execution Archives

Winsage

June 19, 2026

Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2

Microsoft has identified a Windows-based cryptocurrency clipper campaign that has been active since February 2026. This campaign uses clipboard-intercepting malware with self-spreading capabilities and operates through the Tor network. The clipper malware employs Windows Script Host and ActiveX to launch a Tor proxy and connect to a hidden command-and-control server. It focuses on stealing clipboard data, particularly cryptocurrency wallet addresses, and can exfiltrate screenshots. The malware is distributed via malicious Windows Shortcut (LNK) files on USB drives, which activate a worm that checks for existing infections and fetches the payload from a remote server. The clipper monitors the clipboard every 500 milliseconds for sensitive information and can replace copied wallet addresses with those controlled by attackers. Microsoft recommends behavioral detections, disabling AutoRun for removable media, blocking LNK execution from drives, and monitoring clipboard-related activities as mitigations against this threat.

Winsage

June 19, 2026

Microsoft finally admits its default Windows 11 25H2, 24H2 action broke key legacy component

Microsoft released Patch Tuesday updates for Windows 11, specifically KB5094126 and KB5093998, along with dynamic updates KB5094149, KB5095971, and KB5094156. Two issues have been acknowledged: malfunctioning Office applications and complications with the Recycle Bin. In July 2025, Microsoft changed the default settings of Windows 11 to JScript9Legacy in versions 24H2 and later, continuing with version 25H2 in October 2025. This change aimed to enhance security by addressing vulnerabilities related to legacy scripting, particularly cross-site scripting (XSS). A support article details a compatibility issue arising from the transition from jscript9.dll to jscript9legacy.dll, which affects how JScript manages execution context. Functions and definitions established by one script are no longer accessible to subsequent scripts, leading to failures in legacy applications. To address this, Microsoft released the KB5077241 update, which requires manual activation of persistent JScript execution context through a Registry setting. The steps to implement this solution involve creating a feature control registry key and configuring a DWORD value for specific processes or all processes.

AppWizard

June 19, 2026

4 security upgrades in Android 17 you didn’t know about, but will be glad to have

Google's Android 17 update is being deployed to Pixel devices, introducing new features such as multitasking bubbles, expanded dark theme controls, and a revamped screen recording interface. Key user preferences from a poll indicate that 32% favor multitasking app bubbles, while other features received varying levels of support. The update includes App Memory Limits to prevent excessive RAM usage by apps, enhancing performance. It also restricts apps from scanning local networks without explicit permission, improving user privacy. Additionally, Android 17 tightens restrictions on dynamic code loading to strengthen malware protection and implements Certificate Transparency protections by default for secure HTTPS connections. Overall, these changes aim to enhance performance, security, and user experience.

Winsage

June 19, 2026

Windows Platform Security and the Race to Secure AI Agents

Microsoft has introduced the Microsoft Execution Containers (MXC) SDK to establish Windows as a reliable operating system for autonomous agents, focusing on containment, identity, and manageability. The MXC framework serves as a policy-driven execution layer for agents on Windows and Windows Subsystem for Linux (WSL), allowing developers to set access permissions using JSON or TypeScript. It employs process and session isolation for agent containment and identity. Future enhancements will include micro-VM support for high-risk tasks and integration with Windows 365 for cloud PC workloads. IT teams can manage MXC policies through Entra ID and Intune, while Defender and Purview provide protection and observability. The MXC framework is built on Microsoft's security initiatives, including Secure Boot and passwordless sign-in, allowing agents to inherit a secure foundation. However, early commentary expresses caution regarding MXC's perception as a comprehensive security solution, noting issues with overly permissive policies and the lack of outbound network filtering. Other platforms, such as Linux, are also enhancing security for agents with kernel-level isolation and secure environments like NVIDIA's OpenShell runtime. Various projects are focusing on agent sandboxes within Kubernetes, employing technologies like gVisor and Kata Containers for isolation. Overall, no singular dominant platform security model for AI agents has emerged, with Windows' MXC still considered nascent compared to existing solutions in Linux and Kubernetes ecosystems.

Winsage

June 18, 2026

How to check if your PC is Secure Boot ready

Microsoft has announced enhancements to its Secure Boot technology to improve system security by ensuring only trusted software is loaded during the boot process. ASUS will integrate advanced Secure Boot capabilities into its hardware, aligning with Microsoft's security protocols. This collaboration aims to enhance device integrity and protect user data against cyber threats. The updated Secure Boot technology will help prevent the execution of malicious software during startup, and both companies seek to boost consumer confidence in their products.

Winsage

June 18, 2026

Microsoft once used its own brand of ‘Lego’ to optimize Windows

Former Microsoft engineer Dave Plummer reflected on software performance challenges during the '90s, specifically the limitations of machines with 12 MB of RAM. He discussed the Basic Block Tool (BBT), which optimized software binaries by reorganizing their structures to enhance execution speed. A typical binary contained around 10 MB of code, but only about 300 KB was necessary for startup. If this essential code was scattered, it led to performance degradation due to excessive page access. BBT defragmented binaries, grouping related code to streamline access and improve user experience, particularly for large products like Windows and Office. Modern tools like BOLT and HP's Dynamo continue to optimize binary layouts and runtime code, but Plummer cautioned about the risks of manipulating binaries. He noted that while computational power has increased, modern software faces similar performance challenges, with larger binaries and complex dependency graphs. He emphasized the importance of locality in software design, advising to keep hot data and code together to enhance performance.

Tech Optimizer

June 18, 2026

Here’s What Actually Happens When Antivirus Software Scans Your PC

Interactions with antivirus software occur during installation and when issues arise, while the software operates quietly in the background. Modern antivirus solutions continuously monitor for threats using various detection methods, including real-time scanning, which actively scrutinizes files as they are downloaded or accessed. The signature database is essential for identifying malware by comparing files against known signatures, but it can only detect documented threats. Heuristic detection and behavioral analysis help catch unknown malware by evaluating suspicious characteristics and monitoring file actions during execution. Sandboxing allows suspicious files to run in a controlled environment, logging their behavior to determine if they are malicious. Quarantine neutralizes threats by locking files in a secure location, allowing users to review them before deletion. Full scans are resource-intensive and can slow down system performance, while real-time scanning is less demanding. Users can schedule scans during idle times, exclude trusted folders, or consider cloud-based solutions to mitigate performance impacts.

Tech Optimizer

June 18, 2026

Retro gaming fans are the new target for fake GitHub malware

Retro gaming enthusiasts should be cautious when exploring GitHub projects for tools or plugins, as cybercriminals may disguise malware as homebrew software. A specific incident involved a project called EQVita, which pretended to be a free audio tool for PlayStation Vita but actually contained Windows malware. The downloaded file included three files: Launch.bat, luajit.exe, and x64.txt, with the latter concealing a hidden script that connected to the attacker's server upon execution. This scam is part of a broader trend where counterfeit GitHub repositories distribute SmartLoader malware, which retrieves additional malicious software aimed at stealing passwords and cryptocurrency wallets. The PS Vita community, despite the console's production ceasing, remains active in modding, making it a target for attackers. Legitimate plugins typically come in Vita-compatible formats, while fake ones may feature polished marketing materials and AI-generated descriptions. Users are advised to verify sources, be cautious of suspicious downloads, and utilize security tools like Malwarebytes. If someone has executed the malicious EQVitav1.3.zip file, they should conduct a malware scan, change important passwords, and monitor accounts for unauthorized access. Indicators of compromise include the domains https://github.com/Voistace/EQVita and https://voistace.github.io, and the IP address 85.137.52.21.

Winsage

June 17, 2026

Windows SprySOCKS Malware: Advanced Kernel-Level Rootkit Targets Government Organizations via Supply Chain Vulnerabilities

The Windows variant of SprySOCKS malware, developed by the Chinese threat group Earth Lusca, targets government entities globally and features advanced capabilities such as rootkit-level stealth and extensive command-and-control (C2) functionalities. It operates on Windows systems, utilizing two main variants: WINDRV, which includes kernel drivers for stealth operations, and WINPLUS, a streamlined backdoor. The malware can communicate over TCP, UDP, and WebSocket, offering over 30 C2 commands for various operations, including system information gathering and keystroke logging. WINDRV loads a driver named ‘RawWNPF’ into memory using another signed kernel driver, allowing it to conceal processes and achieve persistence. The malware's design incorporates open-source elements and exploits vulnerabilities in the software supply chain, notably using a leaked certificate for driver signing. To combat SprySOCKS, organizations are advised to implement advanced endpoint detection and response (EDR) solutions, maintain regular patching, and manage supply chain risks vigilantly. The malware's adaptability and reliance on legitimate certificates complicate detection efforts, necessitating continuous refinement of security practices.

Winsage

June 16, 2026

A Brief History Of Unix Commands On Windows: CoreUtils (Again)

The interaction between Unix/Linux and Windows has historically been marked by significant differences in their architectures and philosophies. Unix uses a fork() function for process management, while Windows employs CreateProcess(), complicating the implementation of Unix-like tools on Windows. Early solutions to bridge this gap included the MKS Toolkit, which provided Unix-like commands for Windows, and UWIN from AT&T Bell Labs, which aimed to create a Unix interface layer on Windows. Cygwin offered a compatibility DLL to run Unix software on Windows, but required rebuilding from source. Microsoft's initiatives included POSIX, Interix, and later Services for UNIX. The introduction of the Windows Subsystem for Linux (WSL) allowed users to run a Linux userland directly on Windows, with WSL 2 incorporating a real Linux kernel. Recently, Microsoft released Coreutils for Windows, providing native builds of Unix-style tools to enhance cross-platform consistency.