PowerShell

Tech Optimizer
February 11, 2026
MicroWorld Technologies confirmed a breach of its eScan antivirus update infrastructure, allowing attackers to deliver a malicious downloader to enterprise and consumer systems. Unauthorized access was detected, leading to the isolation of affected update servers for over eight hours. A patch was released to revert the changes made by the malicious update, and impacted organizations were advised to contact MicroWorld for assistance. The attack occurred on January 20, 2026, when a compromised update was distributed within a two-hour window. The malicious payload, introduced through a rogue "Reload.exe" file, hindered eScan's functionality, blocked updates, and contacted an external server for additional payloads. This rogue executable was signed with a fake digital signature and employed techniques to evade detection. It also included an AMSI bypass capability and assessed whether to deliver further payloads based on the presence of security solutions. The malicious "CONSCTLX.exe" altered the last update time of eScan to create a false sense of normalcy. The attack primarily targeted machines in India, Bangladesh, Sri Lanka, and the Philippines, highlighting the rarity and seriousness of supply chain attacks through antivirus products.
Winsage
February 10, 2026
The Global Group has shifted to a local execution strategy for ransomware, complicating detection and response efforts. Their infection process begins when a user opens a shortcut file with a double extension (e.g., “Document.doc.lnk”), which appears as a legitimate document due to Windows' default settings that hide file extensions. The shortcut icon mimics that of a Microsoft Word file. When executed, the .lnk file activates Windows utilities like cmd.exe and PowerShell to retrieve and execute the next-stage payload, effectively bypassing traditional security controls focused on malicious documents or executable attachments.
Tech Optimizer
January 29, 2026
A supply chain breach has affected MicroWorld Technologies' eScan antivirus product, allowing malicious actors to use the vendor's update infrastructure to spread malware. Discovered on January 20, 2026, by Morphisec, the attack involved a trojanized update package that deployed multi-stage malware on enterprise and consumer endpoints globally. The initial compromise occurred through a malicious update replacing the legitimate Reload.exe binary, which was digitally signed with a valid eScan certificate. This led to the execution of a downloader (CONSCTLX.exe) and further malware stages that evaded defenses and disabled security features. The malware obstructs automatic updates by altering system configurations, including the hosts file and registry keys. Indicators of compromise include specific file names and SHA-256 hashes for the trojanized update and downloader. Network administrators are advised to block traffic to identified command and control domains and IPs. Affected organizations should verify their systems for signs of compromise and contact MicroWorld Technologies for a manual patch.
Winsage
January 21, 2026
Microsoft's Copilot AI experience differs significantly between Windows 11 and Windows 10. On Windows 11, Copilot is integrated at the system level, allowing it to perform tasks such as opening specific Settings pages, toggling system settings, launching built-in applications, and providing contextual guidance with UI navigation. In contrast, Windows 10 users can only access Copilot through browser-based interfaces, limiting its functionality to providing written instructions without the ability to execute actions or interact with local system features. Copilot on Windows 10 lacks awareness of the operating system and cannot manage system configurations or settings directly, while Windows 11 allows for direct interaction with cloud-managed settings.
Winsage
January 19, 2026
Windows Terminal serves as a unified shell for various command-line tools, including PowerShell, Command Prompt, and WSL. Users can enhance their experience by customizing settings, which improves readability and consistency across devices. To back up Windows Terminal settings, users can export configurations to a JSON file by accessing the Settings option, opening the JSON file, saving it as backup-settings.json, and selecting a save location. To restore settings, users must locate the backup file, edit it in Notepad, copy the content, and replace the existing configuration in Windows Terminal before saving the changes. Additionally, users can set a different default shell in Windows Terminal.
Winsage
January 13, 2026
Microsoft is enhancing security for Windows 11 24H2 and 25H2 users by automatically replacing expiring Secure Boot certificates on eligible devices. Secure Boot protects against malicious software by ensuring only trusted bootloaders are executed during startup. Many Secure Boot certificates are set to expire starting in June 2026, which could jeopardize secure booting capabilities if not updated. The update includes a mechanism to identify devices eligible for automatic receipt of new Secure Boot certificates. IT administrators are advised to install the new certificates to maintain Secure Boot functionality and prevent loss of security updates. Organizations can also deploy Secure Boot certificates through various methods. IT administrators should inventory their devices, verify Secure Boot status, and apply necessary firmware updates before installing Microsoft's certificate updates.
Winsage
January 12, 2026
File Explorer in Windows 11 has been reported to have performance issues, particularly delays when navigating folders with many media files or documents. This problem is linked to the auto-discovery feature, which optimizes folder display settings based on content but incurs a significant computational burden. Disabling this feature through registry modifications can lead to improved performance, with users experiencing faster navigation and reduced folder load times. Microsoft has acknowledged these issues and plans to preload File Explorer for quicker launches, but the underlying problems remain largely unaddressed. Users have shared their experiences and solutions, including registry tweaks that set folder types to "NotSpecified" to eliminate scanning overhead. Despite some incremental updates from Microsoft, many users still face core lags, prompting ongoing community-driven fixes and discussions about the need for deeper audits of legacy code.
Winsage
January 11, 2026
WhatsApp's transition to a Chromium-based web wrapper has resulted in a significant increase in resource consumption for Windows 11 users, with RAM usage reportedly surging to 2GB, compared to less than 1GB for the older version. Users can revert to the older version, which utilizes native code and is more efficient, by following a series of steps involving enabling Developer Mode, downloading a specific package, and using PowerShell commands. The older version maintains a steady resource usage, with memory consumption peaking at 400 MB during status updates and remaining under 300 MB for general messaging. However, reverting to the older version will prevent users from receiving new updates, and it may eventually be phased out by Meta.