows has an edge in GUI development, tools like Flutter are enabling Linux GUI application creation. Many Linux utilities work seamlessly from the terminal. Transitioning to full-time Linux use is a personal choice, especially for gamers or those with specific project needs. The ability to develop in languages like Rust, Flutter, and C# across both operating systems encourages exploration of various Linux distributions.

Winsage

May 26, 2026

How to Remove Microsoft Edge (Windows 10 and 11)

Removing Microsoft Edge from Windows can be complex due to its integration as a system component, especially in Windows 10 and standard Windows 11 installations. Edge may not have a straightforward Uninstall button in the Settings page, but methods exist for uninstallation, including using Edge's own installer or command-line approaches. In the EU, users may find an easier uninstall option in Settings due to the Digital Markets Act (DMA). To uninstall Edge, users should check their Windows version and region, install a replacement browser beforehand, and be aware that updates might reinstall Edge. Elevated permissions are typically required for uninstallation methods. Method A involves using Edge's setup.exe in uninstall mode from its Installer directory, which is widely compatible. Method B allows for a Settings-based uninstall in certain EU Windows 11 builds influenced by DMA. Method C uses PowerShell to remove Edge partially but may not be effective on newer builds. Method D suggests disabling Edge instead of fully uninstalling it for better system stability. Advanced techniques exist but carry risks, including potential system integrity issues. Users should consider application dependencies and the likelihood of Windows updates restoring Edge. For enterprise environments, policy-based control is preferred over complete removal. The EU DMA is driving changes toward a more modular Windows architecture, allowing for greater user choice regarding browser components.

Tech Optimizer

May 21, 2026

Nvidia tells users to update GPU drivers now or face possible attack — here’s what we know

NVIDIA has released an update to its GPU display drivers that addresses 14 vulnerabilities across its product lines, including GeForce, RTX, Quadro, Tesla, NVS, vGPU, and Cloud Gaming software. The most critical vulnerability is CVE‑2026‑24187, a high-severity use-after-free bug rated 8.8 out of 10, which could allow code execution, privilege escalation, data theft, or system crashes. Linux systems are vulnerable due to improper access to GPU resources at the kernel level, while Windows systems are at risk from a timing flaw. Two vulnerabilities in NVIDIA’s Unified Virtual Memory subsystem on Linux could lead to denial-of-service attacks without elevated permissions. The vGPU software also received patches for vulnerabilities in its virtual GPU manager component. Users can download the updated drivers from the NVIDIA Driver Downloads page or the NVIDIA Licensing Portal, with Windows users needing version 569.49 or newer and Linux users needing version 590.48.01. Users are advised to maintain their antivirus programs for enhanced security. NVIDIA thanked external security researchers for their responsible disclosure of these vulnerabilities.

AppWizard

May 15, 2026

Android 16 VPN Bypass Lets Apps Reveal Users’ Real IP Address

A security vulnerability in Android 16 allows malicious applications to expose a user's real IP address, even with "Always-On VPN" and "Block connections without VPN" features activated. Discovered by security researcher 0x33c0unt and disclosed on April 30, 2026, the flaw exploits the registerQuicConnectionClosePayload feature, which lacks permission checks. This vulnerability has been verified on a Pixel 8 with Proton VPN active. Google has not released a patch, but users can disable the feature via ADB commands.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

Winsage

April 18, 2026

‘They mopped the floor with me and pulled every childish game they could’: Disgruntled researcher releases second major Windows zero-day — claims Microsoft ‘would ruin my life, and they did’

A new zero-day vulnerability in Microsoft Defender has been disclosed by a researcher known as "Chaotic Eclipse," who has created a proof-of-concept exploit called "RedSun." This vulnerability allows local privilege escalation to SYSTEM level on Windows 10, Windows 11, and Windows Server when Microsoft Defender is active. The vulnerability has attracted attention from antivirus vendors, with some detecting it on VirusTotal due to an embedded EIRCAR in the executable. Chaotic Eclipse previously disclosed another vulnerability named BlueHammer, which also allowed local attackers to gain SYSTEM or elevated permissions. The researcher expressed dissatisfaction with Microsoft's vulnerability disclosure process, recounting negative interactions with the company. A Microsoft spokesperson stated the company's commitment to investigating security issues and supporting coordinated vulnerability disclosure.

Winsage

April 11, 2026

“We have discontinued SaRA”: Microsoft replaces its Windows 11 Recovery Assistant — here’s how to transition to Microsoft’s modern command-line replacement.

Microsoft has phased out the Support and Recovery Assistant (SaRA) utility with the March 2026 Security Update for Windows 11, replacing it with the new "Get Help" command-line tool. The SaRA was designed to troubleshoot and resolve common issues affecting Windows 11 and Microsoft 365 applications. Users are now encouraged to use the Get Help command-line tool, which offers enhanced functionality and security. To use the Get Help tool, users must download the files, extract them, and run specific commands in the Command Prompt. The tool addresses various issues, including Microsoft 365 activation challenges and Outlook profile errors.