endpoint detection Archives

Tech Optimizer

March 27, 2026

Bogus Avast website fakes virus scan, installs Venom Stealer instead

A deceptive website impersonating Avast antivirus tricks users into downloading Venom Stealer malware, which steals passwords, session cookies, and cryptocurrency wallet information. The site conducts a fake virus scan, falsely reporting threats to encourage users to download a malicious file named Avastsystemcleaner.exe. This file mimics legitimate software and operates stealthily, targeting web browsers to harvest credentials and session cookies. It also captures screenshots and sends stolen data to the command-and-control domain app-metrics-cdn[.]com via unencrypted HTTP. The malware employs evasion techniques to avoid detection and is part of a long-standing cybercrime tactic that exploits user trust in security software. Indicators of compromise include the file hash SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d, the domain app-metrics-cdn[.]com, and the network indicator 104.21.14.89.

Tech Optimizer

March 19, 2026

How AI And Hacking Professionalism Are Overwhelming Endpoint Security

The digital landscape is transforming due to the professionalization of cybercrime, which is now a significant part of organized crime, second only to drug trafficking. Malware includes various types such as viruses, browser hijackers, password stealers, Trojans, botnet malware, and ransomware. Traditional antivirus solutions rely on signature-based detection, heuristic analysis, and behavior monitoring, but these methods can lead to false positives and negatives. The evolution of cybersecurity has seen the rise of "Ransomware-as-a-Service" (RaaS) and the use of polymorphic malware that changes its signature, making traditional defenses ineffective. Hackers are also using AI and machine learning to evade behavioral monitoring. New defense strategies include Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), which focus on monitoring for breaches rather than preventing them. Leading vendors in this space include CrowdStrike, SentinelOne, Microsoft, and Palo Alto Networks. The zero trust security framework treats all access attempts as potentially hostile and emphasizes the integration of various security technologies. Emerging startups like FinalAV Security are developing zero trust solutions for consumers and small businesses, focusing on prevention rather than detection.

Tech Optimizer

March 16, 2026

What Is a Crypto Miner Virus?

A crypto miner virus, or cryptojacking malware, secretly uses a device’s CPU or GPU to mine cryptocurrency for an attacker, leading to increased electricity costs and potential hardware damage for the victim. It typically infects devices through phishing emails, pirated software, compromised websites, and malicious browser extensions. Monero is the preferred cryptocurrency for mining due to its efficiency on standard CPUs and privacy features. Signs of infection include overheating, high CPU usage, and increased electricity bills. Detection involves monitoring system performance and running antivirus scans. Prevention includes using antivirus software, keeping systems updated, and avoiding pirated software. Notable incidents include attacks on a European water utility and the Los Angeles Times website.

Tech Optimizer

March 11, 2026

Attackers Use Malformed ZIP Archives to Evade Antivirus and EDR Tools

Cybersecurity researchers at the CERT Coordination Center (CERT/CC) have identified a new evasion technique, VU#976247, used by threat actors to exploit malformed ZIP archives and bypass Antivirus (AV) and Endpoint Detection and Response (EDR) systems. Attackers manipulate the internal headers of ZIP files, particularly altering the compression method field, which causes security tools to fail in analyzing the malicious payload. While some security products may flag the modified files as corrupted, they often do not detect the underlying malicious code. Standard extraction tools typically trust the tampered metadata and may return errors, leaving the hidden payload undisclosed. Attackers use custom malware loaders to extract and execute the malicious data, circumventing traditional AV detection. Cisco has been confirmed as affected, while other vendors, including AhnLab, Avast, Bitdefender, and Avira, have an “Unknown” status regarding their vulnerability. To mitigate this threat, organizations should enhance archive handling processes, avoid relying solely on declared metadata, adopt aggressive detection modes, flag metadata inconsistencies, and consult with AV and EDR providers about vulnerabilities.

Tech Optimizer

March 11, 2026

Malformed ZIP Files Allows Attackers to Bypass Antivirus and EDR Detections

A vulnerability identified as CVE-2026-0866 allows malicious actors to exploit malformed ZIP headers to bypass antivirus and Endpoint Detection and Response (EDR) systems. This flaw occurs because most security solutions rely on metadata within ZIP archives to scan and process files. When the compression method field is altered, security scanners may fail to decompress the archive correctly, resulting in a false negative and leaving the malicious payload undetected. Attackers can then use a custom loader to access the embedded malicious data, circumventing standard extraction tools. Cisco has been confirmed as affected by this vulnerability, while nearly 30 other security vendors have not disclosed their status. The cybersecurity community is urged to evolve scanning methodologies, including not relying solely on declared metadata and implementing aggressive detection modes. Organizations should verify their antivirus and EDR solutions for vulnerability to CVE-2026-0866 and monitor for custom loaders.

Winsage

March 2, 2026

RAT Malware Via Windows Explorer Puts Crypto at Risk

Cofense Intelligence reported that threat actors are exploiting Windows File Explorer and WebDAV servers to deliver Remote Access Trojans (RATs) to corporate systems, bypassing browser security measures. This method allows attackers to infiltrate machines without using web browsers, taking advantage of File Explorer's ability to connect to remote WebDAV servers. Despite WebDAV being deprecated by Microsoft in November 2023, it is still supported in Windows, creating a vulnerability. The campaigns began in February 2024, with a significant increase in September 2024, and 87% of these campaigns deliver multiple RATs, including XWorm, Async RAT, and DcRAT. Victims typically receive phishing emails disguised as invoices, containing URL or LNK shortcut files that initiate a WebDAV connection. The attacks often utilize Cloudflare Tunnel for hosting malicious WebDAV servers, making the traffic appear legitimate. Notably, 50% of affected campaigns are in German, while 30% are in English. The report emphasizes the risks posed to individuals holding digital assets, as RATs can access sensitive information, including crypto wallet files. Organizations are advised to monitor network traffic for Cloudflare Tunnel instances and educate users about the risks associated with File Explorer's capabilities.

Winsage

March 1, 2026

Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery

Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.

Tech Optimizer

February 10, 2026

Researchers Use Windows Minifilter Drivers to Detect Ransomware in Real Time

A security researcher has developed a proof-of-concept tool called Sanctum, available on GitHub, aimed at combating ransomware within the Windows operating system. Sanctum utilizes a Windows feature known as a "filter driver" to monitor file operations at a strategic chokepoint between applications and the hard drive. It employs two primary callbacks: IRPMJCREATE, which detects rapid file write or delete requests indicative of ransomware activity, and IRPMJSET_INFORMATION, which identifies changes in file metadata, such as renaming with malicious extensions. Upon detecting suspicious activity, Sanctum blocks the action and identifies the source of the threat, logging events for security teams. Future enhancements may include real-time encryption detection and the ability to freeze malicious threads. This kernel-level approach offers greater visibility and speed compared to traditional antivirus solutions.

Winsage

January 29, 2026

Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence

Praetorian Inc. has launched Swarmer, a tool that enables low-privilege attackers to maintain stealthy persistence in the Windows registry while avoiding detection by Endpoint Detection and Response (EDR) systems. Swarmer uses mandatory user profiles and the Offline Registry API to modify the NTUSER hive without triggering standard registry hooks. It operates by creating an NTUSER.MAN file that replaces the NTUSER.DAT hive upon user login, allowing low-privilege users to manipulate registry settings without alerting EDR tools. Swarmer employs functions from Microsoft’s Offline Registry Library, enabling it to perform operations without invoking Reg* API calls, thus evading detection mechanisms. Swarmer's workflow involves exporting the HKCU registry, modifying it, and executing the tool with specific commands to place the modified NTUSER.MAN file into the user profile. It can be used as an executable or a PowerShell module. While it presents a novel method for persistence, Swarmer has limitations, such as being unable to update without admin access and requiring user login to activate. Detection strategies include monitoring for NTUSER.MAN file creation and Offreg.dll usage in non-standard processes.

Tech Optimizer

January 28, 2026

Top Android Antivirus Apps for 2026: Reviews and Key Features

Android users face increasing cyber threats as we approach 2026, with AI-driven malware and ransomware becoming more prevalent. The antivirus market has evolved to include advanced features like real-time threat intelligence and integrated privacy tools. Norton Mobile Security is noted for its machine learning-powered malware detection, VPN, app advisor, and dark web monitoring, achieving a 99.9% detection rate. TotalAV offers user-friendly antivirus scanning and system optimization, with features like real-time phishing protection and cloud-based scanning. Aura Antivirus combines antivirus with identity theft protection and family safety features, excelling in AI-driven behavioral analysis. Bitdefender Mobile Security is recognized for its lightweight design, anti-theft features, and effective web protection. McAfee Mobile Security provides secure Wi-Fi scanning and IoT integration, with high user satisfaction reported. Norton leads in predictive analytics, while TotalAV includes a VPN for remote workers. Aura offers family-oriented tools and compliance-friendly features, incorporating blockchain technology for secure identity verification. Bitdefender is efficient in battery usage and has a high detection rate. McAfee supports multi-device protection and has strong customer support. Norton’s dark web monitoring helps prevent identity theft, and TotalAV blocks trackers and ads. Aura links antivirus protection to financial security with credit monitoring. Bitdefender automates threat responses and has a strong anti-ransomware module. McAfee scans for vulnerabilities in smart devices and provides threat intelligence feeds. Future developments may include quantum-resistant encryption. TotalAV is praised for its user interface, while Aura encourages user feedback for improvements. Bitdefender uses machine learning to reduce false positives, and McAfee employs predictive modeling for personalized security. Organizations must evaluate antivirus solutions based on integration with existing security frameworks, cost, and performance impact. Emerging trends include biometric authentication and deeper hardware-level security protections.