infection Archives

Tech Optimizer

April 13, 2025

Panda Dome review

Panda Security, a Spanish antivirus company, has introduced various cybersecurity innovations since its founding, including daily signature updates in 1998, behavioral monitoring in 2004, and cloud scanning in 2007. It offers several plans for home users: Panda Dome Essential, Advanced, Complete, and Premium, each with increasing features such as firewall protection, WiFi security, online shopping safeguards, and a Dark Web Scanner. All plans include a 30-day free trial. Panda Dome received an AAA award from SE Labs for a Total Accuracy Rating of 99% without false positives between October and December 2024, outperforming Microsoft Defender and Webroot but not achieving the perfect scores of Avast, Kaspersky, and McAfee. The AV-Test Product Review awarded Panda a score of 6/6 for protection and usability, and 5.5/6 for performance. However, Panda Free Antivirus had a higher number of false alarms in AV-Comparatives’ False Alarm Test. The Panda Dome Advanced plan, priced at .99 for the first year, includes parental controls and enhanced ransomware protection. It offers multiple scanning options and reasonable scan times. Its anti-ransomware features include behavior-based detection, file access control, and backup capabilities. Panda Dome Complete, priced at .99 for the first year, adds system cleanup tools and a password manager, allowing users to optimize system performance and securely manage passwords. It also includes file encryption and shredding features. Panda Dome Premium, priced at .99 for the first year, provides unrestricted VPN access, an update manager, and unlimited premium technical support. It allows secure browsing across over 60 countries for up to five devices and includes features to keep systems updated and secure.

Winsage

April 10, 2025

Windows 11 update reportedly creates a mysterious folder on your system drive, which is certainly confusing

A new folder named ‘inetpub’ has appeared on Windows 11 24H2 system drives following the April update, linked to Microsoft’s web server software for developers. The folder is empty, harmless, and can be deleted without adverse effects. Many users have reported removing it safely, while others may choose to keep it if it doesn't cause inconvenience. The folder's creation may be related to adjustments made to IIS components and has caused confusion among users, with reports of its appearance across various devices. There is a possibility that the folder could reappear even after deletion, indicating a need for a permanent fix from Microsoft.

Tech Optimizer

April 7, 2025

Sakura RAT Released on GitHub Can Bypass Antivirus and EDR Tools

Sakura RAT is a newly developed remote administration tool available on GitHub, designed for use by malware analysts and security researchers. It features capabilities such as hidden browsing, hidden virtual network computing (HVNC), fileless execution, multi-session control, and anti-detection mechanisms to evade antivirus and endpoint detection systems. While marketed for research purposes, its open availability raises concerns about potential misuse by cybercriminals for activities like data exfiltration and ransomware deployment. Cybersecurity experts are advocating for the removal of the repository from GitHub and calling for improved detection systems to combat the risks posed by such advanced tools.

Tech Optimizer

April 3, 2025

1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack

A cryptojacking campaign has targeted over 1,500 organizations by exploiting inadequately secured PostgreSQL database servers. The attackers, identified as JINX-0126, use advanced techniques including credential brute-forcing and fileless execution to deploy Monero (XMR)-mining malware. Approximately 30% of cloud-hosted PostgreSQL servers are affected due to weak or default credentials. The attackers execute commands using PostgreSQL’s COPY FROM PROGRAM function, bypassing standard detection mechanisms. They have been linked to three cryptocurrency wallets with around 550 active mining workers, generating a hashrate of 4.04 GH/s and approximately €10.40 per hour in XMR revenue. The attack begins with credential spraying against default accounts, followed by an SQL injection to fetch the payload. The malware operates in memory, modifies PostgreSQL’s configuration to maintain persistence, and creates cron jobs for reactivation. The campaign reveals significant security gaps in cloud environments, with recommendations for improved access controls and monitoring.

AppWizard

April 1, 2025

The Last of Us Part II Remastered Coming to PC On April 3, 2025

“The Last of Us Part II Remastered” will be released on PC on April 3, 2025, available on Steam and the Epic Games Store. This marks the first time Windows users can access the game, which previously received over 300 Game of the Year awards on PlayStation. The remastered edition includes enhancements such as improved graphics, performance, and new content, including a roguelike mode called “No Return.” Pre-orders are currently available. The PC version will support customizable graphics settings, ultrawide monitor support, and full DualSense controller features. New playable characters Bill and Marlene will be introduced in the “No Return” mode, alongside a Guitar Free Play mode and restored cut content. The game will require a minimum of an Intel Core i3-8100 or AMD Ryzen 3 1300x processor and 16GB RAM.

Tech Optimizer

March 31, 2025

Watch Out for This Info-Stealing Malware on Windows

A new malware strain called CoffeeLoader has been identified, posing a significant risk to gamers by masquerading as a legitimate ASUS utility, specifically the Armoury Crate software. Once it infiltrates a system, it deploys the Rhadamanthys infostealer, which can extract sensitive information such as credentials from web browsers, email clients, cryptocurrency wallets, and password managers. CoffeeLoader evades detection by most security tools by operating on the GPU instead of the CPU and using advanced techniques like call stack spoofing, sleep obfuscation, and exploiting Windows fibers. To protect against CoffeeLoader, users should exercise caution when downloading software, navigate directly to official websites, avoid suspicious links, and adhere to basic cybersecurity practices. If infection is suspected, users should disconnect from the internet, reboot in safe mode, delete temporary files, and check Task Manager for unusual activity. Employing a reliable malware scanner can help identify and eliminate infections.

Tech Optimizer

March 31, 2025

Ransomware crews add EDR killers to their arsenal

Antivirus and endpoint security tools are increasingly challenged by ransomware groups that use sophisticated strategies to disable defenses early in attacks. Cisco Talos reported that in nearly half of the ransomware incidents they handled in 2024, attackers successfully employed "EDR killers" to neutralize endpoint detection and response (EDR) systems, achieving success 48 percent of the time. Tools such as EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator pose significant threats to organizational security. EDRKillShifter exploits vulnerable drivers on Windows machines to terminate EDR products, a tactic observed in operations by rival gangs like Medusa, BianLian, and Play. The primary goal of these tools is to disable EDR protections, allowing attackers to operate undetected, complicating system recovery efforts. Recovery often requires wiping and rebuilding entire networks if robust backups are available. Some EDR killers, like HRSword, are legitimate software tools misused by ransomware actors to disable endpoint protection systems. Attackers have exploited misconfigured systems, particularly EDR products set to audit-only mode, which detect but do not block malicious activity. LockBit has remained the most active ransomware-as-a-service group for the third consecutive year, accounting for 16 percent of claimed attacks in 2024. Newcomer RansomHub secured the second position with 11 percent of posts to leak sites. The effectiveness of law enforcement actions plays a significant role in shaping the ransomware landscape.

AppWizard

March 28, 2025

PJobRAT Android Malware Masquerades as Dating and Messaging Apps to Target Military Personnel

PJobRAT is an Android Remote Access Trojan that re-emerged in 2023, targeting users in Taiwan. Initially known for targeting Indian military personnel, it now disguises itself as benign apps like ‘SangaalLite’ and ‘CChat’, distributed via defunct WordPress sites operational from January 2023 to October 2024, with domain registrations dating back to April 2022. The malware is spread through counterfeit applications resembling legitimate messaging services, prompting users to grant extensive permissions. Enhanced capabilities allow it to execute shell commands, access data from any app, root devices, and communicate with command-and-control servers via Firebase Cloud Messaging and HTTP. The campaign appears to have concluded, highlighting the evolving tactics of threat actors. Users are advised against installing apps from untrusted sources and to use mobile threat detection software.

AppWizard

March 28, 2025

PJobRAT Android RAT as Dating & Instant Messaging Apps Attacking Military Personnel

PJobRAT is an Android Remote Access Trojan (RAT) that re-emerged in 2023 with improved capabilities and a refined targeting strategy, previously known for attacking Indian military personnel in 2021. It is now targeting users in Taiwan through social engineering tactics, disguising itself as legitimate dating and messaging apps. The malware is distributed via compromised WordPress sites hosting fake applications like “SaangalLite” and “CChat.” The infection footprint is small, indicating highly targeted attacks rather than widespread campaigns. PJobRAT retains its core functionality of exfiltrating sensitive information, including SMS messages, contacts, and media files, while enhancing command execution capabilities. Upon installation, the malicious apps request extensive permissions to operate continuously in the background. The malware uses a dual-channel communication infrastructure, with Firebase Cloud Messaging (FCM) as the primary command channel and a secondary HTTP-based channel for data exfiltration to a command-and-control server. The campaign appears to have concluded, but the evolution of PJobRAT highlights the ongoing threat of sophisticated mobile malware targeting high-value individuals.

AppWizard

March 28, 2025

PJobRAT makes a comeback, takes another crack at chat apps

In 2021, PJobRAT, an Android Remote Access Trojan (RAT), targeted Indian military personnel through deceptive apps. A new campaign was discovered in 2023, focusing on users in Taiwan, with malicious apps like ‘SangaalLite’ and CChat disguised as instant messaging applications. These apps were available for download from WordPress sites, which have since been taken down. The campaign began in January 2023, with domains registered as early as April 2022, and the latest sample detected in October 2024. The number of infections was low, indicating a targeted approach rather than a broad attack. The distribution methods remain unclear, but may involve SEO poisoning, malvertising, or phishing. Once installed, the apps request extensive permissions and feature basic chat functionality. Recent versions of PJobRAT have shifted from stealing WhatsApp messages to executing shell commands, allowing greater control over compromised devices. PJobRAT communicates with its command-and-control (C2) servers using Firebase Cloud Messaging (FCM) and HTTP, enabling the upload of various data types, including SMS, contacts, and files. The now inactive C2 server was located in Germany.