We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

NewApp Digest
search bot

obfuscation techniques

Researchers Trick ChatGPT into Disclosing Windows Product Keys
Winsage
July 10, 2025

Researchers Trick ChatGPT into Disclosing Windows Product Keys

Researchers have successfully bypassed ChatGPT's guardrails, allowing the AI to disclose valid Windows product keys by disguising requests as a guessing game. The technique involved using HTML tags to hide sensitive terms from filters while still enabling AI comprehension. They extracted real Windows Home/Pro/Enterprise keys by establishing game rules and using the phrase "I give up" to trigger disclosure. This vulnerability highlights flaws in keyword-based filtering and suggests that similar techniques could expose other restricted content. The attack exploits weaknesses in AI's contextual interpretation and emphasizes the need for improved content moderation strategies, including enhanced contextual awareness and detection of deceptive framing patterns.
Qwizzserial Android Malware Poses as Legit Apps to Steal Banking Info and Bypass 2FA via SMS Interception
AppWizard
July 8, 2025

Qwizzserial Android Malware Poses as Legit Apps to Steal Banking Info and Bypass 2FA via SMS Interception

A newly identified Android malware family, Qwizzserial, has emerged as a significant threat in Uzbekistan, disguising itself as legitimate financial and government applications. It spreads primarily through Telegram, using deceptive channels to impersonate authorities and financial institutions, luring victims with offers of financial assistance. Upon installation, Qwizzserial requests permissions related to SMS and phone state, prompting users to input sensitive information such as phone numbers and bank card details, which it exfiltrates via the Telegram Bot API or HTTP POST requests. The malware intercepts incoming SMS messages, including one-time passwords (OTPs) for two-factor authentication, and can extract financial information from messages. Analysts from Group-IB have tracked around 100,000 infections linked to Qwizzserial, with confirmed financial losses exceeding ,000,000 within three months. The malware's infection pattern follows a Pareto distribution, with a small subset of samples causing the majority of infections, particularly those impersonating financial institutions. Security solutions have developed detection rules for Qwizzserial, and organizations are encouraged to implement user education and monitoring to mitigate risks. End-users are advised against installing applications from untrusted sources and to scrutinize app permissions. Indicators of Compromise (IOC) include specific C2 domains and file hashes for both example and latest samples of Qwizzserial.
XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses
Tech Optimizer
July 7, 2025

XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses

The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.
Hackers Abuse Legitimate Inno Setup Installer to Deliver Malware
Tech Optimizer
July 5, 2025

Hackers Abuse Legitimate Inno Setup Installer to Deliver Malware

Cybercriminals are using legitimate software installer frameworks like Inno Setup to distribute malware, taking advantage of its trusted appearance and scripting capabilities. A recent campaign demonstrated how a malicious Inno Setup installer can deliver information-stealing malware, such as RedLine Stealer, through a multi-stage infection process. This process includes evasion techniques like detecting debuggers and sandbox environments, using XOR encryption to obscure strings, and conducting WMI queries to identify malware analysis tools. The installer retrieves a payload from a command-and-control server via a TinyURL link and creates a scheduled task for persistence. The payload employs DLL sideloading to load HijackLoader, which ultimately injects RedLine Stealer into a legitimate process to steal sensitive information. RedLine Stealer uses obfuscation techniques and disables security features in browsers to avoid detection. The Splunk Threat Research Team has developed detection methods focusing on indicators such as unsigned DLL sideloading and suspicious browser behaviors. Indicators of Compromise (IOC): - Malicious Inno Setup Loader Hash 1: 0d5311014c66423261d1069fda108dab33673bd68d697e22adb096db05d851b7 - Malicious Inno Setup Loader Hash 2: 0ee63776197a80de42e164314cea55453aa24d8eabca0b481f778eba7215c160 - Malicious Inno Setup Loader Hash 3: 12876f134bde914fe87b7abb8e6b0727b2ffe9e9334797b7dcbaa1c1ac612ed6 - Malicious Inno Setup Loader Hash 4: 8f55ad8c8dec23576097595d2789c9d53c92a6575e5e53bfbc51699d52d0d30a
Qwizzserial Android Malware as Legitimate Apps Steals Banking Data & Intercepts 2FA SMS
AppWizard
July 3, 2025

Qwizzserial Android Malware as Legitimate Apps Steals Banking Data & Intercepts 2FA SMS

A sophisticated Android malware campaign named Qwizzserial has emerged as a significant threat to banking security in Central Asia, particularly affecting users in Uzbekistan. Initially identified in mid-2024, it disguises itself as legitimate applications to deceive users into installation. Analysts from Group-IB uncovered it, noting its distribution network resembles the Classiscam fraud infrastructure. The campaign has reportedly infected around 100,000 users, resulting in financial losses exceeding ,000 within three months. The primary distribution channel is Telegram, where cybercriminals pose as government entities. Qwizzserial requests critical permissions upon installation and collects personal and financial information, systematically harvesting existing SMS messages. Recent iterations have incorporated obfuscation techniques and enhanced persistence mechanisms.
Windows Shortcut (LNK) Malware Strategies
Winsage
July 2, 2025

Windows Shortcut (LNK) Malware Strategies

There has been a significant increase in the exploitation of Windows shortcut files (LNK files) for malware delivery, with malicious LNK samples rising from 21,098 in 2023 to 68,392 in 2024. LNK files, identifiable by their .lnk extension, allow users to access files and applications easily, but can also execute malicious content. Key fields in LNK files that indicate malicious intent include LINKTARGETIDLIST (99.53% of malicious LNK files), RELATIVEPATH (75.49%), and COMMANDLINEARGUMENTS (35.52%). LNK malware is categorized into four types: LNK exploits, malicious file execution, in-argument script execution, and overlay content execution. Indicators of compromise for LNK malware include specific SHA256 hashes for various samples.
Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT
Tech Optimizer
June 17, 2025

Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT

Threat actors are using a fileless variant of AsyncRAT, targeting German-speaking individuals with a deceptive verification prompt. This prompt misleads users into executing harmful commands. The malware employs obfuscated PowerShell scripts to operate in memory without creating files on disk, complicating detection by antivirus solutions. The attack begins with a fake verification page prompting users to click "I’m not a robot," which copies a malicious command to the clipboard. This command uses conhost.exe to run a hidden PowerShell instance that retrieves a payload from a remote server. The malware establishes a connection to a command-and-control server and maintains persistence through registry keys, enabling remote control and data exfiltration. Key tactics include stealth execution, in-memory C# compilation, and TCP-based communication over non-standard ports. The campaign has been active since at least April 2025. Indicators of Compromise (IOCs) include: - IP: 109.250.111[.]155 (Clickfix Delivery) - FQDN: namoet[.]de (Clickfix / C2 Server) - Port: 4444 (TCP Reverse Shell Listener) - URL: hxxp[:]//namoet[.]de:80/x (PowerShell Payload) - Registry (HKCU): SOFTWAREMicrosoftWindowsCurrentVersionRunOncewindows (Persistence on Boot) - Registry (HKCU): SOFTWAREMicrosoftWindows NTCurrentVersionWindowswin (Holds Obfuscated Command)
Hackers Allegedly Selling Windows Crypter Claims Bypass of All Antiviruses
Tech Optimizer
June 2, 2025

Hackers Allegedly Selling Windows Crypter Claims Bypass of All Antiviruses

Underground cybercriminal forums are seeing an increase in advanced malware tools, including a Windows crypter that claims to bypass major antivirus solutions. This crypter is marketed as fully activated and capable of achieving Full Undetectable (FUD) status against contemporary antivirus engines. It employs advanced obfuscation techniques to evade detection, including code injection methods, entropy manipulation, and anti-debugging features. The tool allows for granular control over obfuscation parameters, enabling customization for specific target environments. The rise of such sophisticated evasion tools poses challenges for traditional endpoint security, making organizations vulnerable if they rely solely on signature-based antivirus solutions. To defend against these threats, organizations should adopt multi-layered security architectures, including behavioral analysis and endpoint detection and response (EDR) solutions.
Search