modified version

AppWizard
March 11, 2026
A newly identified Android malware called BeatBanker disguises itself as a Starlink application on fake Google Play Store websites. It functions as a banking trojan and includes Monero mining capabilities, allowing it to steal credentials and manipulate cryptocurrency transactions. Researchers at Kaspersky traced BeatBanker to campaigns targeting users in Brazil. The latest version uses the BTMOB RAT for remote access, enabling keylogging, screen recording, camera access, GPS tracking, and credential capture. BeatBanker is distributed as an APK file that decrypts and loads hidden code into memory, conducting environment checks before activation. It presents a fake Play Store update screen to trick users into granting permissions for additional payloads. To avoid detection, it delays malicious operations and plays a nearly inaudible MP3 file to maintain persistent activity. The malware uses a modified version of the XMRig miner to mine Monero on Android devices, connecting to mining pools through encrypted TLS connections. It can start or stop mining based on device conditions and uses Firebase Cloud Messaging to relay device information to its command-and-control server. Currently, BeatBanker infections have only been observed in Brazil, but there are concerns about its potential spread. Users are advised to avoid side-loading APKs from untrusted sources and to review app permissions regularly.
Winsage
December 30, 2025
The transition to Windows 11 is significant due to new features, enhanced security, and improved performance. Users with unsupported CPUs may face challenges when upgrading, including installation warnings, potential performance issues, lack of Microsoft support, and possible bugs. Preparations for installation include backing up files, creating a system image, and disconnecting unnecessary devices. Four methods to install Windows 11 on unsupported CPUs are:
1. 4DDiG Partition Manager: This tool bypasses checks for TPM 2.0, CPU, and Secure Boot.
2. Registry Editor: Modify settings to skip hardware checks by creating a DWORD value named “AllowUpgradesWithUnsupportedTPMOrCPU” and setting it to “1”.
3. Rufus: Create a modified Windows 11 USB installer that bypasses checks for TPM, Secure Boot, RAM, and CPU.
4. Replace appraiserres.dll File: Swap the appraiserres.dll file in the installation media with a modified version to bypass hardware checks.
Winsage
December 27, 2025
Microsoft is facing significant user criticism regarding Windows 11, particularly due to its emphasis on artificial intelligence features, which many users find unnecessary and detrimental to performance. Complaints include sluggish interfaces, increased resource consumption, and a cluttered user experience, leading to calls for a more streamlined version that prioritizes speed, reliability, and efficiency. Users have reported issues such as slow file explorers and excessive RAM usage, often linking these problems to AI-driven functionalities. Community-driven alternatives like Tiny11 have emerged, focusing on eliminating bloatware and AI features to enhance efficiency, especially on older hardware. Microsoft has acknowledged user concerns and promised improvements, but the integration of AI tools continues to dominate updates. The company is also reconsidering its strategy in response to backlash, including relaxing system requirements for certain versions of Windows. However, there remains a strong demand for a lightweight version that balances innovation with core functionalities, as users express frustration over imposed features and a lack of choice.
Winsage
December 18, 2025
A newly identified cyber threat cluster called LongNosedGoblin has been linked to cyber espionage attacks targeting governmental entities in Southeast Asia and Japan, with activities traced back to at least September 2023. The group uses Group Policy to spread malware and employs cloud services like Microsoft OneDrive and Google Drive for command and control. Key tools include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, which perform functions such as collecting browser history, executing commands, and logging keystrokes. ESET first detected LongNosedGoblin's activities in February 2024, identifying malware on a governmental system. The attacks showed a targeted approach, with specific tools affecting select victims. Additionally, a variant of NosyDoor was found targeting an organization in an EU country, indicating a possible connection to other China-aligned threat groups.
Tech Optimizer
November 15, 2025
A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:\Program Files\Snieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.
Tech Optimizer
November 13, 2025
Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have discovered an attack campaign that uses legitimate Remote Monitoring and Management (RMM) tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on users' systems. Attackers lure victims to fake download sites that mimic legitimate software pages for utilities like Notepad++, 7-Zip, and VLC Media Player, delivering modified versions of LogMeIn Resolve. The malicious installers are disguised with filenames such as "notepad++.exe" and "chatgpt.exe." Once executed, these files install the RMM tool and additional malware capable of stealing sensitive information. ASEC has identified three CompanyId values associated with the attacks: 8347338797131280000, 1995653637248070000, and 4586548334491120000. The malware, known as PatoRAT, is a Delphi-developed backdoor that gathers system information and has extensive malicious capabilities, including keylogging and remote desktop access. Users are advised to download software only from official websites and verify digital signatures, while organizations should monitor for unauthorized RMM installations and the identified indicators of compromise.
Winsage
October 19, 2025
The Discover feed on the Widgets board in Windows 11 is being redesigned with rounded corners, multiple dashboards, and curated stories powered by Copilot. Users can customize or disable their Discover feed. This update will be part of the Windows 11 25H2 update. Widgets originated from Windows Vista's Gadgets in 2007, which included mini-apps like weather updates and calendars. Windows 11 reintroduced Widgets as a standalone feature in October 2021, though it has not been as popular as Gadgets. Copilot Discover, announced in June, aims to summarize content from trusted MSN publishers and is currently being tested in Insider builds. The new Widgets board will support multiple dashboards and feature a left-side navigation bar. User feedback on Widgets is mixed, with some finding the design outdated and cluttered. The effectiveness of the Copilot-curated widget will depend on the quality of news selected for users. The rollout of the new features will occur server-side and through updates to the Copilot app, with personalization options available in the Widgets settings.