keylogger

Winsage
December 15, 2025
A pro-Russian hacktivist group, CyberVolk, has re-emerged in 2025 with a new ransomware-as-a-service (RaaS) operation called VolkLocker, which targets both Windows and Linux systems using Golang. The group utilizes Telegram bots for command-and-control operations, allowing affiliates to manage ransomware interactions. Despite its advancements, coding errors in the ransomware enable victims to recover encrypted files without paying a ransom. VolkLocker employs AES-256 encryption but has a critical flaw: the master encryption key is hard-coded and saved in plaintext, allowing easy decryption. The ransomware also ensures persistence by replicating itself and disabling essential system tools. CyberVolk offers additional RAT and keylogger add-ons for sale, with complete RaaS packages offered at a range of prices. Indicators of compromise include specific Windows and Linux sample hashes, a Bitcoin wallet address, and a Telegram bot ID.
AppWizard
October 14, 2025
Monitoring Instagram activity on Android devices is increasingly popular among parents, employers, and individuals focused on online safety. Four notable Instagram monitoring apps for Android are:

1. uMobix:
- Monitors Instagram messages, posts, and stories in real time.
- Offers GPS tracking, geofencing, and a keylogger.
- Operates in stealth mode and supports multiple devices.
- Requires physical access for installation and has subscription-based pricing.
2. mSpy:
- Provides insights into Instagram direct messages and media files.
- Monitors other social media, tracks GPS, and offers ambient recording.
- Operates in stealth mode and includes customer support.
- Requires physical access for installation, and some features are limited to higher-tier plans.
3. Eyezy:
- Monitors Instagram messages and stories, with keystroke capture and live screen streaming.
- Emphasizes user privacy and supports multiple devices.
- Some features may need additional permissions, and pricing can be higher than competitors.
4. Spynger:
- Tracks Instagram direct messages and media files, with real-time alerts.
- Specializes in detecting suspicious behavior and provides detailed reports.
- Easy installation, but has limited features compared to more comprehensive apps.
Tech Optimizer
August 30, 2025
Cybersecurity experts have identified a new malware framework called PS1Bot, which features a modular architecture allowing it to perform various malicious actions, including information theft, keylogging, reconnaissance, and establishing persistent access. PS1Bot employs stealth techniques, such as in-memory execution, to minimize its digital footprint and complicate forensic investigations. Active since early 2025, it uses malvertising as a primary infection vector, delivering a compressed archive containing a JavaScript payload that downloads and executes a PowerShell script. This script connects to a command-and-control server to retrieve additional commands and can perform actions like antivirus detection, screen capture, data extraction from cryptocurrency wallets, and maintaining persistence on the infected system. The information stealer module is particularly concerning due to its ability to locate sensitive files related to cryptocurrency. PS1Bot shares technical similarities with AHK Bot and is linked to previous ransomware campaigns using Skitnet. In response to these threats, Google has implemented advanced AI systems to combat invalid traffic, achieving a 40% reduction in deceptive ad practices.
AppWizard
August 25, 2025
Zscaler's ThreatLabz team discovered 77 malicious Android applications on Google Play that collectively garnered over 19 million downloads. The Anatsa (TeaBot) banking trojan was identified as the main threat, evolving to target 831 banking and cryptocurrency apps. More than 66% of the malicious apps contained adware, while nearly 25% were infected with Joker malware, which can perform intrusive actions such as sending texts and accessing sensitive information. A variant of Joker, named Harly, disguises itself within legitimate applications. Anatsa employs various evasion tactics, including using a decoy app to download its payload post-installation and altering package names to complicate detection. Following the findings, Google removed the identified malicious apps from the Play Store, and users are advised to ensure their Play Protect service is active and to take precautions if infected.
Tech Optimizer
August 25, 2025
Doctor Web’s antivirus laboratory has identified a sophisticated Android backdoor malware named Android.Backdoor.916.origin, which has been evolving since January 2025. This spyware primarily targets Russian businesses through focused attacks, disseminated via private messages as a fake antivirus application called “GuardCB.” The app's icon resembles the Central Bank of the Russian Federation's emblem and is presented in Russian. Variants of the malware include names like “SECURITY_FSB” and “FSB,” falsely claiming to be security tools linked to Russian law enforcement. Upon execution, the malware simulates an antivirus scan, requesting extensive system permissions for surveillance and data exfiltration, including access to geolocation, audio recording, SMS, contacts, call logs, media files, and camera functions. It establishes connections to command-and-control servers, allowing attackers to send and receive sensitive data, initiate audio and video feeds, and execute commands. The malware employs keylogger functionality to intercept keystrokes and monitor specific applications for content theft. Doctor Web has notified domain registrars to disrupt the malware's infrastructure and confirms that all known variants are detected and neutralized by their antivirus solutions. Organizations are advised to enforce strict APK sideloading policies and verify app authenticity to counter such threats.
AppWizard
August 25, 2025
Security experts at Doctor Web have identified a sophisticated Android spyware campaign targeting Russian business leaders, utilizing malware named Android.Backdoor.916. First detected in January 2025, this malware is distributed through APK files disguised as security applications, particularly under the name GuardCB, which mimics the emblem of the Central Bank of the Russian Federation. Other variants include “SECURITY_FSB” and “FSB,” and the app interface is exclusively in Russian. The malware is disseminated via private messages on popular messaging platforms, avoiding official app stores. Upon installation, it simulates device scans and generates fictitious threat reports while activating extensive spyware modules that request permissions for geolocation, camera and microphone usage, SMS and contact access, call logs, and background operation. It can transmit SMS messages, upload contact lists, forward call history and location data, and exfiltrate media. It also enables real-time audio streaming, video capture, and screen activity monitoring, using Accessibility Service to maintain a keylogger for intercepting sensitive content from various applications. Control over the malware is maintained through a modular system that reconnects to the command server every minute, with fallback connectivity options to multiple hosting providers. The malware is designed for targeted cyber-espionage rather than mass infections, focusing on corporate executives and business figures. Doctor Web's antivirus solutions for Android can detect and eliminate known variants of this backdoor, highlighting the vulnerability of high-value individuals to mobile spyware disguised as legitimate applications. Experts recommend enhancing mobile security policies and educating high-risk employees about social engineering tactics.
Tech Optimizer
August 24, 2025
A new strain of Android malware, named 'Android.Backdoor.916.origin,' has emerged from Russia's Federal Security Service (FSB) and targets executives in Russian businesses. Identified by Dr. Web, this malware is a standalone entity with no ties to previous malware families. It has capabilities including monitoring conversations, streaming video from the camera, logging user input, and exfiltrating data from messaging applications. Since its detection in January 2025, it has shown multiple iterations, indicating ongoing enhancements. The malware is specifically designed for Russian enterprises, using the Russian language in its interface and employing branding efforts that impersonate the Central Bank of Russia and the FSB. The malware masquerades as an antivirus tool but lacks protective features, simulating scans that yield false positives. It requests high-risk permissions such as geolocation access, SMS and media file access, and camera and audio recording capabilities. Once installed, it can exfiltrate SMS messages, contacts, call history, geolocation data, and stored images, activate the microphone and camera, capture text input from messaging and browser applications, and execute shell commands. It can switch between 15 different hosting providers, indicating resilience and adaptability. Dr. Web has made the complete indicators of compromise related to this malware available on their GitHub repository.
AppWizard
August 20, 2025
Cybersecurity experts at Doctor Web have identified a new variant of Android malware called Android.Backdoor.916.origin, active since January 2025. This malware can eavesdrop on conversations, steal messages, stream video, and log keystrokes. It targets Russian business representatives rather than average users, being distributed through direct messages as a fake antivirus app named GuardCB, which mimics the Russian Central Bank's emblem. The app requests extensive permissions, including geolocation, audio recording, camera access, and SMS data, and can function as a keylogger. It is designed for persistence, launching background services and communicating with multiple command-and-control servers. The malware can livestream audio, broadcast video, capture text, and upload contacts and call history. It exploits Android’s Accessibility Service to capture keystrokes and prevent uninstallation. The interface is exclusively in Russian, indicating it is specifically designed for a targeted group. Users in Russia are advised to download applications only from trusted sources to mitigate risks.