Malicious files Archives

Tech Optimizer

April 16, 2026

Unpatched Microsoft Defender flaw lets hackers gain admin access

A security researcher named Chaotic Eclipse has discovered a significant vulnerability in Microsoft Defender that could allow hackers to gain administrative access to systems running Windows 10, Windows 11, and Windows Server. The vulnerability arises from Windows Defender's behavior of rewriting detected malicious files back to their original location instead of removing them, which can be exploited to overwrite system files and grant unauthorized users elevated privileges. This issue remains unaddressed by Microsoft, leaving millions of users vulnerable. Although there is no current evidence of active exploitation, the situation could change. Users are advised to consider additional antivirus solutions for enhanced security.

Tech Optimizer

April 11, 2026

Antivirus protection built into Windows

Windows 11 includes Microsoft Defender Antivirus, which is active from the moment the device is powered on and integrated into the operating system. It continuously updates to protect against various threats, including malicious files and unsafe links. Microsoft Defender SmartScreen evaluates the safety of websites and downloads, providing warnings for dubious content. Smart App Control prevents untrusted applications from executing, while Controlled folder access protects personal files from unauthorized modifications. Users can verify the operational status of Microsoft Defender Antivirus through Windows Security settings. Best practices for maintaining security include keeping the antivirus updated, using a single real-time antivirus engine, and enhancing security habits. Microsoft Defender Antivirus is generally sufficient for everyday risks, but additional third-party antivirus solutions may be considered based on individual needs.

AppWizard

April 10, 2026

These two huge PC performance app downloads have been infected by a virus

The download pages for CPU-Z and HWMonitor have been compromised, redirecting users to malware-infected files. Users should verify that downloaded files are named "hwmonitor1.63.exe" or "cpu-z2.19-en.exe" and be cautious of files like "HWiNFOMonitorSetup.exe." A virus scan is recommended, as Windows Defender has flagged the compromised versions. The malicious files were identified approximately nine hours ago, indicating a successful attack on the CPUID download site. The correct download links have been restored, but CPUID has not issued an official statement. The breach was reported by a Reddit user who experienced a warning from Windows Defender after downloading a suspicious file. CPUID's website and social media have not been updated since 2024, and users are advised to stay vigilant.

AppWizard

April 9, 2026

Project Zomboid bans rogue mods deploying “malicious code” to players’ PCs

The Indie Stone has removed a series of malicious mods associated with the 'True Moozic' soundtrack expander for Project Zomboid, which were found to generate harmful files outside the game’s directory. These mods were not linked to their original creator and have been taken down from the Steam Workshop. The developer banned the individual responsible for these uploads and advised players who downloaded the affected mods to take security precautions. A total of 14 mods from the same user were identified, with installations estimated between 500 and 2,200. The Indie Stone clarified that the exploit was limited to Build 42 branches and emphasized that the malicious uploads were unauthorized and not part of the True Moozic mod. Additionally, they released a security update for Build 41 to address a separate vulnerability, which has not been found to be exploited. The 'outdated unstable' branch has also been updated to ensure it remains one content update behind the 'unstable' branch.

AppWizard

April 9, 2026

Project Zomboid identifies and bans over a dozen Steam Workshop mods containing ‘heavily obfuscated code’ that was ‘creating malicious files’

The Indie Stone has identified a security issue involving 14 mods on the Steam Workshop for Project Zomboid, which contain heavily obfuscated code linked to the creation of malicious files outside the game's directory. Reports from players indicated that one mod was generating harmful code, prompting an investigation that confirmed the presence of the exploit across multiple mods uploaded by the same user. The affected mods had between 500 and 2,200 installations, and the user has been banned while the mods have been removed from the Steam Workshop. The exploit specifically affects Build 42 branches of Project Zomboid, with players using Build 41 being unaffected. The Indie Stone advises players who downloaded these mods to take security precautions beyond simply uninstalling them. The affected mods include various soundtracks, such as Risk of Rain 2 OST, NieR: Automata OST, and others, each with specific Workshop and Mod IDs.

Winsage

April 7, 2026

How to Reset Folder Permissions in Windows 11: 5 Proven Methods That Actually Work

Folder permissions in Windows 11 control access to files, determining who can read, modify, or delete them. Common issues arise from drive or file migration, Windows updates, malware, or user errors. Symptoms include "Access Denied" messages and ownership displayed as "unknown." Methods to resolve folder permission issues include: 1. Security Tab: Reset permissions through the Security tab by modifying access levels and ensuring proper inheritance. 2. Take Ownership: Claim ownership of a folder if the current owner is no longer valid, then reset permissions. 3. Command Prompt: Use commands like PLACEHOLDERfa5c045a85bc6cf0 and PLACEHOLDER14a87b7576573f58 to reset permissions quickly and efficiently. 4. PowerShell: Utilize PowerShell for advanced permission resets, allowing for conditional logic. 5. Windows Reset: As a last resort, reset Windows to restore default permissions while keeping personal files. To prevent future issues, back up permissions before changes, understand NTFS vs. share permissions, and avoid altering system folders. If problems persist, ensure commands are run as an administrator, check ownership settings, and verify that Group Policy or sync tools are not overriding changes.

Winsage

April 1, 2026

WhatsApp on Windows users targeted in new campaign, warns Microsoft

Microsoft researchers have identified a campaign that exploits WhatsApp attachments to infiltrate Windows machines, allowing attackers remote control. The attack uses social engineering tactics, where users receive a seemingly benign .vbs (Visual Basic Script) file that can be executed on Windows. This method does not rely on software vulnerabilities but on persuading victims to execute the malicious file. Attackers manipulate built-in Windows tools to download further malware, employing a technique known as living off the land (LOTL) to avoid detection. The malware seeks to elevate its privileges to administrator status, modifying User Account Control (UAC) prompts and registry settings for persistence. An unsigned MSI (Microsoft Installer) is deployed to establish remote-access software, granting continuous access to the compromised machine.

Winsage

March 31, 2026

What Is Conhost.exe?

Conhost.exe, or Console Window Host, is a legitimate Windows system process responsible for managing the display and behavior of console windows such as Command Prompt and PowerShell. It facilitates text rendering and manages input/output interactions with the graphical user interface. Each time a console application is launched, a new instance of conhost.exe is created, and multiple instances can appear in Task Manager based on active console applications. To verify the authenticity of conhost.exe, it should run from C:WindowsSystem32 or C:WindowsSysWOW64, have a valid Microsoft Windows Publisher digital signature, and not make outbound network connections. High CPU usage or unusual behavior may indicate malware masquerading as conhost.exe. Troubleshooting steps for issues related to conhost.exe include running a malware scan, checking for Windows updates, updating device drivers, and using the System File Checker. Disabling conhost.exe is not advisable as it is essential for the functioning of console applications.

Tech Optimizer

March 19, 2026

ClickFix Lures Power LeakNet’s Growing Ransomware Attack Chain

The ransomware group LeakNet has evolved its tactics, increasing its average targets from three per month and shifting from purchasing stolen network access to launching its own campaigns. They now use deceptive error screens and a new tool that executes malicious code in a computer's memory. Their strategy includes ClickFix lures, which compromise legitimate websites to display fake security checks, tricking users into executing malicious commands. This method broadens their victim reach and reduces costs. The Deno loader, part of this strategy, collects machine information and retrieves additional malicious code without leaving standard files, making detection difficult. After infiltrating a network, LeakNet checks for active user credentials and uses PsExec for lateral movement, employing Amazon S3 buckets for payload staging and data exfiltration. Defenders are advised to monitor for suspicious behavior rather than just known malicious files, focusing on unusual web commands and unexpected cloud storage connections.

Winsage

March 2, 2026

Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.