evasion Archives

Winsage

June 2, 2026

New PHANTOMPULSE RAT Campaign Uses UAC Bypass in Windows Attacks

The REF6598 intrusion set has revealed a Remote Access Trojan (RAT) named PHANTOMPULSE, which is distributed via malicious Obsidian plugins. It uses advanced evasion techniques, including a blockchain-based command and control (C2) channel and a public User Account Control (UAC) bypass to infiltrate Windows systems. The malware disables security measures like the Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) through a hardware-breakpoint technique, allowing it to avoid detection by signature-based memory scanners. PHANTOMPULSE hides its core files in encrypted registry blobs and creates scheduled tasks that appear as .NET Framework updates. Its decentralized C2 framework queries public blockchains for operational data, but it lacks sender authentication, which can be exploited by defenders. The malware inventories the system for antivirus software and targets high-value applications. It employs a UAC bypass technique called “schuac” to gain elevated permissions. Analysts attribute this campaign to DPRK-aligned threat actors, particularly the BlueNoroff group, due to its focus on cryptocurrency wallets and blockchain exploitation. Defenders can identify new infrastructure by searching blockchain ledgers for a specific hex signature associated with the malware's C2 encryption routine.

AppWizard

June 2, 2026

Tile matching roguelite action game Chivalware announced for PC

Publishers The Arcade Crew and Imperfect Games, along with developer Regal Pigeon, have announced a dynamic tile-matching roguelite action game called Chivalware. The game features real-time, grid-based combat mechanics and will be available on PC through Steam, with a demo currently accessible. Players take on the role of a Disk Knight, tasked with defeating a mad King while navigating a grid battlefield and utilizing weapon disks. The gameplay involves matching tiles to charge weapons, evading enemy attacks, and strategically planning counterattacks. Players can choose from four distinct Disk Knights, unlock over 80 weapons and 150 upgrades, and face various bosses. An announcement trailer and screenshots are available for viewing.

AppWizard

May 25, 2026

The new game from the makers of Botanicula and Chuchel is like 1984 meets the Keystone Kops, but in a way that actually works

Phonopolis, developed by Amanita Design, was released last week and has received positive early impressions. The game features straightforward puzzles that resemble interactive toys, with a notable sequence involving evasion during a parade. It is inspired by the works of Karel Čapek and George Orwell, showcasing themes of class division, surveillance, and punishment. The soundtrack by Tomáš Dvořák contrasts the game's harsh environment with a gentle, dreamy lullaby. The game is described as having overt thematic elements, making it feel heavier and less joyful than previous titles like Machinarium and Botanicula. Phonopolis is available for purchase on Steam, Epic, and GOG for .49/£18/€19.79, with a collector's edition and a demo also offered on Steam.

Winsage

May 21, 2026

Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend Actively Exploited on Windows 10, 11, and Server (April 2026 CVE Analysis)

In April 2026, two zero-day vulnerabilities, RedSun and UnDefend, were discovered in Microsoft Defender, affecting Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities allow attackers to escalate privileges to SYSTEM and bypass Defender’s protections. RedSun exploits a flaw in Defender's remediation process, enabling low-privileged users to overwrite critical system files. UnDefend allows attackers to disrupt Defender’s updates, keeping it outdated and ineffective. Both vulnerabilities are actively being exploited, with attackers leveraging them to gain persistent access and deploy ransomware. The primary targets are organizations using Windows systems with Defender enabled, particularly in sectors like finance, healthcare, and government. Mitigation strategies include applying updates for related vulnerabilities, monitoring for suspicious activities, and implementing additional security measures.

AppWizard

May 20, 2026

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers have identified an ad fraud and malvertising operation called Trapdoor, targeting Android users with 455 malicious applications and 183 command-and-control domains. Users often download these disguised apps, which initiate malvertising campaigns and lead to further downloads of malicious applications. At its peak, Trapdoor generated 659 million bid requests daily, with over 24 million downloads of the associated apps, primarily from the United States. The operation exploits install attribution tools to activate malicious activities only for users acquired through fraudulent ad campaigns, while suppressing such behavior for organic downloads. Trapdoor employs advanced evasion techniques, including obfuscation and impersonation of legitimate software, to avoid detection. Google has removed the identified malicious apps from the Play Store in response to the threat.

AppWizard

May 9, 2026

This underloved Dead by Daylight rival is just $1, thanks to Fanatical’s latest bundle

Dead by Daylight is a popular asymmetrical horror game celebrating its 10th anniversary, where players can escape as survivors or hunt as killers. Killer Klowns from Outer Space is a competing game featuring seven survivors against three clowns, with gameplay focused on survival and evasion. The game has received an 8/10 rating from a review in 2024, praising its balance and engagement. Currently, Killer Klowns from Outer Space: The Game is available for approximately .15 through Fanatical's Killer Bundle, which requires the purchase of five games for a total of about .75. The bundle includes other titles like Sniper Elite 4 and Baldur's Gate 1 and 2, offering a cost-effective way to acquire multiple games.

AppWizard

April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.

AppWizard

April 25, 2026

NoVoice malware hit 2.3 million Android devices through apps Google never should have approved

McAfee researchers discovered a complex Android rootkit campaign, dubbed Operation NoVoice, that infiltrated 50 applications on Google Play, exploiting vulnerabilities in the kernel that had been patched but not uninstalled. The malware was resilient enough to survive factory resets and was concealed within seemingly benign apps, which collectively garnered 2.3 million downloads. The malicious payload was hidden in the com.facebook.utils package and used steganography to embed an encrypted payload within a PNG image. The malware conducted multiple checks to avoid detection and established contact with a command-and-control server, polling for exploit packages every 60 seconds. It utilized 22 distinct exploits, including vulnerabilities that had received patches between 2016 and 2021. The malware disabled SELinux enforcement and installed a persistent rootkit that could survive factory resets. Google confirmed the removal of the infected apps but noted that users who had already downloaded them remained at risk, especially if their devices were running unpatched Android versions. McAfee advised affected users to treat their devices as compromised and consider professional inspection or hardware-level storage wiping for remediation.

AppWizard

April 21, 2026

NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware targets Android users by disguising itself within a trojanized version of the HandyPay app, which is a legitimate mobile payment processing application. This malware, documented since mid-2024, siphons payment card information through the mobile device's near-field communication (NFC) chip and sends the stolen data directly to attackers, who create virtual cards for unauthorized purchases or cash withdrawals from NFC-enabled ATMs. The new variant has been injected with malicious code into the HandyPay app, which has been available on Google Play since 2021. The code includes emojis, indicating the possible use of a generative AI tool in its development. The shift from previous iterations, which used an open-source tool named NFCGate, to HandyPay is likely motivated by financial considerations and the need for evasion, as HandyPay is more affordable and requires fewer permissions. This NGate variant has been active since November 2025, primarily targeting Android devices in Brazil. It employs two main distribution methods: a counterfeit app named “Proteção Cartão” hosted on a fraudulent Google Play page and a fake lottery website that redirects users to WhatsApp to download the malicious APK. Upon installation, the app prompts users to set it as their default NFC payment application, requests their card PIN, and instructs them to tap their card on the phone for reading, transmitting all collected information to an attacker's email address. To protect against such threats, Android users are advised to avoid downloading APKs from outside Google Play, disable NFC when not in use, and use Play Protect to scan for threats.

AppWizard

April 19, 2026

Mirror’s Edge review (2009)

Wes Fenlon reflects on the evolution of the Mirror's Edge franchise, noting that only six years separated the original game from its sequel, Mirror's Edge Catalyst. Despite Catalyst's mixed reception, Fenlon maintains nostalgia for the original, particularly its vibrant cityscape and the iconic cloth physics supported by Nvidia's PhysX. A review by Graham Smith highlights the early levels of Mirror's Edge for their embodiment of free-running, with a design that emphasizes evasion over traditional combat, which can lead to frustration. The game's physicality and attention to detail enhance immersion, while the sensation of speed adds excitement to gameplay. Players navigate through jumping puzzles and environments that blend challenge and satisfaction, although the story mode is brief, taking about six hours to complete. Additional modes like Speed Run and Time Trial offer further challenges focused on movement. Overall, Mirror's Edge is recognized as a bold experiment in merging first-person platforming with traditional gameplay elements.