endpoint security Archives

AppWizard

April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.

AppWizard

April 30, 2026

Minecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection

A new infostealer malware called LofyStealer is targeting the gaming community, particularly Minecraft players, by disguising itself as a cheat tool named “Slinky.” It employs a two-stage attack to extract sensitive information from eight major web browsers, including Chrome and Firefox, while evading detection by security software. The malware siphons off cookies, saved passwords, payment card information, and session tokens. Researchers at Zenox.ai identified LofyStealer, linking it to the Brazilian cybercrime group LofyGang, which has been active since October 2022. The malware uses social engineering tactics to appear legitimate and operates as a Malware-as-a-Service platform, offering both Free and Premium tiers to buyers. Its technical sophistication is evident in its method of in-memory browser injection, which allows it to bypass security defenses. The stolen data is compressed and sent to a command-and-control server. Users are advised to avoid downloading unofficial game mods and enable multi-factor authentication to reduce the risk of credential theft. Security teams should monitor for specific behavioral indicators related to the malware's operations.

Tech Optimizer

April 24, 2026

Fileless Malware and Email Authentication Gaps

Fileless malware operates stealthily within networks, utilizing legitimate system tools like PowerShell and Windows Management Instrumentation (WMI) to execute malicious code in memory without leaving traces on disk. Traditional antivirus solutions struggle to detect these threats due to their reliance on file signatures. The primary vector for fileless malware is email, where attackers use spoofed messages to trick users into activating malicious scripts. Misconfigurations in Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records create vulnerabilities that attackers exploit to deliver spoofed emails. Traditional endpoint protection mechanisms are inadequate against fileless attacks, necessitating a shift towards behavioral analysis for detection. Organizations must assess their preparedness by ensuring proper email authentication configurations and enhancing endpoint security capabilities. Integration among security teams and updated employee security awareness programs are also essential. Sendmarc helps organizations mitigate vulnerabilities by providing visibility into SPF, DKIM, and DMARC configurations and enforcing DMARC to block unauthenticated messages.

Tech Optimizer

April 19, 2026

Avast Antivirus: Between Free Tier Strength and Privacy Risks, Things Are Getting Interesting

Avast Antivirus offers free protection against malware, phishing, and unsafe websites, featuring real-time scanning, ransomware protection, and a behavior-based detection system. The free edition includes protective shields for files, emails, and web browsing, while Avast Premium Security provides advanced ransomware defense and a secure browser. Avast One bundles additional features like a VPN and parental controls. Gen Digital acquired Avast in 2022, positioning it as a key part of its consumer cybersecurity strategy, with a freemium model that attracts users and encourages upgrades to premium plans. Avast has a user base of 435 million, with millions transitioning to paid subscriptions annually. The global antivirus market is experiencing double-digit growth, driven by increasing cyber threats. Avast competes with major players like Norton, Bitdefender, and Kaspersky, while facing challenges from free alternatives like Windows Defender. The company previously faced privacy issues related to the sale of anonymized browsing data but has since implemented transparency measures and compliance with EU regulations. Avast is exploring AI-driven detection methods and post-quantum defenses to enhance its offerings.

Tech Optimizer

March 19, 2026

How AI And Hacking Professionalism Are Overwhelming Endpoint Security

The digital landscape is transforming due to the professionalization of cybercrime, which is now a significant part of organized crime, second only to drug trafficking. Malware includes various types such as viruses, browser hijackers, password stealers, Trojans, botnet malware, and ransomware. Traditional antivirus solutions rely on signature-based detection, heuristic analysis, and behavior monitoring, but these methods can lead to false positives and negatives. The evolution of cybersecurity has seen the rise of "Ransomware-as-a-Service" (RaaS) and the use of polymorphic malware that changes its signature, making traditional defenses ineffective. Hackers are also using AI and machine learning to evade behavioral monitoring. New defense strategies include Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), which focus on monitoring for breaches rather than preventing them. Leading vendors in this space include CrowdStrike, SentinelOne, Microsoft, and Palo Alto Networks. The zero trust security framework treats all access attempts as potentially hostile and emphasizes the integration of various security technologies. Emerging startups like FinalAV Security are developing zero trust solutions for consumers and small businesses, focusing on prevention rather than detection.

Tech Optimizer

March 11, 2026

Attackers Use Malformed ZIP Archives to Evade Antivirus and EDR Tools

Cybersecurity researchers at the CERT Coordination Center (CERT/CC) have identified a new evasion technique, VU#976247, used by threat actors to exploit malformed ZIP archives and bypass Antivirus (AV) and Endpoint Detection and Response (EDR) systems. Attackers manipulate the internal headers of ZIP files, particularly altering the compression method field, which causes security tools to fail in analyzing the malicious payload. While some security products may flag the modified files as corrupted, they often do not detect the underlying malicious code. Standard extraction tools typically trust the tampered metadata and may return errors, leaving the hidden payload undisclosed. Attackers use custom malware loaders to extract and execute the malicious data, circumventing traditional AV detection. Cisco has been confirmed as affected, while other vendors, including AhnLab, Avast, Bitdefender, and Avira, have an “Unknown” status regarding their vulnerability. To mitigate this threat, organizations should enhance archive handling processes, avoid relying solely on declared metadata, adopt aggressive detection modes, flag metadata inconsistencies, and consult with AV and EDR providers about vulnerabilities.

Winsage

March 3, 2026

New Defender deployment tool streamlines Windows device onboarding with single executable

Microsoft has enhanced its Defender deployment tool for Windows to streamline the onboarding process for device security management. The tool now features improved progress visibility and additional administrative controls, consolidating onboarding files into a single downloadable .exe file for both modern and legacy systems. It supports silent and non-interactive options for large-scale deployments, integrates with Group Policy or Configuration Manager, and allows for custom package identifiers. Administrators can monitor deployment events through the device timeline and advanced hunting tabs for real-time insights. The updated tool is accessible via Settings > Endpoints > Onboarding > Windows and extends support to Linux. Comprehensive onboarding and offboarding guides are available on the Defender portal.

Tech Optimizer

February 24, 2026

Hackers Are Using Fake Invitations to Take Over Your PC

Cybercriminals are sending counterfeit email invitations that, when clicked, install a backdoor on the victim's computer, allowing hackers full control. The scam often involves downloading a file named “invites.msi,” which is a Windows Installer package. This file can install ScreenConnect, a legitimate remote support tool that can be exploited by attackers to monitor screens, access files, and deploy additional malware. Many security engines fail to flag this software as malicious, making it difficult to detect. If someone suspects they have fallen victim to this scam, they should disconnect from the internet, check for and uninstall any remote management software, run a comprehensive antivirus scan, change passwords for critical accounts, enable two-factor authentication, inform their IT department if applicable, and consider performing a full Windows reset. The scam originated from a compromised email account, which was used to send the malicious link to contacts. Implementing two-factor authentication and using a password manager can help prevent such incidents. Users should be cautious of any email invitations that require downloading and running installer files.

Tech Optimizer

January 26, 2026

Do You Still Need Antivirus Software? Here’s What Experts Say

Browser extensions are important for online security, but their effectiveness depends on avoiding pirated software and untrustworthy applications. Regular updates to antivirus software, such as Microsoft Defender, are crucial to prevent vulnerabilities, and it is recommended to configure Windows Security settings for auto-updates. While Microsoft Defender can protect against malware, it may not be sufficient against advanced threats like ransomware and phishing, particularly for individuals handling sensitive data. Alternatives to Microsoft Defender include Bitdefender Total Security and Norton 360, which offer additional features. Upgrading from Windows 11 Home to Pro provides enhanced security features. For enterprise use, AhnLab V3 Endpoint Security and Avast Ultimate Business Security are recommended for their protection and performance.

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.