persistence

Tech Optimizer
July 15, 2026
Cybersecurity firm ArcticWolf has identified 292 malicious GitHub repositories that impersonate legitimate software tools, part of a campaign to deliver a new variant of the BoryptGrab infostealer. This malware can extract sensitive information from 19 web browsers, 32 cryptocurrency wallets, messaging applications like Telegram and Discord, gaming platforms such as Steam, and Windows Credential Manager. It can also exfiltrate files from users' Desktop and Documents folders and capture screenshots. This variant bypasses Chrome’s App-Bound Encryption using direct code injection and does not include an anti-analysis layer or conceal itself, aiming to harvest data quickly without persistence. The malicious activity began in late June, with most repositories removed from GitHub, though several dozen remain active. GitHub's status as a key platform in the open-source community makes it a target for cybercriminals, emphasizing the need for developers to thoroughly vet code before integration.
Tech Optimizer
July 10, 2026
Cybercriminals are exploiting the VLC media player to install ValleyRAT, a remote access trojan, by embedding malware in a seemingly harmless file linked in phishing emails. The attack starts with an email that prompts the victim to download a ZIP archive containing a fake VLC executable and a malicious DLL named libvlc.dll. This method uses DLL sideloading to execute the malware under the guise of a legitimate application. Once executed, the malware establishes persistence by creating a registry entry and connects to a remote server to retrieve the final payload. ValleyRAT employs evasion tactics to avoid detection, including assessing system characteristics before executing harmful actions and using a fileless approach to deliver the payload directly into memory. Researchers have identified indicators of compromise, including specific SHA1 hashes and URLs associated with the malicious campaign.
Winsage
July 8, 2026
A bug in Windows 11 can cause significant disk space loss, with some users losing up to 500GB due to the CapabilityAccessManager.db-wal file, which should normally be a few megabytes. The file's size can exceed 100GB, indicating potential issues. Users can check their system file sizes through Settings > System > Storage. Tools like WizTree, TreeSize, or WinDirStat can help examine the folder contents. Microsoft has addressed the issue in the June 23 optional preview update, which improves disk space usage for the file. This update can be found under Settings and Windows Update, with a mandatory fix scheduled for the official Patch Tuesday on July 14.
Tech Optimizer
July 3, 2026
Cybercriminals are using a sophisticated method to bypass security measures by embedding malware within the VLC media player. This campaign exploits VLC to install ValleyRAT, a remote access trojan, through phishing emails that contain links to download a seemingly harmless file. Once the file is opened, it activates a hidden backdoor that evades detection by antivirus solutions. The malware has been active since 2023, with a significant increase in activity noted through 2025 and into 2026, particularly targeting Chinese and Japanese-speaking users. The infection process begins when a victim clicks a link in a phishing email, leading to a ZIP archive containing a disguised executable and a malicious DLL (libvlc.dll). The executable mimics a legitimate VLC file, and when executed, it loads the DLL, allowing the malware to run under the guise of VLC. The malware establishes persistence by creating a registry entry and connects to a remote server to retrieve the final payload. ValleyRAT employs evasion tactics to avoid detection, such as performing checks on system behavior and using a fileless approach to inject its payload directly into memory, avoiding storage on disk. Researchers recommend training employees to recognize suspicious filenames and deploying endpoint detection tools to identify DLL sideloading behavior. For organizations affected by this campaign, isolating compromised systems and reviewing security logs are critical initial steps. Indicators of compromise include a malicious email domain, a ZIP archive containing a fake VLC executable, and a download URL for ValleyRAT.
Search