Winsage
June 25, 2026
Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM. COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying. COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls. 
Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
AppWizard
June 24, 2026
A new US price point in cybersecurity has made advanced cyber capabilities accessible to a wider audience, including individuals who may want to cause harm for personal reasons rather than financial gain. In Australia, personal cyber insurance products have traditionally focused on risks like identity theft and financial fraud, driven by economic incentives. As the nature of cyber threats evolves, existing insurance products may not adequately cover risks from individuals motivated by personal grievances, prompting a need for insurers to reevaluate coverage, risk assessment, and customer education.
Winsage
June 24, 2026
Microsoft has rolled out the Point-in-time restore feature for Windows 11, enhancing recovery capabilities. Users need to install the June Week D preview update to access it, and the rollout is a Controlled Feature Release (CFR), meaning availability will vary by device. This feature is available in Windows 11 Enterprise, Pro, and Home editions, allowing users to revert systems to a prior state quickly. It offers automatic restore points, improved reliability, integrated management through the Settings app, lower storage impact, and future remote management capabilities via Intune. For Windows 11 Home and Pro users, Point-in-time restore is enabled by default in versions 24H2 and 25H2, and can be managed in the Settings app under System > Recovery > Point-in-time restore.
Winsage
June 24, 2026
Point-in-time restore is a new feature for Windows 11 that allows administrators to revert systems to a previous stable state, streamlining recovery from issues like problematic updates or software conflicts. It automatically generates restore points every 24 hours, retaining them for up to 72 hours and using a maximum of 2 percent of disk space. This feature is available on Windows 11 version 24H2 and later across all editions, including Enterprise, Pro, and Home. Administrators can initiate the restore process through the Windows Recovery Environment (Windows RE) by selecting a restore point. Future enhancements will include remote restore capabilities through Microsoft Intune.
Tech Optimizer
June 23, 2026
A critical security vulnerability, SVD-2026-0603 (CVE-2026-20253), has been identified in Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. The flaw allows unauthenticated remote attackers to create or truncate arbitrary files on the host system through the PostgreSQL Sidecar Service endpoints, specifically /v1/postgres/recovery/backup and /v1/postgres/recovery/restore, which are reachable without authentication. It is classified under CWE-306: Missing Authentication for Critical Function and carries a CVSS v3.1 base score of 9.8 (Critical). Crafted HTTP POST requests to the exposed endpoints can create or truncate files and potentially lead to execution of malicious scripts, so successful exploitation can result in full remote code execution (RCE) as the Splunk user. Exploitation in the wild has been confirmed, public proof-of-concept code is available, and the CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) list; both opportunistic cybercriminals and sophisticated threat actors are likely to use it. Indicators of compromise include unexpected files in directories such as /tmp/ or /opt/splunk/var/run/supervisor/pkg-run/, modified Splunk Python scripts, and unusual outbound connections from Splunk to unknown PostgreSQL servers. The vulnerability maps to MITRE ATT&CK techniques including T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). The issue is resolved in versions 10.0.7 and 10.2.4; organizations are advised to upgrade to a fixed version or, as a mitigation, disable the PostgreSQL Sidecar Service.
AppWizard
June 22, 2026
The Steam Machine retails starting at ,049 without a gamepad and ,128 bundled with one. Its performance does not significantly exceed that of the 5.5-year-old PS5, which offers sharper visuals in certain games. The Steam Machine operates more like a console than previous iterations, featuring a compact design and compatibility with modern gamepads. Valve claims to sell its components at cost, having negotiated with suppliers during a memory supply crisis. Users have reported technical issues, such as problems with the Steam Controller, sound output, and game downloads. The device requires manual adjustments for settings, lacks user-friendly configurations, and has questionable reliability with its sleep function. Valve plans to support AMD’s FSR 4 upscaling and is working on graphics driver updates. The Steam Machine is positioned as a versatile gaming and computing solution, but its limitations highlight the need for further refinement.
Winsage
June 22, 2026
Microsoft is enhancing its enterprise offerings with Microsoft Intune, a cloud-based service for managing mobile devices and applications. Intune allows IT administrators to control device usage, ensuring compliance with corporate policies, securing sensitive data through application management, and providing employees with flexible access to corporate resources from personal devices. Additionally, Microsoft promotes Microsoft Learn, an educational platform to help users understand Intune and other services.
AppWizard
June 21, 2026
A study published in the Entertainment Computing journal analyzed 86 games released on Steam from 2014 to 2022, finding that games with cracked versions available within the first week of launch experienced a 20% drop in revenue. If DRM delayed cracks by at least six weeks, the revenue decline was only 5%, and if DRM withstood cracks for three months, there was no significant loss in revenue. Denuvo's defenses have been breached within hours of game releases, and the future of DRM may rely more on contractual agreements than technology. Subscription-based gaming models, like Xbox's PC Game Pass, are emerging, allowing players to access games without owning them, which raises concerns about game ownership and the potential for titles to be removed from libraries. The rise of cloud gaming is seen as a solution to affordability issues for gamers, but it also leads to questions about the future of game ownership and piracy.