investigations

Winsage
July 6, 2026
To check for excessive storage consumption in Windows 11, navigate to Settings > Storage > System & Reserved. A file named CapabilityAccessManager.db-wal can cause significant storage issues, potentially consuming hundreds of gigabytes. This file is associated with the Windows Capability Access Manager service, which manages app permissions for features like microphone and camera access. Normally, this file should occupy only a few megabytes, but reports indicate it can expand to sizes like 200GB or even 513GB. Microsoft acknowledged this issue in the release notes for Windows 11 KB5095093, stating that an update to improve disk space usage for this file is scheduled for July 14, 2026. To check if your system is affected, tools like WizTree or TreeSize can be used, or a command can be executed in Command Prompt to verify the file size. If the file is excessively large, it is recommended to wait for the update or rename the file to allow Windows to regenerate it, rather than deleting it.
Tech Optimizer
July 3, 2026
Cybercriminals are using a sophisticated method to bypass security measures by embedding malware within the VLC media player. This campaign exploits VLC to install ValleyRAT, a remote access trojan, through phishing emails that contain links to download a seemingly harmless file. Once the file is opened, it activates a hidden backdoor that evades detection by antivirus solutions. The malware has been active since 2023, with a significant increase in activity noted through 2025 and into 2026, particularly targeting Chinese and Japanese-speaking users. The infection process begins when a victim clicks a link in a phishing email, leading to a ZIP archive containing a disguised executable and a malicious DLL (libvlc.dll). The executable mimics a legitimate VLC file, and when executed, it loads the DLL, allowing the malware to run under the guise of VLC. The malware establishes persistence by creating a registry entry and connects to a remote server to retrieve the final payload. ValleyRAT employs evasion tactics to avoid detection, such as performing checks on system behavior and using a fileless approach to inject its payload directly into memory, avoiding storage on disk. Researchers recommend training employees to recognize suspicious filenames and deploying endpoint detection tools to identify DLL sideloading behavior. For organizations affected by this campaign, isolating compromised systems and reviewing security logs are critical initial steps. Indicators of compromise include a malicious email domain, a ZIP archive containing a fake VLC executable, and a download URL for ValleyRAT.
AppWizard
June 27, 2026
The Kentucky State Police (KSP) has opened applications for Cadet Class 108, as announced by Governor Andy Beshear. The starting salary for sworn officers has been increased to ,000 annually, with opportunities for 100 hours of overtime. Cadets will receive mileage reimbursement while attending the academy, which features a revamped 22-week training curriculum. This training includes over 1,000 hours of classroom instruction and field study covering various topics such as constitutional law, crisis response, and weapons use. Cadet Class 108 will begin in May 2027, and applications must be submitted by October 15, 2026, through JoinKSP.com.
AppWizard
June 23, 2026
Telegram has established an advertising model that focuses on monetizing public channels, selling ads based on channel topics rather than user identity. Revenue generated from ads is split evenly between Telegram and the channel owner, with no data-mining or behavioral targeting involved. The primary ad format is Sponsored Messages, which appear in public channels with at least 1,000 subscribers and consist of a text block and optional call-to-action button. Advertisers can purchase these ads through a self-serve portal without demographic targeting, ensuring no personal data is used for placements. Public channels are treated as independent units, with 50% of ad revenue going to channel owners, paid in Toncoin. Telegram's ad system has become more accessible by lowering minimum spend requirements. In addition to Sponsored Messages, Telegram is developing Mini Apps funded by its in-app currency, Stars. Regulatory scrutiny has increased, with various countries imposing bans or restrictions on Telegram for reasons related to content moderation and compliance, such as a temporary ban in India in June 2026 due to exam fraud investigations.
AppWizard
June 18, 2026
On June 13, 2026, the National Students Union of India (NSUI) held a protest in Hyderabad against alleged exam paper leaks related to the National Eligibility-cum-Entrance Test (NEET). The Indian government temporarily blocked access to the messaging platform Telegram to combat exam fraud, with the National Testing Agency (NTA) announcing the ban will last until June 22 and disabling the message editing feature until June 30. The NEET-UG exam was canceled on May 12, affecting approximately 2.2 million students, following allegations of a paper leak. Telegram channels were found soliciting payments for leaked exam papers, while the NTA denied any papers were available outside secured channels. Political ramifications included calls from opposition leader Rahul Gandhi for the resignation of Education Minister Dharmendra Pradhan. The Cockroach Janta Party organized protests nationwide demanding accountability for the examination discrepancies.
Tech Optimizer
June 6, 2026
Researchers have identified a new malware called JS.MonoGlyphRAT, which disguises itself as business documents to infiltrate corporate networks. It is primarily spread through phishing emails targeting various sectors in the U.S. and has been reported in countries like Germany, Sweden, and Australia. The malware is classified as "Unknown malware" on threat intelligence platforms, making traditional antivirus solutions ineffective. It establishes a persistent presence in the network by executing a JavaScript file and communicating with command-and-control (C2) servers over HTTP. Key indicators of compromise include unusual HTTP traffic, registry changes, and the execution of specific JavaScript files. The malware can download additional payloads and execute commands without leaving traces on disk. Indicators of compromise include specific IP addresses, URLs, file hashes, and registry keys associated with the malware's operation.
Search