RDP Archives

Winsage

November 24, 2025

In wake of Windows 10 retirement, over 780,000 Windows users skip Win 11 for Linux, says Zorin OS developers — distro hits unprecedented 1 million downloads in five weeks

Zorin OS 18 has surpassed one million downloads, with over 78% of these coming from Windows systems. The latest version features a redesigned interface that combines elements of Windows 11 and MacOS, introduces Windows-style window tiling, and allows web-app integration for services like Office 365 and Google Docs. It includes a "Search Everywhere" function in the Files app, RDP remote-login support, and improved Bluetooth audio through the PipeWire audio stack. Zorin OS 18 is a Long Term Support release, guaranteeing updates until 2029. The release coincides with the end of support for Windows 10, leading to increased interest in alternatives among Windows users.

Winsage

November 13, 2025

U.S. CISA adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include critical flaws in WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox. 1. WatchGuard Firebox Vulnerability (CVE-2025-9242): This vulnerability has a CVSS score of 9.3 and allows unauthenticated attackers to execute arbitrary code through an out-of-bounds write flaw. It affects Fireware OS versions 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1. The vulnerability impacts the Mobile User VPN and Branch Office VPN configured with IKEv2. 2. Gladinet Triofox Vulnerability (CVE-2025-12480): This improper access control vulnerability allows threat actors to bypass authentication and upload remote access tools. It has been linked to threat cluster UNC6485 and is the third Triofox issue exploited this year, following CVE-2025-30406 and CVE-2025-11371. 3. Microsoft Windows Vulnerability (CVE-2025-62215): This race condition vulnerability has a CVSS score of 7 and allows an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. Federal agencies must address these vulnerabilities by December 3, 2025, as per Binding Operational Directive (BOD) 22-01. Private organizations are also advised to review the KEV catalog to strengthen their cybersecurity measures.

Tech Optimizer

November 11, 2025

Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

A critical security vulnerability (CVE-2025-12480) has been identified in Gladinet's Triofox platform, allowing attackers to bypass authentication and access sensitive configuration pages. This vulnerability has a CVSS score of 9.1 and has been exploited by a threat cluster known as UNC6485 since August 24, 2025. Despite patches issued by Gladinet, attackers created a new admin account to execute malicious code, including a batch script that downloaded tools for remote access. They used these tools for reconnaissance and privilege escalation. Mandiant recommends that Triofox users update to the latest version and audit admin accounts.

Winsage

October 22, 2025

Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025

Microsoft has identified an authentication issue affecting users of Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025, due to updates rolled out since late August 2025. These updates have caused failures in Kerberos and NTLM protocols on devices with identical Security Identifiers (SIDs), leading to widespread login disruptions in enterprise networks. Users have reported repeated credential prompts, error messages, and compromised network access, including issues with Remote Desktop Protocol (RDP) sessions and Failover Clustering operations. Event Viewer logs indicate machine ID mismatches and potential session discrepancies. The problem is particularly severe in virtual desktop infrastructure (VDI) environments where multiple machines share SIDs. Microsoft has emphasized the importance of using the Sysprep tool to ensure unique SIDs during cloning, as the recent updates now strictly verify SIDs during authentication. IT administrators can temporarily alleviate the authentication blocks with a specialized Group Policy, but a permanent solution involves rebuilding devices using approved cloning procedures. As of October 21, 2025, no broader patch has been released.

Winsage

October 9, 2025

Tested: Why Remote Desktop Protocol (RDP) rejects Microsoft account logins

Some users are experiencing issues with Remote Desktop Protocol (RDP) rejecting Microsoft Account (MSA) credentials, displaying an error message about invalid credentials. This problem can arise from various technical factors, including: - Credential validation failures due to issues with Microsoft server interactions. - Problems with secure channel negotiation during the authentication process. - Time synchronization or DNS resolution issues affecting credential verification. - Misconfigured credential policies that block MSA logins over RDP. - Network-Level Authentication requirements that may hinder access if the MSA does not meet security standards like two-factor authentication. - Account restrictions or conditional access policies that impose specific compliance requirements. - Corruption of the user profile associated with the MSA. - Software conflicts or updates, particularly with recent Cumulative Updates or third-party security tools. To address MSA authentication failures, creating a local administrator account on the target machine can serve as a workaround for RDP access. Some users have noted that while most PCs function well with an MSA, certain systems require a local account for successful connections, particularly on Windows versions 24H2 and 25H2 within Insider Preview builds.

Tech Optimizer

October 6, 2025

Ransomware Gangs Exploit Remote Access Tools to Stay Hidden and Maintain Control

Modern ransomware operations have evolved into complex, multi-stage campaigns that utilize legitimate Remote Access Tools (RATs) to maintain stealth and persistently dismantle organizational defenses. Ransomware encrypts critical data and demands ransom for restoration, with current operations being highly targeted compared to earlier mass phishing attacks. Attackers exploit trusted administrative software like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy payloads across networks, moving laterally and evading detection. The ransomware kill chain consists of several stages: 1. Initial Access: Attackers gain access through credential compromise, often targeting administrator accounts. 2. Remote Tool Abuse: Attackers deploy RATs either by hijacking existing tools or performing silent installations. 3. Persistence & Privilege Consolidation: They maintain persistence using registry keys and scheduled tasks while escalating privileges. 4. Antivirus Neutralization & Anti-Forensics: Attackers stop antivirus services, manipulate policies, and clear logs to evade detection. 5. Payload Deployment & Execution: Ransomware is delivered and executed within remote sessions to avoid suspicion. Commonly abused RATs include AnyDesk, UltraViewer, AppAnywhere, RustDesk, Splashtop, and TightVNC, which have been associated with various ransomware campaigns. Understanding the tactics and techniques used by adversaries is crucial for effective defense, as they exploit legitimate tools to bypass security measures. Emerging trends include AI-driven RAT deployment, cloud-based RAT abuse, and the integration of RATs in ransomware-as-a-service offerings. A comprehensive defense strategy involves multiple layers of security, including virus protection, behavior-based detection, and application control, to counter the risks posed by RAT abuse in ransomware attacks.

Winsage

September 24, 2025

Windows 11 KB5065790 23H2 released, direct download links (.msu)

Windows 11 KB5065790 is being rolled out for version 23H2, focusing on bug fixes and signaling the end of service for this version on November 11, 2025. This update does not introduce new features. Users can manually install the optional update via the settings app or use an offline installer file (.msu) if they encounter issues. The update resolves login issues for users with SIM-type authentication and disconnection problems during Remote Desktop Protocol (RDP) sessions. Additionally, an Out-of-band update for Windows 11 24H2 addresses urgent issues, excluding SMB protocol problems, and resolves issues affecting Microsoft Office applications in App-V environments, as well as bugs in Microsoft Edge and printer queue UI crashes. The SMB file sharing issue remains unresolved in the OOB update for 24H2.

Winsage

September 8, 2025

MostereRAT Targets Windows Users With Stealth Tactics

A recent investigation by cybersecurity experts revealed a sophisticated phishing campaign utilizing a new strain of malware called MostereRAT, which targets Microsoft Windows systems. This Remote Access Trojan (RAT) allows attackers extensive control over compromised devices and employs advanced evasion techniques, including being crafted in the Easy Programming Language (EPL). MostereRAT can disable security tools, obstruct antivirus traffic, and establish secure communications with its command-and-control server through mutual TLS (mTLS). The attack begins with phishing emails aimed at Japanese users, leading to the download of a Word document that contains a concealed archive. This prompts the user to execute an embedded executable, activating the malware, which installs itself in the system directory and creates services with SYSTEM-level privileges. It also displays a deceptive message in Simplified Chinese to further spread the malware. MostereRAT can disable Windows Update, terminate antivirus processes, and impersonate the TrustedInstaller account to escalate privileges. Its functionalities include keylogging, system information collection, downloading and executing payloads, creating hidden administrator accounts, and running remote access tools like AnyDesk and TightVNC. Some components of MostereRAT's infrastructure were previously linked to a banking trojan reported in 2020.

Winsage

August 22, 2025

Linux Fu: Windows Virtualization The Hard(ware) Way

The Linux community faces challenges when certain applications are only available on Windows, despite solutions like Wine and virtual machines. A new approach using hardware instead of virtualization has emerged. The author received a Surface Laptop 2 that was non-functional until the keyboard was removed, revealing it was operational. While transitioning Windows installations from VirtualBox to KVM, the author discovered WinApps, a script that allows Windows applications to run on a Linux desktop via a virtual machine. However, this setup caused performance issues due to constant disk activity. The author experimented with connecting WinApps to a physical Windows machine on the network, successfully running Windows software directly on their desktop. The setup required executing an installation script on the Windows machine and making registry changes to enable RDP applications. Minor hurdles included compatibility issues with a dual-monitor setup and user permission bugs. Ultimately, Microsoft Word ran smoothly on the author's KDE desktop, demonstrating the potential for utilizing older computers for occasional tasks.

Tech Optimizer

August 8, 2025

Cyberattackers Leverage Trusted Drivers to Disable Antivirus Software and Bypass Security Protocols

A cyberattack on a Brazilian enterprise involved the use of legitimate, digitally signed drivers to disable antivirus solutions and deploy MedusaLocker ransomware. The attackers executed a Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting the ThrottleStop.sys driver, which has a critical vulnerability (CVE-2025-7771) allowing unauthorized memory access. They compromised an SMTP server using valid RDP credentials, extracted user credentials with Mimikatz, and moved laterally across the network. The attackers uploaded and executed an AV killer program and a renamed version of the driver, terminating antivirus processes to facilitate ransomware deployment. The malware targeted major antivirus vendors and employed kernel-level commands to eliminate security processes. Recommendations for defense include multi-factor authentication, hardening RDP access, and implementing layered security measures.