Malicious files Archives

Winsage

December 3, 2025

Microsoft mitigates Windows LNK flaw exploited as zero-day

Microsoft has addressed a security vulnerability in Windows tracked as CVE-2025-9491, which allows malicious actors to embed harmful commands in Windows LNK files, requiring user interaction to exploit. Threat actors often distribute these files in ZIP formats to bypass email security. In March 2025, 11 hacking groups, including Evil Corp and Kimsuky, were actively exploiting this vulnerability using various malware payloads. Although Microsoft initially did not consider the issue urgent, it later modified the handling of LNK files in November updates to allow users to view the entire character string in the Target field. However, this change does not eliminate the malicious arguments embedded in the files. ACROS Security has released an unofficial patch that restricts shortcut target strings to 260 characters and alerts users about risks associated with long target strings, covering multiple Windows versions.

Tech Optimizer

December 2, 2025

Surfshark One Antivirus Down 88% in Cyber Monday Sale

Surfshark is offering its Surfshark One Antivirus plan for .19 per month over a 27-month period, which is an 88% discount from the regular rate. The total cost for this plan amounts to approximately . This bundle includes real-time antivirus scanning, a VPN, breach alerts, and a private search tool. The deal is particularly beneficial for holiday shoppers, as cybercriminal activity increases during this time. The plan is advantageous for frequent travelers, families, and students.

AppWizard

November 14, 2025

Malicious Android Photo Frame App Gives Hackers Full Device Control Without User Action

A security assessment has revealed that digital photo frames using Uhale technology are vulnerable to a new class of malicious Android applications that can take control of devices without user interaction. The pre-installed Uhale app can silently download and execute malware during device booting or software updates due to insecure connections and improper certificate verification. Attackers can intercept network traffic to execute remote code with a critical CVSS score of 9.4, allowing access to private photos and the potential to create botnets. Many affected devices run outdated Android versions (6.0/6.0.1) with SELinux disabled and rooted by default, facilitating privilege escalation and persistent malware installation. Additionally, the Uhale app's unsecured local network file transfer feature allows attackers on the same network to send malicious files or delete files without user consent. Researchers emphasize the need for improved software security in consumer electronics, urging manufacturers to adopt modern Android builds and enforce security protocols. Users are advised to disconnect or update their devices to mitigate risks.

Tech Optimizer

November 11, 2025

Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

A critical security vulnerability (CVE-2025-12480) has been identified in Gladinet's Triofox platform, allowing attackers to bypass authentication and access sensitive configuration pages. This vulnerability has a CVSS score of 9.1 and has been exploited by a threat cluster known as UNC6485 since August 24, 2025. Despite patches issued by Gladinet, attackers created a new admin account to execute malicious code, including a batch script that downloaded tools for remote access. They used these tools for reconnaissance and privilege escalation. Mandiant recommends that Triofox users update to the latest version and audit admin accounts.

Winsage

November 3, 2025

Windows Graphics Vulnerabilities Allow Remote Attackers to Execute Arbitrary Code

Multiple vulnerabilities have been identified in Microsoft’s Graphics Device Interface (GDI), particularly related to Enhanced Metafile (EMF) formats, allowing potential remote code execution and information exfiltration. Key vulnerabilities include: - CVE-2025-30388: Rated Important with a CVSS score of 8.8, it involves out-of-bounds memory operations during processing of records, affecting Windows 10/11 and Office for Mac/Android. It allows attackers to read or write beyond allocated heap buffers. - CVE-2025-53766: Rated Critical with a CVSS score of 9.8, it permits remote code execution through out-of-bounds writes in the ScanOperation::AlphaDivide_sRGB function, affecting Windows 10/11 without requiring privileges. - CVE-2025-47984: Rated Important with a CVSS score of 7.5, it exploits a flaw in handling EMR_STARTDOC records, leading to information disclosure by exposing adjacent heap memory. Microsoft has released patches to address these vulnerabilities, and users are advised to apply them promptly. Recommendations include disabling EMF rendering in untrusted contexts and using sandboxed viewers for document access.

Winsage

October 31, 2025

Windows zero-day actively exploited to spy on European diplomats

A China-linked hacking group, identified as UNC6384 or Mustang Panda, is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats, particularly in Hungary, Belgium, Serbia, Italy, and the Netherlands. The attacks are initiated through spearphishing emails that disguise malicious LNK files as legitimate invitations to NATO and European Commission events. Once activated, these files allow the deployment of the PlugX remote access trojan (RAT), enabling persistent access to compromised systems for surveillance and data extraction. The vulnerability requires user interaction to exploit and resides in the handling of .LNK files, allowing attackers to execute arbitrary code remotely. As of March 2025, the vulnerability is being exploited by multiple state-sponsored groups and cybercrime organizations, but Microsoft has not yet released a patch for it. Network defenders are advised to restrict the use of .LNK files and block connections from identified command-and-control infrastructure.

Winsage

October 24, 2025

Microsoft Boosts Windows Security by Disabling File Preview for Downloads

Microsoft is implementing a security update for Windows File Explorer starting October 14, 2025, which will automatically disable the preview pane for files downloaded from the internet. This measure aims to address a vulnerability that could expose users' NTLM hashes, which are sensitive credentials used for network authentication. The update utilizes the “Mark of the Web” attribute to prevent previews of untrusted files, displaying a warning message instead. Local documents and files from trusted sources will still display previews normally. Users can override this protection for trusted downloads by unblocking the file in its properties. IT administrators can also add file shares to Local Intranet or Trusted Sites, although this should only be done for verified networks. The update enhances security in enterprise environments while maintaining usability.

Winsage

October 24, 2025

Microsoft disables File Explorer preview for downloads to block attacks

Microsoft has enhanced its File Explorer to improve user security against credential theft attacks by automatically blocking previews for files downloaded from the Internet. This update is active for users who have installed the latest Patch Tuesday security updates on Windows 11 and Windows Server systems. The preview functionality will be disabled by default for files accessed on an Internet Zone file share and those marked with the Mark of the Web (MotW). When users attempt to preview such files, a cautionary message will appear, warning that the file could harm their computer. This measure addresses vulnerabilities that could allow attackers to capture NTLM hashes through HTML tags in malicious files. Starting with security updates released on or after October 14, 2025, the preview feature will be automatically disabled for internet-downloaded files to further mitigate risks. Users can manually remove the block for trusted files by right-clicking the file, selecting Properties, and clicking the "Unblock" button. Additionally, the block can be lifted for all files on an Internet Zone file share by adding the file share’s address to the Trusted sites or Local intranet security zone in the Internet Options control panel.

Winsage

October 24, 2025

Microsoft Enhances Windows Security by Turning Off File Previews for Downloads

Microsoft is introducing an update to Windows File Explorer, effective with security updates released on or after October 14, 2025, which will automatically disable the preview pane for files downloaded from the internet. This change aims to enhance user security by mitigating vulnerabilities that could expose sensitive NTLM hashes used for network authentication. The update utilizes the "Mark of the Web" (MotW) attribute to tag files from untrusted sources, preventing previews and displaying a warning message. Local documents and trusted shares remain unaffected, and no additional setup is required for the protection to activate. Users can override the preview restriction by unblocking files in their properties. IT administrators can manage file shares by adding addresses to the Local Intranet or Trusted Sites zone, although this may lower defenses for all files from that source. The update encourages users to verify the legitimacy of sources before engaging with unfamiliar content.

AppWizard

October 16, 2025

Minecraft mods: When ‘hacking’ your game becomes a security risk

Minecraft and Roblox are popular platforms for creativity and community engagement among younger audiences, but they also attract cybercriminals who exploit players by disguising malware as mods, cheats, or automation tools. A mod, short for "modification," is a user-created software extension that alters gameplay in Minecraft, but these mods can be maliciously exploited. Recent threats include over 500 GitHub repositories distributing an infostealer disguised as Minecraft mods and attacks using popular modding platforms like Bukkit and CurseForge to spread malware. Attackers often present malware as essential mods, which can lead to harmful background processes once installed. Common types of malware masquerading as mods include Trojans, infostealers, ransomware, and cryptominers. To reduce risks, players should download mods from trusted platforms, verify developers' reputations, be cautious of unusual file types, and use security software to check downloads. If a suspicious mod is installed, players should delete it, run a full antimalware scan, reinstall Minecraft from the official website, change passwords, and consult cybersecurity professionals if needed. To stay safe while using mods, players should use non-administrator accounts, keep systems updated, maintain regular backups, and implement robust security measures.