scheduled tasks

Winsage
June 12, 2025
A vulnerability designated CVE-2025-33067 has been identified in the Windows Task Scheduler. It allows a local attacker to escalate privileges to SYSTEM without prior administrative rights; Microsoft rates it "Important" with a CVSS score of 8.4, and the root cause is improper privilege management within the Windows Kernel's task scheduling component. It affects multiple Windows versions, including Windows 10 (versions 1607, 1809, 21H2 and 22H2), Windows 11 (22H2, 23H2 and 24H2) and Windows Server 2016 through 2025. Microsoft released security updates on June 10, 2025, to address the flaw across 27 Windows configurations. Exploitation requires local access but no prior privileges and no user interaction, so any code already running as a standard user on an unpatched host can reach SYSTEM. Security researcher Alexander Pudwill discovered and reported the vulnerability.
Tech Optimizer
June 3, 2025
Cybersecurity experts have highlighted the risks of typosquatting, where developers install malicious packages because they mistype the name of a legitimate one. A Checkmarx report shows how attackers exploit this trust by publishing counterfeit packages that grant unauthorized access to systems. Malicious packages found on the Python Package Index (PyPI) enable remote control of the victim machine, posing a serious threat to system integrity. Attackers also use a cross-platform strategy, reusing names familiar from other programming ecosystems to catch unsuspecting users. On Windows, the malware creates scheduled tasks and disables antivirus protections; on Linux, certain packages open encrypted reverse shells used for data exfiltration. Although the malicious packages have been removed, the technique remains in use, so developers should verify package sources and spellings before installing. Checkmarx recommends that organizations audit deployed packages and scrutinize application code.
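The audit Checkmarx recommends can start with a near-miss check: flag any dependency whose name is one or two edits away from a package you actually intend to use. The following is an added example, not code from the Checkmarx report; the allow-list and the requirements lines are constructed for the demonstration, and in practice you would feed in your own list of approved packages.

```powershell
# Added example (not from the Checkmarx report): audit a dependency list for
# names that are a one- or two-character edit away from an approved package.
# $KnownGood and $Requirements are constructed sample data for this example.

$KnownGood = @('requests', 'urllib3', 'numpy', 'colorama', 'pillow', 'cryptography')

# Constructed sample: two legitimate names, two near-misses, one unrelated name.
$Requirements = @'
requests==2.32.3
reqeusts==1.0.0
numpy>=1.26
colorsama
boto3
'@

function Get-EditDistance {
    param([string] $a, [string] $b)
    # Classic Levenshtein dynamic-programming table.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min(
                [Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-Typosquat {
    param([string[]] $Lines, [string[]] $Known, [int] $MaxDistance = 2)
    foreach ($line in $Lines) {
        # Strip version specifiers and extras: "name==1.0", "name>=2", "name[extra]".
        $name = ($line -split '[=<>!~\[ ;]', 2)[0].Trim().ToLowerInvariant()
        if (-not $name -or $Known -contains $name) { continue }   # exact match is fine
        foreach ($good in $Known) {
            $dist = Get-EditDistance $name $good
            if ($dist -le $MaxDistance) {
                [pscustomobject]@{ Package = $name; LooksLike = $good; Distance = $dist }
            }
        }
    }
}

# With the sample above this reports reqeusts (2 from requests) and colorsama (1 from colorama).
Find-Typosquat -Lines ($Requirements -split "`r?`n") -Known $KnownGood | Format-Table -AutoSize
```

Two caveats: pip treats hyphens, underscores and case as equivalent, so normalize both sides the same way before comparing, and an edit-distance check does nothing against the cross-ecosystem trick described above, where the counterfeit name is an exact copy of a package from another registry. For that case the allow-list itself, with the registry each name is expected to come from, is the control.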
Winsage
May 7, 2025
The Play ransomware gang exploited a vulnerability in the Windows Common Log File System (CLFS), CVE-2025-29824, a use-after-free bug with a CVSS score of 7.8. The flaw allows an authorized local attacker to elevate privileges and has been confirmed as exploited in the wild; the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft fixed it in the April Patch Tuesday updates, acknowledging exploitation in limited attacks against various sectors in the U.S. and Saudi Arabia. Symantec researchers reported that the Play gang used the CVE-2025-29824 exploit against a U.S. organization before the vulnerability was publicly disclosed and patched. The attackers first exploited a public-facing Cisco ASA firewall to gain entry, deployed the Grixba infostealer and other tools to gather information, escalated privileges with the CVE-2025-29824 exploit, and ran malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, giving kernel access and the ability to manipulate files. Before the patch was released the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.
Winsage
May 6, 2025
Sophia Script is a PowerShell module, available on GitHub, that simplifies adjusting Windows settings from the command line and offers more than 150 regularly updated functions. It covers tasks such as telemetry settings, scheduled tasks and uninstalling OneDrive, and lets users apply many of these tweaks in a single run. Setup involves opening the main PS1 file in an editor such as Notepad++, changing to the script's directory, and executing the command given in the GitHub instructions. Users choose what runs by editing the function calls in that file: a line prefixed with # is skipped, so the desired functions are left uncommented and the rest commented out, and the changes can be applied across all user accounts. Sophia Script is particularly useful for configuring new PCs or fresh installations, since it removes unnecessary bloatware and streamlines the system. It can uninstall Microsoft apps, including the Windows Copilot app, and creates five scheduled tasks of its own after running, saving time compared with doing the work by hand. The creator, Farag2, is also developing a GUI version, SophiApp 2.0.
Winsage
April 14, 2025
Microsoft has warned IT administrators about a significant issue affecting Windows Server 2025 domain controllers, which may fail to handle network traffic correctly after a restart. The domain controllers come up on the standard firewall profile instead of the domain firewall profile, which can make them unreachable on the domain network, break applications and services that depend on them, and leave ports open that should be restricted. The issue affects only Windows Server 2025 systems with the Active Directory Domain Services role; client systems and earlier server versions are not affected. As a temporary workaround Microsoft recommends restarting the network adapter after each reboot with the PowerShell command Restart-NetAdapter *, and advises administrators to automate this with a scheduled task, monitor domain controllers for disruption, and avoid unnecessary restarts. Microsoft is working on a permanent fix for a future update.
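One way to automate the workaround described above, together with a check that it actually worked. This is an added example, not Microsoft's own script: the task name and the one-minute start delay are assumptions, and the check relies on the fact that a correctly joined domain controller reports its domain-facing adapter with NetworkCategory DomainAuthenticated.

```powershell
# Added example (not Microsoft's published script): register a startup task that
# bounces the network adapters on a Windows Server 2025 domain controller and
# verify that they came back on the domain firewall profile.
# Task name and one-minute delay are assumptions for this example.

$TaskName = 'DC-DomainProfile-Workaround'

# Check: a healthy DC shows NetworkCategory = DomainAuthenticated on its
# domain-facing adapter. Public or Private means the profile bug has hit.
function Get-AdapterProfileState {
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
}

# Apply the workaround only when something is wrong, then re-check.
function Repair-DomainProfile {
    $wrong = Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
    if ($wrong) {
        Restart-NetAdapter -Name * -Confirm:$false
        Start-Sleep -Seconds 15   # give Network Location Awareness time to re-evaluate
    }
    Get-AdapterProfileState
}

# Register the task: runs as SYSTEM at boot, delayed so the adapter is fully up
# before it is restarted.
$cmd = '-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Restart-NetAdapter -Name * -Confirm:$false"'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $cmd
$trigger   = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT1M'           # ISO 8601 duration: one minute after startup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run the check (and the repair, if needed) immediately on this host.
Repair-DomainProfile
```

Restarting every adapter briefly drops all traffic on the DC, so the delay matters on hosts whose adapters take a while to initialize. Once Microsoft ships the permanent fix, remove the task with Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false so the adapters are not bounced on every boot for no reason.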
Winsage
March 17, 2025
Obscure#Bat is a malware campaign targeting Windows users that uses obfuscated batch scripts to deploy a user-mode rootkit capable of hiding its activity from standard security tools. It stores obfuscated scripts in the Windows Registry and conceals files, registry entries and running processes through API hooking. The malware injects itself into legitimate Windows processes, which makes it hard to detect with conventional methods, and it can delete evidence of its activity. Attackers use social engineering, such as fake CAPTCHA tests and lures posing as legitimate software tools, to get victims to execute the malicious batch file. The rootkit hides any file, process or registry key whose name begins with the "$nya-" prefix and has been identified as r77, an open-source ring-3 (user-mode) rootkit. It makes no kernel modifications and relies on the registry and scheduled tasks for persistence, so kernel-focused security tools that look for driver tampering will not see it. Windows users are advised to be wary of such social engineering and to inspect batch files in a text editor before executing them.
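The hiding rule above is also the hunt rule: everything r77 conceals shares a name prefix. The following is an added example, not code from the campaign write-up or the r77 project. It looks for the "$nya-" prefix from this campaign and for "$77", the default prefix in the r77 source, across scheduled-task definitions, Run keys and a few file-system locations. Because r77 hides objects by hooking APIs inside processes it has injected, a PowerShell session on the infected host will be blind to them; run this from a context the rootkit has not hooked, such as a WinPE boot with the system drive and hives mounted, and point the parameters at the mounted paths.

```powershell
# Added example (not from the campaign write-up or the r77 project): hunt for the
# naming prefix r77 uses to decide what to hide. Run from an un-hooked context
# (offline boot or forensic image) and pass the mounted paths; the defaults
# below assume a live system for illustration only.

function Find-R77Prefix {
    param(
        [string[]] $Prefix   = @('$nya-', '$77'),       # campaign prefix + r77 default
        [string]   $TasksDir = 'C:\Windows\System32\Tasks',
        [string[]] $RunKeys  = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        ),
        [string[]] $ScanDirs = @('C:\ProgramData', 'C:\Users', 'C:\Windows\Temp')
    )
    # Anchored, regex-escaped alternation of the prefixes ("$" must be escaped).
    $pattern = '^(' + (($Prefix | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

    # 1. Scheduled-task definitions are XML files on disk named after the task.
    Get-ChildItem -Path $TasksDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Task'; Where = $_.FullName } }

    # 2. Run-key values whose name or command line carries the prefix.
    foreach ($key in $RunKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($name -match $pattern -or $value -match $pattern) {
                [pscustomobject]@{ Kind = 'RunKey'; Where = "$key\$name = $value" }
            }
        }
    }

    # 3. Files or directories in the usual drop locations with the prefix.
    foreach ($dir in $ScanDirs) {
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Kind = 'File'; Where = $_.FullName } }
    }
}

Find-R77Prefix | Format-Table -AutoSize
```

On a mounted offline image, load the hives first (for example reg load HKLM\Offline C:\Mount\Windows\System32\config\SOFTWARE) and pass the loaded path in -RunKeys; the task XML files and drop directories can be scanned directly under the mount point. A clean result from a live, injected session proves nothing, which is the whole point of the rootkit.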
Winsage
March 10, 2025
Cisco Talos has reported a series of attacks exploiting a critical PHP vulnerability (CVE-2024-4577) against Windows systems, primarily at organizations in Japan, since January 2025. The vulnerability allows attackers to execute arbitrary PHP code on servers running Apache with PHP-CGI. They use a Python script, "PHP-CGICVE-2024-4577RCE.py," to send crafted POST requests and confirm exploitation by checking for a specific MD5 hash in the response. After gaining access, the attackers deploy a PowerShell injector script that connects to their command and control (C2) server, then use Cobalt Strike plugins for post-exploitation, including modifying registry keys for persistence and clearing event logs to evade detection. They perform lateral movement with reconnaissance tools, abuse Group Policy Objects to execute malicious scripts, and finally extract credentials with Mimikatz. A pre-configured installer script on their C2 server suggests they are preparing further attacks.
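What those "crafted POST requests" look like in a web server log, as an added example that is not part of the Talos report. The public advisory for CVE-2024-4577 describes the mechanism: on Windows, php-cgi "best-fit" maps a soft hyphen (0xAD) in the query string to an ASCII hyphen, so "%ADd" becomes a "-d" command-line option and lets the request set allow_url_include and auto_prepend_file=php://input, after which the POST body is executed as PHP. The log lines below are constructed for the example.

```powershell
# Added example (not Talos's detection content): flag CVE-2024-4577 attempts in
# Apache access logs by spotting a URL-encoded soft hyphen (%AD) used as an
# option prefix in the query string. The sample log lines are constructed.

$SampleLog = @'
10.0.0.5 - - [15/Jan/2025:10:21:03 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.7 - - [15/Jan/2025:10:21:09 +0900] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jan/2025:10:22:41 +0900] "POST /cgi-bin/php.exe?%add+cgi.force_redirect%3d0+%add+disable_functions%3d%22%22 HTTP/1.1" 200 30 "-" "curl/8.4"
'@

function Find-PhpCgiInjection {
    param([string[]] $Lines)
    # Apache combined log: client, ident, user, [time], "METHOD url HTTP/x", status, bytes, ...
    $logRe = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<url>\S+) [^"]*" (?<status>\d{3})'
    # Soft hyphen encoded as %AD, followed by an option letter, at the start of the
    # query or after '+' / %20 (the argument separators php-cgi would see).
    $hitRe = '(?i)(\?|\+|%20)%ad[a-z]'
    foreach ($line in $Lines) {
        if ($line -notmatch $logRe) { continue }
        $entry = $Matches.Clone()          # keep the groups; the next -match overwrites $Matches
        $url   = $entry.url
        if ($url -notmatch $hitRe) { continue }

        # Decode the query the way php-cgi ends up seeing it: percent-decode,
        # best-fit the soft hyphen to '-', and turn '+' into argument spaces.
        $parts = $url -split '\?', 2
        $argv  = [uri]::UnescapeDataString($parts[1]) `
                   -replace ([string][char]0xAD), '-' `
                   -replace '\+', ' '
        [pscustomobject]@{
            Client = $entry.ip
            Time   = $entry.time
            Status = $entry.status
            Target = $parts[0]
            Argv   = $argv
        }
    }
}

# The two POST lines are reported; the first decodes to
# "-d allow_url_include=1 -d auto_prepend_file=php://input".
Find-PhpCgiInjection -Lines ($SampleLog -split "`r?`n") | Format-List
```

A 200 response on such a request is the signal worth alerting on, since the exploit script described above confirms success by reading a marker out of the response body. The same advisory gives an Apache-side stopgap for hosts that cannot be patched immediately, a rewrite rule that rejects any query string starting with the encoded soft hyphen (RewriteCond %{QUERY_STRING} ^%ad [NC] followed by RewriteRule .? - [F,L]); upgrading PHP remains the real fix.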