exploiting

Winsage
March 6, 2026
Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011 for boot process integrity. The first of these certificates will expire on June 24, 2026, impacting the ability to receive future security updates. Microsoft is rolling out replacement certificates through Windows Update, requiring collaboration between Microsoft, PC manufacturers, and users. Three critical certificates will expire: the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 in June 2026, and the Microsoft Windows Production PCA 2011 in October 2026. The new certificates introduced in 2023 have restructured functionality to enhance security. Not all PCs are affected; newer devices manufactured since 2024 come with the new certificates. Windows 10 users face challenges as support ends in October 2025, and unsupported devices will not receive updates. Home users should ensure automatic Windows updates are enabled and check for firmware updates, while enterprise environments must verify firmware updates before applying certificate updates. The first certificate expiration is on June 27, 2026.
Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
AppWizard
February 24, 2026
Moscow is conducting a criminal investigation into Telegram's founder, Pavel Durov, over accusations of terrorism, as reported by the state-run Rossiyskaya Gazeta. The Russian government aims to control Telegram, which has over 1 billion active users, and is promoting a state-supported alternative, MAX. The investigation is based on allegations that Telegram assists terrorist activities, with claims that it serves as a tool for hybrid threats and poses risks to national security. Kremlin spokesperson Dmitry Peskov noted substantial violations linked to Telegram's operations. In response to the ongoing conflict in Ukraine, Russia is increasing its repressive measures and digital surveillance, targeting VPNs and messaging apps to enhance national security. Despite these challenges, Telegram remains a crucial news source in Russia and is used by various groups, including Kremlin officials and opposition figures. Durov opposes government censorship and argues that the crackdown aims to push citizens towards a state-controlled app. He has previously faced scrutiny for his refusal to comply with Russian authorities and has criticized other governments for their influence on digital freedoms. The Russian FSB claims that Ukraine is exploiting data from Telegram for military purposes.
AppWizard
February 23, 2026
Slimefun is a server-side plugin for Minecraft that enhances the vanilla experience by adding new items, machines, and crafting possibilities without requiring client-side modifications. It allows players to create automated farms, develop tools, and build factories, encouraging experimentation and strategic planning through a complex crafting system. The plugin's modular design enables server administrators to customize it for different player preferences. There are rumors of item duplication glitches associated with Slimefun, with players claiming to find methods to multiply items. Historically, some legitimate glitches have existed, but developers actively patch these exploits. Engaging in item duplication is frowned upon as it disrupts the game’s economy, creates unfair advantages, and can lead to penalties such as temporary suspensions or permanent bans. Duplication undermines the integrity of gameplay, leading to disillusionment among honest players and potential technical issues on servers. Legitimate methods for duplicating items in Slimefun are largely nonexistent, as the plugin aims to maintain a balanced experience. Players are encouraged to build efficient farms and explore the game world for resource gathering, focusing on creativity and collaboration rather than unethical duplication methods.
AppWizard
February 22, 2026
Minecraft has revealed a new survival-mode strategy that enhances resource gathering, mob management, and the early-game experience. This strategy involves a combination of existing game mechanics, allowing players to improve efficiency in resource farming while reducing damage taken. It conserves tools and enables faster acquisition of essential materials without cheats or mods. The trick has gained popularity within the community, leading to tutorials and discussions about its potential impact on gameplay, including faster early-game progression, reduced risk during mob encounters, improved tool durability, and adjustments in multiplayer server strategies. It is not considered a glitch, works on all platforms, and there are no indications that it will be removed in future updates.
AppWizard
February 20, 2026
Witchspire is a survival game developed by Envar Studio, known for its League of Legends splash arts. It features a Sailor Moon-inspired anime trailer and Ghibli-esque visuals. The game includes a captivating narrative voiced by actors like Victoria Atkin and Matthew Mercer. Players assume the role of a witch in a mysterious realm, combating corruption while utilizing familiar survival mechanics such as crafting and upgrading weapons. Unique to Witchspire are the Familiars, companion creatures that assist players in combat. The game allows players to gather resources easily and features a magical sickle for cutting down trees. The combat mechanics have some flaws, particularly with AI behavior during encounters. Witchspire's gameplay is accessible, lacking hunger and stamina meters, and includes an Astral Projection system for strategic advantages. The game offers lore drops and voice lines that enhance storytelling. The demo is available on Steam, featuring the first island, Vyr's Landing, and supports multiplayer for up to four players.
Tech Optimizer
February 16, 2026
A cyber-espionage campaign is utilizing the XWorm Remote Access Trojan (RAT) to infiltrate systems via phishing emails and a Microsoft Office vulnerability (CVE-2018-0802). XWorm, first detected in 2022, gives attackers remote control over infected computers for surveillance and data theft. The campaign uses business-oriented phishing emails with malicious Excel attachments that exploit the vulnerability to execute a fileless attack. The malware connects to a command-and-control server, encrypting communications and transmitting system details. XWorm features a plugin architecture with over 50 modules for various malicious activities, including credential theft and DDoS attacks. Security experts highlight the ongoing risk of legacy software vulnerabilities and recommend patching outdated components.