endpoint

Tech Optimizer
November 24, 2025
The global Computer Security for Consumer market is projected to grow from an estimated value of US$ 31.23 billion in 2024 to approximately US$ 56.06 billion by 2031, with a compound annual growth rate (CAGR) of 8.9% from 2025 to 2031. Key drivers include the surge in cybersecurity threats and increased reliance on digital technologies. Major players like NortonLifeLock, Fortinet, McAfee, Avast, and Trend Micro hold over 25% of the market share, with North America contributing over 40% of consumer revenue. Antivirus software accounts for over 35% of consumer revenue, while there is a shift towards comprehensive security suites. Future trends indicate growth in AI-powered threat detection and demand for privacy-centric solutions. The market is segmented by type (Network Security, Identity Theft, Endpoint Security, Computer Virus, Others) and application (Traditional Terminal Device Security, IoT Security). The report includes a geographic assessment of regions such as North America, Europe, Asia-Pacific, and Latin America.
Tech Optimizer
November 20, 2025
ESET is offering a 30% discount on all its products for a limited time during the holiday shopping season. The ESET Protect packages, including ESET Protect Advanced and ESET Protect Complete, are highlighted as effective cybersecurity solutions. ESET Protect received a four-out-of-five-star review, noted for being a well-rounded endpoint security solution compatible with major desktop and smartphone operating systems, and featuring a user-friendly interface.
Winsage
November 19, 2025
Microsoft will integrate its forensic tool, System Monitor (Sysmon), into the Windows kernel with the upcoming releases of Windows 11 and Server 2025. This integration will transform Sysmon from a standalone utility into a native “Optional Feature” that will be serviced automatically through Windows Update. Administrators will no longer need to manually distribute Sysmon; instead, it can be activated through the “Turn Windows features on or off” dialog or command-line instructions. The integration will ensure that updates flow through the standard Windows Update pipeline, providing official support and Service Level Agreements (SLAs) for Sysmon. Microsoft plans to utilize local computing capabilities for AI inferencing to enhance security measures, focusing on detecting credential theft and lateral movement patterns. Sysmon will maintain backward compatibility with existing workflows, allowing the use of custom configuration files and adhering to the XML schema while continuing to log events to the Windows event log. Community-driven configuration repositories will remain operational, preserving established community knowledge.
Winsage
November 19, 2025
Microsoft unveiled new Windows Recovery tools during the Ignite 2025 keynote to help IT teams reduce downtime and streamline remediation processes. Enhancements to Quick Machine Recovery (QMR) include WinRE networking support, which will initially support Ethernet and later add Enterprise Wi-Fi capabilities. Autopatch can now manage and approve QMR updates, currently in public preview. Microsoft Intune's remote recovery via WinRE allows IT administrators to monitor devices in recovery mode and deploy scripts directly from the console, extending to Windows Server VMs through the Azure Portal. New recovery options for Windows PCs include a point-in-time restore feature for reverting to previous states and a Cloud rebuild feature for remotely reinstalling Windows 11 on malfunctioning devices. These updates are expected to be generally available to commercial customers in the first half of 2026. Microsoft has also introduced Autopatch update readiness in preview, providing real-time insights into device update readiness through a unified Intune dashboard. Additionally, new tools for incident management include Mission Critical Services for Microsoft 365, allowing collaboration with Windows engineers, and Windows 365 Reserve, which offers secure temporary Cloud PCs. Microsoft Intune will issue alerts when devices enter WinRE to prioritize recovery efforts, and a Digital Signage mode will prevent error messages on non-interactive public displays.
Tech Optimizer
November 18, 2025
A newly released open-source tool called SilentButDeadly, developed by Ryan Framiñán and launched on November 2, 2025, can disable Endpoint Detection and Response (EDR) systems and antivirus software without terminating processes. It exploits the Windows Filtering Platform to sever cloud connectivity for security products, leaving systems vulnerable to attacks. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges, then scanning for active EDR processes like SentinelOne and Windows Defender. It establishes network filters that block communications for these security applications, preventing them from receiving updates or transmitting telemetry data. The tool also attempts to disable EDR services by changing their startup types. SilentButDeadly features dynamic, self-cleaning filters and builds on techniques from EDRSilencer, introducing enhanced operational safety. Organizations using cloud-based threat detection face risks when their security solutions lose connectivity. Security teams are advised to monitor Windows event logs for specific filter creation events and implement real-time monitoring and redundant communication channels for EDR telemetry.
Tech Optimizer
November 17, 2025
In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, where users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. Following this, attackers deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption to mislead security efforts. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves payloads encrypted with RC2 from platforms like MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. The malware disables AMSI by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' security scanning. Amatera communicates with command servers through encrypted channels, using AES-256-CBC for traffic encryption, making inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads targeting high-value assets.
Tech Optimizer
November 17, 2025
A new endpoint detection and response (EDR) evasion technique called SilentButDeadly has been identified, which exploits vulnerabilities in security software by using a network communication blocker that leverages the Windows Filtering Platform (WFP). This technique disrupts EDR and antivirus solutions' cloud connectivity without terminating processes or manipulating the kernel. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges and discovering EDR solutions like SentinelOne and Windows Defender. It establishes dynamic WFP sessions with high-priority filtering rules to block outbound telemetry and inbound command-and-control communications, preventing EDR solutions from receiving updates and executing remote management commands. Additionally, it attempts to disable EDR services, hindering automatic restarts and background monitoring. This technique highlights a significant architectural vulnerability in EDR systems that rely on network connectivity. To mitigate this threat, security teams can monitor Windows event logs for specific Event IDs related to WFP filter creation and implement real-time monitoring and redundant communication channels. SilentButDeadly requires administrator privileges and is ineffective against EDR solutions protected by kernel-level network drivers.