exploitation Archives

Winsage

June 3, 2026

Windows Netlogon CVE-2026-41089 exploited: Priority patch needed

Microsoft has addressed a critical vulnerability identified as CVE-2026-41089, which could allow unauthorized access to sensitive data. This vulnerability primarily affects specific Microsoft software and has been classified with a high severity rating. If unaddressed, it could lead to data breaches and unauthorized access. Microsoft recommends users apply the latest security patches and updates. The cybersecurity community emphasizes the importance of prioritizing cybersecurity strategies and collaboration among industry stakeholders to mitigate risks associated with such vulnerabilities.

Winsage

June 3, 2026

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have identified an unpatched vulnerability that could expose NTLMv2 hashes to attackers, linked to the "search:" URI handler. This issue is similar to CVE-2026-33829, which involved a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler. The flaw allows attackers to trick users into connecting to their SMB servers, disclosing NTLMv2 hashes for authentication exploitation. The new vulnerability operates using "search:" and "crumb=location:" parameters, resulting in a similar Net-NTLMv2 leak. Microsoft has chosen not to address this issue, stating only vulnerabilities classified as Important or Critical would be fixed. Recommendations to mitigate risks include blocking outbound SMB traffic, enforcing SMB signing, and disabling NTLM authentication where possible.

AppWizard

June 3, 2026

Fake ‘Minecraft’ Mods Bring Malware to as Many as 116,000 Players

The "Minecraft" community is facing a cybersecurity threat from a malware operation called WeedHack, which disguises itself as fake mods to lure players into downloading it. This operation, run by a teenager, has affected over 116,000 players and uses social engineering tactics to distribute malicious mods, cheats, and clients. WeedHack spreads through trusted channels, including YouTube, and employs search engine optimization poisoning to mislead users. The malware operates by disseminating malicious Java Archive files that appear legitimate, compromising devices to extract sensitive information such as session IDs, browser cookies, and cryptocurrency wallet data. It can also steal credentials for applications like Discord, Steam, and Telegram, and includes remote control features for surveillance and keylogging. Approximately 2,000 new infections occur daily, primarily affecting users in the United States, Germany, India, the United Kingdom, and Italy. The low cost of access to this malware has led to its use by teenagers for online bullying and harassment.

AppWizard

June 2, 2026

Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk

A significant security vulnerability has been found in six Microsoft 365 Android applications, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote, due to an active debug flag left in the production code. This oversight allowed untrusted apps to request and receive access tokens, compromising user account security. An attacker could exploit this vulnerability by embedding malicious code in a widely distributed app, enabling unauthorized access to sensitive information such as emails, documents, and communications. Microsoft confirmed the issues and issued CVE numbers CVE-2026-41100, -41101, and -41102, releasing patches through their Patch Tuesday mechanism and a specific patched build on the Google Play Store. Users are advised to update their applications to mitigate the risk.

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.

Winsage

June 2, 2026

New PHANTOMPULSE RAT Campaign Uses UAC Bypass in Windows Attacks

The REF6598 intrusion set has revealed a Remote Access Trojan (RAT) named PHANTOMPULSE, which is distributed via malicious Obsidian plugins. It uses advanced evasion techniques, including a blockchain-based command and control (C2) channel and a public User Account Control (UAC) bypass to infiltrate Windows systems. The malware disables security measures like the Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) through a hardware-breakpoint technique, allowing it to avoid detection by signature-based memory scanners. PHANTOMPULSE hides its core files in encrypted registry blobs and creates scheduled tasks that appear as .NET Framework updates. Its decentralized C2 framework queries public blockchains for operational data, but it lacks sender authentication, which can be exploited by defenders. The malware inventories the system for antivirus software and targets high-value applications. It employs a UAC bypass technique called “schuac” to gain elevated permissions. Analysts attribute this campaign to DPRK-aligned threat actors, particularly the BlueNoroff group, due to its focus on cryptocurrency wallets and blockchain exploitation. Defenders can identify new infrastructure by searching blockchain ledgers for a specific hex signature associated with the malware's C2 encryption routine.

Winsage

June 1, 2026

Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild

Microsoft is facing scrutiny due to a critical remote execution vulnerability, CVE-2026-41089, rated at 9.8, affecting Windows Server domain controllers from version 2012 onward. This vulnerability allows unauthenticated users on the same network to send malformed UDP packets to a domain controller, potentially granting unauthorized system access or causing a reboot, leading to denial-of-service scenarios. The vulnerable service is Netlogon, and there are no immediate mitigations available; patches will be released on May 12. The vulnerability could allow attackers to create multiple accounts with various access levels, compromising the security of entire networks. Cybersecurity experts recommend patching all linked domain controllers simultaneously. The vulnerability is caused by a buffer overflow in the Netlogon service due to a field in a network packet exceeding its expected size. A GitHub repository exists with proof-of-concept code that can crash the LSASS service. Additionally, Microsoft is in conflict with security researcher Chaotic Eclipse, who has published zero-day exploits following a breakdown in negotiations.

Winsage

June 1, 2026

CISA gives Windows admins until June 3 to patch Nightmare Eclipse Defender flaws

Recent updates from CISA highlight critical vulnerabilities in Microsoft products, specifically CVE-2026-41091 and CVE-2026-45498. CVE-2026-41091 could allow attackers to execute arbitrary code, leading to unauthorized access and control over affected systems. CVE-2026-45498 may enable attackers to compromise system integrity, threatening sensitive data and operational continuity. Organizations using Microsoft products are urged to prioritize patching these vulnerabilities.

Winsage

June 1, 2026

Critical Windows Netlogon RCE flaw now exploited in attacks

The Centre for Cybersecurity Belgium (CCB) has warned about the exploitation of a critical vulnerability in Windows Netlogon, identified as CVE-2026-41089, which allows remote code execution on domain controllers without prior access or authentication. This vulnerability, characterized as a stack-based buffer overflow, was patched by Microsoft during the May 2026 Patch Tuesday. The CCB emphasized the urgency of patching vulnerable servers, noting that the vulnerability is actively being exploited. The CVSS score for this vulnerability is 9.8. Further details on the ongoing attacks have not been disclosed, and Microsoft has not updated its advisory on the vulnerability.

Winsage

May 29, 2026

Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump

The conflict between Microsoft and security researcher Nightmare Eclipse has intensified, with Nightmare threatening to release vulnerabilities on July 14. Nightmare has disclosed six zero-day vulnerabilities affecting Windows, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. Microsoft responded by stating that these vulnerabilities were not reported through official channels before their disclosure. Following the release of exploit code for three vulnerabilities, attackers began exploiting them, raising concerns about YellowKey (CVE-2026-45585), which remains unfixed. Nightmare accused Microsoft of silencing them by deleting their MSRC account, leading to frustration over their treatment. The cybersecurity community has noted the significant damage caused by Nightmare, with comparisons to advanced persistent threat groups. Experts criticized Microsoft's handling of the situation, emphasizing the need for better communication and collaboration with researchers. They pointed out that the responsibility for vulnerabilities lies with Microsoft as the code's creator and highlighted the challenges in vulnerability disclosure practices within the industry.