Malicious files Archives

Winsage

March 26, 2025

New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials

A critical vulnerability affecting various Windows operating systems, including Windows 7, Server 2008 R2, Windows 11 v24H2, and Server 2025, allows attackers to capture NTLM authentication credentials through interactions with malicious files in Windows Explorer. Exploitation can occur when users open shared folders, insert USB drives with malicious files, or view downloaded files. The vulnerability is similar to a previously patched flaw (CVE-2025-21377) but has not been fully documented. Security researchers have developed micropatches available for free until Microsoft releases a permanent fix. These micropatches support a wide range of Windows versions, including legacy and currently supported systems. The micropatches have been automatically distributed to affected systems with the 0patch Agent installed.

Winsage

March 26, 2025

New Windows 0-Day Vulnerability Let Remote Attackers Steal NTLM Credentials

A critical vulnerability affects all Windows operating systems from Windows 7 to Windows 11 v24H2 and Server 2025, allowing attackers to capture NTLM authentication credentials through malicious files viewed in Windows Explorer. Exploitation can occur when users open shared folders, insert USB drives with malicious files, or view previously downloaded files. The vulnerability is similar to a previously patched flaw (CVE-2025-21377) but has not been publicly documented. Security researchers have developed micropatches through 0patch to temporarily mitigate the issue, which will be available at no cost until Microsoft releases a permanent solution. The micropatches support various Windows versions, including legacy and currently supported systems, and can be automatically deployed without requiring system reboots.

Winsage

March 26, 2025

New Windows Zero-Day Vulnerability Exposes NTLM Credentials – Unofficial Patch Now Available

A zero-day vulnerability has been identified in the Windows operating system, affecting versions from Windows 7 and Server 2008 R2 to Windows 11 v24H2 and Server 2025. This vulnerability allows attackers to obtain NTLM credentials by tricking users into opening malicious files in Windows Explorer. Microsoft has been notified, and while there is no official CVE number yet, an unofficial patch is available through 0patch. The flaw is similar to previous vulnerabilities related to NTLM hash disclosures but has not been widely discussed. To exploit it, attackers need network access to the victim's system or a way to relay stolen credentials. 0patch has created micropatches for all affected Windows versions, which are available for free until Microsoft provides an official fix. This is the fourth zero-day vulnerability reported by 0patch recently, with previous vulnerabilities including those in Windows Theme files and the Mark of the Web issue on Server 2012. 0patch also offers patches for NTLM-related vulnerabilities that Microsoft has classified as “wont fix.” Users can create a free account with 0patch for automatic protection against these vulnerabilities. Micropatches are available for various Windows versions, including both legacy and currently supported systems, and will remain free until an official Microsoft fix is released.

Winsage

March 25, 2025

New Windows zero-day leaks NTLM hashes, gets unofficial patch

A newly discovered zero-day vulnerability in Windows allows remote attackers to steal NTLM credentials by tricking users into opening malicious files in Windows Explorer. This flaw affects various Windows versions, including Windows 7 through Windows 11 and Server 2008 R2 to Server 2025. The vulnerability, identified by ACROS Security researchers, has not been assigned a CVE-ID and enables attackers to obtain NTLM credentials through methods like accessing shared folders or USB drives. While the exploit's criticality is moderate and depends on specific conditions, it has been linked to actual attacks. ACROS Security has released free micropatches for all affected Windows versions via its 0Patch service until Microsoft provides an official fix. Users can install the micropatch easily by creating an account and activating the 0patch agent, which applies the patch automatically.

Tech Optimizer

March 25, 2025

What the Tech? Avoiding malware threats

The ABC 6 News Team reports on the Infostealer malware, which has compromised over 2 billion credentials by using fake websites to trick users into providing sensitive information. Infostealer targets searches for free software, cracked software, game cheats, and activation tools, employing tactics such as search engine ads, SEO manipulation, social media promotions, and typosquatting to lure victims. Once installed, Infostealer can steal passwords, credit card information, cryptocurrency wallet data, and personal information. To mitigate risks, users are advised to download software from reputable sources, be cautious of offers that seem too good to be true, install robust antivirus software, enable ad blockers, verify URLs, use multi-factor authentication, keep software updated, and stay informed about cybersecurity threats. Additionally, users can check if their email addresses or passwords have been involved in data breaches at www.haveibeenpwned.com.

AppWizard

March 24, 2025

Malicious Game Infects Steam Users With Info-Stealing Malware

Steam removed the game Sniper: Phantom's Resolution due to a security breach involving malware designed to extract sensitive user information. The malware was disguised as a legitimate Windows process and employed tactics like executing Node.js scripts and establishing startup persistence. A month earlier, another game, PirateFi, was found to be spreading the Vidar infostealer, affecting up to 1,500 users. Both incidents highlight the risks associated with malware hosted on trusted platforms like Steam, which may exploit vulnerabilities in submission processes. Users often identified suspicious behavior before the platforms did, indicating delayed detection and response times. The lack of timely communication regarding breaches further exacerbates user concerns.

Winsage

March 22, 2025

Windows Shortcut Zero-Day Under Active Attack

A zero-day vulnerability in Windows shortcut (.lnk) files has been exploited by state-sponsored hacking groups since 2017, allowing attackers to execute arbitrary code on compromised systems. Microsoft has classified this vulnerability as “not meeting the bar servicing,” meaning no security updates will be issued. Trend Micro tracks it as ZDI-CAN-25373 and has linked it to cyber-espionage campaigns involving 11 nation-state actors from countries like North Korea, Iran, Russia, and China. Nearly 1,000 malicious .lnk samples exploiting this flaw have been identified, with many more potentially undetected. Attackers often use phishing emails to deliver these malicious files, which can download additional malware, granting full control over the compromised machine. Organizations are advised to scan their systems and implement security measures against this vulnerability.

Winsage

March 20, 2025

China, Russia, North Korea Hackers Exploit Windows Security Flaw

Almost a dozen state-sponsored threat groups from nations including China, Russia, Iran, and North Korea are exploiting a security vulnerability in Microsoft Windows, identified as ZDI-CAN-25373, to conduct espionage and gather sensitive information. This vulnerability affects how Windows handles .lnk files, allowing attackers to execute hidden malicious commands. Since 2017, these groups have targeted government, military, and critical infrastructure organizations globally, with 11 state-sponsored groups identified, primarily focusing on espionage (70%) and financial motives (20%). North Korea accounts for 45.5% of the exploitation, with Iran and Russia at 18.2% each, and China at 18.1%. The United States has experienced the most attacks (343 incidents), followed by Canada (39), Russia (25), and South Korea (23). Despite being notified, Microsoft does not plan to issue a patch for this vulnerability, categorizing it as "low severity."

AppWizard

March 20, 2025

Signal Messenger Exploited in Targeted Attacks on Defense Industry Employees

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned about targeted cyberattacks against employees in the defense-industrial complex and members of the Defense Forces of Ukraine, which have been ongoing since at least summer 2024 and have intensified recently. Attackers are using the Signal messenger app to distribute malicious files by compromising trusted contacts' accounts. In March 2025, CERT-UA observed that attackers were sending archived messages through Signal, which included a PDF and an executable file called DarkTortilla, designed to activate the DarkCrystal RAT (DCRAT) software. The focus of these deceptive messages has shifted to critical topics like unmanned aerial vehicles (UAVs) and electronic warfare equipment. CERT-UA has labeled this activity UAC-0200 and advises reporting any suspicious messages immediately. They have also compiled indicators related to the attacks, including specific file hashes, IP addresses, and URLs linked to the attackers' infrastructure.

Tech Optimizer

March 20, 2025

What the Tech: Stolen passwords

Infostealer is a type of malware that has stolen over a billion credentials, posing significant risks such as identity theft and financial fraud. It targets users through specific search terms related to free software, cracked software, game cheats, and activation tools. Cybercriminals use tactics like search engine ads, SEO manipulation, social media promotions, and typosquatting to direct users to malicious sites. Once infected, Infostealer can steal saved passwords, credit card information, cryptocurrency wallet data, and personal information. To mitigate risks, individuals should download software from reputable sources, be cautious of too-good-to-be-true offers, install robust antivirus software, enable ad blockers, verify URLs, use multi-factor authentication, keep software updated, and educate themselves about cybersecurity threats. Additionally, checking for compromised email addresses or passwords at www.haveibeenpwned.com is recommended.