persistence

AppWizard
March 4, 2026
Esoteric Ebb is a role-playing game inspired by Disco Elysium, focusing on exploration rather than combat, and features a narrative rich in literary and political themes. The game blends narrative depth with mechanics similar to Dungeons & Dragons.

- Price: £21
- Release Date: March 3, 2026
- Developer: Christoffer Bodegård
- Publisher: Raw Fury
- Reviewed on: Steam Deck, Windows 11 (Core i5 12600K, RX 9070 XT, 32GB RAM)
- Steam Deck: Verified
- Official site link available

Gameplay includes strategic challenges, such as an early ambush by an assassin where players can use spells creatively. Some minor complaints include a cluttered user interface on the Steam Deck, cumbersome inventory management, typographic errors, and occasional UI glitches. There are also reports of bugged feats affecting gameplay. Despite these issues, the game is considered compelling for RPG enthusiasts and offers good value for its price.
Winsage
March 4, 2026
A proof-of-concept exploit for CVE-2026-20817, a local privilege escalation vulnerability in the Windows Error Reporting (WER) service, has been released by security researcher oxfemale on GitHub. This vulnerability allows low-privileged users to gain SYSTEM-level access through crafted Advanced Local Procedure Call (ALPC) messages. The flaw is located in the WER service's SvcElevatedLaunch method, which fails to validate caller privileges before executing WerFault.exe with user-supplied command line parameters. The CVSS v3.1 base score for this vulnerability is 7.8, indicating a high severity level. It affects unpatched versions of Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 prior to the January 2026 update. Demonstrations have shown successful exploitation on Windows 11 23H2. Security teams are advised to monitor for unusual processes related to WerFault.exe, investigate missing SeTcbPrivilege in SYSTEM tokens, and review WER-related activities from low-privilege users. Immediate application of the January 2026 security patches is recommended, and a temporary workaround involves disabling the WER service.
Winsage
March 2, 2026
Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.
Tech Optimizer
February 24, 2026
A cyber operation is targeting users of Huorong Security antivirus software through a typosquatted domain, huoronga[.]com, which mimics the legitimate site huorong.cn. Users who mistakenly visit the counterfeit site may download a file named BR火绒445[.]zip, which contains a trojanized installer that leads to the installation of ValleyRAT, a remote access trojan. The malware employs various techniques to evade detection, including using an intermediary domain for downloads, creating Windows Defender exclusions, and establishing a scheduled task for persistence. The backdoor facilitates activities such as keylogging and credential access while disguising its operations within legitimate processes like rundll32.exe. Attribution points to the Silver Fox APT group, and there has been a significant increase in ValleyRAT samples documented in recent months. Security measures include ensuring software downloads are from the official site and monitoring for specific malicious activities.
Tech Optimizer
February 22, 2026
Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.
AppWizard
February 22, 2026
The One Block Challenge in Minecraft begins with players on a single block of grass in the void, where they gather resources, build shelters, and aim to defeat the Ender Dragon. Each time the block is broken, a new one appears, providing various materials and creatures. Players transition through different biomes, each with unique opportunities and challenges. IIJAZZGHOST is a notable player who demonstrates effective strategies, such as resource management, building farms, and creating cobblestone generators. Essential tips for the challenge include efficient resource gathering, establishing shelter and food sources, planning base expansion, and adapting to new biomes. The One Block Challenge has evolved with community contributions, introducing different block types, customized biomes, and mods, enhancing gameplay and fostering a vibrant community.
AppWizard
February 19, 2026
Cybersecurity researchers have identified a new Android malware named PromptSpy that utilizes Google's Gemini AI chatbot to enhance its capabilities and persistence on infected devices. PromptSpy can capture lockscreen data, obstruct uninstallation, gather device information, take screenshots, and record screen activity. It integrates Gemini to analyze the current screen and provide instructions to keep the malware active in the recent apps list. The malware uses a hard-coded AI model and communicates with a command-and-control server via the VNC protocol, allowing remote access to the victim's device. It is financially motivated, targeting users in Argentina, and was developed in a Chinese-speaking environment. PromptSpy is distributed through a dedicated website and is considered an advanced version of a previously unidentified malware called VNCSpy.