PowerShell script

Winsage
January 5, 2026
Microsoft's latest Windows 25H2 builds have introduced AI features, but users cannot easily disable them through the interface, leading many to use third-party tools like the RemoveWindowsAI PowerShell script to eliminate components such as Copilot, Recall, and Input Insights. Windows Recall captures screenshots for AI-driven searches, raising privacy concerns due to the creation of a local database of full screenshots. Microsoft has also disabled phone activation for Windows 11, requiring internet connectivity for activation. The RemoveWindowsAI tool removes appx packages associated with AI, ensuring they cannot be reinstalled. Microsoft has announced the discontinuation of support for Windows 11 SE by October 13, 2026, impacting schools that rely on this version. Virtualization, such as using Proxmox, is recommended for users wary of telemetry practices. The RemoveWindowsAI project is evolving to enhance its capabilities in response to Microsoft's AI feature additions. Enterprise deployments are advised to test removal strategies in controlled environments, though some antivirus programs may flag the tool as malicious. Privacy advocates are concerned about the implications of Microsoft's changes on user control and data collection.
Winsage
December 19, 2025
The 'Remove Windows AI' project on GitHub, developed by zoicware, aims to simplify the process of disabling AI features in Windows 11 for users who find them unwelcome. It requires a Windows 11 system running at least version 25H2 and a PowerShell script with Administrator privileges to manipulate the Windows Registry and prevent Windows Update from reversing changes. The script automates the disabling of features such as Copilot, Recall, AI Actions, and integrations within applications like Edge and Paint. A graphical user interface (GUI) is also available for easier toggling of settings. The project includes a custom package to prevent the reinstallation of removed components and provides a list for manually toggling settings that cannot be disabled automatically. Alternatives for further customization include Winaero Tweaker and Open-Shell, which offers a Windows 2000-style start menu.
Tech Optimizer
December 18, 2025
A cybersecurity investigation by ReliaQuest has revealed that a Chinese state-linked hacking group, Silver Fox (also known as Void Arachne), is using search engine optimization tactics to create a counterfeit Microsoft Teams download site at "teamscn[.]com." This site targets Chinese-speaking users and employs a typo-squatting strategy. Victims attempting to download the software receive a trojanized installer labeled "Setup.exe," which checks for the presence of antivirus software and executes obfuscated PowerShell commands to modify Windows Defender exclusion lists. The malware also drops a file named "Verifier.exe" and installs a functional version of Microsoft Teams to disguise its activities. The compromised system communicates with the domain "Ntpckj[.]com" to deliver the ValleyRAT payload, allowing remote access for data exfiltration and command execution. Silver Fox is linked to both state-sponsored espionage and financially motivated activities, having previously conducted similar SEO poisoning campaigns. The campaign primarily targets Chinese-speaking personnel in global organizations, particularly those with ties to China, and poses a significant risk to organizations lacking robust security measures. Security teams are advised to enhance logging and monitoring practices to detect suspicious activities.
TrendTechie
December 16, 2025
Recent reports indicate that torrent files for the film "Battle for Battle" are concealing a Trojan known as Agent Tesla, which can steal credentials, monitor computer activity, and take control of infected systems. The infection occurs when users download what appears to be the film file, which contains files like CD.lnk or Part2.subtitles.srt. Opening the first file executes a PowerShell script that interacts with the second file, leading to the installation of the Trojan. This malware can evade detection by Windows and antivirus programs by using harmless file types and PowerShell, complicating identification and mitigation efforts.
Winsage
December 4, 2025
Microsoft has acknowledged issues with Windows updates that affect key components like the Start menu and Explorer, primarily impacting enterprise environments using Windows 11 versions 24H2 or 25H2 after the July 2025 cumulative update. The problems arise from the failure to register certain XAML packages, leading to crashes or loading failures in XAML-dependent applications. Symptoms include black screens, startup crashes, and unresponsive Start menus and taskbars. Microsoft has not provided an immediate solution but suggests workarounds involving the Windows registry or PowerShell scripts. The issues are unlikely to affect personal devices but may occur if updates are installed before user logins on persistent or non-persistent OS installations.
Tech Optimizer
December 3, 2025
A malicious Rust package named "evm-units," uploaded by a user called "ablerust" to crates.io in mid-April 2025, poses a significant threat to developers on Windows, macOS, and Linux. It has over 7,000 downloads and is designed to execute its payload stealthily, depending on the victim's operating system and the presence of Qihoo 360 antivirus. The package disguises itself as a function that returns the Ethereum version number and can detect Qihoo 360 antivirus software. It downloads and executes different payloads based on the operating system: a script for Linux, a file for macOS, and a PowerShell script for Windows. If the antivirus is not detected, it creates a Visual Basic Script wrapper to run a hidden PowerShell script. The package targets the Web3 community, particularly developers, and is linked to the widely used "uniswap-utils" package. Both "evm-units" and "uniswap-utils" have been removed from the repository.
Winsage
November 25, 2025
Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.