PC Manager

Tech Optimizer
November 15, 2025
A new malware called RONINGLOADER specifically targets Chinese users and can disable security tools. It operates as a multi-stage loader that spreads a modified version of gh0st RAT and bypasses antivirus protections. RONINGLOADER infiltrates systems through fake software installers that mimic legitimate applications like Google Chrome and Microsoft Teams. Once inside, it disables Windows Defender and Chinese security solutions such as Qihoo 360 Total Security and Huorong. The malware uses a signed driver that appears legitimate to Windows but is designed to terminate security processes. If one method of disabling security fails, RONINGLOADER has multiple fallback strategies. The Dragon Breath APT group is behind this campaign, having refined their techniques based on previous operations. The infection begins with a trojanized NSIS installer that drops components onto the victim's system. One installer deploys genuine software, while the other initiates the attack chain. RONINGLOADER creates a directory at C:\Program Files\Snieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts tp.png using XOR encryption and a rotation operation, then loads new system libraries to eliminate security hooks. It elevates privileges using the runas command and scans for active security software, specifically targeting Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. To terminate these processes, it uses a signed driver named ollama.sys, which is digitally signed by Kunming Wuqi E-commerce Co., Ltd. This driver can terminate processes using kernel-level APIs that standard security tools cannot intercept. Additionally, RONINGLOADER blocks network connections for Qihoo 360 before injecting code into the Volume Shadow Copy service process, utilizing Windows thread pools with file write triggers to evade detection.
Tech Optimizer
April 12, 2025
The author has transitioned from using third-party antivirus solutions to relying on Windows Security, which is built into Windows 10 and 11, due to its effectiveness and lack of cost. They emphasize the importance of keeping Windows Security updated and performing regular virus scans for added peace of mind. Ransomware protection features, such as Controlled Folder Access, are highlighted as essential. The Microsoft PC Manager app is recommended for optimizing system performance and security. The author advocates for good security hygiene, including avoiding suspicious emails and enabling two-factor authentication, as effective practices to maintain security without third-party antivirus software.
Winsage
March 10, 2025
Microsoft PC Manager includes a Deep cleanup feature that can slow down system performance by deleting Windows Prefetch files, which are intended to improve application loading times. The System protection feature focuses on restoring default settings rather than providing robust security options, which may not appeal to users who prefer customization. The PC Boost feature offers only temporary relief from memory usage, with results quickly reverting back to previous levels. Additionally, the app promotes Microsoft Edge, often ignoring users' default browser settings, which can be intrusive and detracts from its overall utility.
Winsage
March 2, 2025
Microsoft has introduced a free, built-in tool called PC Manager for Windows 10 and Windows 11 users, aimed at optimizing system performance without the need for third-party software. After a successful launch in China, PC Manager is now available globally. Key features include:
- PC Boost: Automatically clears temporary files, reduces RAM usage, and shuts down unnecessary background processes. Smart Boost identifies and removes files over 1GB.
- Deep Cleanup: Targets outdated system files, browser caches, and the recycle bin to free up storage and improve performance.
- Startup Management: Allows users to manage and disable unnecessary startup applications to enhance boot speed.
- Process Management: Provides an intuitive interface to identify and terminate resource-hogging processes easily.
- Large Files Locator: Helps users identify oversized files for better disk space management.
PC Manager is currently available in multiple languages and is expected to expand further, with plans for future updates based on user feedback.
Winsage
February 13, 2025
Microsoft has introduced PC Manager, a free, built-in tool for Windows 10 and 11 designed to optimize system performance without the need for third-party software. After testing in China, it has been rolled out globally. Key features include:
- PC Boost: Automatically clears temporary files, reduces RAM usage, and terminates unnecessary processes. Smart Boost identifies and removes files over 1GB.
- Deep Cleanup: Targets outdated system files, browser caches, and the recycle bin to free up storage.
- Startup Management: Allows users to disable unnecessary startup programs to improve boot speed.
- Process Management: Provides an interface to quickly identify and close resource-hogging processes.
- Large Files Locator: Scans for oversized files to help manage disk space.
PC Manager is available in multiple languages and is expected to receive updates based on user feedback.
Winsage
November 13, 2024
Microsoft has addressed a limited number of critical vulnerabilities, including two related to privilege escalation: one associated with VMSwitch that allows low-privileged users on a guest OS to execute code with SYSTEM privileges on the host OS, and another in a cloud service that has been mitigated. The updates include over 50 code execution vulnerabilities, primarily affecting SQL Server, with CVE-2024-49043 requiring urgent attention for updates to OLE DB Driver versions 18 or 19. Several vulnerabilities in Office components were identified, and the Telephony service revealed six remote code execution vulnerabilities, notably an SMBv3 vulnerability that a malicious SMB client can exploit against an affected SMB server in SMB over QUIC configurations. A CVSS 9.9 rated vulnerability in Azure CycleCloud could allow root-level access, and an RCE vulnerability in TouchGeo was also identified. Over two dozen fixes for privilege escalation vulnerabilities were released, including USB Video Class System vulnerabilities requiring physical access and vulnerabilities in Azure Database for PostgreSQL that could grant SuperUser privileges. Two Security Feature Bypass vulnerabilities were addressed, one in Word and another in Windows Defender Application Control. Two spoofing vulnerabilities were identified in Exchange Server and DNS, and four denial-of-service vulnerabilities were reported, including one in Hyper-V that could facilitate cross-VM attacks. The final Patch Tuesday of 2024 is scheduled for December 10.
Winsage
October 31, 2024
Microsoft has launched version 3.14 of its PC Manager, a free utility for Windows 10 and Windows 11, featuring real-time internet speed monitoring from the taskbar, improved storage management to efficiently eliminate unnecessary files, and integration with Windows 11 Widgets for easier access to its features. The tool has received positive feedback for its user-friendly interface and maintenance capabilities.
Winsage
October 31, 2024
Microsoft's PC Manager is receiving an update to version 3.14, which introduces new features for Windows 11 and Windows 10 users. Key improvements include real-time internet speed monitoring from the desktop toolbar and an upgraded disk cleanup algorithm for better storage optimization. Developed by Microsoft China, PC Manager is available in select countries via the Microsoft Store but is not accessible in Europe and some other regions due to privacy regulations. The application helps free up RAM and storage to enhance PC performance. The update, which began rolling out on October 24, also supports Windows 11’s Widgets board, allowing users to boost performance directly from the widgets. Additionally, the deep cleanup feature has been enhanced to identify and remove more temporary files than built-in Windows solutions, and users can now analyze disk usage for better storage management.