Researcher

Winsage
April 19, 2026
Microsoft has rolled out Windows 11 Builds 26100.8313 and 26200.8313 to the Release Preview Channel, emphasizing its focus on integrating artificial intelligence into the operating system. The company plans to introduce AI "Agents" in the taskbar, including the Microsoft 365 Researcher, which will enhance user workflows by tracking progress and providing notifications. These AI Agents will be able to act across multiple applications, summarize content, extract data, automate tasks, and manage productivity workloads autonomously. The taskbar will also support third-party AI Agents, allowing developers to create their own. The Microsoft 365 Researcher is part of the Microsoft 365 Copilot suite, which requires a subscription for access. Users who opt out of Copilot will miss out on the benefits of these AI applications.
Winsage
April 19, 2026
Three vulnerabilities in Microsoft Defender, known as BlueHammer (CVE-2026-33825), RedSun, and UnDefend, are being actively exploited by hackers. BlueHammer has been patched, while RedSun and UnDefend remain unpatched. The public release of exploit code has accelerated real-world attacks, affecting Windows 10, Windows 11, and Windows Server systems. Attackers have begun exploiting these vulnerabilities, leading to concerns about privilege escalation, disruption of security updates, and the rapid spread of attacks.
Winsage
April 19, 2026
Microsoft is integrating AI agents into the Windows 11 taskbar, allowing users to invoke these agents, including third-party options, directly from the taskbar. This feature will be optional and not enabled by default. The AI agents, such as Microsoft 365 Researcher, can operate autonomously to perform tasks like planning, researching, and executing actions without user intervention. Users can activate these agents by hovering over the Microsoft 365 Copilot icon on the taskbar. The Microsoft 365 Researcher can conduct complex research tasks and generate reports using files from OneDrive or Microsoft 365, but it requires a Microsoft 365 subscription to access. A new feature called ‘Ask Copilot’ may enhance the search experience by allowing users to tag and trigger agents using the “@” symbol. This functionality is supported by the Model Context Protocol (MCP), which connects AI models with applications and files. Developers can integrate their agents using the Windows.UI.Shell.Tasks API. Despite earlier statements about reducing AI in Windows 11, Microsoft is adopting a more selective approach to AI integration, ensuring that the use of taskbar agents remains optional and not intrusive. The company is phasing out Copilot branding in certain applications while maintaining AI capabilities in a streamlined manner.
Winsage
April 18, 2026
A vulnerability has been discovered in Windows Defender that allows standard users to exploit a logic error in the file remediation process, enabling code execution with elevated privileges without administrative access. This flaw, identified by security researcher Chaotic Eclipse, occurs because Windows Defender does not verify if the restoration location of flagged files has been altered through a junction point. The exploit, named RedSun, takes advantage of a missing validation in the MpSvc.dll file, allowing attackers to redirect file restoration to the C:\Windows\System32 directory. RedSun operates by chaining together four legitimate Windows features: Opportunistic Locks (OPLOCKs), Cloud Files API, Volume Shadow Copy Service (VSS), and Junction Points. The execution of the exploit involves monitoring shadow copies, triggering Defender's detection, synchronizing OPLOCKs, and ultimately writing malicious binaries to the System32 directory. The root cause is the lack of reparse point validation in the restoration process, and currently, no patch or CVE has been assigned for this vulnerability. It affects Windows 10, Windows 11, and Windows Server 2019 and later, and organizations are advised to implement behavioral detection strategies until a fix is available.
Winsage
April 18, 2026
A new zero-day vulnerability in Microsoft Defender has been disclosed by a researcher known as "Chaotic Eclipse," who has created a proof-of-concept exploit called "RedSun." This vulnerability allows local privilege escalation to SYSTEM level on Windows 10, Windows 11, and Windows Server when Microsoft Defender is active. The vulnerability has attracted attention from antivirus vendors, with some detecting it on VirusTotal due to an embedded EICAR test string in the executable. Chaotic Eclipse previously disclosed another vulnerability named BlueHammer, which also allowed local attackers to gain SYSTEM or elevated permissions. The researcher expressed dissatisfaction with Microsoft's vulnerability disclosure process, recounting negative interactions with the company. A Microsoft spokesperson stated the company's commitment to investigating security issues and supporting coordinated vulnerability disclosure.
Winsage
April 18, 2026
A researcher known as “Chaotic Eclipse” has revealed a new zero-day vulnerability in Microsoft Defender, called “RedSun,” which allows local privilege escalation to SYSTEM privileges on Windows 10, Windows 11, and Windows Server when Microsoft Defender is enabled. The exploit has been confirmed to function correctly, and some antivirus vendors have begun detecting it. This follows another vulnerability disclosure by the same researcher, named BlueHammer, which also allows local attackers to elevate permissions. Chaotic Eclipse expressed dissatisfaction with Microsoft’s handling of vulnerability disclosures, claiming they were threatened and experienced frustration with the company’s response. A Microsoft spokesperson stated the company is committed to investigating reported security issues and supports coordinated vulnerability disclosure.
Winsage
April 17, 2026
Hackers have exploited vulnerabilities in Windows systems, specifically targeting three flaws: BlueHammer, UnDefend, and RedSun. BlueHammer has been patched by Microsoft, while UnDefend and RedSun remain unaddressed. The exploitation is linked to code published by a researcher named Chaotic Eclipse, who criticized Microsoft for its response to vulnerabilities. All three flaws affect Windows Defender, potentially giving attackers high-level access to affected systems. Microsoft emphasized the importance of coordinated vulnerability disclosure to protect customers and the research community. The situation underscores the ongoing struggle between cybersecurity defenders and cybercriminals.