malicious file Archives

Winsage

May 21, 2026

Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend Actively Exploited on Windows 10, 11, and Server (April 2026 CVE Analysis)

In April 2026, two zero-day vulnerabilities, RedSun and UnDefend, were discovered in Microsoft Defender, affecting Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities allow attackers to escalate privileges to SYSTEM and bypass Defender’s protections. RedSun exploits a flaw in Defender's remediation process, enabling low-privileged users to overwrite critical system files. UnDefend allows attackers to disrupt Defender’s updates, keeping it outdated and ineffective. Both vulnerabilities are actively being exploited, with attackers leveraging them to gain persistent access and deploy ransomware. The primary targets are organizations using Windows systems with Defender enabled, particularly in sectors like finance, healthcare, and government. Mitigation strategies include applying updates for related vulnerabilities, monitoring for suspicious activities, and implementing additional security measures.

Winsage

May 20, 2026

MSHTA abuse helps malware hide in Windows processes

Bitdefender's research highlights the use of Microsoft's MSHTA utility in malware attacks, noting its default activation in Windows systems. Cybercriminals exploit MSHTA to execute malicious scripts under the guise of legitimate processes, linking it to various malware families like LummaStealer and PurpleFox. The study reports a rise in MSHTA-related detections, indicating a shift towards "living-off-the-land" tactics that utilize legitimate tools to evade security alerts. Social engineering is identified as a common entry point for attacks, employing deceptive methods such as fake software downloads and phishing links. MSHTA can retrieve and execute additional payloads through multi-stage chains, complicating detection efforts. The attacks target sensitive information, including credentials and financial data, and the continued presence of MSHTA poses risks as it allows threat actors to conceal malicious actions. To mitigate these threats, organizations are advised to restrict or disable legacy scripting tools and exercise caution with untrusted downloads. The report emphasizes the challenge of detecting unusual behaviors associated with legitimate utilities in the context of cyber threats.

Tech Optimizer

April 16, 2026

Unpatched Microsoft Defender flaw lets hackers gain admin access

A security researcher named Chaotic Eclipse has discovered a significant vulnerability in Microsoft Defender that could allow hackers to gain administrative access to systems running Windows 10, Windows 11, and Windows Server. The vulnerability arises from Windows Defender's behavior of rewriting detected malicious files back to their original location instead of removing them, which can be exploited to overwrite system files and grant unauthorized users elevated privileges. This issue remains unaddressed by Microsoft, leaving millions of users vulnerable. Although there is no current evidence of active exploitation, the situation could change. Users are advised to consider additional antivirus solutions for enhanced security.

Tech Optimizer

April 6, 2026

Scammers Want Our Data, Yet CNET Finds Many of Us Aren’t Protecting Our Devices

- 78% of US adults currently own a personal laptop, with HP (32%) and Apple (26%) being the most popular brands. - 54% of laptop owners have encountered potential malware on their devices in the past year. - 88% of those who reported seeing potential malware took action, while 12% did not respond. - 68% of proactive laptop owners either deleted the suspicious file or closed the website or pop-up. - 37% of laptop owners received phishing emails in the past year. - Many modern devices come equipped with built-in antivirus solutions, such as Microsoft Defender for Windows 11 and XProtect for Mac users. - 60% of users who acted upon encountering potential malware manually deleted files or closed suspicious websites, while 35% initiated antivirus scans. - Antivirus software alone cannot safeguard against data breaches or identity theft; a comprehensive cybersecurity strategy involves various tools and practices. - Recommended tools for online security include Bitdefender for antivirus, Aura for identity theft protection, Bitwarden for password management, and ExpressVPN for VPN services.

Winsage

April 1, 2026

WhatsApp on Windows users targeted in new campaign, warns Microsoft

Microsoft researchers have identified a campaign that exploits WhatsApp attachments to infiltrate Windows machines, allowing attackers remote control. The attack uses social engineering tactics, where users receive a seemingly benign .vbs (Visual Basic Script) file that can be executed on Windows. This method does not rely on software vulnerabilities but on persuading victims to execute the malicious file. Attackers manipulate built-in Windows tools to download further malware, employing a technique known as living off the land (LOTL) to avoid detection. The malware seeks to elevate its privileges to administrator status, modifying User Account Control (UAC) prompts and registry settings for persistence. An unsigned MSI (Microsoft Installer) is deployed to establish remote-access software, granting continuous access to the compromised machine.

Winsage

March 31, 2026

What Is Conhost.exe?

Conhost.exe, or Console Window Host, is a legitimate Windows system process responsible for managing the display and behavior of console windows such as Command Prompt and PowerShell. It facilitates text rendering and manages input/output interactions with the graphical user interface. Each time a console application is launched, a new instance of conhost.exe is created, and multiple instances can appear in Task Manager based on active console applications. To verify the authenticity of conhost.exe, it should run from C:WindowsSystem32 or C:WindowsSysWOW64, have a valid Microsoft Windows Publisher digital signature, and not make outbound network connections. High CPU usage or unusual behavior may indicate malware masquerading as conhost.exe. Troubleshooting steps for issues related to conhost.exe include running a malware scan, checking for Windows updates, updating device drivers, and using the System File Checker. Disabling conhost.exe is not advisable as it is essential for the functioning of console applications.

Winsage

March 30, 2026

Microsoft’s March Security Update of High-Risk Vulnerability Notice for Multiple Products

On March 11, NSFOCUS CERT reported the release of Microsoft’s March Security Update, addressing 83 security vulnerabilities in products like Windows, Microsoft Office, Microsoft SQL Server, and Azure. The update includes eight critical vulnerabilities and 75 important ones, with risks such as privilege escalation and remote code execution. Key vulnerabilities include: - CVE-2026-26110: Microsoft Office Remote Code Execution Vulnerability (CVSS score: 8.4) - CVE-2026-26113: Microsoft Office Remote Code Execution Vulnerability (CVSS score: 8.4) - CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability (CVSS score: 7.5) - CVE-2026-23669: Windows Print Spooler Remote Code Execution Vulnerability (CVSS score: 8.8) - CVE-2026-24294: Windows SMB Server Privilege Escalation Vulnerability (CVSS score: 7.8) - CVE-2026-23668: Windows Graphics Component Privilege Escalation Vulnerability (CVSS score: 7.0) Affected product versions include various editions of Microsoft Office, Windows Server 2012 R2, Windows Server 2016, Windows 10, and Windows 11. Microsoft has released security patches for these vulnerabilities, and users are encouraged to install them promptly.

Tech Optimizer

March 27, 2026

Bogus Avast website fakes virus scan, installs Venom Stealer instead

A deceptive website impersonating Avast antivirus tricks users into downloading Venom Stealer malware, which steals passwords, session cookies, and cryptocurrency wallet information. The site conducts a fake virus scan, falsely reporting threats to encourage users to download a malicious file named Avastsystemcleaner.exe. This file mimics legitimate software and operates stealthily, targeting web browsers to harvest credentials and session cookies. It also captures screenshots and sends stolen data to the command-and-control domain app-metrics-cdn[.]com via unencrypted HTTP. The malware employs evasion techniques to avoid detection and is part of a long-standing cybercrime tactic that exploits user trust in security software. Indicators of compromise include the file hash SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d, the domain app-metrics-cdn[.]com, and the network indicator 104.21.14.89.

Tech Optimizer

February 24, 2026

Fake Zoom meeting “update” silently installs surveillance software

A deceptive website, uswebzoomus[.]com/zoom/, poses as a Zoom meeting platform and installs surveillance software on Windows devices without user consent. The software is a covert version of Teramind, a commercial monitoring tool. The site creates a fake Zoom waiting room experience, complete with scripted participants and background audio, to trick users into downloading a malicious file named zoomagentx64s-i(_941afee582cc71135202939296679e229dd7cced) (1).msi. This file is preconfigured to connect to an attacker-controlled Teramind server and operates in stealth mode, leaving minimal traces on the device. The installation process collects information about the device and is designed to evade detection by security tools. If users suspect they have been affected, they are advised not to open the downloaded file, check for its installation, and change passwords from a clean device.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.