espionage

Winsage
December 4, 2025
Cybercriminals are exploiting a vulnerability in Windows LNK (.lnk shortcut) files, identified as CVE-2025-9491, to deliver malware in targeted attacks. This flaw allows attackers to hide malicious commands within shortcut files, which execute when a user opens the crafted shortcut, leading to malware installation. The vulnerability has been actively exploited by at least 11 threat actor groups, including Evil Corp and Mustang Panda, with malware such as Ursnif and Trickbot being delivered through this exploit. Microsoft released a patch for this vulnerability in November 2025 after initially delaying it, citing the need for user interaction to trigger the exploit. Security recommendations include avoiding suspicious .LNK files, implementing strict email filtering, and applying the latest security updates.
Winsage
December 3, 2025
Microsoft has addressed a long-standing security vulnerability, identified as CVE-2025-9491, which has been exploited since 2017. This vulnerability involves a misinterpretation issue within Windows Shortcut (LNK) files, potentially allowing remote code execution. The flaw was highlighted in the November 2025 Patch Tuesday updates, with a CVSS score of 7.8/7.0. It allows crafted .LNK files to obscure harmful content, making it invisible to users, thus enabling attackers to execute code under the current user's context. The vulnerability was exploited by various state-sponsored groups, including those from China, Iran, North Korea, and Russia, for data theft and espionage. Microsoft initially judged that the flaw did not warrant immediate attention, citing user interaction requirements and existing system warnings. Subsequent investigations revealed its exploitation by cyber espionage groups, including XDSpy and China-affiliated actors targeting European entities. The recent patch aims to ensure that the entire Target command is displayed in the Properties dialog, while 0patch provides warnings for LNK files exceeding 260 characters.
AppWizard
November 30, 2025
Meredith Whittaker, president of Signal, expresses strong concerns about the rise of AI agents, describing them as an “existential threat” to secure messaging platforms and app developers. AI agents require access to sensitive information, creating new vulnerabilities that can be exploited by cybercriminals. Whittaker points out the risk of prompt injection attacks, which can manipulate AI to execute harmful actions, leading to data breaches. She argues that unrestricted access to user communications by AI agents poses a significant risk to privacy and security, undermining the foundational security of the internet. Whittaker criticizes the reckless implementation of AI by Big Tech companies, suggesting it compromises cybersecurity in favor of rapid deployment and financial pressures.
AppWizard
November 27, 2025
Galaxy Princess Zorana's reign ended abruptly during a space-football game orchestrated by the Pope, resulting in her untimely death. The event was broadcast live, shocking the citizens of her interplanetary realm. Zorana, the inexperienced heir to a fractured empire, struggles with court politics and her education after her father's suspicious death. Players engage in a sports event to gain favor with the church, but her awkward interactions lead to an unfavorable outcome at Space Old Trafford. The narrative emphasizes the complexities of leadership and the balance between diplomacy and espionage.
AppWizard
November 26, 2025
CISA has issued a warning about spyware targeting users of instant messaging applications, particularly highlighting the Sturnus trojan, which poses significant risks to Android smartphone users. Sturnus, identified as a banking trojan, can bypass encrypted messaging by capturing messages after they are decrypted on the smartphone screen, rather than cracking the encryption itself. Security expert Aditya Sood noted that Sturnus uses a combination of plaintext, RSA, and AES-encrypted communication, complicating detection efforts. The trojan can read everything displayed on the smartphone screen in real time, including sensitive messages and contacts. CISA also identified tactics used by cyber threat actors, such as phishing, zero-click exploits, and impersonation to gain unauthorized access to messaging apps. Users are advised to keep Google’s Play Protect activated, avoid unauthorized app stores, and be cautious with accessibility permissions to protect against these threats.
Tech Optimizer
November 20, 2025
Fortinet has released a critical patch for a high-severity vulnerability, CVE-2025-58034, in its FortiWeb web application firewall (WAF), which is actively being exploited with around 2,000 recorded attack attempts. The vulnerable FortiWeb versions include 7.0.0 to 7.0.11, 7.2.0 to 7.2.11, 7.4.0 to 7.4.10, 7.6.0 to 7.6.5, and 8.0.0 to 8.0.1. This vulnerability enables OS command injection attacks, posing significant risks to organizations. FortiWeb is designed to filter malicious traffic for websites and APIs. Historical exploitation of similar vulnerabilities has been linked to cyber-espionage and ransomware incidents, including an attack by the Chinese state-sponsored group Volt Typhoon against a Dutch Ministry of Defence network in February 2025.
AppWizard
November 5, 2025
Arc Raiders features a variety of quests that players can undertake to enhance their gameplay experience. The quests are available from different NPCs, each offering unique rewards. Players can complete these quests in any order, and they will appear in the player's logbook once accepted. Quests can be accessed through the menu of their respective trader, and players can view available quests by selecting the trader and clicking on the quests tab. Completing quests often yields valuable mechanical components and other rewards, making them beneficial for players, especially when tackled with friends. Here is a list of the current Arc Raiders quests along with their rewards and associated NPCs:

1. Picking Up the Pieces - Shani - Rewards: Rattler III, 80x Medium Ammo
2. Clearer Skies - Shani - Rewards: 3x Sterilized Bandage, Light Shield, Black backpack (Hiker)
3. Trash Into Treasure - Shani - Rewards: Tactical MK. 1 Augment, 3x Adrenaline Shot
4. Off the Radar - Shani - Rewards: 2x Defibrillator
5. Small But Sinister - Shani - Rewards: 2x Lure Grenade
6. Controlled Demolition - Apollo - Rewards: 2x Jump Mines
7. Fight Fire With Fire - Tian Wen - Rewards: 3x Blaze Grenades
8. Hatch Repairs - Shani - Rewards: 10x Metal parts, 5x Steel Spring, 5x Duct Tape
9. The Right Tool - Tian Wen - Rewards: Cheer Emote, Stitcher II, Extended Light Mag I
10. Safe Passage - Apollo - Rewards: 5x Lil Smoke Grenade, 3x Shrapnel Grenade, 3x Barricade Kit
11. A Better Use - Tian Wen - Rewards: Extended Light Mag I, Stable Stock I, Muzzle Brake II
12. Down to Earth - Shani - Rewards: Combat MK.1, Medium Shield
13. The Trifecta - Shani - Rewards: Orange Camo outfit, Dam Control Tower Key, Raider Hatch Key, 2x Defibrillator
14. What Goes Around - Apollo - Rewards: 3x Blaze Grenade, 2x Noisemaker, Cans backpack
15. Finders Keepers - Tian Wen - Rewards: 2x Heavy Fuse Grenade
16. Wasps and Hornets - Shani - Rewards: Wasp Driver, Hornet Driver, Mechanical Components, Electrical Components
17. From a Distance - Shani - Rewards: Photoelectric Cloak
18. Movie Night - Apollo - Rewards: 2x Show Stopper
19. Sparks Fly - Apollo - Rewards: Trigger Nade Blueprint, 4x Crude Explosives, 2x Processor
20. Greasing Her Palms - Celeste - Rewards: Lure Grenade Blueprint, 3x Speaker Component, 3x Electrical Components
21. A First Foothold - Apollo - Rewards: 3x Shrapnel Grenade, 3x Snap Blast Grenade, 3x Heavy Fuze Grenade
22. Dormant Barons - Shani - Rewards: 3x Door Blocker, 3x Li'l Smoke Grenade
23. Mixed Signals - Shani - Rewards: Photoelectric Cloak, Raider Hatch Key
24. What We Left Behind - Tian Wen - Rewards: Photoelectric Cloak, Raider Hatch Key
25. Doctor's Orders - Lance - Rewards: 3x Adrenaline Shot, 3x Sterilized Bandage, Surge Shield Recharger
26. Medical Merchandise - Lance - Rewards: Banana backpack charm, 3x Defibrillator, 2x Vita Shot
27. A Reveal in Ruins - Lance - Rewards: Tactical Mk. 3 Healing Augment, Surge Shield Recharger
28. Broken Monument - Tian Wen - Rewards: Arpeggio I, Compensator II, 80x Medium Ammo
29. Marked for Death - Tian Wen - Rewards: Shotgun Choke II, Angled Grip II
30. Straight Record - Tian Wen - Rewards: 5x Medium Gun Parts, 3x Advanced Mechanical Components
31. A Lay of the Land - Rewards: Dam Testing Annex Key, 3x Zipline, 2x Smoke Grenade
32. Market Correction - Tian Wen - Rewards: Silencer II, Extended Light Mag I, Compensator I
33. Keeping the Memory - Celeste - Rewards: 5x Simple Gun Parts, 5x Duct Tape, 5x Magnet
34. Reduced to Rubble - Rewards: Zipline, 3x Barricade Kit, 3x Doorblocker
35. With a Trace - Rewards: Medium Shield
36. Eyes on the Prize - Tian Wen - Rewards: Extended Shotgun Mag II, Extended Medium Mag II
37. Echoes of Victory Ridge - Celeste - Rewards: 6x Crude Explosives, 2x Processor, Music Box
38. Industrial Espionage - Tian Wen - Rewards: 3x Mechanical Components, 3x Simple Gun Parts
39. Unexpected Initiative - Tian Wen - Rewards: Il Toro I, Shotgun Choke II
40. A Symbol of Unification - Celeste - Rewards: 3x Mod Components, 5x Duct Tape
41. Celeste's Journals - Celeste - Rewards: Magnetic Accelerator, 3x Heavy Gun Parts, Exodus Modules
42. Back on Top - Tian Wen - Rewards: Renegade I, Stable Stock III, 80x Medium Ammo
43. The Major's Footlocker - Tian Wen - Rewards: Hullcracker Blueprint
44. Out of the Shadows - Shani - Rewards: 3x Surge Shield Recharger, 2x Wolfpack
45. Eyes in the Sky - Rewards: Vita Spray, 5x Yellow Light Stick
46. Our Presence Up There - Shani - Rewards: Buried City Town Hall Key, Raider Hatch Key, Jolt Mine
47. Communication Hideout - Shani - Rewards: Anvil III, 40x Heavy Ammo
48. After Rain Comes - Celeste - Rewards: 5x Blue Light Stick, 3x Antiseptic, 5x Durable Cloth
49. A Balanced Harvest - Celeste - Rewards: 3x Advanced Mechanical Components, 3x Medium Gun Parts, 10x Steel Spring
50. Untended Garden - Celeste - Rewards: 3x Advanced Mechanical Components, 3x Heavy Gun Parts, 5x Canister
51. The Root of the Matter - Celeste - Rewards: 3x Advanced Mechanical Components, 3x Heavy Gun Parts, 3x Canister
52. Water Troubles - Rewards: 3x Mechanical Components, 3x Simple Gun Parts, 3x Steel Spring
53. Into the Fray - Rewards: Radio Renegade outfit, Burgerboy backpack charm, Vulcano III, 40x Shotgun Ammo
54. Source of the Contamination - Rewards: 5x Steel Spring, 5x Duct Tape, Mod Components
55. Switching the Supply - Celeste - Rewards: 3x Synthesized Fuel
56. A Warm Place to Rest - Rewards: 3x Noisemaker, 5x Blue Light Stick
57. Prescriptions of the Past - Rewards: Heavy Shield, Tactical Mk. 3 Healing Augment
58. Power Out - Celeste - Rewards: 5x Wires, 5x Explosive Compound, 5x Oil
59. Lost in Transmission - Rewards: 1x Snap Hook
60. Flickering Threat - Celeste - Rewards: 5x Medium Gun Parts, 3x Advanced Mechanical Components
61. Bees! - Rewards: Advanced Electrical Components, 3x Sensors
62. Espresso - Apollo - Rewards: Coffee Pot, 3x Adrenaline Shot
63. Life of a Pharmacist - Lance - Rewards: Defibrillator, Surge Shield Recharger, 3x Sterilized Bandage
64. Tribute to Toledo - Celeste - Rewards: 5x Magnet, 2x Advanced Mechanical Components, 3x Synthesized Fuel
65. Digging Up Dirt - Celeste - Rewards: 2x Advanced Electrical Components, 4x Speaker Component
66. Turnabout - Celeste - Rewards: 2x Heavy Gun Parts, 2x Medium Gun Parts
67. Building a Library - Apollo - Rewards: 2x Heavy Gun Parts, 2x Medium Gun Parts
68. A New Type of Plant - Rewards: Vita Shot, 5x Antiseptic
69. Armored Transports - Rewards: 3x Smoke Grenade, 3x Defibrillator
70. Lance's Tea Party - Lance - Rewards: 2x Defibrillator
71. Handover - Tian Wen - Rewards: 2x Jolt Mine
72. Pied Piper - Apollo - Rewards: 3x Gas Grenades
73. Powering up the Greenhouse - Tian Wen - Rewards: Raider Augment III
74. The Bandage Run - Lance - Rewards: 3x Herbal Bandages
75. The Control Tower - Shani - Rewards: 1x Snap Hook
76. ESR Analyzer - Lance - Rewards: Tempest I
77. Raider Versus Rocketeer - Shani - Rewards: 2x WolfPack
78. Bringing Down a Bison - Shani - Rewards: Equalizer
AppWizard
November 5, 2025
Security researchers from ESET discovered 12 malicious Android chat applications, including Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat رفاق, and Chit Chat, that covertly harvested users’ messages and deployed a remote access trojan called VajraSpy. Six of these apps were available on Google Play before being flagged for suspicious activity, resulting in approximately 1,400 downloads, primarily targeting users in India and Pakistan. The spyware could extract messages from encrypted chat platforms, record ambient sounds in real time, and intercept communications on apps like WhatsApp and Signal. The operators used honey-trap tactics to entice users into installing the apps, which requested permissions typical of espionage tools, such as RECORD_AUDIO and access to notifications and accessibility services. Users are advised to uninstall these apps and review permissions to protect against potential threats.