PowerShell scripts Archives

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Winsage

February 17, 2026

How to Uninstall and Reinstall Chrome on Windows 11 Using Winget CMD

Google Chrome can experience performance issues on Windows due to corrupted profiles, extension conflicts, broken updates, and crashes. A complete uninstall and reinstall often resolves these issues, and the Windows Package Manager (Winget) provides a command-line method for this process. To uninstall Chrome using Winget, open Terminal as an administrator and run the command PLACEHOLDER7836d906c03bd8f1. After uninstallation, verify it with PLACEHOLDER30cf24d62406b8ee, then reinstall using PLACEHOLDER76e40aae6965d719. For a clean reinstall, delete the leftover user data folder at PLACEHOLDER142352b706501488. Commands: - Check installed version: winget list Google.Chrome - Uninstall Chrome: winget uninstall Google.Chrome - Verify removal: winget list Google.Chrome - Reinstall Chrome: winget install Google.Chrome - Silent install: winget install Google.Chrome --silent - Delete leftover data: rmdir /s /q "%LocalAppData%GoogleChrome" Before executing commands, ensure Winget is available and updated, and that you have administrator privileges. Backup data by enabling Chrome Sync. Close Chrome completely before uninstalling to avoid process interference. A clean reinstall involves deleting the Chrome user data folder, which removes bookmarks, passwords, and other stored data. Winget is faster and more suitable for scripting and remote management compared to traditional uninstall methods through the Settings app or Control Panel. Common troubleshooting for Winget includes handling errors related to package recognition, installation blocks, and access issues. If uninstalling fails, terminate any running Chrome processes and retry the command. If unsuccessful, use the Settings app for removal and then Winget for reinstallation.

Winsage

December 19, 2025

Microsoft Phases Out RC4 Encryption by 2026 to Bolster Windows Security

Microsoft has announced the phased discontinuation of the RC4 encryption cipher, with full implementation expected by mid-2026. RC4, created in 1987, has been increasingly recognized as a vulnerability, exploited in various high-profile cyberattacks. Microsoft plans to disable RC4 by default in Windows Kerberos authentication, encouraging organizations to transition to more secure alternatives like AES-256. This decision follows years of warnings from the cybersecurity community and aims to eliminate long-standing cryptographic weaknesses. The transition will require organizations to audit and upgrade their infrastructures, as many legacy applications still depend on RC4. Disabling RC4 is expected to reduce the success rates of attacks exploiting weak encryption. Microsoft has introduced tools to help administrators identify hidden RC4 usage. The change reflects a commitment to zero-trust architectures and aligns with recommendations from organizations like NIST. Experts recommend a multi-step approach for organizations to navigate this transition effectively.

Winsage

December 10, 2025

Beyond RC4 for Windows authentication

Two new PowerShell scripts from the Microsoft Kerberos-Crypto GitHub repository have been introduced to enhance cybersecurity by streamlining the monitoring of Security Event logs on domain controllers. 1. List-AccountKeys.ps1: This script queries the Security Event Log for the Keys field, enumerating the keys associated with accounts in the event logs. It provides details such as the timestamp, account name, account type, and specific account keys. For example, it can show that accounts have access to keys like RC4, AES128-SHA96, AES256-SHA96, and AES128-SHA256. 2. Get-KerbEncryptionUsage.ps1: This script allows users to query events to determine which encryption types Kerberos utilized, revealing requests that employed AES256-SHA96. It also offers filtering options for specific encryption algorithms, such as RC4. Organizations can further enhance their security by using SIEM solutions like Microsoft Sentinel or built-in Windows event forwarding to query these logs.

Winsage

December 9, 2025

Windows PowerShell now warns when running Invoke-WebRequest scripts

Microsoft has updated Windows PowerShell to include a security warning for users running scripts with the Invoke-WebRequest cmdlet, addressing a high-severity remote code execution vulnerability (CVE-2025-54100). This feature is integrated into Windows PowerShell 5.1, the default version on Windows 10 and 11, aligning its security protocols with PowerShell 7. When executing scripts with Invoke-WebRequest, users will receive an alert about potential script execution from downloaded web pages. They can choose to cancel the operation or proceed with full HTML parsing, accepting the associated risks. The update advises using the -UseBasicParsing parameter for safer processing. IT administrators will see a confirmation prompt after installing the KB5074204 update, highlighting the risks of script execution. Administrators are encouraged to update their scripts to include the -UseBasicParsing parameter to prevent automation scripts from stalling. The curl command in PowerShell is also aliased to Invoke-WebRequest, meaning the new warnings will apply to curl commands as well. Most existing PowerShell scripts using Invoke-WebRequest will continue to function with little or no modification.

Winsage

December 4, 2025

Latest Windows 11 updates may break the OS’s most basic bits

Microsoft has acknowledged issues with Windows updates that affect key components like the Start menu and Explorer, primarily impacting enterprise environments using Windows 11 versions 24H2 or 25H2 after the July 2025 cumulative update. The problems arise from the failure to register certain XAML packages, leading to crashes or loading failures in XAML-dependent applications. Symptoms include black screens, startup crashes, and unresponsive Start menus and taskbars. Microsoft has not provided an immediate solution but suggests workarounds involving the Windows registry or PowerShell scripts. The issues are unlikely to affect personal devices but may occur if updates are installed before user logins on persistent or non-persistent OS installations.

Winsage

November 19, 2025

Microsoft Integrates System Monitor (Sysmon) into Windows 11

Microsoft will integrate its forensic tool, System Monitor (Sysmon), into the Windows kernel with the upcoming releases of Windows 11 and Server 2025. This integration will transform Sysmon from a standalone utility into a native “Optional Feature” that will be serviced automatically through Windows Update. Administrators will no longer need to manually distribute Sysmon; instead, it can be activated through the “Turn Windows features on or off” dialog or command-line instructions. The integration will ensure that updates flow through the standard Windows Update pipeline, providing official support and Service Level Agreements (SLAs) for Sysmon. Microsoft plans to utilize local computing capabilities for AI inferencing to enhance security measures, focusing on detecting credential theft and lateral movement patterns. Sysmon will maintain backward compatibility with existing workflows, allowing the use of custom configuration files and adhering to the XML schema while continuing to log events to the Windows event log. Community-driven configuration repositories will remain operational, preserving established community knowledge.

Winsage

November 5, 2025

Curly COMrades abuse Hyper-V for covert malware operations in VMs

Bitdefender researchers have identified advanced techniques used by the Curly COMrades threat actor, believed to have Russian backing, to exploit Microsoft’s Hyper-V virtualization platform. This group activates Hyper-V on compromised systems to deploy a lightweight virtual machine (VM) running Alpine Linux, which hosts malware tools CurlyShell and CurlCat. The operation began in early July with commands that activated Hyper-V and prepared the environment for the VM, using deceptive file names to avoid detection. The Alpine Linux VM is customized for each victim, allowing the attackers to maintain a low profile while facilitating reverse shell and proxy activities. The VM routes traffic through the host's network, masking communications as originating from the legitimate host IP. CurlyShell acts as a persistent reverse shell, while CurlCat manages SSH traffic tunneling, utilizing a private key for authentication. The attackers also employ various proxy and tunneling tools and utilize PowerShell scripts for tasks such as injecting Kerberos tickets into LSASS for lateral movement and creating local accounts to ensure ongoing access. Their command and control infrastructure involves compromised servers that relay traffic between infected hosts and the attackers' servers, with measures taken to limit forensic evidence. To detect and mitigate these threats, Bitdefender emphasizes the need for host-based network inspection and hardening, as well as monitoring for abnormal access to the LSASS process and suspicious Kerberos ticket activities. The findings indicate a shift in threat actor tactics towards using virtualization for stealth and persistence, highlighting the need for layered security measures.

Winsage

November 4, 2025

Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been using Microsoft Hyper-V to bypass endpoint detection and response (EDR) solutions by creating a concealed Alpine Linux-based virtual machine for running malware. They have deployed proprietary tools, CurlyShell and CurlCat, within this virtual environment to maintain operational stealth and secure communication. Active since mid-2024, the group targets government and judicial entities in Georgia and energy companies in Moldova. In early July, they gained remote access to two machines, activated Hyper-V, and disabled its management interface to deploy a minimalistic virtual machine that hosted their malware. This tactic allowed them to evade traditional host-based EDR detections. The virtual machine was configured to use the Default Switch network adapter, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell executes commands and maintains persistence, while CurlCat facilitates covert traffic tunneling. The group also utilized PowerShell scripts for persistence and pivoting to remote systems, including injecting Kerberos tickets into LSASS and creating local accounts via Group Policy. Bitdefender advises organizations to monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts.

Winsage

November 4, 2025

Russian Hackers Abuse Hyper-V to Hide Malware and Evade Endpoint Detection

A Russian-linked hacking group, Curly COMrades, is using Microsoft’s Hyper-V to conceal malware within compromised Windows systems. They install a small Alpine Linux virtual machine (VM) to run custom malware, evading endpoint detection and response (EDR) software since July. The group exploits Hyper-V's native features, enabling it on victim systems while disabling management clients to avoid detection. The VM, named “WSL,” hosts two C++ tools: ‘CurlyShell,’ a reverse shell, and ‘CurlCat,’ a reverse proxy, both designed to maintain persistence and obfuscate their activities. The VM occupies only 120MB of disk space and uses Hyper-V’s Default Switch for network traffic, making malicious communication appear to originate from the legitimate host. Additionally, Curly COMrades employs malicious PowerShell scripts for persistence and lateral movement, including creating local user accounts and using a modified TicketInjector for authentication across networks.