Injection

Winsage
September 9, 2025
GIMP and Krita perform better on Linux due to their native integration with system libraries (GTK for GIMP and Qt for Krita), resulting in a more responsive user experience compared to Windows. Kdenlive, a video editing software, is more stable on Linux, with fewer crashes and better performance due to its native MLT framework, while the Windows version often experiences issues. OBS Studio benefits from direct access to hardware resources on Linux, leading to lower latency and reduced CPU/GPU load, while capturing per-application audio is easier on Linux. VLC Media Player on Linux comes with full codec support out of the box, unlike the Windows version, which requires additional downloads. Linux's package management system allows for centralized software distribution and efficient dependency tracking, making it more secure and streamlined than Windows' fragmented approach to software management.
Winsage
September 5, 2025
Cybersecurity researchers have identified a new threat cluster named GhostRedirector, which has compromised at least 65 Windows servers, mainly in Brazil, Thailand, and Vietnam. The intrusions install a C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor is believed to have been active since at least August 2024. Rungan executes commands on compromised servers, while Gamshen performs SEO fraud by altering the responses served to Googlebot, so the manipulation stays invisible to ordinary visitors. GhostRedirector has also hit entities in other countries, including the U.S., Canada, and India, across multiple sectors. Initial access is most likely gained through SQL injection vulnerabilities, after which PowerShell is used to pull additional malware from a staging server. Rungan listens for commands on a specific URL and supports functions including user creation and command execution. Gamshen belongs to a family of IIS malware and operates similarly to previously documented IIS modules. The group uses deceptive SEO techniques to generate artificial backlinks that promote gambling websites. Evidence suggests GhostRedirector may be linked to a China-based threat actor: the code contains Chinese strings and the tooling is signed with a certificate issued to a Chinese company. The group secures long-term access by deploying multiple remote access tools and creating rogue user accounts.
Winsage
September 5, 2025
A cybercrime group named GhostRedirector has infiltrated at least 65 Windows servers worldwide, using previously undocumented malware to manipulate Google search rankings for gambling sites. The activity was first observed in December, with indications of operation since at least August 2024. The group employs two malware families, Rungan (a C++ backdoor) and Gamshen (an IIS trojan), to carry out SEO fraud by altering the responses a compromised site returns to Googlebot and by creating fake backlinks. Most compromised servers are located in Brazil, Peru, Thailand, Vietnam, and the United States, with a concentration in South America and Southeast Asia. The initial breach most likely occurred via an SQL injection vulnerability, followed by the use of PowerShell to download privilege escalation tools and malware from a server identified as 868id[.]com. The tools include EfsPotato and BadPotato, signed with a certificate linked to Shenzhen Diyuan Technology. GhostRedirector also uses a custom library called Comdai for backdoor functionality and a tool named Zunput for gathering information about the websites hosted on the server. Rungan executes backdoor commands, while Gamshen performs the SEO manipulation inside the IIS request pipeline.
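Both GhostRedirector summaries above describe Gamshen as a malicious IIS module. Native IIS modules are registered in applicationHost.config under globalModules, so a quick audit is to list them and flag any image that does not live in the IIS binary directory. The script below is an added example, not code from the articles or from ESET; the configuration fragment and the module name IISSiteHelper are constructed test data, and the trusted-directory prefixes are an assumption that matches a default install.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (test data, not from a real server):
# two stock IIS modules plus one registered from an unusual location.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="IISSiteHelper" image="C:\\ProgramData\\iis\\sitehelper.dll" preCondition="bitness64" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumption: on a default install every legitimate native module ships from inetsrv.
TRUSTED_DIRS = (r"%windir%\system32\inetsrv", r"c:\windows\system32\inetsrv")


def list_global_modules(config_xml: str) -> list:
    """Return every <add> under <globalModules> as {"name", "image"}."""
    root = ET.fromstring(config_xml)
    modules = []
    # system.webServer contains a dot, which ElementTree's path syntax mis-tokenizes,
    # so walk to the globalModules element directly instead of using a path.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            modules.append({"name": add.get("name"), "image": add.get("image", "")})
    return modules


def is_unexpected(image: str) -> bool:
    """Flag a native module whose DLL is not under the IIS binary directory."""
    norm = image.strip().lower().replace("/", "\\")
    return not any(norm.startswith(d) for d in TRUSTED_DIRS)


def suspicious_modules(config_xml: str) -> list:
    """Names of registered native modules loaded from outside inetsrv."""
    return [m["name"] for m in list_global_modules(config_xml) if is_unexpected(m["image"])]


if __name__ == "__main__":
    for m in list_global_modules(SAMPLE_CONFIG):
        flag = "SUSPECT" if is_unexpected(m["image"]) else "ok"
        print(f"{flag:8} {m['name']:24} {m['image']}")
```

On a live server, read %windir%\System32\inetsrv\config\applicationHost.config and treat a flagged image as a lead, not a verdict: confirm with the file's Authenticode signature and the account that owns it, and review the rogue local accounts the reports describe alongside the module list.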
Winsage
August 30, 2025
In mid-2025, a campaign attributed to the Silver Fox Advanced Persistent Threat (APT) began abusing a vulnerable Microsoft-signed WatchDog Antimalware driver (amsdk.sys, version 1.0.600) to compromise modern Windows environments. The attackers use the driver's arbitrary process termination capability to disable endpoint detection and antivirus protections on fully patched Windows 10 and 11 systems. The attack starts with a loader that checks for virtual machines and sandboxes before dropping two drivers into a new directory. These drivers are registered as kernel services, and the loader establishes persistence. The loader then kills security service processes through the driver's termination primitive and injects a ValleyRAT downloader module that connects to C2 servers hosted in China. After the vulnerability was disclosed, a patched driver (wamsdk.sys, version 1.1.100) was released, but Silver Fox adapted by changing the timestamp inside the driver's Authenticode signature. Because the signature blob is excluded from the signed hash, the file's hash changes while the signature stays valid, so hash-only blocklists no longer match the modified driver.
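The timestamp trick works because Authenticode does not hash the whole file: the CheckSum field, the Certificate Table directory entry, and the certificate table itself are skipped, so bytes inside the signature blob can change without invalidating it. The script below is an added example, not code from the report or from the driver vendor. It implements the Authenticode hashing rules from Microsoft's PE specification over a minimal PE32+ image built in memory (constructed test data, not a real driver), then shows that a byte flipped inside the certificate table changes the file's SHA-256 but not the Authenticode hash, while a byte flipped in the COFF header changes both.

```python
import hashlib
import struct


def _pe_layout(data: bytes) -> dict:
    """Locate the regions the Authenticode hash skips: the CheckSum field,
    the Certificate Table directory entry and the certificate table itself."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x20B: opt + 112, 0x10B: opt + 96}.get(magic)  # PE32+ / PE32
    if dir_base is None:
        raise ValueError("unknown optional header magic")
    certdir = dir_base + 4 * 8  # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, certdir)
    sections = []
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + size_opt + i * 40 + 16)
        sections.append((raw_ptr, raw_size))
    return {
        "checksum": opt + 64,
        "certdir": certdir,
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "sections": sorted(sections),
        "cert_size": cert_size,
    }


def authenticode_sha256(data: bytes) -> str:
    """SHA-256 over exactly the bytes Authenticode signs."""
    lay = _pe_layout(data)
    h = hashlib.sha256()
    h.update(data[: lay["checksum"]])                          # headers up to CheckSum
    h.update(data[lay["checksum"] + 4 : lay["certdir"]])       # skip CheckSum
    h.update(data[lay["certdir"] + 8 : lay["size_of_headers"]])  # skip cert directory entry
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in lay["sections"]:                   # sections in file order
        h.update(data[raw_ptr : raw_ptr + raw_size])
        hashed += raw_size
    # Trailing data after the last section is hashed too, minus the certificate table.
    h.update(data[hashed : len(data) - lay["cert_size"]])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_pe(signature_blob: bytes) -> bytes:
    """Minimal PE32+ with no sections and a fake WIN_CERTIFICATE appended.
    Constructed test image; the blob stands in for the PKCS#7 signature."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0x68C00000, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 60, 328)                      # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)               # CheckSum (not hashed)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, 0x0002) + signature_blob
    struct.pack_into("<II", opt, 112 + 4 * 8, 328, len(cert))  # security directory
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    out = bytearray(data)
    out[offset] = value
    return bytes(out)


def demo() -> dict:
    blob = b"fake-pkcs7|signingTime=20250701120000Z|"  # constructed signature blob
    original = build_sample_pe(blob)
    ts_off = original.index(b"20250701") + 3               # year digit inside the cert table
    sig_tampered = patch_byte(original, ts_off, ord("6"))   # 2025 -> 2026, signature region
    coff_tampered = patch_byte(original, 72, 0xFF)          # COFF TimeDateStamp, signed region
    return {
        "file_hash_changed": file_sha256(original) != file_sha256(sig_tampered),
        "authenticode_unchanged": authenticode_sha256(original) == authenticode_sha256(sig_tampered),
        "coff_timestamp_breaks_signature": authenticode_sha256(original) != authenticode_sha256(coff_tampered),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical lesson is that a blocklist keyed on file hash alone is defeated by a single-byte edit in the unsigned region; block vulnerable drivers by signer and version range (or by the Authenticode hash computed as above) rather than by file hash.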
Tech Optimizer
August 29, 2025
NodeBB version 4.3.0 has a critical vulnerability (CVE-2025-50979) in its search-categories API endpoint that allows unauthenticated remote attackers to perform boolean-based blind and PostgreSQL error-based SQL injection. The search parameter is not properly sanitized before it reaches the query, so attacker-controlled SQL is executed by the database, which can expose sensitive data. NodeBB maintainers have released a patch in version 4.3.1. Temporary mitigations include placing a Web Application Firewall (WAF) in front of the endpoint, restricting API access to trusted IP ranges, and monitoring logs for suspicious activity. The CVSS 3.1 score is 9.8, critical severity.
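A boolean-based blind injection leaks data without ever showing an error or a query result: the attacker only needs to tell "rows returned" from "no rows". The script below is an added example and is not NodeBB's code; it uses an in-memory SQLite database with constructed rows in place of PostgreSQL, and the search_categories functions are simplified stand-ins for the affected endpoint. It shows a concatenated query, a blind oracle that extracts a secret column character by character through that query, and the bound-parameter version against which the same oracle recovers nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a forum database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categories (cid INTEGER, name TEXT);
        INSERT INTO categories VALUES (1, 'General'), (2, 'Announcements');
        CREATE TABLE users (uid INTEGER, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.test');
    """)
    return db


def search_categories_vulnerable(db, search: str) -> list:
    """The flaw: the search term is spliced into the SQL text."""
    sql = "SELECT cid, name FROM categories WHERE name LIKE '%" + search + "%'"
    return db.execute(sql).fetchall()


def search_categories_fixed(db, search: str) -> list:
    """The fix: the term is a bound parameter and is never parsed as SQL."""
    return db.execute(
        "SELECT cid, name FROM categories WHERE name LIKE ?", ("%" + search + "%",)
    ).fetchall()


def oracle(db, endpoint, condition: str) -> bool:
    """Boolean-based blind probe: rows come back only if `condition` is true.
    The payload closes the LIKE literal, ANDs the condition, and comments out the rest."""
    return len(endpoint(db, "%' AND (" + condition + ") -- ")) > 0


def extract_secret(db, endpoint, subquery: str, max_len: int = 64) -> str:
    """Recover a string from true/false answers alone, binary-searching each
    code point (7 probes per character plus one length check)."""
    out = ""
    for i in range(1, max_len + 1):
        if not oracle(db, endpoint, f"length(({subquery})) >= {i}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, endpoint, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    target = "SELECT email FROM users WHERE uid=1"
    print("vulnerable endpoint leaks:", repr(extract_secret(db, search_categories_vulnerable, target)))
    print("fixed endpoint leaks:     ", repr(extract_secret(db, search_categories_fixed, target)))
```

The error-based variant the advisory also mentions is the same bug with a louder channel: PostgreSQL's error text carries the result of a subquery cast to the wrong type. Either way the durable fix is parameterization; a WAF or IP allowlist only raises the cost of the probes.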
Tech Optimizer
August 27, 2025
Ransomware is being enhanced by artificial intelligence, with cybercriminals using generative AI tools to build more sophisticated malware. A notable example is PromptLock, reported on August 27, 2025 and described by ESET as the first known AI-powered ransomware, although ESET characterized the sample as an apparent proof of concept rather than malware seen in active deployment. It uses OpenAI's gpt-oss-20b model to generate malicious code at runtime, which complicates signature-based detection. ESET's analysis indicates that PromptLock runs the model locally on the victim's device, minimizing external communications and reducing its network footprint. The first half of 2025 saw a 70% increase in ransomware victims, largely attributed to AI-enhanced phishing campaigns. Akamai Technologies reported a 37% increase in ransomware incidents in 2024, fueled by generative AI. Governments are beginning to respond with regulations requiring quicker breach disclosures, and cybersecurity experts emphasize the need for continuous monitoring and adaptive defenses.
Tech Optimizer
August 18, 2025
The PostgreSQL Global Development Group has released security and maintenance updates for versions 17.6, 16.10, 15.14, 14.19, 13.22, and the third beta of PostgreSQL 18. The updates address three vulnerabilities: 1. CVE-2025-8714 (CVSS 8.8) - A malicious superuser on the source server can inject psql meta-commands into pg_dump output, which then run on the client when the dump is restored. 2. CVE-2025-8715 (CVSS 8.8) - Object names containing newlines are not neutralized by pg_dump, allowing SQL or meta-command injection into the dump. 3. CVE-2025-8713 (CVSS 3.1) - Optimizer statistics can expose data the user should not see. The release also improves BRIN index performance and logical replication, and resolves WAL segment removal issues. PostgreSQL 13 will reach end-of-life on November 13, 2025. The third beta of PostgreSQL 18 is in development, with general availability expected in September or October 2025. Administrators should reindex after the upgrade if they use the specific BRIN index types called out in the release notes.
Tech Optimizer
August 18, 2025
The PostgreSQL Global Development Group released security updates on August 14, 2025, addressing three vulnerabilities affecting PostgreSQL versions 13 through 17. The vulnerabilities include: 1. CVE-2025-8714: Arbitrary code execution on the client via psql meta-commands embedded in pg_dump output and executed during restore, CVSS 8.8. 2. CVE-2025-8715: Code or SQL injection through improper newline handling in object names written by pg_dump, also CVSS 8.8. 3. CVE-2025-8713: Exposure of sensitive data via optimizer statistics, CVSS 3.1. Organizations are advised to upgrade to PostgreSQL 17.6, 16.10, 15.14, 14.19, or 13.22 promptly. Cloud providers have begun fleet updates, and development teams should audit their CI/CD pipelines for pg_dump usage, since a dump taken from a database where a lower-privileged user controls object names is untrusted input to the restoring host. The vulnerabilities were reported responsibly by several individuals, and PostgreSQL 13 will reach its end-of-life on November 13, 2025.
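Both PostgreSQL entries above describe the same failure mode for CVE-2025-8715: an object name containing a newline is written into a line-oriented script, and the restoring client reads the text after the newline as a fresh line. The toy below is an added example, not pg_dump or psql code. It models a dump writer that emits a "-- Name:" header comment (as pg_dump does) followed by a quoted CREATE TABLE, and a restorer that, like psql, treats a line beginning with a backslash as a meta-command unless it is inside an open double-quoted identifier. The table names and the "\! echo" meta-command are constructed; the point is that proper identifier quoting protects the SQL statement but not the comment line.

```python
def quote_ident(name: str) -> str:
    """SQL identifier quoting: wrap in double quotes and double embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def write_dump_naive(tables: dict) -> str:
    """Dump writer modeled on pg_dump's '-- Name:' headers. The comment interpolates
    the raw name, so a newline in the name ends the comment early."""
    lines = []
    for name, columns in tables.items():
        lines.append(f"-- Name: {name}; Type: TABLE")
        lines.append(f"CREATE TABLE {quote_ident(name)} ({columns});")
    return "\n".join(lines) + "\n"


def write_dump_hardened(tables: dict) -> str:
    """Same writer, but refuses names with line breaks before they reach any
    line-oriented context. (Illustrative policy, not the upstream fix.)"""
    for name in tables:
        if "\n" in name or "\r" in name:
            raise ValueError(f"object name contains a line break: {name!r}")
    return write_dump_naive(tables)


def meta_commands_seen_by_restore(script: str) -> list:
    """Toy model of a psql-like scanner: a line whose first non-blank character is a
    backslash is a meta-command, unless a double-quoted identifier opened on an
    earlier line is still unterminated. Comment lines end at the newline."""
    found, in_quote = [], False
    for line in script.split("\n"):
        stripped = line.lstrip()
        if not in_quote and stripped.startswith("\\"):
            found.append(stripped.rstrip())
            continue
        if not in_quote and stripped.startswith("--"):
            continue  # quotes inside a comment do not open an identifier
        in_quote ^= (line.count('"') % 2 == 1)
    return found


# Constructed inputs: a harmless schema and one whose table name smuggles a line break.
SAFE_TABLES = {"orders": "id int, total numeric"}
EVIL_TABLES = {"orders\n\\! echo pwned > /tmp/x\n--": "id int"}


if __name__ == "__main__":
    print(write_dump_naive(EVIL_TABLES))
    print("restore would run:", meta_commands_seen_by_restore(write_dump_naive(EVIL_TABLES)))
```

Walk through the evil case: the quoted CREATE TABLE also contains the "\!" line, but the scanner is inside an open identifier there and ignores it; only the copy that landed after the truncated "-- Name:" comment is parsed as a command. The same reasoning applies to any generated script, not just dumps: every interpolation into a comment or meta-command line needs the same care as interpolation into SQL.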