remote access Archives

Winsage

April 7, 2026

“This was not opportunistic. It was precision.” — How North Korean hackers used Microsoft Teams and Slack to compromise Windows PCs with an elaborate ploy

On March 30, 2026, axios, a JavaScript HTTP client library, was temporarily compromised by suspected North Korean hackers who hijacked maintainer Jason Saayman's account. This allowed them to publish two malicious versions of axios on npm. The malicious versions were identified and removed within three hours by StepSecurity. A post-mortem blog on GitHub provided security measures for users of Windows, macOS, and Linux, highlighting risks from a Remote Access Trojan (RAT) introduced during the breach. The attack was attributed to a group known as UNC1069, which has been active since at least 2018. Two weeks prior to the breach, Saayman was targeted in a social engineering campaign where attackers posed as a legitimate company founder, leading him to install the RAT via a fake update during a Microsoft Teams meeting. Microsoft Teams was not compromised; it was used as a delivery method for the Trojan. Saayman noted the operation's sophistication.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

Winsage

April 4, 2026

WhatsApp Malware Campaign Uses VBS to Hijack Windows

Microsoft has identified a cyberattack campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files targeting Windows systems. First detected in late February 2026, the campaign employs social engineering to trick users into executing the VBS files, which then create hidden directories and disguise themselves as legitimate Windows utilities. The malware downloads additional payloads from cloud platforms like AWS, Tencent Cloud, and Backblaze B2 to establish persistence and escalate privileges. It can bypass User Account Control (UAC), alter registry settings, and install malicious MSI packages, including remote access tools like AnyDesk, to maintain continuous access for attackers.

AppWizard

April 3, 2026

Google Responds As 50 Apps With 2 Million Downloads Hit By Malware

Researchers at McAfee Labs discovered that 50 Android applications on the Google Play Store contain malware known as NoVoice, which can grant full remote access to infected smartphones. These apps have over 2.3 million downloads. The malware can communicate with remote servers, profile devices, and download tailored root exploits, potentially compromising specific hardware and software configurations. However, devices with an Android security patch level of May 2021 or later are not vulnerable to these exploits, as the vulnerabilities were patched by Android between 2016 and 2021. Google Play Protect removes these apps and blocks new installs, and users are advised to keep their devices updated with the latest security patches.

Winsage

April 3, 2026

Microsoft now force upgrades unmanaged Windows 11 24H2 PCs

Microsoft has begun upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to the latest Windows 11 25H2 version. Support for Windows 11 24H2 will end on October 13, 2026. The 25H2 version rollout started in September and is delivered through compact enablement packages. The update is now available for all unmanaged devices running Windows 11 24H2, and those devices will stop receiving critical updates. Users can manually check for the update or pause it through the settings menu. Microsoft has provided a support document and guide for the upgrade process.

Winsage

April 1, 2026

New Windows 11 emergency update fixes preview update install issues

Microsoft released an out-of-band update (KB5086672) to address installation issues caused by the March 2026 non-security preview update (KB5079391) for Windows 11 versions 24H2 and 25H2. The initial update led to errors indicating missing or problematic update files, prompting Microsoft to halt its rollout. The new emergency update consolidates previous updates and is available through Windows Update for automatic installations or can be manually accessed via Settings. Additionally, Microsoft has addressed issues from earlier Patch Tuesday security updates affecting sign-ins with Microsoft accounts and has released two other out-of-band updates targeting Bluetooth visibility bugs and security vulnerabilities in the Routing and Remote Access Service. Guidance has also been provided for resolving access issues on C: drives of Samsung Windows 11 laptops linked to specific Samsung applications.

AppWizard

March 30, 2026

Google Significantly Restricts Popular Android Feature

Google is transforming the Android operating system to enhance security by imposing stricter regulations on app distribution, particularly affecting sideloading. Developers will be categorized as verified or unverified, with registered developers benefiting from a streamlined app distribution process. New regulations will introduce a four-step process for installing apps from external sources, including a 24-hour timer before installation. This aims to deter fraud but may discourage users from pursuing alternative apps. The restrictions could limit opportunities for independent developers and reduce the diversity of available applications on the platform, shifting Android towards a more controlled environment.

AppWizard

March 25, 2026

FBI warns of Russian, Iranian cyber activity involving messaging platforms

The FBI issued alerts regarding cyber campaigns by Russian and Iranian actors targeting messaging platforms. Russian intelligence services are reportedly infiltrating applications like Signal, leading to unauthorized access of thousands of accounts of U.S. government officials, military personnel, political figures, and journalists. Russian operatives are using phishing messages disguised as support notifications to trick users into providing verification codes or account PINs, potentially allowing attackers to take over accounts. Once compromised, attackers can access messages, contact lists, and launch further phishing attempts. The advisory emphasizes that while Signal is targeted, similar tactics can affect any messaging app. In a separate alert, the FBI highlighted Iran’s Ministry of Intelligence and Security (MOIS) using Telegram to distribute malware aimed at Iranian dissidents and journalists, enabling them to steal sensitive information. This malware often disguises itself as legitimate software and connects to Telegram bots for remote access and data exfiltration. The FBI linked these activities to the Handala Hack group, which claimed responsibility for a recent attack on medical device manufacturer Stryker. The malware can be introduced through social media by hackers posing as technical support. Experts note that the use of Telegram for cyber compromises is increasing, as it helps malicious actors avoid detection by blending their traffic with trusted platforms.

Winsage

March 24, 2026

Microsoft Announces WSL Upgrades for Windows 11

Microsoft has announced enhancements for the Windows Subsystem for Linux (WSL) to improve the experience for developers using Linux tools on Windows. Key areas of focus include: - Faster file performance between Linux and Windows - Improved network compatibility and throughput - A more streamlined first-time setup and onboarding experience - Enhanced enterprise management with stronger policy control, security, and governance Networking improvements are particularly significant, addressing past issues with mirrored networking that caused “No route to host” errors. Additionally, a new dxgkrnl driver patch has been submitted to improve GPU support for WSL2, introducing compute-only GPU capabilities and support for multiple virtual GPUs. Pavan Davuluri, Microsoft VP for Windows and Devices, emphasized ongoing quality improvements for Windows 11, including reducing Copilot integration in built-in applications, enhancing Bluetooth and USB reliability, and improving search functionality and responsiveness. Despite these commitments, concerns remain, such as the mandatory Microsoft Account sign-in requirement.

AppWizard

March 24, 2026

Google’s going to make it more difficult to sideload apps on Android phone

Google is implementing a new "advanced flow" for sideloading apps on Android to enhance security. This change will introduce multiple steps before sideloading can occur, including enabling Developer Mode, confirming the user's intent, and requiring a device restart and re-authentication. A mandatory one-day "security wait" will also be introduced, which can be verified through biometrics or a PIN, allowing users time to reconsider their decision. After this initial wait, sideloading can be enabled indefinitely or temporarily for seven days. Android will continue to warn users about unverified apps, and these changes aim to protect users from scams that pressure them into installing harmful software. Additionally, Google is planning stricter checks for app distribution and launching "limited distribution" accounts for developers.