investigation

Tech Optimizer
April 19, 2026
Security researchers at Huntress discovered adware signed by Dragon Boss Solutions LLC, which was designed to deliver unwanted advertisements and disrupt user experience. The software had a sophisticated update mechanism that disabled antivirus programs and prevented their reactivation. Huntress found that the primary update domain and its fallback had not been registered, creating a vulnerability that could have allowed malicious actors to take control of the compromised network. In response, Huntress acquired the domains to prevent further exploitation, observing tens of thousands of compromised endpoints attempting to connect. They identified 324 infected devices in high-value sectors, including 221 academic institutions, 41 Operational Technology networks, 35 municipal governments and public utilities, 24 educational institutions, and 3 healthcare organizations. Additionally, networks of multiple Fortune 500 companies were also compromised. Researchers advised monitoring for specific WMI event subscriptions and processes associated with Dragon Boss Solutions LLC to mitigate risks.
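One way to act on that monitoring advice, as an added PowerShell check that is not taken from the Huntress report: it lists every permanent WMI event subscription with its consumer payload and flags running processes whose Authenticode signer matches the signer name. The match pattern is an assumption, since the summary names the signer but not the exact subscription names.

```powershell
# Added example, not from the Huntress write-up. Assumption: the only indicator
# used is the signer name the summary gives; exact subscription names are unknown.
$signerPattern = 'Dragon Boss Solutions'

# 1. Permanent WMI event subscriptions: filter -> consumer bindings in root\subscription
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$subscriptions = foreach ($b in $bindings) {
    # Get-CimInstance returns the Filter/Consumer reference properties as CimInstances with a Name
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer carries ScriptText
    $payload = (@($c.CommandLineTemplate, $c.ScriptText, $c.ExecutablePath) -join ' ').Trim()
    [pscustomobject]@{
        Filter       = $b.Filter.Name
        Query        = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        Payload      = $payload
        Suspicious   = ($payload -match [regex]::Escape($signerPattern))
    }
}

# 2. Running processes whose image is Authenticode-signed by the named signer
$signedProcs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match [regex]::Escape($signerPattern)) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Path = $_.Path; Signer = $sig.SignerCertificate.Subject }
    }
}

"Permanent WMI subscriptions found: $($subscriptions.Count). Review each one; a clean host usually has none or only vendor-known entries."
$subscriptions | Format-Table -AutoSize
"Running processes signed by '$signerPattern':"
$signedProcs | Format-Table -AutoSize
```

Run it in an elevated session so that process paths and the root\subscription namespace are readable; any subscription marked Suspicious, or any process in the second table, is a lead to investigate rather than proof of infection on its own.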
Winsage
April 18, 2026
A vulnerability has been discovered in Windows Defender that allows standard users to exploit a logic error in the file remediation process, enabling code execution with elevated privileges without administrative access. This flaw, identified by security researcher Chaotic Eclipse, occurs because Windows Defender does not verify whether the restoration location of flagged files has been altered through a junction point. The exploit, named RedSun, takes advantage of a missing validation in the MpSvc.dll file, allowing attackers to redirect file restoration to the C:\Windows\System32 directory. RedSun operates by chaining together four legitimate Windows features: Opportunistic Locks (OPLOCKs), Cloud Files API, Volume Shadow Copy Service (VSS), and Junction Points. The execution of the exploit involves monitoring shadow copies, triggering Defender's detection, synchronizing OPLOCKs, and ultimately writing malicious binaries to the System32 directory. The root cause is the lack of reparse point validation in the restoration process, and currently, no patch or CVE has been assigned for this vulnerability. It affects Windows 10, Windows 11, and Windows Server 2019 and later, and organizations are advised to implement behavioral detection strategies until a fix is available.
Winsage
April 17, 2026
Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.
AppWizard
April 16, 2026
A shooting incident at a school in Zakarpattia has been classified as a terrorist act by authorities. A 15-year-old student discharged several rounds from a modified blank gun, injuring a classmate, who received prompt medical attention and is not in critical condition. Preliminary investigations indicate that the teenager acted under duress from unidentified individuals who threatened harm to his relatives if he did not comply with their demands. The shooter fled but was apprehended by patrol police shortly after. The Uzhhorod District Prosecutor's Office is overseeing the pre-trial investigation, which falls under Part 1 of Article 258 of the Criminal Code of Ukraine.
Tech Optimizer
April 16, 2026
Security researchers at Huntress discovered adware signed by Dragon Boss Solutions LLC that primarily displayed unwanted advertisements and redirected users to various sites. The malware included a sophisticated update mechanism that disabled antivirus programs. The primary update domain and its backup were not registered, making them exploitable. Tens of thousands of endpoints were compromised, affecting universities, operational technology networks, government agencies, and Fortune 500 firms.
Winsage
April 14, 2026
Cybercriminals are using sophisticated tactics to deceive users, particularly with a counterfeit website posing as a legitimate Windows 11 update. This site operates under the domain microsoft-update[.]support and is designed to trick individuals into downloading malware that compromises sensitive information. The site is written in French and mimics a genuine cumulative update for Windows 11, version 24H2, featuring a convincing KB article number and a blue download button. The malware is packaged as a Windows update using the WiX Toolset 4.0.0.5512 and is labeled "WindowsUpdate 1.0.0.msi," with properties that suggest it is from Microsoft. At the time of analysis, VirusTotal showed no detections for the malware, which conceals its harmful code within an Electron shell, making it difficult to identify. Users are advised to download updates directly through the Windows Settings app or from Microsoft's official support hub.