malicious payload Archives

Tech Optimizer

March 11, 2026

Attackers Use Malformed ZIP Archives to Evade Antivirus and EDR Tools

Cybersecurity researchers at the CERT Coordination Center (CERT/CC) have identified a new evasion technique, VU#976247, used by threat actors to exploit malformed ZIP archives and bypass Antivirus (AV) and Endpoint Detection and Response (EDR) systems. Attackers manipulate the internal headers of ZIP files, particularly altering the compression method field, which causes security tools to fail in analyzing the malicious payload. While some security products may flag the modified files as corrupted, they often do not detect the underlying malicious code. Standard extraction tools typically trust the tampered metadata and may return errors, leaving the hidden payload undisclosed. Attackers use custom malware loaders to extract and execute the malicious data, circumventing traditional AV detection. Cisco has been confirmed as affected, while other vendors, including AhnLab, Avast, Bitdefender, and Avira, have an “Unknown” status regarding their vulnerability. To mitigate this threat, organizations should enhance archive handling processes, avoid relying solely on declared metadata, adopt aggressive detection modes, flag metadata inconsistencies, and consult with AV and EDR providers about vulnerabilities.

Tech Optimizer

March 11, 2026

Malformed ZIP Files Allows Attackers to Bypass Antivirus and EDR Detections

A vulnerability identified as CVE-2026-0866 allows malicious actors to exploit malformed ZIP headers to bypass antivirus and Endpoint Detection and Response (EDR) systems. This flaw occurs because most security solutions rely on metadata within ZIP archives to scan and process files. When the compression method field is altered, security scanners may fail to decompress the archive correctly, resulting in a false negative and leaving the malicious payload undetected. Attackers can then use a custom loader to access the embedded malicious data, circumventing standard extraction tools. Cisco has been confirmed as affected by this vulnerability, while nearly 30 other security vendors have not disclosed their status. The cybersecurity community is urged to evolve scanning methodologies, including not relying solely on declared metadata and implementing aggressive detection modes. Organizations should verify their antivirus and EDR solutions for vulnerability to CVE-2026-0866 and monitor for custom loaders.

Tech Optimizer

February 11, 2026

eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

MicroWorld Technologies confirmed a breach of its eScan antivirus update infrastructure, allowing attackers to deliver a malicious downloader to enterprise and consumer systems. Unauthorized access was detected, leading to the isolation of affected update servers for over eight hours. A patch was released to revert the changes made by the malicious update, and impacted organizations were advised to contact MicroWorld for assistance. The attack occurred on January 20, 2026, when a compromised update was distributed within a two-hour window. The malicious payload, introduced through a rogue "Reload.exe" file, hindered eScan's functionality, blocked updates, and contacted an external server for additional payloads. This rogue executable was signed with a fake digital signature and employed techniques to evade detection. It also included an AMSI bypass capability and assessed whether to deliver further payloads based on the presence of security solutions. The malicious "CONSCTLX.exe" altered the last update time of eScan to create a false sense of normalcy. The attack primarily targeted machines in India, Bangladesh, Sri Lanka, and the Philippines, highlighting the rarity and seriousness of supply chain attacks through antivirus products.

Tech Optimizer

January 29, 2026

Top antivirus hacked to push out a malicious update – find out if you’re affected

Recent reports indicate that the antivirus program eScan experienced a security breach, leading MicroWorld Technologies to conduct an internal investigation. A threat actor exploited compromised update servers to distribute malware to users who downloaded updates during a two-hour window on January 20, 2026. The exact number of affected users is unknown, but the company has isolated the compromised infrastructure and refreshed credentials while assisting impacted users. The eScan product itself was not altered, and the victims were limited to a specific regional cluster. The malware, identified as CONSCTLX, operates as a backdoor and downloader, allowing attackers to maintain access and execute commands on infected devices. The identity of the attackers is unknown, but North Korean cybercriminals previously exploited eScan's update mechanism in 2024. MicroWorld Technologies has provided support to millions of customers but has not disclosed the total number of eScan users.

Tech Optimizer

January 22, 2026

Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware

A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.

AppWizard

December 2, 2025

New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control

A new Android malware named Albiriox has emerged, marketed as malware-as-a-service (MaaS). It features a hard-coded list of over 400 applications, including banking and cryptocurrency platforms, and is distributed through social engineering tactics using dropper applications. Initially advertised in late September 2025, it became a full MaaS offering by October, with Russian-speaking threat actors behind its development. Albiriox allows remote control of compromised devices via an unencrypted TCP socket connection and Virtual Network Computing (VNC), enabling attackers to extract sensitive information and perform overlay attacks for credential theft. One campaign targeted victims in Austria using German-language lures and counterfeit Google Play Store listings. Albiriox also utilizes Android's accessibility services to bypass security measures and employs a novel distribution strategy involving a counterfeit website that collects phone numbers. Additionally, another Android MaaS tool, RadzaRat, was introduced, masquerading as a file management utility while offering extensive surveillance and remote control capabilities. RadzaRat can log keystrokes and maintain persistence through specific permissions, highlighting a trend in the availability of sophisticated cybercrime tools.

AppWizard

December 1, 2025

Android malware Albiriox abuses 400+ financial apps in on-device fraud and screen manipulation attacks

A new malware-as-a-service (MaaS) called Albiriox has emerged, targeting banking and cryptocurrency applications, particularly focusing on Austrian users. It is marketed on the dark web and employs deceptive tactics, such as mimicking legitimate businesses and creating fake landing pages and app listings on the Google Play Store. Victims are tricked into providing their phone numbers, leading to the delivery of a malicious APK file via SMS or WhatsApp. This APK acts as a dropper, designed to bypass detection methods and requests permissions under the guise of a “software update” to download the actual malicious payload. Once installed, it can take control of the device or function as an infostealer, extracting sensitive information like phone numbers and passwords, which is sent to a Telegram channel. Cleafy researchers suggest that the Albiriox campaign is linked to Russian cyber actors based on their activities on cybercrime forums and communication style.

AppWizard

October 24, 2025

New Python RAT Mimic as Legitimate Minecraft App Steals Sensitive Data from Users Computer

A Python-based remote access trojan (RAT) has emerged in the gaming community, disguised as a legitimate Minecraft client named “Nursultan Client.” It uses the Telegram Bot API for command and control, allowing attackers to exfiltrate sensitive data and interact with compromised machines. The malware is packaged with PyInstaller and has a large executable size of 68.5 MB to evade security tools. Upon execution, it hides its console window and presents a fake installation progress bar. Researchers identified the executable with the SHA256 hash 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61. It attempts to create a registry key for persistence but has a flawed startup command. The malware includes a hardcoded Telegram Bot Token (8362039368:AAGj_jyw6oYftV2QQYiYoUslJOmXq6bsAYs) and a restricted list of user IDs (6804277757) for command authorization. It targets Discord authentication tokens and scans local storage and user data directories of major web browsers to extract tokens. Additionally, it features surveillance capabilities like screenshot capture and webcam photography, compiling detailed system profiles.

Winsage

October 24, 2025

Microsoft Issues Emergency Patch for Actively Exploited Critical WSUS Vulnerability

Microsoft has released out-of-band security updates to address a critical vulnerability in the Windows Server Update Service (WSUS), identified as CVE-2025-59287, which has a CVSS score of 9.8 and is actively being exploited. The vulnerability allows unauthorized remote code execution due to unsafe deserialization of untrusted data. It affects various supported versions of Windows Server, including 2012, 2012 R2, 2016, 2019, 2022, and 2025 (23H2 Edition, Server Core installation). Microsoft recommends applying the patch and rebooting the system, or alternatively, disabling the WSUS Server Role or blocking inbound traffic to Ports 8530 and 8531. The Dutch National Cyber Security Centre (NCSC) reported active exploitation on the same day the updates were released. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address it by November 14, 2025.

Tech Optimizer

October 20, 2025

Goodbye to security on WhatsApp Web—the SORVEPOTEL virus uses your contacts to spread and is already worrying cybersecurity experts

Cybersecurity experts have identified a new virus called SORVEPOTEL that is affecting WhatsApp Web, primarily in Brazil, with 477 reported infections, 457 of which are in Brazil. This malware spreads by sending phishing messages containing ZIP files that appear legitimate but contain a hidden Windows shortcut that activates and downloads the virus. Once installed, it disrupts systems and can lead to account suspensions due to suspicious activity. To protect against SORVEPOTEL, users are advised to disable automatic downloads, avoid opening ZIP files from unknown sources, keep antivirus software updated, and educate themselves about online safety.