scheduled tasks Archives

Winsage

March 6, 2026

Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer

Microsoft revealed a social engineering campaign named ClickFix that exploits the Windows Terminal application to deploy Lumma Stealer malware. Detected in February 2026, this campaign instructs users to access Windows Terminal using the Windows + X → I shortcut, enhancing its perceived legitimacy. Attackers evade detection by manipulating users into executing harmful commands through deceptive prompts. The attack chain involves pasting a hex-encoded command into Windows Terminal, which opens additional Terminal and PowerShell instances, leading to a PowerShell process that decodes a script. This process downloads a ZIP payload containing a renamed 7-Zip binary, which extracts files and initiates a multi-stage attack, including retrieving payloads, establishing persistence, configuring Microsoft Defender exclusions, exfiltrating data, and deploying Lumma Stealer by injecting it into "chrome.exe" and "msedge.exe." Lumma Stealer targets browser artifacts to harvest credentials. A secondary attack pathway involves downloading a batch script that writes a Visual Basic Script to the Temp folder and connects to Crypto Blockchain RPC endpoints, also using QueueUserAPC() for code injection into browsers to extract data.

Winsage

March 2, 2026

Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.

Tech Optimizer

February 16, 2026

How to Uninstall McAfee on Windows 11 (3 Methods Including winget)

To uninstall McAfee on Windows 11, go to Settings → Apps → Installed apps, find McAfee, and select Uninstall. Alternatively, use the command winget uninstall --id "McAfee.TotalProtection" in an elevated terminal. After uninstalling, run McAfee’s MCPR removal tool to remove any leftover files and registry entries. Windows Security (Defender) will automatically activate after McAfee is removed. McAfee is often preinstalled on Windows 11 laptops by manufacturers like Dell, HP, Lenovo, and ASUS. It is recommended to create a system restore point before uninstalling and ensure you have administrative rights. After uninstalling, check for any remaining McAfee entries in installed apps, running services, Task Manager processes, leftover folders, and scheduled tasks. If issues arise during uninstallation, booting into Safe Mode or using the MCPR tool can help. Windows Security is a built-in antivirus that activates automatically after McAfee removal, providing protection.

Tech Optimizer

January 29, 2026

eScan Antivirus Update Server Hacked to Push Malicious Update packages

A supply chain breach has affected MicroWorld Technologies' eScan antivirus product, allowing malicious actors to use the vendor's update infrastructure to spread malware. Discovered on January 20, 2026, by Morphisec, the attack involved a trojanized update package that deployed multi-stage malware on enterprise and consumer endpoints globally. The initial compromise occurred through a malicious update replacing the legitimate Reload.exe binary, which was digitally signed with a valid eScan certificate. This led to the execution of a downloader (CONSCTLX.exe) and further malware stages that evaded defenses and disabled security features. The malware obstructs automatic updates by altering system configurations, including the hosts file and registry keys. Indicators of compromise include specific file names and SHA-256 hashes for the trojanized update and downloader. Network administrators are advised to block traffic to identified command and control domains and IPs. Affected organizations should verify their systems for signs of compromise and contact MicroWorld Technologies for a manual patch.

Tech Optimizer

January 27, 2026

Not a virus: What it means and why antivirus flags it

The term “not a virus” is used by antivirus software to indicate that a file does not match known malware signatures but still triggers a detection. This means the file is not automatically blocked or confirmed as a threat; the alert highlights something unusual, leaving the decision to the user. Alerts typically arise when software exhibits behavior associated with increased risk, despite lacking clear evidence of malicious intent. Malware is specifically designed to inflict harm, while files labeled “not a virus” may perform actions that raise security concerns but are not classified as harmful. Antivirus programs identify threats through signature detection and heuristic behavior-based detection. Legitimate programs, such as system utilities, download managers, and game cheats, can inadvertently trigger “not a virus” alerts. Common types of detections include adware, riskware, and potentially unwanted applications (PUA). The primary security risk of “not a virus” files is exposure rather than direct attacks, and privacy concerns often arise from data collection by these programs. If an antivirus detects “not a virus,” users should identify the file, review recent changes, compare detections, and decide whether to keep or remove it. To reduce unwanted alerts, users should download from official sources, use custom installation options, and remove unused software.

Tech Optimizer

January 22, 2026

Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware

A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.

Winsage

January 15, 2026

Speed Up Your Windows 11 Launch Time in a Snap. Here’s How to Do It

The delay in booting up a Windows 11 laptop can be caused by multiple applications that automatically launch at startup, which can hinder system performance. Common applications that may launch include antivirus programs, Microsoft OneDrive, Slack, gaming applications, backup tools, and webcam software. Users can manage these startup applications through three methods: Task Manager, Settings, or File Explorer. In Task Manager, users can view and disable startup applications by right-clicking on entries in the Startup apps menu. The impact of each application on startup time is categorized as high, medium, low, none, or not measured. In the Settings app, users can navigate to Apps and then Startup to toggle off applications they do not want to launch automatically. File Explorer can also be used to manage startup applications by accessing the shell:appsfolder and shell:startup or shell:common startup commands to view and modify the applications set to launch at sign-in. Users are advised to disable applications they rarely use while keeping essential security software enabled. Third-party startup managers like Autoruns and Startup Delayer can provide additional insights into startup applications. Similar management methods apply to previous Windows versions.

Tech Optimizer

December 3, 2025

Fileless protection explained: Blocking the invisible threat others miss

Fileless malware operates within a computer's active memory, avoiding detection by traditional antivirus solutions that rely on file scanning. It uses legitimate tools like PowerShell to execute harmful commands without creating files, making it difficult to identify. Cybercriminals can use fileless malware for various malicious activities, including data theft and cryptocurrency mining. Malwarebytes combats fileless attacks through two defense layers: Script Monitoring, which intercepts potentially dangerous scripts at execution, and Command-Line Protection, which scrutinizes command-line tools for suspicious activities. Examples of fileless attacks include malicious email attachments activating PowerShell to download ransomware, hidden JavaScript on websites mining cryptocurrency, and attackers using Windows Management Instrumentation (WMI) to create backdoors. Malwarebytes' Fileless Protection operates automatically in the background, ensuring legitimate applications function normally while monitoring for threats. It is part of a comprehensive security framework that includes machine-learning detection and web protection, designed to stop attacks that do not write files. This protection is included with Malwarebytes Premium, aimed at safeguarding personal and small business systems.

Winsage

December 2, 2025

Microsoft needs to make it easier to disable automatic Windows 11 updates

Updates in the Windows ecosystem are essential for enhancing stability, performance, and security. However, users of Windows 11 have expressed frustration due to frequent updates disrupting functionalities like network connectivity and printer access. Automatic updates can interrupt productivity, with unexpected restart prompts leading to potential loss of unsaved work. Issues with third-party programs and drivers often arise post-update, and older PCs experience significant performance degradation due to background updates. Many users face limitations with internet access, as substantial update sizes can consume data quickly, especially under fair usage policies. Storage constraints on older devices can lead to operational issues, and attempts to pause updates may not always be effective. While updates are crucial for delivering new features and security fixes, their frequency can diminish their perceived importance, causing users to delay addressing issues. Disabling automatic updates can be complicated, requiring adjustments in the Windows Update service, Group Policy Editor, or Registry, which may not be accessible or user-friendly. A simple one-click "Disable" button in the Windows Update settings would enhance user control over update installations, allowing them to manage updates according to their schedules.

Tech Optimizer

November 6, 2025

EndClient RAT Abuses Stolen Code-Signing Certificate to Evade Antivirus Detection

North Korean cyber actors have developed a Remote Access Trojan (RAT) called "EndClient RAT," targeting human rights defenders in South Korea and internationally. This malware evades antivirus detection by using stolen code-signing certificates and is delivered through a Microsoft Installer package named "StressClear.msi," which is signed by a Chinese firm. The RAT deploys an AutoIT-based payload, creates a scheduled task for persistence, and communicates with its command-and-control server using a custom protocol. Detection rates for EndClient RAT are low, with only 7 out of 64 detections for the dropper and 1 out of 64 for the payload script. Organizations are advised to block identified indicators of compromise and treat signed MSIs as untrusted until verified.