persistence Archives

AppWizard

May 21, 2025

Android 16 QPR1 bug prevents new apps from appearing on home screen

Android 16 QPR1 has introduced design changes and user interface adjustments, but a bug has emerged that prevents newly installed apps from appearing on the home screen, despite the relevant setting being enabled. Users can find this setting by long-pressing the home screen and navigating to home settings. The bug is considered minor, as newly installed apps remain accessible through the app drawer. Google is expected to address the issue in a future update, but no timeline for a fix has been provided.

Tech Optimizer

May 17, 2025

New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

A tool named Defendnot can disable Microsoft Defender on Windows devices by registering a counterfeit antivirus product using an undocumented Windows Security Center (WSC) API. Developed by researcher es3n1n, it exploits the API to register a fictitious antivirus that meets Windows' validation criteria, leading to the automatic disabling of Microsoft Defender. Defendnot circumvents security measures by injecting a dummy antivirus DLL into the trusted Taskmgr.exe process. It also includes a loader for configuration customization and establishes an autorun entry through the Windows Task Scheduler for persistence. Microsoft Defender currently detects and quarantines Defendnot as a Win32/Sabsik.FL.!ml.

Winsage

May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.

Tech Optimizer

May 5, 2025

Chimera Malware: Outsmarting Antivirus, Firewalls, and Human Defenses

X Business, an e-commerce store specializing in handmade home décor, experienced a cybersecurity incident involving a malware strain called Chimera. The attack began during a routine update to their inventory management system and escalated within 12 hours, resulting in halted customer orders, locked employee accounts, and a crashed website. The attackers demanded a ransom of 0,000 in cryptocurrency, threatening to expose sensitive customer data. Chimera is an AI-driven malware that adapts its code to evade detection, targeting both Windows and macOS systems. It exploited a zero-day vulnerability in Windows' Print Spooler service and bypassed macOS security measures by forging code signatures. The malware used social engineering tactics to deceive employees into activating malicious payloads, leading to compromised systems and encrypted customer data. The recovery process took 48 hours, utilizing cybersecurity tools like CrowdStrike Falcon and SentinelOne Singularity to identify and isolate the malware. Data restoration was achieved through Acronis Cyber Protect and macOS Time Machine, while vulnerabilities were addressed with Qualys and emergency patch deployment via WSUS. The network security framework was improved using Cisco Umbrella and Zscaler Private Access to implement a Zero Trust architecture. The incident highlights the need for small enterprises to adopt proactive cybersecurity strategies, including a 3-2-1 backup approach, Zero Trust models, investment in AI-driven defense tools, and employee training to recognize social engineering attempts.

Winsage

May 1, 2025

Microsoft RDP apparently lets you log in with expired passwords – and it apparently doesn’t have plans to fix the issue

Security researcher Daniel Wade has revealed that Microsoft’s Remote Desktop Protocol (RDP) allows users to log into systems using previously revoked passwords, raising concerns about user security. Wade highlights that this feature undermines the trust users place in password management, as changing passwords is expected to prevent unauthorized access. This issue affects a wide range of users, from individuals to employees in small businesses and hybrid work environments. Despite the increasing sophistication of cyberattacks on password managers, Microsoft has stated it will not change this RDP functionality.

AppWizard

April 10, 2025

SpyNote Android malware resurfaces in campaign using spoofed app install pages

A report from DomainTools LLC reveals that cybercriminals are using newly registered domains to distribute the SpyNote Android remote access trojan (RAT) by creating fake websites that resemble legitimate Google Play app installation pages. These counterfeit pages often include familiar visual elements to deceive users into downloading harmful APK files, such as a site mimicking the TikTok installation page. The downloaded files typically contain variants of SpyNote, which can conduct surveillance, harvest sensitive information, and execute remote commands on compromised devices. The delivery mechanism involves a two-stage process where a dropper APK installs a secondary APK with core spyware functionalities, utilizing JavaScript to trigger downloads from fake install buttons. Common characteristics of the domains distributing SpyNote include registration with NameSilo LLC and XinNet Technology Corp., hosting on infrastructure linked to Lightnode Ltd and Vultr Holdings LLC, and the presence of SSL certificates. The malware delivery sites contain code in both English and Chinese, suggesting a Chinese-speaking threat actor may be involved. SpyNote has been associated with advanced persistent threat groups targeting individuals in South Asia, including those in the Indian defense sector. Once installed, SpyNote requests intrusive permissions to access SMS, contacts, call logs, camera, microphone, and location services, and employs persistence mechanisms that make it difficult to remove. DomainTools advises users to be vigilant against spoofed app pages and avoid sideloading APKs from unverified sources.

Tech Optimizer

April 3, 2025

1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack

A cryptojacking campaign has targeted over 1,500 organizations by exploiting inadequately secured PostgreSQL database servers. The attackers, identified as JINX-0126, use advanced techniques including credential brute-forcing and fileless execution to deploy Monero (XMR)-mining malware. Approximately 30% of cloud-hosted PostgreSQL servers are affected due to weak or default credentials. The attackers execute commands using PostgreSQL’s COPY FROM PROGRAM function, bypassing standard detection mechanisms. They have been linked to three cryptocurrency wallets with around 550 active mining workers, generating a hashrate of 4.04 GH/s and approximately €10.40 per hour in XMR revenue. The attack begins with credential spraying against default accounts, followed by an SQL injection to fetch the payload. The malware operates in memory, modifies PostgreSQL’s configuration to maintain persistence, and creates cron jobs for reactivation. The campaign reveals significant security gaps in cloud environments, with recommendations for improved access controls and monitoring.

Tech Optimizer

April 2, 2025

Over 1,500 PostgreSQL Servers Hit by Fileless Malware Attack

A malware campaign has compromised over 1,500 PostgreSQL servers using fileless techniques to deploy cryptomining payloads. The attack, linked to the threat actor group JINX-0126, exploits publicly exposed PostgreSQL instances with weak or default credentials. The attackers utilize advanced evasion tactics, including unique hashes for binaries and fileless execution of the miner payload, making detection difficult. They exploit PostgreSQL’s COPY ... FROM PROGRAM function to execute malicious payloads and perform system discovery commands. The malware includes a binary named “postmaster,” which mimics legitimate processes, and a secondary binary named “cpu_hu” for cryptomining operations. Nearly 90% of cloud environments host PostgreSQL databases, with about one-third being publicly exposed, providing easy entry points for attackers. Each wallet associated with the campaign had around 550 active mining workers, indicating the extensive scale of the attack. Organizations are advised to implement strong security configurations to protect their PostgreSQL instances.