exploits

Winsage
March 2, 2026
Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.
Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
Tech Optimizer
February 24, 2026
A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.
AppWizard
February 23, 2026
Slimefun is a server-side plugin for Minecraft that enhances the vanilla experience by adding new items, machines, and crafting possibilities without requiring client-side modifications. It allows players to create automated farms, develop tools, and build factories, encouraging experimentation and strategic planning through a complex crafting system. The plugin's modular design enables server administrators to customize it for different player preferences. There are rumors of item duplication glitches associated with Slimefun, with players claiming to find methods to multiply items. Historically, some legitimate glitches have existed, but developers actively patch these exploits. Engaging in item duplication is frowned upon as it disrupts the game’s economy, creates unfair advantages, and can lead to penalties such as temporary suspensions or permanent bans. Duplication undermines the integrity of gameplay, leading to disillusionment among honest players and potential technical issues on servers. Legitimate methods for duplicating items in Slimefun are largely nonexistent, as the plugin aims to maintain a balanced experience. Players are encouraged to build efficient farms and explore the game world for resource gathering, focusing on creativity and collaboration rather than unethical duplication methods.
AppWizard
February 22, 2026
TNT in Minecraft Bedrock is crafted using five units of sand and four units of gunpowder, arranged in a cross shape in the crafting grid. It can be activated through various methods, resulting in significant explosions. Custom TNT allows players to create unique explosions using command blocks, redstone mechanics, and innovative designs like TNT cannons and traps. Advanced techniques include mastering redstone circuits, TNT duplication, and utilizing data packs for further customization. Safety measures are essential when testing custom TNT, including using a controlled environment, protective gear, and regular backups of the game world. Common issues include TNT not exploding, unexpected explosion effects, and lag, which can be resolved by checking redstone circuits, adjusting parameters, and limiting the number of TNT blocks used.
Tech Optimizer
February 22, 2026
Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.
Winsage
February 22, 2026
Microsoft is preparing for the release of Windows 12, which is expected to feature an AI-native experience with deep integration of Copilot, showcasing capabilities like on-screen comprehension, voice activation, and task automation. The hardware requirements will be elevated, necessitating 16GB of RAM, rapid NVMe storage, and a Neural Processing Unit (NPU) for advanced features. Windows on Arm is gaining momentum, with improvements in app compatibility and battery life, while a modular architecture called CorePC is being developed to facilitate faster updates and enhance security. Licensing for Windows 12 is expected to remain unchanged for consumers, with optional cloud-enhanced services available. The update cadence will increase, allowing for faster feature drops independent of major OS releases, with the Windows Insider Program continuing to test new features. Upon its release, Windows 12 will integrate Copilot, provide a more cohesive OS core, and support both x86 and Arm architectures.
AppWizard
February 19, 2026
Cybersecurity researchers have identified a new Android malware named PromptSpy that utilizes Google's Gemini AI chatbot to enhance its capabilities and persistence on infected devices. PromptSpy can capture lock screen data, obstruct uninstallation, gather device information, take screenshots, and record screen activity. It integrates Gemini to analyze the current screen and provide instructions to keep the malware active in the recent apps list. The malware uses a hard-coded AI model and communicates with a command-and-control server via the VNC protocol, allowing remote access to the victim's device. It is financially motivated, targeting users in Argentina, and was developed in a Chinese-speaking environment. PromptSpy is distributed through a dedicated website and is considered an advanced version of a previously unidentified malware called VNCSpy.
Tech Optimizer
February 19, 2026
ESET's HOME Security Ultimate is available for .99, down from its original price of .99, offering a 50% discount. The package includes features such as unlimited VPN, dark web scanning for identity protection, credit report monitoring, identity threat alerts, Social Security Number tracking, lost wallet assistance, and million insurance coverage. It provides real-time protection against malware, advanced AI-powered threat detection, a robust firewall, and network shield. The plan emphasizes proactive identity protection and secure online activities, including safe banking and browsing modes.