redirection

Tech Optimizer
February 10, 2026
GuLoader, also known as CloudEye, is a downloader malware that has been active since late 2019, primarily used to fetch and install secondary malware like Remote Access Trojans (RATs) and information stealers. It employs legitimate cloud services such as Google Drive and Microsoft OneDrive to host its malicious payloads, allowing it to evade detection by security tools. GuLoader utilizes advanced techniques including polymorphic code, which alters its appearance to avoid static detection signatures, and exception-based control flow to confuse analysis tools. Over the years, GuLoader has refined its tactics, including the use of software breakpoints and various exception types to redirect its operations. It also employs dynamic XOR encryption to obfuscate internal data, making it difficult for analysts to extract URLs. The malware's continuous evolution poses ongoing challenges for security researchers. Indicators of Compromise (IOCs) include specific hash values for different versions of GuLoader from 2022 to 2024.
Winsage
January 12, 2026
A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.
AppWizard
December 18, 2025
A new Android malware campaign has been launched by the North Korean threat actor Kimsuky, introducing a variant called DocSwap. This malware is distributed via QR codes on phishing websites that impersonate CJ Logistics. Attackers use QR codes and notification pop-ups to lure victims into downloading the malware, which decrypts an embedded APK and activates Remote Access Trojan (RAT) capabilities. The malicious app is disguised as a legitimate application to bypass Android's security measures. Victims are tricked into installing the app through smishing texts or phishing emails that mimic delivery companies. The app downloads an APK named "SecDelivery.apk," which then loads the malware. It requests permissions to access various device functions and registers a service that simulates an OTP authentication screen. The app connects to an attacker-controlled server, allowing execution of commands such as logging keystrokes, capturing audio, and gathering sensitive information. Additionally, two other malicious samples have been identified, disguised as a P2B Airdrop app and a trojanized version of the BYCOM VPN app. The campaign also includes phishing sites mimicking popular South Korean platforms to capture user credentials.
Winsage
December 15, 2025
The article discusses the potential of extending the lifespan of aging Windows 10 hardware by repurposing it with 10ZiG's RepurpOS, particularly on a Dell Latitude E7440. It evaluates how well RepurpOS handles Virtual Desktop Infrastructure (VDI) workloads, including tests with Microsoft Office applications, high-resolution video streaming, and unified communications via Zoom. The performance during these tests was comparable to that of a Windows 11 system. RepurpOS supports dual-monitor setups and utilizes Multimedia Redirection (MMR) to optimize unified communications processing. It also allows access to SaaS applications through a local web browser, with Google Chrome functioning smoothly for tasks like streaming and using MS Office 365. Additionally, 10ZiG introduced the 10ZiG Secure Browser to enhance web security for businesses. The dual monitor support was confirmed, allowing for independent and mirrored display modes.
Tech Optimizer
November 2, 2025
An upgraded release of the EDR-Redir V2 tool has been developed to circumvent Endpoint Detection and Response (EDR) systems by using Windows bind link technology. This version targets the parent directories of EDR installations, such as Program Files, and creates redirection loops that blind security software while keeping legitimate applications intact. Unlike its predecessor, EDR-Redir V2 uses a more complex mechanism that loops subfolders back to themselves, isolating the EDR's path for manipulation without triggering alarms. The tool utilizes the bind link feature from Windows 11 24H2, allowing filesystem namespace redirection without needing kernel privileges. EDR solutions typically secure their subfolders but cannot entirely restrict writes to parent directories. EDR-Redir V2 queries all subfolders in a targeted parent directory and mirrors them in a controlled directory, establishing bidirectional bind links that create loops for normal access by non-EDR software. In a demonstration against Windows Defender, EDR-Redir V2 successfully redirected access to its operational files, making Defender blind to its actual files. This technique highlights vulnerabilities in EDR systems regarding filesystem manipulations at the parent directory level, suggesting that folder-specific safeguards are inadequate. Although there are no widespread reports of exploits using this method, it poses significant concerns for enterprise environments, prompting security teams to monitor bind link usage in critical directories and implement integrity checks on EDR paths.