executables

Tech Optimizer
July 3, 2026
Cybercriminals are using a sophisticated method to bypass security measures by embedding malware within the VLC media player. This campaign exploits VLC to install ValleyRAT, a remote access trojan, through phishing emails that contain links to download a seemingly harmless file. Once the file is opened, it activates a hidden backdoor that evades detection by antivirus solutions. The malware has been active since 2023, with a significant increase in activity noted through 2025 and into 2026, particularly targeting Chinese and Japanese-speaking users. The infection process begins when a victim clicks a link in a phishing email, leading to a ZIP archive containing a disguised executable and a malicious DLL (libvlc.dll). The executable mimics a legitimate VLC file, and when executed, it loads the DLL, allowing the malware to run under the guise of VLC. The malware establishes persistence by creating a registry entry and connects to a remote server to retrieve the final payload. ValleyRAT employs evasion tactics to avoid detection, such as performing checks on system behavior and using a fileless approach to inject its payload directly into memory, avoiding storage on disk. Researchers recommend training employees to recognize suspicious filenames and deploying endpoint detection tools to identify DLL sideloading behavior. For organizations affected by this campaign, isolating compromised systems and reviewing security logs are critical initial steps. Indicators of compromise include a malicious email domain, a ZIP archive containing a fake VLC executable, and a download URL for ValleyRAT.
Winsage
June 25, 2026
Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM. COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying. COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls. Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
Winsage
June 19, 2026
Microsoft has identified a Windows-based cryptocurrency clipper campaign that has been active since February 2026. This campaign uses clipboard-intercepting malware with self-spreading capabilities and operates through the Tor network. The clipper malware employs Windows Script Host and ActiveX to launch a Tor proxy and connect to a hidden command-and-control server. It focuses on stealing clipboard data, particularly cryptocurrency wallet addresses, and can exfiltrate screenshots. The malware is distributed via malicious Windows Shortcut (LNK) files on USB drives, which activate a worm that checks for existing infections and fetches the payload from a remote server. The clipper monitors the clipboard every 500 milliseconds for sensitive information and can replace copied wallet addresses with those controlled by attackers. Microsoft recommends behavioral detections, disabling AutoRun for removable media, blocking LNK execution from drives, and monitoring clipboard-related activities as mitigations against this threat.
Winsage
June 19, 2026
Microsoft is collaborating with Adobe to enhance the performance of Photoshop, a widely used image editing software. The partnership focuses on optimizing operations within Photoshop, which is primarily developed in C++ and compiled using Microsoft’s Visual C++ (MSVC) compiler. Microsoft aims to improve performance for CPU-intensive tasks, particularly those that are latency-sensitive, such as brush responsiveness and file-opening tasks. The engineering team activated MSVC’s "peak-performance" compilation mode and explored profile-guided optimization (PGO) to refine executables. However, due to the complexity PGO introduced, they shifted to Sample-based Profile Guided Optimizations (SPGO), which uses hardware performance samples from actual release binaries. This method allows for greater flexibility in data collection and typically yields performance improvements of 5% to 15%. By combining MSVC’s peak-performance mode with SPGO, the teams achieved a 20% performance boost on x64 Windows systems and a 13% enhancement on Arm architecture. These optimizations resulted in improved responsiveness for critical tasks in Photoshop, enhancing the user experience in professional creative workflows.
Winsage
June 8, 2026
Microsoft has integrated Sysmon into Windows 11 through a system update, allowing it to operate in the background and log activities in the Windows Event Log. Indicators of suspicious processes include the absence of icons or descriptions, incorrect parent processes, spelling errors in names, unsigned executable files, packed executables, suspicious DLLs or services, open TCP/IP endpoints, and unusual URLs or character strings. To install Sysmon, users must access the Control Panel, enable Sysmon, and restart their PC. Activation requires running a command in the Command Prompt. Sysmon logs can be viewed in the Event Viewer under Microsoft > Windows > Sysmon > Operational. Users can filter events using an XML configuration file. After analysis, suspicious processes should be scanned with antivirus software, and files can be uploaded to VirusTotal for further examination. Sysmon continuously logs events, while Process Monitor captures snapshots of running processes, and both tools are available for free from Microsoft.
Winsage
May 22, 2026
Microsoft's Digital Crimes Unit has filed a lawsuit against Fox Tempest, a criminal enterprise selling fraudulently signed malware to ransomware groups, affecting hospitals, schools, and critical infrastructure in ten countries. The lawsuit was filed on May 19 in the U.S. District Court for the Southern District of New York. Fox Tempest created a portal at signspace[.]cloud, offering a user-friendly interface for uploading malicious files and generating over 580 fraudulent Microsoft accounts to bypass identity verification. The group provided pre-configured virtual machines for customers to upload malicious payloads in exchange for signed binaries. Fox Tempest's operations were linked to a ransomware attack chain involving a counterfeit Microsoft Teams installer that deployed the Rhysida ransomware. This ransomware strain has caused significant breaches, including an October 2023 attack on the British Library, which resulted in a data exfiltration of about 600GB and recovery costs of £6 to £7 million, and a September 2024 attack on Seattle-Tacoma International Airport with a ransom demand of .8 million. Microsoft's civil litigation approach allowed for a quicker legal process, leading to the seizure of the signspace[.]cloud domain and the suspension of around 1,000 Fox Tempest accounts. Despite these actions, Fox Tempest has begun shifting to alternative code-signing services, highlighting the evolving nature of cybercrime and the need for users to verify software through independent channels. The confirmed targets of Fox Tempest included organizations in the United States, France, India, China, Brazil, Germany, Japan, the United Kingdom, Italy, and Spain.
Winsage
May 20, 2026
Bitdefender's research highlights the use of Microsoft's MSHTA utility in malware attacks, noting its default activation in Windows systems. Cybercriminals exploit MSHTA to execute malicious scripts under the guise of legitimate processes, linking it to various malware families like LummaStealer and PurpleFox. The study reports a rise in MSHTA-related detections, indicating a shift towards "living-off-the-land" tactics that utilize legitimate tools to evade security alerts. Social engineering is identified as a common entry point for attacks, employing deceptive methods such as fake software downloads and phishing links. MSHTA can retrieve and execute additional payloads through multi-stage chains, complicating detection efforts. The attacks target sensitive information, including credentials and financial data, and the continued presence of MSHTA poses risks as it allows threat actors to conceal malicious actions. To mitigate these threats, organizations are advised to restrict or disable legacy scripting tools and exercise caution with untrusted downloads. The report emphasizes the challenge of detecting unusual behaviors associated with legitimate utilities in the context of cyber threats.
Search