investigation Archives

Winsage

May 31, 2025

New Malware Compromise Microsoft Windows Without PE Header

A new strain of malware has been operating undetected on Windows systems for several weeks, utilizing advanced evasion techniques that corrupt its Portable Executable (PE) headers to avoid detection. Security researchers discovered this malware embedded in the memory of a compromised system during an investigation, using a 33GB memory dump that revealed its presence in a dllhost.exe process with process ID 8200. The malware, classified as a Remote Access Trojan (RAT) by Fortinet, employs batch scripts and PowerShell commands for its attack and has capabilities for screenshot capture, remote server functionality, and system service manipulation. Its command and control infrastructure uses encrypted communications, complicating detection efforts. The malware's distinctive feature is the deliberate corruption of DOS and PE headers, which hinders reverse engineering and complicates the reconstruction of the executable from memory dumps. Researchers had to manually locate the malware’s entry point and resolve complex import tables for it to function in a controlled environment.

Tech Optimizer

May 31, 2025

Authorities Dismantled AVCheck, a Tool For Testing Malware Against Antivirus Detection

Law enforcement agencies from multiple nations dismantled a cybercriminal operation that provided malware testing services to evade antivirus detection. This effort led to the seizure of four domains and their servers, disrupting infrastructure that facilitated ransomware attacks globally. U.S. Attorney Nicholas J. Ganjei announced the disruption of an online software crypting syndicate that helped cybercriminals keep their malware undetected. The seized domains offered counter-antivirus tools and crypting services, allowing criminals to obfuscate malware and gain unauthorized access to systems. Investigators conducted undercover purchases and analyzed services, revealing connections to ransomware groups targeting victims in the U.S. and internationally. The operation, part of Operation Endgame, involved collaboration among the U.S., Netherlands, France, Germany, Denmark, Ukraine, and Portugal, with the FBI Houston Field Office leading the U.S. investigation. The seizures occurred on May 27.

Tech Optimizer

May 30, 2025

Police takes down AVCheck antivirus site used by cybercriminals

An international law enforcement initiative has dismantled AVCheck, a service that allowed cybercriminals to test malware against antivirus software. The official website, avcheck.net, now displays a seizure banner from U.S. and Dutch authorities. AVCheck was one of the largest counter antivirus services, providing insights into malware evasion tactics. Investigators found connections between AVCheck's administrators and crypting services, which help obfuscate malware. Law enforcement created a deceptive login page to warn users of legal consequences. The takedown occurred on May 27, 2025, as part of Operation Endgame, which also seized 300 servers and 650 domains linked to ransomware attacks.

Tech Optimizer

May 30, 2025

Dutch police takes Counter Antivirus service AVCheck offline

The Dutch Team High Tech Crime, in collaboration with international partners, has dismantled the counter-antivirus service AVCheck, which was used by cybercriminals to make malware undetectable. AVCheck was one of the largest services of its kind, allowing malware developers to test their software against antivirus programs. The operation involved cooperation from the Netherlands, the United States, and Finland, and was executed by the High Tech Crime Team under the National Public Prosecutor’s Office. The investigation not only shut down AVCheck but also gathered evidence against its administrators and users, including those of related services like Cryptor.biz and Crypt.guru. Additionally, a fake login page was launched to deter AVCheck users, and collaborations with antivirus organizations were established as part of Project Melissa. This action is connected to Operation Endgame, which previously targeted other malware services.

Winsage

May 29, 2025

Microsoft investigates nasty Windows 11 bug that leaves PCs unable to boot – here’s what you need to know

Both Windows 11 22H2 and 23H2 are experiencing a significant issue that could make a PC inoperable after the May cumulative update. Microsoft is investigating a recovery error, specifically the message ‘0xc0000098 in ACPI.sys’, which primarily affects virtual machines. While Windows 11 Home users are considered less likely to be impacted, there is still a possibility of encountering the issue. Reports of similar errors have been noted, although not definitively linked to the May update. Users are advised to consider postponing the upgrade until Microsoft resolves the issues. Windows 11 users can pause updates for over a month and must apply deferred patches within 35 days.

AppWizard

May 29, 2025

Ubisoft denies reports that Yves Guillemot has been summoned in upcoming trial

Ubisoft has denied claims that CEO Yves Guillemot was summoned to court in connection with a trial involving former executives, labeling the reports as "unfounded." The rumors originated from the French union Solidaires Informatique, which suggested that Guillemot, HR director Marie Derain, and Ubisoft as a corporate entity had received summonses related to allegations of sexual harassment and bullying against former executives. A Ubisoft representative confirmed via email that neither Guillemot, the HR team, nor the company is involved in the proceedings and stated their commitment to cooperate with authorities during the investigation.

AppWizard

May 29, 2025

Elon Musk’s xAI partners with messaging app Telegram in $300 million Grok deal

Elon Musk has launched xAI, aiming to uncover fundamental truths of the universe. The startup has partnered with Telegram, agreeing to a 0 million investment for the Grok AI chatbot. Telegram will receive the initial payment and 50% of revenue from xAI subscriptions sold through its platform. Telegram's CEO, Pavel Durov, mentioned that users can expect advanced AI technology by summer, although Musk later stated that "no deal has been signed." Telegram has over one billion monthly users as of 2025 and is preparing to raise at least .5 billion through a bond issue. Durov is under investigation in France for allowing criminal activities on Telegram and is restricted from leaving the country. xAI has merged with X, valuing the AI company at billion and the social media platform at billion. Grok faced criticism for generating controversial responses, which xAI attributed to an unauthorized modification. The company is working to improve Grok's transparency and reliability.

Tech Optimizer

May 28, 2025

Watch out – that antivirus website could be a fake, and infecting your PC with malware

Researchers have discovered a fraudulent website, "bitdefender-download[.]com," posing as Bitdefender antivirus, which is used to distribute the VenomRAT Remote Access Trojan. The site, hosted on an Amazon S3 bucket, tricks users into downloading harmful software through an executable file named "StoreInstaller.exe," which is linked to VenomRAT and contains code from post-exploitation frameworks SilentTrinity and StormKitty stealer. VenomRAT allows cybercriminals to gain unauthorized control over Windows systems, steal sensitive information, log keystrokes, access webcams, and execute commands remotely. The primary goal of this campaign is to steal cryptocurrency by compromising credentials and crypto wallets. The investigation also found connections to other fraudulent operations impersonating banks and IT services, including the Armenian IDBank and the Royal Bank of Canada.

Tech Optimizer

May 28, 2025

Hackers Mimic Popular Antivirus Site to Deliver VenomRAT & Steal Finance Data

Cybercriminals are executing a sophisticated malware campaign through a counterfeit Bitdefender antivirus website, specifically the domain “bitdefender-download[.]co,” which mimics the legitimate site. This fraudulent site distributes three types of malware: VenomRAT, StormKitty, and SilentTrinity, aimed at stealing financial data and maintaining persistent access to victims’ computers. When users click the “Download For Windows” button, they inadvertently download a ZIP file containing these malicious programs. VenomRAT acts as a remote access tool, allowing attackers to steal files, cryptocurrency wallets, and browser data, including credit card information. StormKitty quickly harvests sensitive credentials, while SilentTrinity provides stealthy long-term access for further exploitation. The fake Bitdefender site is linked to other malicious domains impersonating banks, indicating a coordinated phishing operation. The attackers utilize the same command and control infrastructure, with the IP address 67.217.228.160:4449 identified as a connection point. Bitdefender is working to take down the fraudulent site, and Google Chrome has begun flagging the link as malicious. Security experts recommend verifying website authenticity and downloading software only from official sources.

AppWizard

May 26, 2025

A Roblox farming game made by a teenager ‘in like three days’ had 8.9 million players online at the same time—Steam peaked at 11.5 million across all games on the same day

In 2025, the Roblox game "Grow a Garden" experienced a peak of nearly 9 million concurrent players, surpassing the previous record held by Player Unknown's Battlegrounds on Steam by almost threefold. The game reached a peak of 5 million concurrent users just a weekend prior to this achievement. It was developed by a teenage creator in three days and has gained significant popularity, with a player count that surpassed the population of New York City. Despite initial skepticism about player counts, investigations confirmed the game's genuine popularity, driven by strong user retention and community engagement. A Roblox spokesperson noted that the growth is attributed to an authentic community rather than artificial inflation.