rootkit

Winsage
June 17, 2026
The Windows variant of SprySOCKS malware, developed by the Chinese threat group Earth Lusca, targets government entities globally and features advanced capabilities such as rootkit-level stealth and extensive command-and-control (C2) functionalities. It operates on Windows systems, utilizing two main variants: WINDRV, which includes kernel drivers for stealth operations, and WINPLUS, a streamlined backdoor. The malware can communicate over TCP, UDP, and WebSocket, offering over 30 C2 commands for various operations, including system information gathering and keystroke logging. WINDRV loads a driver named ‘RawWNPF’ into memory using another signed kernel driver, allowing it to conceal processes and achieve persistence. The malware's design incorporates open-source elements and exploits vulnerabilities in the software supply chain, notably using a leaked certificate for driver signing. To combat SprySOCKS, organizations are advised to implement advanced endpoint detection and response (EDR) solutions, maintain regular patching, and manage supply chain risks vigilantly. The malware's adaptability and reliance on legitimate certificates complicate detection efforts, necessitating continuous refinement of security practices.
Winsage
June 15, 2026
Microsoft has expanded the rollout of the Secure Boot 2023 certificate update to more Windows 11 and Windows 10 devices with the June 2026 Patch Tuesday update (KB5094126). This update aims to ensure that most supported consumer PCs are classified as high confidence, meaning necessary certificates are either installed or will be applied automatically. Secure Boot is a firmware security feature that verifies the software attempting to load during the startup process, blocking unauthorized software. The certificates supporting Secure Boot, issued in 2011, are expiring in stages starting June 24, 2026, prompting Microsoft to deploy replacement certificates. Most home users do not need to take manual action as the updates will occur automatically via Windows Update. Users can check their Secure Boot certificate status in the Windows Security app. A yellow warning indicates pending compatibility data, while a red alert suggests a firmware incompatibility requiring a BIOS update. Multiple reboots during the update process are normal, and a new SecureBoot folder in Windows is for staging cryptographic files. Older PCs may experience longer update times, and some may not receive updates due to firmware issues. HP users should check for BIOS updates if encountering BitLocker recovery loops. IT administrators should monitor device classifications and manually initiate updates for devices not in the high confidence category. Devices with Secure Boot disabled cannot receive updates, leaving them vulnerable. The expiration of the Microsoft Corporation KEK CA 2011 certificate on June 24 does not immediately affect device functionality, but it limits Microsoft's ability to sign new bootkit blacklist updates.
AppWizard
April 25, 2026
McAfee researchers discovered a complex Android rootkit campaign, dubbed Operation NoVoice, that infiltrated 50 applications on Google Play, exploiting vulnerabilities in the kernel that had been patched but not uninstalled. The malware was resilient enough to survive factory resets and was concealed within seemingly benign apps, which collectively garnered 2.3 million downloads. The malicious payload was hidden in the com.facebook.utils package and used steganography to embed an encrypted payload within a PNG image. The malware conducted multiple checks to avoid detection and established contact with a command-and-control server, polling for exploit packages every 60 seconds. It utilized 22 distinct exploits, including vulnerabilities that had received patches between 2016 and 2021. The malware disabled SELinux enforcement and installed a persistent rootkit that could survive factory resets. Google confirmed the removal of the infected apps but noted that users who had already downloaded them remained at risk, especially if their devices were running unpatched Android versions. McAfee advised affected users to treat their devices as compromised and consider professional inspection or hardware-level storage wiping for remediation.
AppWizard
April 7, 2026
Recent findings from McAfee have revealed a malware campaign named Operation NoVoice that has infiltrated over 50 applications on the Google Play Store, which collectively received over 2.3 million downloads before being removed. The malware uses a rootkit attack strategy to gain administrator-level control of Android devices while remaining undetected. Affected apps appeared benign, performing tasks like cleaning files or managing photos, but were secretly communicating with a remote server to send device information. This allowed attackers to deploy custom exploit code, achieving root-level access and posing significant security risks. The malware persists even after factory resets, potentially requiring firmware reinstallation for complete removal. Users with older or unpatched Android versions are at greater risk, as well as anyone who downloaded the compromised apps.
AppWizard
April 3, 2026
Researchers at McAfee Labs discovered that 50 Android applications on the Google Play Store contain malware known as NoVoice, which can grant full remote access to infected smartphones. These apps have over 2.3 million downloads. The malware can communicate with remote servers, profile devices, and download tailored root exploits, potentially compromising specific hardware and software configurations. However, devices with an Android security patch level of May 2021 or later are not vulnerable to these exploits, as the vulnerabilities were patched by Android between 2016 and 2021. Google Play Protect removes these apps and blocks new installs, and users are advised to keep their devices updated with the latest security patches.
AppWizard
April 2, 2026
Researchers at McAfee have identified a malware strain named NoVoice that has infiltrated over 50 applications on the Google Play Store, leading to more than 2.3 million downloads. NoVoice exploits vulnerabilities in older Android kernels and GPU architectures, remaining active even after factory resets. It can inject malicious code into applications like WhatsApp, allowing it to hijack user sessions and spy on private conversations. Google has removed the affected applications, but the malware continues to pose a threat to already compromised devices.
Winsage
October 15, 2025
Microsoft has released security updates for 172 vulnerabilities in October, including six zero-day vulnerabilities. Three of these zero-days are actively exploited: 1. CVE-2025-59230: A local elevation of privilege (EoP) vulnerability in the Windows Remote Access Connection Manager that requires no user interaction. 2. CVE-2025-24990: An EoP vulnerability linked to the Agere Modem driver (ltmdm64.sys), which Microsoft has decided to remove instead of patching due to its legacy nature and associated risks. 3. CVE-2025-47827: A secure boot bypass vulnerability affecting IGEL OS, with a proof of concept available since May, allowing potential kernel-level rootkit deployment. Additionally, three publicly disclosed zero-days remain unexploited: - CVE-2025-0033: A critical vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), with no patch available. - CVE-2025-24052: An EoP vulnerability in the Agere Modem driver, similar to CVE-2025-24990. - CVE-2025-2884: An out-of-bounds read vulnerability in TCG TPM2.0 that could lead to information disclosure or denial of service. This month is the last Patch Tuesday for Windows 10 users to receive free updates, after which enrollment in Microsoft’s Extended Security Updates (ESU) scheme will be necessary for continued support.
Search