file upload Archives

Tech Optimizer

December 9, 2025

Warning! Engineered Linux Malware Can Bypass Next-Gen Anti-Virus Solutions – Open Source For You

The author created a custom reverse TCP payload using Python, packaged it into an .elf executable, and tested its stealthiness against antivirus software. The payload included functionalities such as webcam snapshots, keylogging, screen capture, and file transfers. Established tools for obfuscation often triggered antivirus alerts, prompting the author to develop a custom solution to avoid signature-based detection, maintain behavioral control, and gain insights into detection engines. The payload was designed to connect back to the attacker's machine and execute commands, while the listener processed incoming data. After compiling the binary, it was submitted to VirusTotal, where only four out of 64 antivirus engines flagged it, indicating that custom code can bypass many next-gen antivirus products.

Tech Optimizer

November 6, 2025

EndClient RAT Abuses Stolen Code-Signing Certificate to Evade Antivirus Detection

North Korean cyber actors have developed a Remote Access Trojan (RAT) called "EndClient RAT," targeting human rights defenders in South Korea and internationally. This malware evades antivirus detection by using stolen code-signing certificates and is delivered through a Microsoft Installer package named "StressClear.msi," which is signed by a Chinese firm. The RAT deploys an AutoIT-based payload, creates a scheduled task for persistence, and communicates with its command-and-control server using a custom protocol. Detection rates for EndClient RAT are low, with only 7 out of 64 detections for the dropper and 1 out of 64 for the payload script. Organizations are advised to block identified indicators of compromise and treat signed MSIs as untrusted until verified.

Winsage

November 1, 2025

First look at how Copilot will change Windows 11 taskbar search

Microsoft is introducing Ask Copilot in the Taskbar, an optional feature currently being rolled out to Windows Insiders in the Dev and Beta Channels with Preview Build 26220.7051 (KB5067115). Ask Copilot aims to enhance user experience by transforming the taskbar into a hub for accessing Copilot Voice and Vision, alongside an upgraded Windows Search. It combines functionalities of Windows Search and introduces semantic understanding for more intuitive interactions. The interface replaces the standard Windows Search bar and includes buttons for Copilot Vision and Voice, facilitating access to these features. Ask Copilot can search for files, applications, and settings using Windows’ existing Search indexing system, ensuring user privacy by not accessing personal files during searches. When users ask about changing settings in natural language, an Ask Copilot tag appears, redirecting them to the Copilot app, as it currently does not execute commands directly. The Copilot Vision and Voice features merely redirect users to the Copilot app, indicating further development is needed. Windows Search remains intact and will coexist with Ask Copilot. Ask Copilot is disabled by default and can be enabled in Settings. There is no timeline for a broader rollout to the general public, as it is currently available only to insiders.

Tech Optimizer

September 5, 2025

TAG-150 Hackers Deploy Custom Malware Families to Target Organizations

A new cyber threat actor, TAG-150, has emerged since March 2025, utilizing a sophisticated multi-tiered infrastructure and custom malware, including CastleLoader, CastleBot, and CastleRAT. TAG-150's infrastructure consists of four tiers, including command-and-control servers and intermediary layers to obscure operations. The CastleRAT trojan, available in Python and C variants, features advanced capabilities such as stealth evasion, system information collection, and remote surveillance functions. TAG-150 employs phishing techniques and fraudulent domains to compromise victims, achieving a 28.7% infection rate among those who interact with their schemes. The group utilizes privacy-focused services and frequently relocates its infrastructure to evade detection. Experts recommend proactive measures to counteract TAG-150's activities, including blocking identified infrastructure and monitoring for data exfiltration. Indicators of compromise include specific IP addresses associated with CastleLoader.

Winsage

August 21, 2025

Copilot on Windows: Semantic Search and new home begin rolling out to Windows Insiders

Microsoft has rolled out an update for the Copilot app on Windows, introducing several new features. The update includes a semantic file search feature that allows users to find files using natural language queries, such as "find images of bridges at sunset" or "find my CV." This feature is available on Copilot+ PCs and ensures user privacy by allowing management of permissions. The update also introduces a new Copilot home experience that consolidates recent apps, files, and conversations for easy access. Users can receive guided assistance by clicking on recent applications and can upload documents or photos into the Copilot chat for summarization and discussion. Copilot references the standard Windows "Recent" folder to display recently accessed files, ensuring privacy by not scanning the entire system. The Vision feature allows users to receive real-time guidance based on screen content or attached files. The update is being gradually rolled out (version 1.25082.132.0 and higher) across all Insider Channels via the Microsoft Store, and users are encouraged to provide feedback within the app. The app works with specific text, image, and document formats and is optimized for select languages. Supported file types for upload include .png, .jpeg, .svg, .pdf, .docx, .xlsx, .csv, .json, and .txt.

Winsage

June 25, 2025

New FileFix attack brings ClickFix social engineering to Windows File Explorer — how to stay safe

Researcher mr. d0x has introduced a new variant of the ClickFix social engineering tool called FileFix, which uses the Windows File Explorer address bar as its interface to deceive users into executing harmful commands. FileFix targets corporate employees and employs familiar elements like reCAPTCHA prompts or error messages to spread malware, including infostealers and ransomware. The method integrates malicious commands directly into Windows File Explorer, enhancing its effectiveness by utilizing the environment users are comfortable with. The phishing scheme includes a deceptive ‘Open Fixe Explorer’ button that activates File Explorer and copies a PowerShell command to the clipboard, initially displaying a fake path in the address bar. ClickFix tactics are effective because they manipulate victims into compromising their own security, often exploiting urgency and existing online behaviors. Users are advised to be cautious of verification pop-ups and requests to open command windows, and to share this knowledge to help others navigate safely.

Winsage

June 25, 2025

New FileFix Exploit Uses Windows File Explorer to Run Malicious Commands

A newly identified exploit called "FileFix" manipulates Windows File Explorer to execute harmful commands while remaining within a web browser. Developed by security researcher mr.d0x, it builds on the ClickFix social engineering attack. FileFix uses the file upload feature on websites, prompting users to copy a malicious PowerShell command disguised as a file path. When users paste this path into the File Explorer address bar, it executes the command without their knowledge. The attack exploits familiar workflows, bypassing user skepticism and does not require elevated privileges or complex malware. Security experts warn that FileFix could enable the delivery of infostealers, ransomware, or other malware, posing a significant risk to individuals and organizations. Users are advised to be cautious of instructions to copy and paste file paths from unfamiliar sources, monitor for suspicious processes initiated by browsers, and keep security software updated.

Winsage

June 24, 2025

FileFix attack weaponizes Windows File Explorer for stealthy commands

A cybersecurity researcher named mr.d0x has introduced a new attack method called FileFix, which is a variant of the ClickFix social engineering attack. FileFix allows malicious actors to execute harmful commands on a victim's system through the Windows File Explorer address bar, rather than using the traditional method of pasting commands into PowerShell. The attack still relies on a phishing page, which masquerades as a notification about a shared file, prompting users to paste a path into File Explorer. Attackers can conceal the malicious PowerShell command by embedding it within a dummy file path in a comment, making it invisible in the address bar. Mr.d0x has also implemented measures in the proof-of-concept code to prevent users from selecting files during the attack. The ClickFix method has been effective in deploying malware, including ransomware and state-sponsored operations, with notable examples involving the North Korean hacker group Kimsuky and cybercriminals impersonating Booking.com. FileFix represents an evolution in phishing attacks by providing a more user-friendly interface for executing commands.

AppWizard

May 16, 2025

Android users lose key Nextcloud feature because Google said so, and the reason doesn’t add up

Google has restricted file upload capabilities for the Nextcloud Files Android app by revoking the "All files access" permission, which has been essential for the app since 2011. This change prevents Android users from uploading various file types to their Nextcloud accounts. Nextcloud has expressed frustration over this decision, suggesting it is a strategic move by Google to maintain dominance in the cloud storage market and favor its own applications. The alternatives proposed by Google, such as the MediaStore API or Storage Access Framework (SAF), do not meet Nextcloud's functionality needs. Nextcloud draws parallels to past corporate tactics that limited competition and highlights ongoing concerns regarding fair competition and regulatory responses.