elevated privileges Archives

Winsage

May 11, 2026

New GhostLock tool abuses Windows API to block file access

A security researcher has developed a proof-of-concept tool called GhostLock, which exploits a vulnerability in the Windows file API, specifically the 'CreateFileW' function. By manipulating the 'dwShareMode' parameter to grant exclusive access to files, GhostLock can prevent other users or applications from opening those files, resulting in a 'STATUSSHARINGVIOLATION' error. The tool automates the process of opening multiple files on SMB shares, causing access disruptions without requiring elevated privileges. This technique is intended as a disruption attack rather than a destructive one, similar to ransomware, and can serve as a diversion during intrusions. Detection of this attack relies on monitoring the open-file count with ShareAccess set to 0 at the file server layer. Dvash has provided resources for IT teams to enhance detection capabilities against this threat.

AppWizard

May 6, 2026

Google expands Android Binary Transparency to counter supply chain attacks

Supply chain attacks targeting mobile software have increased due to the reliance on smartphones for essential functions. In response, Google has launched an enhanced Binary Transparency program for Android, which includes a public ledger that records cryptographic entries for production applications. This program initially covers two software layers: Google Applications and Mainline Modules. For Pixel device owners, it complements the Pixel System Image Transparency feature introduced in 2023, allowing users to verify the authenticity of system images and Google applications. The program aims to address the gap in software trust by distinguishing between digital signatures, which confirm the identity of the binary's creator, and binary transparency, which indicates the intent for public release. If a Google-signed application released after May 1, 2026, is not listed in the ledger, it means Google did not authorize it as production software. Verification tools are available on GitHub for assessing software against the ledger. Google employs "defense-in-depth" protocols to mitigate insider risks, ensuring that no single individual can publish a binary without triggering cryptographic verification. The ledger acts as a public record to deter unauthorized modifications. Google is also working to extend Binary Transparency to third-party developers to enhance the security of the global software supply chain.

AppWizard

May 4, 2026

Evolving Verifiable Trust: Bringing Binary Transparency to the Android Ecosystem

Starting May 1, 2026, all production Android applications released by Google will include a cryptographic entry to verify their authenticity. This initiative establishes a "Source of Truth" for users to confirm that the software on their devices is genuine and unaltered. It includes Google Applications and Mainline Modules, with a production ledger that records all official updates. If a Google-signed application is not listed in this ledger, it indicates that the application was not intended for release by Google. This system aims to prevent unauthorized modifications and enhance user privacy and security. For Pixel users, it allows verification of both system images and Google applications. Google has also provided verification tools to check the transparency status of supported software types.

AppWizard

April 29, 2026

New Android spyware Morpheus linked to Italian surveillance firm

Morpheus is a new spyware identified by the nonprofit organization Osservatorio Nessuno, which spreads through counterfeit Android applications that appear as legitimate updates. Attackers use SMS messages to direct victims to a fraudulent website mimicking an Internet Service Provider (ISP). The spyware installs a dropper app that deploys a concealed payload, which disguises itself as legitimate system components and manipulates users into granting dangerous permissions, including Accessibility access. Once granted, Morpheus initiates a Permission Workflow that creates a fake update overlay, disabling the touchscreen to prevent user interaction. It ensures persistence by restarting after device reboots and can request device administrator privileges. The spyware exploits overlay windows and Accessibility features to gain control of the device and bypass security measures, including disabling antivirus solutions without requiring root access. Analysis suggests Morpheus has Italian origins, with connections to an Italian firm, IPS Intelligence, known for lawful interception technologies. The spyware is capable of invasive actions such as recording audio and video, linking to WhatsApp, and compromising device security. The report highlights a network of dubious companies and shared contacts linked to the spyware's distribution.

Winsage

April 18, 2026

RedSun: Windows 0day when Defender becomes the attacker

A vulnerability has been discovered in Windows Defender that allows standard users to exploit a logic error in the file remediation process, enabling code execution with elevated privileges without administrative access. This flaw, identified by security researcher Chaotic Eclipse, occurs because Windows Defender does not verify if the restoration location of flagged files has been altered through a junction point. The exploit, named RedSun, takes advantage of a missing validation in the MpSvc.dll file, allowing attackers to redirect file restoration to the C:WindowsSystem32 directory. RedSun operates by chaining together four legitimate Windows features: Opportunistic Locks (OPLOCKs), Cloud Files API, Volume Shadow Copy Service (VSS), and Junction Points. The execution of the exploit involves monitoring shadow copies, triggering Defender's detection, synchronizing OPLOCKs, and ultimately writing malicious binaries to the System32 directory. The root cause is the lack of reparse point validation in the restoration process, and currently, no patch or CVE has been assigned for this vulnerability. It affects Windows 10, Windows 11, and Windows Server 2019 and later, and organizations are advised to implement behavioral detection strategies until a fix is available.

Winsage

April 16, 2026

Fake Proton VPN sites are pushing NWHStealer malware to Windows users

A malware campaign is utilizing counterfeit Proton VPN websites and other deceptive tactics to distribute a Windows infostealer known as NWHStealer. This malware extracts sensitive information, including browser credentials and cryptocurrency wallet details, and operates stealthily by injecting itself into legitimate processes. Two primary infection vectors have been identified: malicious ZIP archives on a free web hosting platform and trojanized installers from fake Proton VPN sites. The malware employs DLL hijacking and can exfiltrate data to a command-and-control server while ensuring persistence through scheduled tasks and disguising payloads as legitimate system processes. It also exploits the Windows cmstp.exe utility to bypass User Account Control. Users are advised to avoid downloading software from unofficial sources and to verify file signatures and publisher information.

Tech Optimizer

April 16, 2026

Unpatched Microsoft Defender flaw lets hackers gain admin access

A security researcher named Chaotic Eclipse has discovered a significant vulnerability in Microsoft Defender that could allow hackers to gain administrative access to systems running Windows 10, Windows 11, and Windows Server. The vulnerability arises from Windows Defender's behavior of rewriting detected malicious files back to their original location instead of removing them, which can be exploited to overwrite system files and grant unauthorized users elevated privileges. This issue remains unaddressed by Microsoft, leaving millions of users vulnerable. Although there is no current evidence of active exploitation, the situation could change. Users are advised to consider additional antivirus solutions for enhanced security.

Winsage

April 14, 2026

Microsoft rolls out fast-track to reinstate Windows hardware dev accounts

Microsoft has implemented a fast-track reinstatement process for developers whose Windows Hardware Developer accounts were suspended due to incomplete identity verification. This initiative follows complaints from developers, including those of WireGuard and VeraCrypt, about unexpected account terminations that hindered their ability to publish Windows drivers and updates. Microsoft clarified that the suspensions were communicated to partners since October 2025 and emphasized the importance of identity verification for signing and distributing kernel-level drivers. Developers can expedite their reinstatement by opening a support case with a business justification. Microsoft has also provided guidance for navigating the support workflow and an alternative contact for those facing difficulties.

Winsage

April 6, 2026

ResokerRAT Hijacks Telegram API to Command Infected Windows PCs

A newly discovered Windows malware called ResokerRAT uses Telegram’s Bot API for its command-and-control operations, allowing it to monitor and manipulate infected systems without a conventional server. It obscures its communications by integrating with legitimate Telegram traffic, complicating detection. Upon execution, it creates a mutex to ensure only one instance runs and checks for debuggers to avoid analysis. It attempts to relaunch with elevated privileges and logs failures to its operator. ResokerRAT terminates known monitoring tools and installs a global keyboard hook to obstruct defensive key combinations. It operates through text-based commands sent via Telegram, allowing it to check processes, take screenshots, and modify system settings to evade detection. Persistence is achieved by adding itself to startup and altering UAC settings. The malware retrieves additional payloads from specified URLs and uses URL-encoded data for communication. Researchers have confirmed its Telegram traffic, and its behavior aligns with various MITRE ATT&CK techniques. Security teams are advised to monitor for unusual Telegram traffic and scrutinize registry keys related to startup and UAC.

Winsage

April 4, 2026

WhatsApp Malware Campaign Uses VBS to Hijack Windows

Microsoft has identified a cyberattack campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files targeting Windows systems. First detected in late February 2026, the campaign employs social engineering to trick users into executing the VBS files, which then create hidden directories and disguise themselves as legitimate Windows utilities. The malware downloads additional payloads from cloud platforms like AWS, Tencent Cloud, and Backblaze B2 to establish persistence and escalate privileges. It can bypass User Account Control (UAC), alter registry settings, and install malicious MSI packages, including remote access tools like AnyDesk, to maintain continuous access for attackers.