rootkit Archives

AppWizard

April 7, 2026

Researchers find 50 ‘dangerous’ Android apps that are secretly hijacking phones: Who is at risk

Recent findings from McAfee have revealed a malware campaign named Operation NoVoice that has infiltrated over 50 applications on the Google Play Store, which collectively received over 2.3 million downloads before being removed. The malware uses a rootkit attack strategy to gain administrator-level control of Android devices while remaining undetected. Affected apps appeared benign, performing tasks like cleaning files or managing photos, but were secretly communicating with a remote server to send device information. This allowed attackers to deploy custom exploit code, achieving root-level access and posing significant security risks. The malware persists even after factory resets, potentially requiring firmware reinstallation for complete removal. Users with older or unpatched Android versions are at greater risk, as well as anyone who downloaded the compromised apps.

AppWizard

April 3, 2026

Google Responds As 50 Apps With 2 Million Downloads Hit By Malware

Researchers at McAfee Labs discovered that 50 Android applications on the Google Play Store contain malware known as NoVoice, which can grant full remote access to infected smartphones. These apps have over 2.3 million downloads. The malware can communicate with remote servers, profile devices, and download tailored root exploits, potentially compromising specific hardware and software configurations. However, devices with an Android security patch level of May 2021 or later are not vulnerable to these exploits, as the vulnerabilities were patched by Android between 2016 and 2021. Google Play Protect removes these apps and blocks new installs, and users are advised to keep their devices updated with the latest security patches.

AppWizard

April 2, 2026

‘This rootkit is highly persistent; a standard factory reset will not remove it’: “NoVoice” Android malware on Google Play infects 50 apps across 2.3 million devices, here’s what we know

Researchers at McAfee have identified a malware strain named NoVoice that has infiltrated over 50 applications on the Google Play Store, leading to more than 2.3 million downloads. NoVoice exploits vulnerabilities in older Android kernels and GPU architectures, remaining active even after factory resets. It can inject malicious code into applications like WhatsApp, allowing it to hijack user sessions and spy on private conversations. Google has removed the affected applications, but the malware continues to pose a threat to already compromised devices.

AppWizard

April 1, 2026

‘NoVoice’ Android malware on Google Play infected 2.3 million devices

A new Android malware called NoVoice has been found in over 50 applications on Google Play, with more than 2.3 million downloads. The malware targets older Android versions, specifically those patched between 2016 and 2021, and attempts to gain root access by exploiting vulnerabilities. It conceals malicious components within the com.facebook.utils package and uses steganography to hide an encrypted payload within a PNG image file. NoVoice avoids infecting devices in certain regions and has checks to detect emulators and VPNs. Once activated, the malware contacts its command-and-control server to gather device information and polls it every 60 seconds for tailored exploits aimed at rooting the device. It can exploit 22 vulnerabilities, including kernel bugs, and establishes persistence by replacing key system libraries and installing recovery scripts. The malware injects code into applications, particularly targeting WhatsApp to extract sensitive data for session replication, which is then exfiltrated to the C2 server. The malicious apps containing NoVoice have been removed from Google Play, but users who installed them should consider their devices compromised. Upgrading to devices with later security patches is recommended to mitigate the threat.

Tech Optimizer

December 28, 2025

Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass

A malicious entity named AlphaGhoul has introduced a tool called NtKiller, designed to disable antivirus software and endpoint detection systems, posing a threat to organizations using traditional security measures. NtKiller was advertised on an underground forum, claiming to allow attackers to operate undetected while executing malware. It reportedly circumvents security programs like Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro, and can bypass enterprise-grade Endpoint Detection and Response solutions in aggressive modes. Analysts from KrakenLabs noted that NtKiller uses early-boot persistence mechanisms to evade detection and operates on a modular pricing structure, with core functionality available for [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A malicious entity known as AlphaGhoul has recently surfaced within the cybercriminal underworld, promoting a tool dubbed NtKiller. This tool is engineered to discreetly disable antivirus software and endpoint detection systems, posing a new threat to organizations that rely on traditional security measures. NtKiller was unveiled on an underground forum frequented by individuals seeking to buy and sell hacking services. The advertisement claims that this tool enables attackers to operate undetected while executing their malware on compromised machines. The introduction of NtKiller signifies a formidable challenge for businesses that depend on established security solutions. According to the threat actor, the tool is capable of circumventing several widely-used security programs, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. Alarmingly, it is also said to bypass enterprise-grade Endpoint Detection and Response (EDR) solutions when utilized in aggressive modes. Analysts from KrakenLabs have observed that NtKiller employs early-boot persistence mechanisms, allowing it to remain concealed and evade detection by security teams once activated. This stealthy approach complicates efforts to identify and eliminate the malware. Further investigation by KrakenLabs revealed that NtKiller operates on a modular pricing structure. The core functionality is available for 0, with additional features such as rootkit capability and User Account Control (UAC) bypass each priced at an extra 0. This pricing model indicates that the tool has been meticulously crafted for commercial distribution within the cybercriminal ecosystem. Beyond merely terminating processes, NtKiller is purported to support advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Technical capabilities The technical features attributed to NtKiller render it particularly perilous in the hands of adept attackers. The tool's early-boot persistence mechanism allows it to embed itself during system startup, prior to the activation of many security monitoring systems. This timing advantage facilitates the execution of malicious payloads in an environment where detection capabilities are significantly diminished. Moreover, the anti-debugging and anti-analysis protections embedded within NtKiller hinder researchers and automated tools from scrutinizing the malware's behavior, resulting in a substantial knowledge gap regarding its true capabilities versus its promotional claims. Another critical feature is the silent UAC bypass option, which enables malware to acquire elevated system privileges without triggering standard Windows prompts that could alert users to suspicious activities. When combined with rootkit functionality, this allows attackers to maintain persistent access to compromised systems while remaining undetected by conventional security measures. It is essential to highlight that these capabilities have yet to be independently verified by third-party researchers, leaving the actual effectiveness of NtKiller uncertain. Organizations are urged to remain vigilant and ensure their security tools incorporate behavioral detection mechanisms that extend beyond signature-based identification to effectively combat such emerging threats. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and additional features priced at 0 each. The tool supports advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Its silent User Account Control bypass option allows malware to gain elevated privileges without alerting users. The effectiveness of NtKiller's capabilities has not been independently verified, prompting organizations to enhance their security measures beyond signature-based detection.

Winsage

October 15, 2025

Last Windows 10 Patch Tuesday Fixes Six Zero Days

Microsoft has released security updates for 172 vulnerabilities in October, including six zero-day vulnerabilities. Three of these zero-days are actively exploited: 1. CVE-2025-59230: A local elevation of privilege (EoP) vulnerability in the Windows Remote Access Connection Manager that requires no user interaction. 2. CVE-2025-24990: An EoP vulnerability linked to the Agere Modem driver (ltmdm64.sys), which Microsoft has decided to remove instead of patching due to its legacy nature and associated risks. 3. CVE-2025-47827: A secure boot bypass vulnerability affecting IGEL OS, with a proof of concept available since May, allowing potential kernel-level rootkit deployment. Additionally, three publicly disclosed zero-days remain unexploited: - CVE-2025-0033: A critical vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), with no patch available. - CVE-2025-24052: An EoP vulnerability in the Agere Modem driver, similar to CVE-2025-24990. - CVE-2025-2884: An out-of-bounds read vulnerability in TCG TPM2.0 that could lead to information disclosure or denial of service. This month is the last Patch Tuesday for Windows 10 users to receive free updates, after which enrollment in Microsoft’s Extended Security Updates (ESU) scheme will be necessary for continued support.

Tech Optimizer

May 29, 2025

How to run an antivirus scan on your computer

When selecting antivirus software, understanding its functionality is crucial to ensure adequate protection. Running a virus scan involves opening the antivirus program, clicking the ‘Scan’ button, and allowing the software to operate. Automated scan schedules are important for consistent protection, especially during system startup to catch hidden malware. Key points for executing scans include avoiding heavy applications during the scan, utilizing the ability to pause scans, and ensuring laptops are charged and plugged in. During scans, the antivirus may identify potentially unwanted programs (PUPs), which should not be dismissed. After a scan, reviewing the results is essential, including threat names, severity ratings, affected files, and recommended actions. If threats are detected, correlating them with known vulnerabilities is advisable. Some malware may require a device restart or boot-time scanning for removal. Maintaining exportable logs can be beneficial for future reference. Post-scan, it is important to patch operating systems, change passwords if necessary, perform system backups, and establish a regular backup plan. Most antivirus programs offer features for automated scans and real-time protection, which should be utilized. Regular checks of reports are necessary to stay informed about device security. To maintain virus-free devices, users should avoid unknown links or email attachments, download software from legitimate sources, use strong passwords, back up important files, keep browsers updated, and enable multi-factor authentication. Regular virus scans are vital for safeguarding online presence and preventing performance issues.

Winsage

March 17, 2025

Invisible Windows Rootkit Hides Dangerous Files Using This Prefix

Obscure#Bat is a malware campaign targeting Windows users that uses obfuscated batch scripts to deploy a user-mode rootkit, which can hide its activities from standard security measures. It stores hidden scripts in the Windows Registry and can conceal files, registry entries, and running processes through application programming interface hooking. The malware can embed itself within legitimate Windows processes, making it undetectable by conventional security methods, and is capable of deleting evidence of its activity. Attackers use social engineering tactics, such as fake CAPTCHA tests and legitimate software tools, to lure victims into executing the malicious batch file. The rootkit obscures files, processes, or registry keys that begin with the “$nya-” prefix and is identified as an open-source ring-3 rootkit known as r77. It avoids kernel modifications and relies on registry and scheduled tasks for persistence, allowing it to evade detection by traditional kernel-based security tools. Windows users are advised to be cautious of social engineering tactics and to inspect batch files in a text editor before execution.

Tech Optimizer

February 27, 2025

New Malware Uses Legitimate Antivirus Driver to Bypass All System Protections

Cybersecurity researchers at Trellix have identified a malware campaign utilizing a legitimate antivirus driver, specifically the Avast Anti-Rootkit driver (aswArPot.sys), to gain kernel-level access and bypass security protocols. The malware, named “kill-floor.exe,” deploys the Avast driver as a file called “ntfs.bin” and registers it as a service using the Service Control utility (sc.exe) to obtain unrestricted privileges. It monitors active processes and terminates security-related processes by communicating with the Avast driver through the DeviceIoControl API. The malware exploits kernel-mode capabilities to execute actions that dismantle system defenses. Organizations are advised to implement BYOVD protection strategies, including detection rules for vulnerable drivers. Key indicators associated with this campaign include the MD5 hashes: 40439f39f0195c9c7a3b519554afd17a (kill-floor.exe) and a179c4093d05a3e1ee73f6ff07f994aa (ntfs.bin).

Winsage

February 11, 2025

Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391)

February 2025 Patch Tuesday has resulted in a significant update from Microsoft addressing 56 vulnerabilities, including two critical zero-day exploits: CVE-2025-21418 and CVE-2025-21391. CVE-2025-21418 is a vulnerability in the Windows Ancillary Function Driver (AFD.sys) that allows attackers to elevate their privileges on the target system. It requires an authenticated user to run a specially-crafted program that executes code with SYSTEM privileges. Since 2022, there have been nine elevation of privilege vulnerabilities associated with AFD.sys, with one previously exploited as a zero-day. The North Korean APT group, Lazarus Group, previously leveraged a related vulnerability (CVE-2024-38193) to implant a rootkit. CVE-2025-21391 affects Windows Storage across various Windows and Windows Server versions, allowing attackers to delete targeted files and potentially escalate privileges. This vulnerability is noted as the first time the technique has been exploited in the wild. Both zero-days are included in CISA’s Known Exploited Vulnerabilities catalog. Other vulnerabilities addressed include CVE-2025-21194, a security feature bypass affecting Microsoft Surface laptops, and CVE-2025-21377, an NTLMv2 hash disclosure vulnerability that could enable unauthorized authentication. CVE-2025-21376 is a critical remote code execution vulnerability that could be exploited by unauthenticated attackers through crafted requests to vulnerable LDAP servers, with Microsoft indicating that exploitation is likely.