Network Connections Archives

Winsage

November 18, 2025

Microsoft is bringing native Sysmon support to Windows 11, Server 2025

Microsoft is integrating Sysmon into Windows 11 and Windows Server 2025, eliminating the need for separate deployments of Sysinternals tools. This integration will allow users to utilize custom configuration files for filtering captured events, which will be logged in the Windows event log. Sysmon is a free tool that monitors and blocks suspicious activities while logging events such as process creation, DNS queries, and executable file creation. It will be easily installable via the "Optional features" settings in Windows 11, with updates delivered through Windows Update. Sysmon will retain its standard features, including support for custom configuration files and advanced event filtering. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Winsage

November 18, 2025

Microsoft to integrate Sysmon directly into Windows 11, Server 2025

Microsoft will integrate Sysmon into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. Sysmon will allow users to utilize custom configuration files for event filtering, logging events in the Windows event log. It tracks events such as process creation, DNS queries, executable file creation, changes to the clipboard, and auto-backup of deleted files. Users can access Sysmon through "Optional features" in Windows 11 and receive updates via Windows Update. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

AppWizard

November 16, 2025

Google to flag Android apps with excessive battery use on the Play Store

Google is implementing measures to enhance battery performance on Android devices by monitoring apps in the Google Play Store for high background activity and excessive battery drain. Applications that exceed a defined "bad behavior threshold" may be flagged, affecting their visibility. Developers must adapt their apps to a new metric called "excessive partial wake locks" by March 1, 2026. This metric tracks the duration apps maintain background activity while the screen is off and will measure non-exempt wake locks over a 28-day period. An app is considered excessive if it accumulates over two hours of non-exempt wake locks in a 24-hour period, with the threshold set at 5% of user sessions. Developers exceeding this threshold will be notified. The initiative aims to improve user experience by addressing excessive resource consumption, though it is not specifically targeting malware.

Tech Optimizer

November 15, 2025

RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools

A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:Program FilesSnieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.

Winsage

October 17, 2025

CISA Issues Warning Over Microsoft Windows Vulnerability Actively Exploited by Attackers

CVE-2025-59230 is a significant vulnerability affecting Microsoft Windows, classified as an improper access control flaw that allows authorized attackers to escalate their privileges on compromised systems. It is embedded within the Windows Remote Access Connection Manager and enables attackers to execute malicious code with elevated rights, access sensitive data, and move laterally across network segments. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on October 14, mandating federal civilian executive branch agencies to apply security patches by November 4, in accordance with Binding Operational Directive 22-01. Organizations are encouraged to apply Microsoft’s security updates promptly, follow BOD 22-01 guidance, and isolate affected systems if patches cannot be applied.

AppWizard

October 8, 2025

How to Fix the GETSOCKOPT Error in Minecraft

The GETSOCKOPT error in Minecraft occurs when the game cannot establish a network connection, often indicated by messages like “Connection timed out: getsockopt” or “Connection refused: getsockopt.” This error is not a bug in Minecraft but relates to network reachability or permission issues from the system or router configuration. Common causes include incorrect IP address or port, server being offline or misconfigured, firewall or antivirus interference, missing router port forwarding, double NAT or CGNAT from the ISP, and router limitations. In a LAN setup, AP isolation or a “Public” network type can also cause issues. VPNs or proxy services may disrupt connections as well. To troubleshoot the GETSOCKOPT error, players can take several steps: 1. Run Minecraft as Administrator to grant necessary permissions. 2. Double-check the IP address and port for accuracy. 3. Use a VPN to bypass routing issues or ISP restrictions. 4. Reconnect the Wi-Fi or Ethernet to refresh the network adapter. 5. Temporarily disable antivirus and allow Minecraft through the firewall. 6. Set up port forwarding for self-hosted servers to ensure inbound traffic reaches the device. 7. Contact the ISP to check for blocked ports or restrictive NAT policies.

AppWizard

October 4, 2025

You’re using AI more than you realize: Here’s how it powers your everyday tasks

Artificial intelligence (AI) is a fundamental aspect of how Android devices function, operating in the background of daily interactions. Smartphones utilize AI for optimizing network connections when connecting to Wi-Fi or Bluetooth, enhancing app performance through Google Play Services with tools like LiteRT, and improving security via Google Play Protect, which scans applications for malicious activities. AI also optimizes battery management by analyzing usage patterns, enhances communication features such as autocorrect and voice recognition, and plays a crucial role in photography by processing images to improve quality.

Winsage

September 26, 2025

New LNK Malware Uses Windows Binaries to Bypass Security Tools and Execute Malware

A new form of malware exploiting Windows shortcut files (.LNK) has emerged since late August 2025, raising concerns among security teams. This malware is primarily spread through spear-phishing emails and compromised websites, using embedded commands to invoke legitimate Windows utilities for executing additional malware. Victims report unusual PowerShell calls and unexpected network connections as signs of compromise. The attacks target enterprise and consumer endpoints, particularly users with elevated privileges, using emails that mimic IT notifications to lure recipients into clicking on seemingly harmless shortcut attachments. Upon execution, the .LNK file activates Windows Explorer, loading a hidden payload that utilizes built-in binaries like mshta.exe and rundll32.exe to evade detection. The malicious .LNK file contains an OLE object pointing to a remote HTML application script, which, when executed, downloads a payload using Base64-encoded PowerShell commands. The payload is executed in memory to minimize disk writes, and the malware establishes persistence by creating a registry run key to ensure it launches automatically upon user login. Indicators of compromise include network requests to suspicious domains, anomalous process trees involving mshta.exe and rundll32.exe, and unrecognized registry entries.

Winsage

September 23, 2025

7 ancient Windows commands that are still helpful for troubleshooting today

The Windows Command Prompt is a key tool for PC troubleshooting, especially for IT professionals. - Netstat -a -n -o: Initial release in 1983; used for diagnosing network errors by revealing active connections, ports, and their states. Parameters -a, -n, and -o provide additional insights. - Ping -n 100 IP or webaddress: Initial release in 1983; checks connectivity to a network location, measuring latency and hops. The -n parameter specifies the number of packets, and the -t option allows continuous testing. - ipconfig /release and ipconfig /renew: Initial release in 1998; essential for displaying network hardware status and resolving IP conflicts by refreshing network configurations. - DISM /Online /Cleanup-image /RestoreHealth: Initial release in 2009; maintains Windows installation images by checking and repairing the Windows Component Store. - Sfc /scannow: Initial release in 1998; verifies and repairs the integrity of the operating system, useful for resolving certain errors. - powercfg.exe /hibernate off: Initial release in 2004; disables hibernation to free up disk space by deleting the hiberfil.sys file. - OOBEbypassnro: Initial release in 2020; allows bypassing Microsoft account registration during Windows 11 installation, though its future is uncertain due to planned removal in an upcoming update.

Tech Optimizer

September 15, 2025

HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks

Chinese-speaking users are experiencing a sophisticated SEO poisoning campaign that uses counterfeit software sites to spread malware. Researchers from Fortinet FortiGuard Labs discovered this activity in August 2025, which involves manipulating search rankings to redirect users to fraudulent sites that deliver malware through trojanized installers. The malware families identified include HiddenGh0st and Winos, both variants of the Gh0st RAT, linked to a cybercrime group known as Silver Fox. The attack mechanism involves a script named nice.js that orchestrates the malware delivery process, leading to the installation of a malicious DLL, "EnumW.dll," which performs anti-analysis checks and extracts another DLL, "vstdlib.dll." This second DLL inflates memory usage to evade detection and is responsible for launching the main payload. The malware aims to sideload a DLL, "AIDE.dll," which establishes a Command-and-Control (C2) communication, collects victim data, and monitors user activity. Additionally, a separate campaign targeting Chinese-speaking users has been flagged by Zscaler ThreatLabz, featuring a new malware called kkRAT. This malware shares code similarities with Gh0st RAT and employs fake installer pages to deliver multiple trojans. It uses techniques to bypass security software and targets specific antivirus programs, including 360 Total Security and Kingsoft Internet Security. The installer launches shellcode that retrieves additional malicious payloads, including kkRAT, which can perform various data-gathering tasks and manipulate clipboard data to replace cryptocurrency addresses.