Registry Archives

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.

Winsage

November 25, 2025

ClickFix attack uses fake Windows Update screen to push malware

Recent observations have identified ClickFix attack variants where cybercriminals use deceptive Windows Update animations on full-screen browser pages to hide malicious code within images. Victims are misled into executing harmful commands through specific key sequences that copy and execute commands via JavaScript. Security researchers have documented these attacks since October, noting the use of LummaC2 and Rhadamanthys information stealers. Attackers utilize steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by initiating calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, the Rhadamanthys variant's payload delivery through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate risks.

Winsage

November 25, 2025

ClickFix Attack Uses Steganography to Hide Malicious Code in Fake Windows Security Update Screen

A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.

Winsage

November 24, 2025

How to get free Windows 10 security patches on your PC – from now to October 2026

Windows updates will roll out automatically on November 11. Official support for Windows 10 has ended, meaning PCs with default settings will no longer receive monthly security updates. Microsoft has introduced Extended Security Updates (ESU) for Windows 10, allowing users to receive security updates until October 2026. Any personal Windows 10 PC running version 22H2 can access free ESU subscriptions, excluding Enterprise and Education editions. Enrollment requires a Microsoft account and is available for up to 10 PCs. In Europe, customers in the EEA qualify for free ESU subscriptions without needing a Microsoft account. Enterprise customers will incur higher costs for commercial ESU subscriptions. Users must ensure they meet eligibility requirements to see the ESU offer.

Winsage

November 23, 2025

Windows: New “Digital Signage Mode” Ends Bluescreens

The new Digital Signage Mode introduced by Microsoft allows Windows to display system error messages, such as the Blue Screen of Death, for only 15 seconds before turning the screen black. This feature aims to prevent public visibility of technical errors on digital signage while still allowing support teams to address issues. The mode also applies to other disruptive Windows dialogs, but it is specifically designed for non-interactive public displays and does not extend to kiosks, which require direct user interaction. The mode can be enabled through the Windows Settings app or a registry key.

Winsage

November 21, 2025

Singin’ the Agentic Windows blues

Microsoft is evolving its Windows operating system into an agentic OS, which will connect devices, cloud, and AI to improve productivity and security. This includes the introduction of Microsoft’s Agent Workspace and Copilot Actions in Windows 11, allowing users to operate AI agents within secure workspaces. These agents will have distinct user accounts, known as Agent IDs, separate from the primary user account for enhanced security. To function effectively, these AI agents will need access to the primary user’s account permissions through the Windows On-Device Registry (ODR), enabling them to manage files, automate tasks, modify settings, and interact with system tools.

Winsage

November 20, 2025

Evicting Copilot: The Insider’s Guide to Purging AI from Windows 11

Microsoft's Windows 11 has introduced Copilot, an AI assistant aimed at enhancing productivity, but it has faced criticism from users concerned about privacy and resource usage. Copilot offers features like document summarization and image generation, but some users have labeled it an unwelcome presence. During the March 2025 Patch Tuesday, some users experienced Copilot being inadvertently uninstalled. Privacy concerns and performance issues have led many to seek ways to disable or remove Copilot, with methods including hiding the Copilot button, using Group Policy Editor, editing the Windows Registry, and uninstalling the app through Settings or PowerShell commands. In corporate environments, IT administrators can disable Copilot using Intune or Group Policy. Users have reported that Windows updates can reinstall Copilot, prompting them to disable automatic updates or block related domains. Recent user sentiment indicates growing fatigue with AI features, and there is potential for Microsoft to introduce easier opt-out options in future updates.

Winsage

November 18, 2025

Windows Is Becoming An Operating System For AI Agents

Microsoft Windows is evolving to incorporate AI agents that act autonomously, resembling digital coworkers. This shift is facilitated by the Model Context Protocol (MCP), which standardizes agent interactions with tools and data sources, ensuring secure access to system resources. Windows introduces an on-device registry of "agent connectors" for functionalities like file access and system settings, managed through an OS-level proxy that oversees identity, permissions, consent, and audit logging. The initial connectors focus on File Explorer and System Settings, defining clear capabilities and restrictions for agents. A transparent consent model allows users to manage permissions easily, promoting a user-friendly experience. The introduction of an Agent Workspace provides a dedicated environment for agents, ensuring they operate independently and with least-privileged access. Security measures include signed connectors and a standardized proxy for authentication and auditing, enabling visibility into agent actions. Windows is also expanding on-device AI processing with APIs for various functionalities, allowing agents to leverage local models securely. While Windows is not becoming an agent-first operating system, it is establishing a framework for human and agent interactions, positioning itself as a safe environment for AI operations. The foundational elements for this evolution include standard interfaces, clear permissions, isolated environments, and system-level observability.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

Winsage

November 17, 2025

Windows 11 users just got a more convenient way to store passkeys – here’s how it works

The technology behind passkeys involves cryptographic keys and standards like FIDO2 and WebAuthn, but users can enhance their security by creating passkeys whenever offered by websites or apps, using face recognition, fingerprints, or PINs. Users can accumulate multiple passkeys for easier sign-in across services. 1Password is set to integrate a new native passkeys plugin API with Windows 11, allowing users to manage passkeys through 1Password while using Windows Hello for authentication. This integration requires the latest version of Windows 11 and the MSIX version of the 1Password app. Users can enable the passkey feature in 1Password and designate it as the system authenticator in Windows settings. Other password managers may also adopt this integration, and Windows is introducing its own passkey sync mechanism through the Microsoft Password Manager in Edge. Passkeys do not replace existing credentials but serve as a secure alternative to usernames and passwords, with some services offering fully passwordless options.