endpoint

Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
Winsage
February 26, 2026
In 2024, Microsoft launched Windows 365 Link, a new category of devices designed for quick access to Windows 365 Cloud PCs, enhancing IT management and security. Microsoft is collaborating with ASUS and Dell to expand the Cloud PC device portfolio. The ASUS NUC 16 for Windows 365 is a mini-PC with a 0.7L design, supporting up to three displays, expected to be available in Europe and the U.S. by Q3 2026. The Dell Pro Desktop for Windows 365 is a compact, fanless desktop that also supports three displays and will be available in 58 countries by Q3 2026. Both devices boot directly into Windows 365 and are managed through Microsoft Intune. Key updates for the Windows CPC operating system are planned for Q2 2026, including Bluetooth pairing support and tenant branding features. Windows 365 Link is currently available in 20 countries, with plans for market expansion.
Winsage
February 25, 2026
Microsoft has released optional February updates for Windows 11 versions 25H2 and 24H2, which include several enhancements:
- A network speed test tool accessible from the taskbar for measuring Ethernet, Wi-Fi, and cellular connections.
- Enhanced camera settings with new pan and tilt options for supported cameras.
- A built-in version of the System Monitor (Sysmon) tool, available as an optional feature.
- Improvements to Remote Server Administration Tools (RSAT) for Windows 11 Arm64 devices.
- A new automatic recovery tool for Windows 11 Professional devices not domain-joined.
- Support for .webp images as desktop backgrounds.
- Introduction of new emojis in the Emoji 16.0 release.
- BitLocker improvements to prevent devices from becoming unresponsive after entering a recovery key.

Additionally, Microsoft has shared release notes for an upcoming optional update for Windows 11 version 26H1, which is currently only available to Insiders on the Canary Channel and is expected to debut on new devices with advanced silicon.
Winsage
February 15, 2026
Microsoft has blocked credential autofill functionality in Windows 11 as part of the February 2026 Patch Tuesday updates to address the critical vulnerability CVE-2026-20804, which allows unauthorized access by tampering with Windows Hello authentication. This vulnerability was first identified in August 2025 and allows local administrators to inject biometric data. The restriction was documented in the January 2026 Patch Tuesday release notes. Enhanced Sign-in Security (ESS) operates at a hypervisor virtual trust level but is limited by hardware compatibility issues, particularly affecting AMD-based systems. Post-update, credential dialogs do not respond to virtual keyboard inputs from remote desktop or screen-sharing applications, preventing autofill during remote support sessions. Microsoft has provided a risky workaround that allows applications to operate with elevated administrator privileges, but this reintroduces the vulnerability. Organizations must now choose between disrupted remote support workflows or risking exposure to credential injection attacks, leading to operational challenges for IT teams and help desk staff.
Winsage
February 14, 2026
Microsoft has released a patch for a significant vulnerability in Notepad on Windows 11 that could allow attackers to execute code by opening a Markdown file and clicking on a malicious link. This vulnerability was due to how Notepad processed links within Markdown files, which could trigger unverified protocols to load remote content. The patch now includes a security warning before such links can be activated. Users are advised to check for updates via Windows Update and the Microsoft Store to ensure Notepad and related components are up to date. Security tips include inspecting URLs before clicking and keeping Microsoft Defender features enabled.
Tech Optimizer
February 13, 2026
In January 2004, the MyDoom computer worm quickly spread to email inboxes in 168 countries, becoming one of the fastest-spreading pieces of malware in internet history. It exploited human behavior by enticing users to open email attachments that appeared to be delivery errors or system notifications. MyDoom replicated itself through email without corrupting files or destroying data, harvesting email addresses from infected computers to send copies to new victims. The two main variants, MyDoom.A and MyDoom.B, targeted the SCO Group and Microsoft, respectively, and demonstrated the potential for email worms to be weaponized for coordinated attacks. MyDoom primarily targeted Windows-based operating systems and used deceptive emails to propagate. Once infected, it installed a backdoor for unauthorized remote access, forming a botnet for further attacks. MyDoom's effectiveness was due to its alignment with user behavior and the limited security measures of the time, leading to significant disruptions in email communication and an estimated economic impact of approximately billion. Although no longer a current threat, MyDoom's legacy influenced modern email security protocols, leading to improved filtering, behavior-based detection, and multi-layered defense strategies.
Tech Optimizer
February 12, 2026
Data migration from SQL Server to Amazon RDS for PostgreSQL or Amazon Aurora PostgreSQL-Compatible Edition often requires adjustments to the database schema or SQL commands. AWS provides DMS Schema Conversion to aid in converting existing database schemas and AWS Database Migration Service (AWS DMS) to assist in data migration, featuring enhanced security and minimized downtime. SQL Server uses the HierarchyID data type for managing hierarchical data, while PostgreSQL employs the LTREE extension for similar purposes. The migration process involves preparing both the source SQL Server and target PostgreSQL environments, creating tables, installing the LTREE extension, and converting schemas using AWS DMS Schema Conversion. The migration steps include creating sample tables in SQL Server with HierarchyID columns, enabling change data capture (CDC), creating the LTREE extension in PostgreSQL, and preparing the target table structure. AWS DMS endpoints are created for both source and target databases, followed by the creation and execution of an AWS DMS migration task. Post-migration, the original HierarchyID column is replaced with the LTREE column, and the IDENTITY column behavior is reverted to its original state. The migration process is verified by inserting rows in PostgreSQL and ensuring they are in the correct LTREE format. Common functions from SQL Server's HierarchyID are mapped to their PostgreSQL LTREE equivalents, facilitating the transition between the two systems.