phishing emails Archives

Winsage

March 2, 2026

RAT Malware Via Windows Explorer Puts Crypto at Risk

Cofense Intelligence reported that threat actors are exploiting Windows File Explorer and WebDAV servers to deliver Remote Access Trojans (RATs) to corporate systems, bypassing browser security measures. This method allows attackers to infiltrate machines without using web browsers, taking advantage of File Explorer's ability to connect to remote WebDAV servers. Despite WebDAV being deprecated by Microsoft in November 2023, it is still supported in Windows, creating a vulnerability. The campaigns began in February 2024, with a significant increase in September 2024, and 87% of these campaigns deliver multiple RATs, including XWorm, Async RAT, and DcRAT. Victims typically receive phishing emails disguised as invoices, containing URL or LNK shortcut files that initiate a WebDAV connection. The attacks often utilize Cloudflare Tunnel for hosting malicious WebDAV servers, making the traffic appear legitimate. Notably, 50% of affected campaigns are in German, while 30% are in English. The report emphasizes the risks posed to individuals holding digital assets, as RATs can access sensitive information, including crypto wallet files. Organizations are advised to monitor network traffic for Cloudflare Tunnel instances and educate users about the risks associated with File Explorer's capabilities.

Winsage

March 1, 2026

Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery

Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Tech Optimizer

February 16, 2026

Phishing Lures Spread XWorm Remote Access Trojan

A cyber-espionage campaign is utilizing the XWorm Remote Access Trojan (RAT) to infiltrate systems via phishing emails and a Microsoft Office vulnerability (CVE-2018-0802). XWorm, first detected in 2022, allows attackers remote control over infected computers for surveillance and data theft. The campaign uses business-oriented phishing emails with malicious Excel attachments that exploit the vulnerability to execute a fileless attack. The malware connects to a command-and-control server, encrypting communications and transmitting system details. XWorm features a plugin architecture with over 50 modules for various malicious activities, including credential theft and DDoS attacks. Security experts highlight the ongoing risk of legacy software vulnerabilities and recommend patching outdated components.

Winsage

February 16, 2026

Multiple Flaws Found in Microsoft Windows & Office — Could Let Hackers In

Microsoft has identified at least six zero-day vulnerabilities in Windows and Microsoft Office that were actively being exploited by hackers before patches were released. These vulnerabilities allow attackers to compromise systems with minimal user interaction, such as clicking on malicious links or opening compromised Office documents. Notable examples include a Windows Shell Security Bypass (CVE-2026-21510) and an Office File Exploit that can execute malicious code. The vulnerabilities pose serious risks, including active exploitation, remote code execution, and the potential for malware installation and credential theft. Microsoft has released security patches to address these vulnerabilities, and users are urged to install them immediately. The affected systems include all supported versions of Windows and Microsoft Office applications. Users are advised to install updates, be cautious with emails and links, enable security tools, and keep software up to date.

Tech Optimizer

February 11, 2026

NordVPN Stopped Most Phishing Emails in Third-Party Testing, Study Says

NordVPN's Threat Protection Pro blocked 92% of phishing websites in an independent lab test conducted by AV-Comparatives, which evaluated 15 products against 250 verified phishing URLs. The test took place between January 7 and January 19, using Google Chrome for assessments. NordVPN's product ranked fourth, while the top three performers were Avast Free Antivirus and Norton Antivirus Plus (both at 95%) and Webroot SecureAnywhere Internet Security Plus (93%). The software provides protection against phishing attempts and malware infections, even when not connected to a VPN. Phishing attacks have surged by 4,151% since the introduction of ChatGPT in 2022, with companies facing significant financial losses per breach. AI is being used to enhance phishing tactics, including deepfake videos and voice impersonations. Despite its effectiveness, NordVPN's Threat Protection Pro cannot remove existing malware on devices.

Tech Optimizer

January 22, 2026

Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware

A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.

Tech Optimizer

January 19, 2026

PDFSIDER Malware Actively Used by Threat Actors to Bypass Antivirus and EDR Defenses

PDFSIDER is a sophisticated backdoor malware that bypasses modern endpoint detection and response systems. It is distributed through targeted spear-phishing campaigns that exploit vulnerabilities in legitimate PDF software. The malware is delivered via spear-phishing emails containing ZIP archives with a trojanized executable disguised as the PDF24 App. When executed, it uses DLL side-loading to load a malicious DLL (cryptbase.dll) alongside the legitimate PDF24.exe, allowing attackers to execute code without detection. PDFSIDER establishes encrypted command-and-control channels using the Botan 3.0.0 cryptographic library with AES-256 in GCM mode and operates mainly in memory to minimize detectable artifacts. It collects system information and executes commands through hidden cmd.exe processes. The malware employs advanced techniques to evade detection in sandbox and virtual machine environments, including checks for available RAM and debugger presence. Indicators of compromise include the malicious file cryptbase.dll and various clean files associated with the legitimate PDF24 application. Organizations are advised to enforce strict controls on executable files, provide user awareness training, and monitor DNS queries and encrypted traffic to detect PDFSIDER communications. The malware's behavior aligns with tactics used in state-sponsored espionage rather than financially motivated cybercrime.

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Winsage

January 6, 2026

ClickFix attack uses fake Windows BSOD screens to push malware

A new social engineering attack campaign called ClickFix is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into executing malware. Initially identified in December by Securonix as "PHALT#BLYX," the campaign involves phishing emails that appear to be notifications from Booking.com, often mentioning significant refunds to create urgency. Victims are directed to a counterfeit Booking.com site that mimics the legitimate one and displays a fake error message prompting them to execute a malicious command. This command launches a PowerShell script that downloads and compiles malware known as DCRAT, a remote access Trojan that allows attackers to control infected devices, exfiltrate data, and spread within networks.