malicious activities Archives

Winsage

May 11, 2026

New GhostLock tool abuses Windows API to block file access

A security researcher has developed a proof-of-concept tool called GhostLock, which exploits a vulnerability in the Windows file API, specifically the 'CreateFileW' function. By manipulating the 'dwShareMode' parameter to grant exclusive access to files, GhostLock can prevent other users or applications from opening those files, resulting in a 'STATUSSHARINGVIOLATION' error. The tool automates the process of opening multiple files on SMB shares, causing access disruptions without requiring elevated privileges. This technique is intended as a disruption attack rather than a destructive one, similar to ransomware, and can serve as a diversion during intrusions. Detection of this attack relies on monitoring the open-file count with ShareAccess set to 0 at the file server layer. Dvash has provided resources for IT teams to enhance detection capabilities against this threat.

Tech Optimizer

May 8, 2026

CrowdStrike Falcon: What US Businesses Need to Know Right Now About the Security Platform

CrowdStrike Falcon is a cloud-native endpoint protection platform (EPP) and extended detection and response (XDR) solution used by many U.S. organizations to combat modern cyber threats such as ransomware and supply chain attacks. It utilizes behavioral analysis, machine learning, and real-time telemetry instead of traditional signature-based detection methods. Falcon features a lightweight agent that operates on various endpoints, collecting telemetry data for analysis. Key modules include Falcon Prevent for blocking malware, Falcon Insight for monitoring endpoint activity, and Falcon OverWatch for managed detection and response services. The platform also offers identity protection and cloud workload security, integrating telemetry from various environments for a comprehensive threat view. Falcon is particularly beneficial for medium to large-sized organizations with dedicated security teams and complex IT infrastructures. However, it may not be suitable for smaller businesses due to its licensing model and operational complexity. Its strengths include rapid deployment, scalability, and advanced detection capabilities, while its limitations involve reliance on proper configuration and cloud connectivity. Competitors include Microsoft Defender for Endpoint and SentinelOne. Organizations considering Falcon should evaluate their security needs, existing infrastructure, and budget, as well as the total cost of ownership.

BetaBeacon

May 6, 2026

North Korean hackers targeted ethnic Koreans in China with Android ‘BirdCall’ malware

North Korean hackers targeted ethnic Koreans in China with a malware disguised as a popular Android mobile game called BirdCall, allowing them to steal personal data from victims.

Tech Optimizer

April 13, 2026

Fake Claude site installs malware that gives attackers access to your computer

Claude, an AI tool developed by Anthropic, receives nearly 290 million web visits monthly and has become a target for cybercriminals. A fake website has been found that impersonates Claude, distributing a trojanized installer named Claude-Pro-windows-x64.zip. This installer, while appearing legitimate, deploys PlugX malware, granting attackers remote access to users' systems. The fraudulent site mimics the official download page and uses passive DNS records linked to commercial bulk-email platforms, indicating active maintenance by the operators. The ZIP file contains an MSI installer that incorrectly spells "Claude" as "Cluade" and creates a desktop shortcut that launches a VBScript dropper. This script runs the legitimate claude.exe while executing malicious activities in the background, including copying files to the Windows Startup folder to ensure persistence after reboot. The attack utilizes a DLL sideloading technique recognized by MITRE as T1574.002, where a legitimate G DATA antivirus updater is exploited with a malicious DLL. Within 22 seconds of execution, the malware establishes a connection to an IP address associated with Alibaba Cloud, indicating control over the compromised system. The dropper script also employs anti-forensic measures to delete itself and the VBScript after deployment. Indicators of compromise include the filenames Claude-Pro-windows-x64.zip, NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat, along with the network indicator 8.217.190.58:443 (TCP) as the command and control destination. Users are advised to download Claude only from the official site and to remain vigilant against potential compromises.

Winsage

April 8, 2026

Microsoft Rolls Out New Defender Update for Windows 11, 10, and Server Images

Microsoft released a security intelligence update for Microsoft Defender Antivirus on April 7, 2026, enhancing protection for Windows 11, Windows 10, and Windows Server. The update introduces refined threat detection capabilities to combat malware and zero-day attacks, utilizing advanced detection logic and cloud-based protection. The security intelligence version is 1.447.209.0, engine version is 1.1.26020.3, and platform version is 4.18.26020.6. Updates are automatically delivered via Windows Update, but can also be manually initiated or deployed using standalone installer packages. The update supports legacy platforms, including Windows 7 and Windows 8.1, provided they have SHA-2 code signing support enabled. Additionally, updates to the Network Inspection System (NIS) are available for certain environments.

AppWizard

April 3, 2026

NCSC warns of messaging app targeting by Russia-linked actors

The UK National Cyber Security Centre (NCSC) has warned of an increase in cyber threats from Russia-based actors, targeting high-risk individuals through messaging applications like WhatsApp, Signal, and Messenger. These threats involve deceptive tactics such as coaxing users for login codes, unauthorized device access, group chat infiltration, impersonation of trusted contacts, and phishing links. The targeting is linked to state-affiliated groups from Russia, China, and Iran. High-risk individuals are those with access to sensitive information or influential roles. The NCSC recommends several protective measures: enabling two-step verification, not sharing verification codes, monitoring linked devices, being cautious with unknown contacts, limiting personal app use for work, and using disappearing messages to reduce data exposure.

AppWizard

April 1, 2026

NCSC warns of messaging app targeting | National Cyber Security Centre

The National Cyber Security Centre (NCSC) has issued guidelines for individuals vulnerable to targeted attacks via messaging applications, particularly due to increased malicious activities from actors based in Russia. High-risk individuals, such as those with access to sensitive information, are especially susceptible. Past incidents involve state-affiliated groups like APT31 from China, the Russian FSB actor Star Blizzard, and Iran's IRGC targeting government officials. Attackers may use deceptive methods to obtain login codes, add devices to accounts, infiltrate group chats, impersonate contacts, and execute phishing attempts. To mitigate risks, individuals should avoid sharing sensitive information via messaging apps, use corporate services for work-related communications, refrain from sharing verification codes, activate two-step verification, utilize passkeys, regularly review linked devices, stay alert for impersonations, and consider using disappearing messages. The NCSC also provides guidance for enhancing account and device security for high-risk individuals.

AppWizard

March 19, 2026

Google To Impose 24-Hour Safety Wait To Activate Android App Sideloading

Google is introducing a mandatory 24-hour waiting period for sideloading apps from unverified developers on Android devices to enhance security and combat scams and malware. This new measure is part of an "advanced flow for sideloading" and follows a reconsideration of Google's previous policy requiring all app installations to come from verified developers. Users must enable developer mode, receive a warning prompt about potential scams, restart their devices, and then wait 24 hours before installing apps from unverified sources. This delay is intended to counteract the urgency exploited by scammers. The 24-hour delay applies only to unverified developers, while verified developers remain unaffected. The new sideloading process is set to roll out in August, initially in Brazil, Indonesia, Singapore, and Thailand, with a broader global implementation planned for 2027. In response to criticism, Google will offer free, limited distribution accounts for students and hobbyists to share apps without requiring identification or fees.

AppWizard

March 19, 2026

New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Cybersecurity researchers have identified a new family of Android malware called Perseus, designed for device takeovers and financial fraud. It utilizes Accessibility-based remote sessions for real-time monitoring and interaction with infected devices, particularly targeting Turkey and Italy. Perseus monitors user notes to extract personal or financial information and is distributed through dropper applications via phishing websites. It expands on the codebase of previous malware like Phoenix and employs disguises as IPTV services to reduce user suspicion. Once operational, it performs overlay attacks and captures keystrokes to steal credentials from financial applications. The malware allows operators to issue commands through a command-and-control panel, enabling various malicious actions, including capturing note content and initiating remote visual streams. Perseus also conducts environment checks to evade detection and ensure it operates on legitimate devices.

Winsage

March 6, 2026

Chinese hackers hide malware in Windows and Google Drive to hit targets

Chinese state-sponsored threat actors, specifically a group known as Silver Dragon, have been conducting espionage operations across Southeast Asia and Europe since at least mid-2024. They have targeted government entities in countries such as Russia, Poland, Hungary, Italy, Japan, Myanmar, and Malaysia. Silver Dragon is believed to be affiliated with APT41 and primarily uses phishing emails to initiate attacks, often containing weaponized documents or links. They employ a custom backdoor called GearDoor, which utilizes Google Drive for command-and-control operations, allowing them to exfiltrate stolen intelligence. The group also hijacks legitimate Windows services to load malicious code and uses tools like SSHcmd and Cobalt Strike for post-exploitation activities. Their tactics involve blending malicious activities with normal system operations, making detection difficult and increasing their dwell time within targeted networks.