exploit

Winsage
March 3, 2026
A critical local privilege escalation vulnerability in Microsoft Windows, tracked as CVE-2026-20817, affects the Windows Error Reporting (WER) service. It allows an authenticated user with low privileges to execute arbitrary code as SYSTEM. The flaw lies in the service's SvcElevatedLaunch method (0x0D), which fails to validate the caller's permissions and so lets an attacker launch WerFault.exe with attacker-chosen command-line parameters supplied through a shared memory block. All versions of Windows 10 and Windows 11 prior to the January 2026 update are affected, as are Windows Server 2019 and 2022. Microsoft fixed the issue in the January 2026 Security Update. Organizations are advised to apply the patch and monitor for unusual WerFault.exe processes.
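The monitoring advice above is easier to act on with a concrete triage step. The script below is an added example, not code from the article or from Microsoft: it pulls WerFault.exe process creations from Security event 4688 and flags argument strings that do not match an allowlist of ordinary crash-report invocations. Because the WER service itself launches WerFault.exe in both the normal and the abusive case, the parent process alone does not separate the two; the argument string is the more useful signal. The allowlist patterns are assumptions about stock Windows behaviour and must be baselined on your own hosts, and the script assumes process-creation auditing with command-line logging is enabled.

```powershell
# Added example (not code from the article or from Microsoft): review WerFault.exe
# launches recorded as Security event 4688 and flag argument strings that do not
# match an allowlist of ordinary crash-report invocations.
# Assumptions: process-creation auditing with "include command line" is enabled
# on the host, and the allowlist below reflects stock Windows usage; baseline and
# extend it for your own fleet before alerting on it.
param(
    [int]$Hours = 24
)

# Assumed-benign argument shapes for WerFault.exe (regexes, matched at the start
# of the argument string).
$benignPatterns = @(
    '-u -p \d+ -s \d+',             # user-mode crash report
    '-pss -s \d+ -p \d+ -ip \d+',   # crash report with process snapshot
    '-k -lc',                       # kernel live dump
    '-k -l'                         # kernel crash report
)

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Cheap pre-filter on the rendered message before parsing XML for each event.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WerFault\.exe' }

$findings = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $newProc = Get-EventDataField $x 'NewProcessName'
    if ($newProc -notmatch '\\WerFault\.exe$') { continue }

    $cmd    = Get-EventDataField $x 'CommandLine'
    $parent = Get-EventDataField $x 'ParentProcessName'
    $user   = Get-EventDataField $x 'SubjectUserName'

    # Drop the executable token so only the arguments are compared.
    $argText = ([string]$cmd -replace '^"?.*?WerFault\.exe"?\s*', '').Trim()
    $known = $false
    foreach ($p in $benignPatterns) {
        if ($argText -match ('^' + $p + '(\s|$)')) { $known = $true; break }
    }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $user
        Parent     = $parent
        Arguments  = $argText
        Suspicious = (-not $known)
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize

$suspicious = @($findings | Where-Object { $_.Suspicious })
if ($suspicious.Count -gt 0) {
    $msg = '{0} WerFault.exe launch(es) with unrecognised arguments; review user and parent before treating as benign.' -f $suspicious.Count
    Write-Warning $msg
}
```

Run it elevated on a host after confirming that the 4688 events carry the CommandLine field; an empty Arguments column means command-line auditing is off and the check cannot work. Expect to add patterns after the first run, since legitimate WerFault.exe usage varies across Windows builds.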
Winsage
March 2, 2026
Microsoft Threat Intelligence has identified a campaign in which attackers distribute counterfeit gaming tools that install a remote access trojan (RAT). The trojanized executables, with names such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader: it installs a portable Java runtime and launches a malicious Java archive, jd-gui.jar. The attackers rely on built-in Windows tools, running commands through PowerShell and abusing trusted system binaries to keep detection risk low. The embedded PowerShell script contacts remote hosts, downloads an executable as update.exe, and runs it. The malware deletes traces of the downloader and modifies Microsoft Defender settings so that the RAT components can run undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, giving the attacker prolonged access to the compromised device. Microsoft Defender detects the malware and its behaviours, and organizations are advised to monitor outbound traffic and block the identified domains and IP addresses. Users should review Microsoft Defender exclusions and scheduled tasks for irregularities and avoid downloading tools from unofficial sources.
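The report's closing advice, to scrutinize Defender exclusions and scheduled tasks, can be turned into a single hunting pass over a host. The script below is an added example and not code from the Microsoft report: it enumerates Defender exclusions, scheduled-task actions, startup folders and Run keys, and flags anything that references the file names the report names (world.vbs, jd-gui.jar, update.exe, Xeno.exe, RobloxPlayerBeta.exe) or that launches a script or Java host from a user-writable path. The file names come from the report; the path and host heuristics are assumptions and will need tuning for environments that legitimately run Java from user profiles.

```powershell
# Added example (not code from the Microsoft report): hunt one host for the
# persistence and defence-evasion artifacts the report describes. The file names
# in $iocNames are taken from the report; every heuristic (suspicious paths,
# script hosts, extensions) is an assumption to tune. Run elevated.
$iocNames = @('world.vbs', 'jd-gui.jar', 'update.exe', 'Xeno.exe', 'RobloxPlayerBeta.exe')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Detail, [string]$Reason)
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail; Reason = $Reason })
}

# 1. Microsoft Defender exclusions. Any exclusion deserves a look; ones that
#    cover Java, script files or user-writable paths are the kind a RAT dropper adds.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        $reason = 'exclusion present'
        if ($p -match '(?i)java|\.jar|\.vbs|\.ps1|\\AppData\\|\\Temp\\|\\Users\\Public\\') {
            $reason = 'exclusion covers Java, scripts or a user-writable path'
        }
        Add-Finding 'DefenderExclusion' $p $reason
    }
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        Add-Finding 'DefenderExclusion' $ext 'extension exclusion present'
    }
}

# 2. Scheduled tasks whose action runs a reported file name, or a script/Java
#    host from a user-writable location.
$hostPattern     = '(?i)(wscript|cscript|javaw?\.exe|powershell|pwsh)'
$userPathPattern = '(?i)(\\AppData\\|\\Temp\\|\\Users\\Public\\)'
foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in @($task.Actions)) {
        $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
        if (-not $cmdline) { continue }
        $label = "$($task.TaskPath)$($task.TaskName): $cmdline"
        $hits = @($iocNames | Where-Object { $cmdline -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            Add-Finding 'ScheduledTask' $label "references $($hits -join ', ')"
        } elseif ($cmdline -match $hostPattern -and $cmdline -match $userPathPattern) {
            Add-Finding 'ScheduledTask' $label 'script or Java host launched from a user-writable path'
        }
    }
}

# 3. Startup folders (where the report places world.vbs) and Run keys.
$startupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    foreach ($f in @(Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
        if ($iocNames -contains $f.Name) {
            Add-Finding 'Startup' $f.FullName 'matches a reported file name'
        } elseif ($f.Extension -match '^\.(vbs|js|jar|ps1|bat|cmd)$') {
            Add-Finding 'Startup' $f.FullName 'script in startup folder'
        }
    }
}
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip the provider's own PS* properties
        $val = [string]$props.$name
        if ($val -match $hostPattern -or $val -match '(?i)\.jar|\.vbs') {
            Add-Finding 'RunKey' "$key\$name = $val" 'script or Java host in Run key'
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty result is not a clean bill of health: the report says the downloader erases its own traces, so a hit on the Defender exclusion or the scheduled task may be the only artifact left. Treat any exclusion you did not deploy yourself as a finding to explain, not to dismiss.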
Winsage
February 26, 2026
Security researchers have developed a working proof-of-concept (PoC) exploit for a Windows kernel vulnerability, tracked as CVE-2026-2636, that lets a low-privileged user trigger a Blue Screen of Death (BSoD) and so cause a denial of service. The bug is in the Windows Common Log File System (CLFS) driver, CLFS.sys, and stems from improper handling of invalid or special elements (CWE-159). The PoC shows that a non-administrative user can trigger it by issuing a crafted ReadFile operation on a handle to an opened .blf log file without the expected I/O Request Packet (IRP) flags set. The driver reaches an inconsistent state and calls the kernel routine KeBugCheckEx, which produces the BSoD. CVE-2026-2636 carries a CVSS score of 5.5 (Medium) with high impact on availability, since any authenticated user can crash the host reliably. Microsoft addressed the issue in the September 2025 cumulative update, so systems running Windows 11 2024 LTSC and Windows Server 2025 with that update applied are protected; older or unpatched builds remain vulnerable. Organizations are advised to verify that the September 2025 updates are deployed, prioritize patching multi-user systems, and monitor for unusual spikes in BSoD events.
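The final recommendation, watching for spikes in BSoD events, is easy to automate from the System log. The script below is an added example and not code from the researchers or from Microsoft: it counts bugcheck records (event 1001 from the WER-SystemErrorReporting provider, plus Kernel-Power 41 for reboots that never got as far as writing a dump) per day over a window, flags days that exceed a multiple of the daily mean, and summarizes the bugcheck codes seen. The event provider names and IDs are standard Windows values; the spike threshold is an assumption to tune, and Kernel-Power 41 also fires on power loss, so it over-counts on hosts with unreliable power.

```powershell
# Added example (not code from the research write-up or from Microsoft): count
# bugcheck events in the System log per day and flag days that exceed a baseline.
# Provider/ID values are the standard BugCheck 1001 and Kernel-Power 41 records;
# the spike threshold is an assumption to tune.
param(
    [int]$Days = 30,
    [double]$SpikeMultiplier = 3.0,
    [int]$MinimumSpike = 3
)

$since = (Get-Date).AddDays(-$Days)

# 1001: "The computer has rebooted from a bugcheck. The bugcheck was: 0x..."
$bugchecks = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    Id           = 1001
    StartTime    = $since
} -ErrorAction SilentlyContinue)

# 41: unexpected reboot without a clean shutdown (also fires on power loss).
$dirtyReboots = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Id           = 41
    StartTime    = $since
} -ErrorAction SilentlyContinue)

function Get-BugcheckCode {
    param($Event)
    # Pull the stop code out of the rendered 1001 message.
    if ($Event.Message -match 'bugcheck was:\s*(0x[0-9a-fA-F]+)') { return $Matches[1] }
    return 'unknown'
}

# Initialise every day in the window to zero so quiet days count toward the mean.
$perDay = @{}
for ($i = 0; $i -le $Days; $i++) { $perDay[$since.Date.AddDays($i)] = 0 }
foreach ($e in $bugchecks + $dirtyReboots) {
    if (-not $e) { continue }
    $day = $e.TimeCreated.Date
    if ($perDay.ContainsKey($day)) { $perDay[$day]++ }
}

$mean = ($perDay.Values | Measure-Object -Average).Average

$rows = foreach ($day in ($perDay.Keys | Sort-Object)) {
    $n = $perDay[$day]
    [pscustomobject]@{
        Day     = $day.ToString('yyyy-MM-dd')
        Crashes = $n
        Spike   = ($n -ge $MinimumSpike -and $n -ge $SpikeMultiplier * $mean)
    }
}
$rows | Where-Object { $_.Crashes -gt 0 } | Format-Table -AutoSize

# Repeated identical stop codes on a multi-user host look more like a triggered
# crash than like flaky hardware, so break the codes down as well.
$bugchecks | Where-Object { $_ } |
    Group-Object { Get-BugcheckCode $_ } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On a terminal server or other multi-user host, a cluster of crashes with the same stop code during working hours is the pattern to escalate; pair the date of the spike with the host's update history to confirm whether the September 2025 cumulative update was actually in place at the time.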
AppWizard
February 24, 2026
The Champion Local School District has filed a civil complaint against gaming companies Roblox, Mojang AB, and Microsoft in the U.S. District Court for the Northern District of Ohio. The lawsuit claims these companies contribute to a mental health crisis among children by designing addictive video games that utilize operant conditioning to encourage prolonged gameplay. The district alleges that this addiction leads to increased anxiety, depression, declining academic performance, chronic absenteeism, and worsened ADHD symptoms among students. The district has had to hire counselors and implement measures to address video game addiction. The lawsuit also criticizes the companies' marketing strategies for portraying their products as educational while allowing access to younger players than recommended. The district is seeking a jury trial, damages, court costs, and attorney fees. The defendants have not yet responded to the allegations.
AppWizard
February 23, 2026
Slimefun is a server-side plugin for Minecraft that enhances the vanilla experience by adding new items, machines, and crafting possibilities without requiring client-side modifications. It allows players to create automated farms, develop tools, and build factories, encouraging experimentation and strategic planning through a complex crafting system. The plugin's modular design enables server administrators to customize it for different player preferences. There are rumors of item duplication glitches associated with Slimefun, with players claiming to find methods to multiply items. Historically, some legitimate glitches have existed, but developers actively patch these exploits. Engaging in item duplication is frowned upon as it disrupts the game’s economy, creates unfair advantages, and can lead to penalties such as temporary suspensions or permanent bans. Duplication undermines the integrity of gameplay, leading to disillusionment among honest players and potential technical issues on servers. Legitimate methods for duplicating items in Slimefun are largely nonexistent, as the plugin aims to maintain a balanced experience. Players are encouraged to build efficient farms and explore the game world for resource gathering, focusing on creativity and collaboration rather than unethical duplication methods.
AppWizard
February 20, 2026
Security researchers from ThreatFabric have identified a deceptive application named “Massiv,” which masquerades as a legitimate IPTV service but is actually a banking trojan designed to compromise users' financial security. The malware primarily targets users in Portugal, using tactics like screen overlays and keylogging to steal sensitive data. Many users download unofficial IPTV apps, which are often fraudulent and do not provide access to pirated broadcasts. The stolen information is exploited by cybercriminals to open fraudulent bank accounts and launder money, putting victims in precarious financial situations and posing risks to the integrity of financial systems.