indicator Archives

Winsage

May 11, 2026

New GhostLock tool abuses Windows API to block file access

A security researcher has developed a proof-of-concept tool called GhostLock, which exploits a vulnerability in the Windows file API, specifically the 'CreateFileW' function. By manipulating the 'dwShareMode' parameter to grant exclusive access to files, GhostLock can prevent other users or applications from opening those files, resulting in a 'STATUSSHARINGVIOLATION' error. The tool automates the process of opening multiple files on SMB shares, causing access disruptions without requiring elevated privileges. This technique is intended as a disruption attack rather than a destructive one, similar to ransomware, and can serve as a diversion during intrusions. Detection of this attack relies on monitoring the open-file count with ShareAccess set to 0 at the file server layer. Dvash has provided resources for IT teams to enhance detection capabilities against this threat.

Winsage

May 10, 2026

Microsoft Confirms KB5083769 Breaks Macrium and Acronis Backups

Microsoft's April 2026 Windows security update, KB5083769, may disrupt image-mount operations for backup applications such as Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup due to the addition of the psmounterex.sys kernel driver to its Vulnerable Driver Blocklist. This action was taken to address a high-severity buffer overflow vulnerability, CVE-2023-43896. The inclusion of this driver in the blocklist has rendered several backup products inoperable, and Microsoft will not retract the block for security reasons. Administrators can use Event ID 3077 in the Code Integrity log to confirm that the blocklist is causing the failures. Microsoft advises updating backup applications to versions that include necessary driver protections instead of uninstalling or pausing the security patch. Additionally, the April updates have caused other issues, such as failures in Windows Server installations and devices booting into BitLocker recovery mode.

Winsage

May 7, 2026

Windows 11 pulls back AI as Microsoft plans to remove Copilot where it doesn’t meet its promise

Microsoft is shifting its approach to AI features, particularly with the Copilot tool. Xbox CEO Asha Sharma announced plans to retire Copilot on mobile and halt its development on consoles, a move supported by Jacob Andreou, the Executive Vice President of Copilot. This decision aligns with Microsoft's commitment to improving Windows quality and reducing AI overload, as indicated by the removal of the "Ask Copilot" button and the rebranding of the Copilot logo in applications. Despite challenges faced by Windows 11, including bugs and performance issues, Copilot has seen success in the enterprise sector, with over 20 million subscribers. The launch of Apple's MacBook Neo has further pressured Microsoft to enhance Windows quality. Moving forward, Copilot is being repositioned as an enterprise tool rather than a consumer-facing product, while Microsoft continues to develop AI capabilities for corporate use.

Winsage

May 5, 2026

Windows 11 restarts several times after a recent update? Don’t panic

After the installation of the optional April 2026 update, users may experience multiple restarts of their PCs, which is normal due to the Secure Boot certificate refresh process. This behavior may also occur with future updates as Microsoft implements Secure Boot certificate refreshes. Windows updates typically require a single reboot, but significant feature updates or firmware and driver updates may necessitate two or three reboots. Many Windows devices manufactured before 2024 have outdated Secure Boot certificates that need updating, as these certificates will expire in June 2026. Microsoft began rolling out updated Secure Boot certificates in March, but this rollout is staggered. Users can check their PC's Secure Boot certificate status in Windows Security under "Device security." The status is indicated by colored icons: green (up to date), yellow (update pending), and red (action required). Older devices may face issues with the certificate refresh if they lack up-to-date firmware or compatible BIOS updates. If Windows reports an error, the device manufacturer is typically responsible for resolving it. Users should verify that Secure Boot certificates were installed correctly after updates to ensure continued secure booting beyond June.

AppWizard

May 1, 2026

April Xbox Update: Customize Your Console, Manually Add Your Favorite Games on PC, and More.

Users can now customize console colors by adjusting sliders for a unique hue, which will accentuate elements of the console interface. Quick Resume has been enhanced to allow disabling on a per-game basis. The Play History feature has been revamped with a new tab for easier access. A User Selected Resolution feature lets players choose streaming resolution, while a Network Quality Indicator provides real-time network health insights. PC gamers can manually add any installed game or app to their Xbox library. Users can pin up to three favorite games for quick access. A Gamepad Cursor feature allows navigation in non-controller apps. Xbox notifications can be repositioned on the Game Bar. The Xbox mobile app now includes wishlist alerts for game changes. Recent updates for the ROG Xbox Ally improve external display experiences. Microsoft Rewards is hosting a Total Prize Drop event with prizes up to ,000,000. The Handheld Compatibility Program has expanded, adding titles like Hades II as handheld optimized. Xbox Cloud Gaming now includes over 1,000 games for streaming.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

AppWizard

April 23, 2026

The best Dota 2 options and settings

In Dota 2, optimal settings are crucial for enhancing gameplay and performance. Key settings to prioritize include: - Hotkeys: - Quickcast Abilities for instant ability use. - Direct Key Bindings for customized control over abilities. - Unit Orders: - Auto Attack set to 'Standard' for automatic targeting. - Right-Click Allies to enable attacking friendly units. - Channels for managing teleport or channeled abilities. - Double-Tap to Self Cast for automatic self-use of abilities. - Disable Auto Attack When Stop is Held to prevent unintended movements. - Minimap: - Icons set to 'Hero with Arrow' for visibility. - Adjusted map position to reduce misclicks. - Use Extra Large Minimap for better visibility. - Minimap Hero Size between 100% and 130%. - Increased Minimap Misclick Protection Time. - Camera: - Center Camera on Hero on Respawn can be disabled. - Disable Camera Zoom to avoid accidental zooming. - Enable Screen Shake can be turned off if distracting. - Interface: - Show Ability Rangefinder While Casting for strategic planning. - Holding Alt Shows Neutral Spawnboxes and Tower Attack Range for quick checks. - Healthbars: - Visualize Damage/Healing can be turned off if distracting. - Display Names Over Healthbar switched to 'Hero Names' for easier tracking. - Miscellaneous: - Strict Solo Role Queue Matchmaking for solo players. - Network Quality set to Low for smoother gameplay. - Enable Console for expanded control. To set Dota 2 Launch Options, right-click the game in Steam, select 'properties,' and enter options in the text field. Recommended launch options include: - -autoconfig: Resets graphics settings. - -console: Enables console functionality. - -fullscreen: Forces fullscreen mode. - -high: Assigns high CPU priority. - -map dota: Loads the map in the background. - -noborder: Runs in borderless windowed mode. - -noprewarm: Disables resource loading at startup. - -novid: Skips the introductory video. - -safe_mode: Restores default rendering settings. - -useforcedmparms -noforcemaccel -noforcemspd: Adheres to Windows mouse settings. - -windowed: Runs in windowed mode. Players are encouraged to explore and experiment with these settings to optimize their individual playstyle.

Winsage

April 19, 2026

Zorin OS 18.1 adds guided migrations, stronger app compatibility and wider hardware support, making switching from Windows far more practical for millions [clone]

Zorin OS has released version 18.1, enhancing hardware compatibility and introducing fingerprint reader support for older devices. The update recommends native Linux alternatives when detecting Windows applications, making it easier for users transitioning from Windows. Since the end of support for Windows 10, Zorin OS has gained popularity, reaching 3.3 million downloads. The update supports over 240 Windows applications, suggesting compatible Linux versions, and includes improvements to desktop features and pre-installed applications. Zorin Lite has also been updated to version 17.3 with fingerprint reader support and a redesigned File Manager. Meanwhile, Windows 11 is facing challenges in adoption due to hardware requirements and design issues, prompting discussions about the potential need for Windows 12. Alternative operating systems like Zorin OS are becoming more appealing to users dissatisfied with Windows.

Winsage

April 16, 2026

Microsoft’s latest Windows update now confirms if your PC is Secure Boot-protected

Microsoft has introduced a new feature in Windows 11 and Windows 10 that informs users about the status of Secure Boot as part of the April Patch Tuesday update. This feature includes a visual indicator that shows whether devices have the latest Secure Boot certificates, which protect against bootkit malware. The Secure Boot icon can display in green, yellow, or red, indicating different security statuses: green means secure with no actions needed, yellow indicates a pending safety recommendation, and red signals that immediate attention is required. Users can check their Secure Boot status through Settings in both operating systems. It is important to install the latest Windows updates to ensure devices have the most recent Secure Boot certificates, as older certificates will expire in June. The April updates also address 164 vulnerabilities, including eight classified as critical and two identified as zero-day flaws. Users are advised to prioritize these updates to maintain system security.

Tech Optimizer

April 13, 2026

Fake Claude site installs malware that gives attackers access to your computer

Claude, an AI tool developed by Anthropic, receives nearly 290 million web visits monthly and has become a target for cybercriminals. A fake website has been found that impersonates Claude, distributing a trojanized installer named Claude-Pro-windows-x64.zip. This installer, while appearing legitimate, deploys PlugX malware, granting attackers remote access to users' systems. The fraudulent site mimics the official download page and uses passive DNS records linked to commercial bulk-email platforms, indicating active maintenance by the operators. The ZIP file contains an MSI installer that incorrectly spells "Claude" as "Cluade" and creates a desktop shortcut that launches a VBScript dropper. This script runs the legitimate claude.exe while executing malicious activities in the background, including copying files to the Windows Startup folder to ensure persistence after reboot. The attack utilizes a DLL sideloading technique recognized by MITRE as T1574.002, where a legitimate G DATA antivirus updater is exploited with a malicious DLL. Within 22 seconds of execution, the malware establishes a connection to an IP address associated with Alibaba Cloud, indicating control over the compromised system. The dropper script also employs anti-forensic measures to delete itself and the VBScript after deployment. Indicators of compromise include the filenames Claude-Pro-windows-x64.zip, NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat, along with the network indicator 8.217.190.58:443 (TCP) as the command and control destination. Users are advised to download Claude only from the official site and to remain vigilant against potential compromises.