infection

Winsage
November 25, 2025
Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.
Winsage
November 25, 2025
A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.
AppWizard
November 23, 2025
Vision Quest is a dark fantasy looter shooter game developed by Wizmud Games, set in a consumer goods conglomerate mega dungeon. Players embark on an online co-op adventure to investigate "data mining used for dark rituals" and redeem the legendary Sweepstakes Code. The game supports squads of up to four players and features a mix of medieval and modern weapons. It includes 3D in-world voice chat and a unique loot-carrying mechanic. Players face various threats, including monsters and illness, and can assist each other with items. If a player dies, they can control a plastic toy called a 'Freakopop' for additional vision. Wizmud Games has partnered with Pocketpair for marketing and promotions, and Vision Quest is set to launch in 2026, with a wishlist available on Steam.
Tech Optimizer
November 20, 2025
Many Apple users believe that their devices are nearly impervious to malware and cyber threats, but this is a misconception. While macOS has built-in protections like Gatekeeper and XProtect, no system is completely foolproof. Cybercriminals are increasingly targeting Macs, and users can fall victim to phishing schemes, ransomware, and other malware. Antivirus software for Mac provides an additional layer of defense, detecting malware and blocking phishing attempts. It can also protect sensitive information and offer features like secure browsing and Wi-Fi protection. Regular software updates and cautious behavior are essential for security, but relying solely on these measures is risky. Integrating antivirus into security routines is a practical step to minimize risks.
BetaBeacon
November 18, 2025
- Resident Evil Survival Unit is a mobile game based on Capcom's Resident Evil series.
- The game offers a strategic experience with real-time strategy elements set in a parallel world inspired by the Resident Evil universe.
- Players can build bases, secure resources, battle creatures, and form alliances with others.
- Iconic characters from the Resident Evil franchise are featured in the game.
- Renowned artist Yoshitaka Amano contributed the original creature "Mortem" to the game.
- The game is free-to-play with in-app purchases and was launched on November 18, 2025.
- The game is available on iOS and Android in 151 countries and regions worldwide.
Tech Optimizer
November 17, 2025
In November 2025, a sophisticated malware campaign emerged, combining social engineering with advanced data theft tools. The attack begins with a tactic called ClickFix, where users are tricked into executing commands in the Windows Run window, leading to the installation of Amatera Stealer, which extracts sensitive information from browsers, cryptocurrency wallets, and password managers. Following this, attackers deploy NetSupport RAT for remote access to the compromised computer. Amatera Stealer employs advanced evasion techniques, including obfuscated PowerShell code and XOR encryption to mislead security efforts. It was originally marketed as ACR Stealer by a group named SheldIO. The infection process starts with a .NET-based downloader that retrieves payloads encrypted with RC2 from platforms like MediaFire. This downloader is packed with Agile.net, complicating analysis for cybersecurity teams. The malware disables AMSI by overwriting the "AmsiScanBuffer" string in memory, neutralizing Windows' security scanning. Amatera communicates with command servers through encrypted channels, using AES-256-CBC for traffic encryption, making inspection difficult. It aggregates stolen data into zip files and sends them to criminal servers, selectively executing additional payloads targeting high-value assets.
BetaBeacon
November 15, 2025
- Vampire Survivors is now available in virtual reality.
- Hotel Infinity is a VR game that features shifting and changing worlds with impossible architecture.
- Glassbreakers: Champions of Moss is a MOBA spinoff that is a real-time strategy game.
- Syberia VR is a remastered point-and-click adventure game from the early 2000s playable in VR.
- EXOSHOCK is a co-op PvE sci-fi squad shooter with unique combat and art style.
- Banners & Bastions is a strategy puzzle game with new content and improvements.
- Dimensional Double Shift is a multiplayer game where players work together in different dimensions.
Tech Optimizer
November 15, 2025
A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:\Program Files\Snieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.