We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

NewApp Digest
search bot

PowerShell scripts

Malware disguises itself as an innocent photo on Dropbox. APT37's steganographic strategy
Winsage
August 4, 2025

Malware disguises itself as an innocent photo on Dropbox. APT37’s steganographic strategy

Specialists at the Genians Security Center have identified a new version of the RoKRAT malware linked to the North Korean APT37 group. This version uses steganography to hide its code in JPEG images, allowing it to bypass antivirus systems. The infection begins with a malicious .LNK link in a ZIP archive, which contains a large .LNK file that misleads users. The malware employs various encrypted components, including shellcode, PowerShell scripts, and batch files. Upon execution, PowerShell decrypts the shellcode using a XOR operation, and the malware injects itself into legitimate Windows processes without leaving traces on the disk. The RoKRAT loader is embedded in a JPEG image hosted on Dropbox, and it uses a double XOR transformation to extract the shellcode. The malware is activated through sideloading techniques using legitimate utilities and downloads from cloud platforms. RoKRAT can collect data, take screenshots, and transmit them to external servers. Recent samples have targeted “notepad.exe” for code injection, indicating ongoing development. Endpoint detection and response (EDR) systems are essential for monitoring unusual activities and protecting against these sophisticated attacks, as traditional defenses are inadequate.
North Korea Hiding Malware Within JPEG Files to Attack Windows Systems Bypassing Detections
Winsage
August 4, 2025

North Korea Hiding Malware Within JPEG Files to Attack Windows Systems Bypassing Detections

Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. This malware uses steganography to hide malicious payloads within JPEG files, allowing it to evade traditional antivirus detection. It is typically distributed through malicious shortcut files within ZIP archives, often disguised as legitimate documents. The malware employs a two-stage encrypted shellcode injection method, utilizing PowerShell and batch scripts to execute its payloads in memory. It collects system information, documents, and screenshots, exfiltrating data via compromised cloud APIs. The command and control accounts associated with the malware are linked to Russian email services. Variants of RoKRAT have evolved to include different injection methods and reference specific PDB paths. Indicators of compromise include various MD5 hashes associated with the malware.
Secure Windows with Microsoft's Security Compliance Toolkit
Winsage
July 30, 2025

Secure Windows with Microsoft’s Security Compliance Toolkit

The Microsoft Security Compliance Toolkit is a suite of tools for administrators to assess Group Policy Objects (GPOs) against Microsoft's security baselines, helping to identify discrepancies and implement secure settings. It includes tools such as the Policy Analyzer, Local Group Policy Object (LGPO) utility, and Set Object Security application. Administrators can download the toolkit from Microsoft's website, which contains zip files for various security baseline packages. The Policy Analyzer compares GPOs with local security policies to identify inconsistencies, while the LGPO tool manages local security policies and allows for policy backup and verification. The Set Object Security tool applies security descriptors to objects like files and folders. For Windows Server, administrators should test security baselines in non-production environments before deployment. With Windows Server 2025, the OSConfig platform allows for direct application of security baselines through PowerShell, simplifying the update process and maintaining compliance.
These PowerShell scripts make it easy to migrate Windows installs
Winsage
July 13, 2025

These PowerShell scripts make it easy to migrate Windows installs

A PowerShell script developed by GitHub user Anduin2017 allows users to create a new Windows 11 installation on an empty physical drive while retaining access to files and applications from the existing installation. The process requires running the script in an elevated PowerShell window, providing inputs such as the location of the empty drive and the edition of Windows to install from an ISO file. Users can continue using their PC during the installation, and upon completion, they can choose between the existing and new installations upon reboot. To set up necessary applications, users can customize PowerShell modules using a sample install.ps1 file from the GitHub project. This method is particularly beneficial for users relying on cloud storage solutions like OneDrive, as it allows for a refreshed operating system with minimal downtime and easy access to data. The streamlined approach is designed for users who frequently encounter Windows issues and need clean installations, enabling rapid replication of a base system with essential programs.
Windows 11 25H2 has a new option to remove all unwanted Microsoft apps
Winsage
July 7, 2025

Windows 11 25H2 has a new option to remove all unwanted Microsoft apps

The upcoming Windows 11 25H2 update will introduce a new policy called the Remove Default Microsoft Store Packages, which allows users to remove unwanted Microsoft applications in a single action through Group Policy. This feature aims to simplify the process of debloating Windows 11, which has historically been cumbersome. Users can find this setting under Computer Configuration > Administrative Templates > Windows Components > App Package Deployment. The policy currently supports the removal of various Microsoft applications but does not extend to third-party software. While initial tests show the policy functions as intended, further refinement is needed to address issues like orphaned shortcuts. This feature will not be available to Windows 11 Home users.
Building a Windows Storage Dashboard, Part 2: Collecting Historical Data
Winsage
June 25, 2025

Building a Windows Storage Dashboard, Part 2: Collecting Historical Data

The process of gathering historical data for a Windows storage dashboard involves two steps: creating a PowerShell script to collect and save the data, and configuring the Windows Task Scheduler to run this script at set intervals. The script collects data on file system drives using the Get-PSDrive cmdlet, creating a custom PowerShell object with columns for Timestamp, Drive, UsedGB, FreeGB, and TotalGB, which is then exported to a CSV file. The script specifies the CSV file path, appends new data without overwriting existing data, and excludes type information from the header. The generated CSV file includes a header row and records for each drive with their respective usage statistics.
Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT
Tech Optimizer
June 17, 2025

Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT

Threat actors are using a fileless variant of AsyncRAT, targeting German-speaking individuals with a deceptive verification prompt. This prompt misleads users into executing harmful commands. The malware employs obfuscated PowerShell scripts to operate in memory without creating files on disk, complicating detection by antivirus solutions. The attack begins with a fake verification page prompting users to click "I’m not a robot," which copies a malicious command to the clipboard. This command uses conhost.exe to run a hidden PowerShell instance that retrieves a payload from a remote server. The malware establishes a connection to a command-and-control server and maintains persistence through registry keys, enabling remote control and data exfiltration. Key tactics include stealth execution, in-memory C# compilation, and TCP-based communication over non-standard ports. The campaign has been active since at least April 2025. Indicators of Compromise (IOCs) include: - IP: 109.250.111[.]155 (Clickfix Delivery) - FQDN: namoet[.]de (Clickfix / C2 Server) - Port: 4444 (TCP Reverse Shell Listener) - URL: hxxp[:]//namoet[.]de:80/x (PowerShell Payload) - Registry (HKCU): SOFTWAREMicrosoftWindowsCurrentVersionRunOncewindows (Persistence on Boot) - Registry (HKCU): SOFTWAREMicrosoftWindows NTCurrentVersionWindowswin (Holds Obfuscated Command)
ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information
Tech Optimizer
June 9, 2025

ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information

The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs): - MD5: - 064b1e45016e8a49eba01878e41ecc37 - 0ed2d0579b60d9e923b439d8e74b53e1 - 0efe1a5d5f4066b7e9755ad89ee9470c - 197ff9252dd5273e3e77ee07b37fd4dd - 1ec4b69f3194bd647639e6b0fa5c7bb5 - URLs: - http://136.243.132.112/ut.exe - http://136.243.132.112:881/3.exe - http://136.243.132.112:881/APPDATA.exe - http://136.243.132.112:881/a.ps1 - http://136.243.132.112:881/firefoxtemp.exe - IPs: - 136.243.132.112 - 160.191.77.89 - 185.245.183.74 - 212.56.35.232 - 89.117.79.31
Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection
Tech Optimizer
May 23, 2025

Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has identified a new strain of backdoor malware that works with a Monero coin miner, utilizing the PyBitmessage library for covert P2P communications. This malware uses encryption to secure data exchanges and anonymize identities, complicating detection by security tools. It decrypts resources using XOR operations to deploy a Monero miner and a backdoor component. The Monero miner exploits the cryptocurrency's anonymity, while the backdoor, created with PowerShell, installs PyBitmessage and retrieves files from GitHub or a Russian file-sharing platform. Commands are executed as PowerShell scripts, making detection difficult. The malware may be distributed as legitimate software or cracked files. ASEC advises caution with unverified files and recommends keeping security solutions updated. Indicators of Compromise (IOCs): - MD5: 17909a3f757b4b31ab6cd91b3117ec50 - MD5: 29d43ebc516dd66f2151da9472959890 - MD5: 36235f722c0f3c71b25bcd9f98b7e7f0 - MD5: 498c89a2c40a42138da00c987cf89388 - MD5: 604b3c0c3ce5e6bd5900ceca07d587b9 - URLs: - http://krb.miner.rocks:4444/ - http://krb.sberex.com:3333/ - http://pool.karbowanec.com:3333/ - http://pool.supportxmr.com:3333/ - https://spac1.com/files/view/bitmessage-6-3-2-80507747/
Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network
Winsage
May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.
Search