script Archives

Winsage

June 19, 2026

Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2

Microsoft has identified a Windows-based cryptocurrency clipper campaign that has been active since February 2026. This campaign uses clipboard-intercepting malware with self-spreading capabilities and operates through the Tor network. The clipper malware employs Windows Script Host and ActiveX to launch a Tor proxy and connect to a hidden command-and-control server. It focuses on stealing clipboard data, particularly cryptocurrency wallet addresses, and can exfiltrate screenshots. The malware is distributed via malicious Windows Shortcut (LNK) files on USB drives, which activate a worm that checks for existing infections and fetches the payload from a remote server. The clipper monitors the clipboard every 500 milliseconds for sensitive information and can replace copied wallet addresses with those controlled by attackers. Microsoft recommends behavioral detections, disabling AutoRun for removable media, blocking LNK execution from drives, and monitoring clipboard-related activities as mitigations against this threat.

Winsage

June 19, 2026

Microsoft finally admits its default Windows 11 25H2, 24H2 action broke key legacy component

Microsoft released Patch Tuesday updates for Windows 11, specifically KB5094126 and KB5093998, along with dynamic updates KB5094149, KB5095971, and KB5094156. Two issues have been acknowledged: malfunctioning Office applications and complications with the Recycle Bin. In July 2025, Microsoft changed the default settings of Windows 11 to JScript9Legacy in versions 24H2 and later, continuing with version 25H2 in October 2025. This change aimed to enhance security by addressing vulnerabilities related to legacy scripting, particularly cross-site scripting (XSS). A support article details a compatibility issue arising from the transition from jscript9.dll to jscript9legacy.dll, which affects how JScript manages execution context. Functions and definitions established by one script are no longer accessible to subsequent scripts, leading to failures in legacy applications. To address this, Microsoft released the KB5077241 update, which requires manual activation of persistent JScript execution context through a Registry setting. The steps to implement this solution involve creating a feature control registry key and configuring a DWORD value for specific processes or all processes.

Tech Optimizer

June 18, 2026

Retro gaming fans are the new target for fake GitHub malware

Retro gaming enthusiasts should be cautious when exploring GitHub projects for tools or plugins, as cybercriminals may disguise malware as homebrew software. A specific incident involved a project called EQVita, which pretended to be a free audio tool for PlayStation Vita but actually contained Windows malware. The downloaded file included three files: Launch.bat, luajit.exe, and x64.txt, with the latter concealing a hidden script that connected to the attacker's server upon execution. This scam is part of a broader trend where counterfeit GitHub repositories distribute SmartLoader malware, which retrieves additional malicious software aimed at stealing passwords and cryptocurrency wallets. The PS Vita community, despite the console's production ceasing, remains active in modding, making it a target for attackers. Legitimate plugins typically come in Vita-compatible formats, while fake ones may feature polished marketing materials and AI-generated descriptions. Users are advised to verify sources, be cautious of suspicious downloads, and utilize security tools like Malwarebytes. If someone has executed the malicious EQVitav1.3.zip file, they should conduct a malware scan, change important passwords, and monitor accounts for unauthorized access. Indicators of compromise include the domains https://github.com/Voistace/EQVita and https://voistace.github.io, and the IP address 85.137.52.21.

Winsage

June 16, 2026

China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

Cybersecurity researchers have identified two new Windows variants of the SprySOCKS backdoor, named WINDRV and WINPLUS, which were previously thought to be exclusive to Linux systems. Both variants feature hard-coded command-and-control configurations and can communicate via TCP, UDP, and WebSocket protocols. They support over 30 commands for operations such as system information collection and file management. WINDRV employs kernel drivers for stealth, obscuring network connections and allowing TCP traffic diversion. SprySOCKS was first documented by Trend Micro in September 2023, linked to the Chinese state-sponsored threat actor Earth Lusca, also known as FishMonger. The Windows variants belong to version 1.8 of SprySOCKS and utilize a kernel driver named RawWNPF for enhanced stealth. The attack chain begins with an initial access method that drops a batch script, leading to the installation of the backdoor. Evidence suggests these variants may have been used in attacks against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WINPLUS variant was first detected in July 2024 in Pakistan. There are indications of a potential UEFI bootkit involvement exploiting CVE-2023-24932, a vulnerability in the Windows Boot Manager.

Winsage

June 16, 2026

Windows 11 KB5094126 BSODing, freezing, forcing BitLocker lockout, breaks OneDrive, and more

Microsoft rolled out Patch Tuesday updates for Windows 11, specifically KB5094126 and KB5093998, along with dynamic updates KB5094149, KB5095971, and KB5094156. Users have reported various issues post-update, including access difficulties with OneDrive and Dropbox, BitLocker recovery lockouts, and blue screens of death (BSOD), particularly the 0xc0430001 error on HP systems. This error may be linked to a previous bug affecting HP devices related to Secure Boot certificate updates. Users experiencing this error are advised to verify the presence of the boot.stl file on their installation media, as it is essential for Secure Boot. Microsoft recommends using the Update WinPE script to ensure the boot.stl file is included or manually transferring it from the WindowsBootEFI directory. Additionally, some Lenovo PC users have reported system freezes after the update. One user identified a conflict between KB5094126 and User Account Control (UAC) that affects OneDrive and Dropbox access in Explorer, noting that enabling UAC resolves the issue.

Tech Optimizer

June 14, 2026

Automate Amazon Aurora PostgreSQL major or minor version upgrade using AWS Systems Manager and Amazon EC2

Managing upgrades for the Aurora PostgreSQL-Compatible Edition can be labor-intensive and error-prone when done manually. Automating Amazon Aurora PostgreSQL upgrades can reduce manual effort by up to 80% and minimize downtime risks through consistent procedures. The automation solution uses AWS Systems Manager, Amazon EC2, and AWS Secrets Manager, structured around two modules: PREUPGRADE for readiness checks and UPGRADE for the actual upgrade process. The solution identifies upgrade candidates using database tags, creates safety backups with Copy-on-Write clones, manages the upgrade process with minimal human intervention, and offers real-time monitoring and email notifications. The workflow includes logging into the Systems Manager console, downloading the upgrade script, identifying Aurora PostgreSQL clusters based on tags, retrieving credentials from AWS Secrets Manager, executing pre-upgrade checks or upgrades, uploading log files to Amazon S3, and sending email notifications via Amazon SNS. Prerequisites include familiarity with the Aurora upgrade process, appropriate IAM permissions, creating a maintenance user, setting up AWS Secrets Manager, tagging Aurora clusters, creating an S3 bucket, and configuring an SNS topic for notifications. Implementation steps involve reviewing setup instructions, uploading the upgrade script to S3, creating an AWS Systems Manager automation document, executing the automation document, and monitoring the upgrade process through logs generated during pre-upgrade and upgrade phases. The logs provide detailed information on tasks performed, including replication slot status and configuration backups. After testing, it is recommended to clean up resources to avoid future charges.

Winsage

June 13, 2026

I tried Microsoft’s new AI-powered Terminal, and it is a surprisingly different experience

Windows 11 has introduced a new command-line tool called "Intelligent Terminal," which is a fork of the open-source Windows Terminal project and integrates an AI agent, specifically GitHub Copilot by default. Users must manually download and install the Intelligent Terminal, which retains the familiar Windows Terminal interface but adds a side panel for AI interaction. Upon first launch, users select an Agent Client Protocol (ACP) compatible agent, with options to enable features like automatic error detection and session management. The Intelligent Terminal offers two main experiences: agent chat and agent management. The agent chat pane allows users to inquire about errors and receive assistance, while the agent management pane tracks active and past agent sessions. Users can also utilize other agents like Claude Code, Google Gemini, and OpenAI Codex, provided they are installed locally. The Command Palette is enhanced with AI actions, allowing users to initiate tasks without interrupting their workflow. Users can customize terminal and agent settings, including pane position and error detection features. Adjustments require saving to apply changes.

AppWizard

June 13, 2026

Don’t expect the Death Stranding movie to retell the story of the games, as its director says the film will be set in his ‘own corner of the world’

The cinematic adaptation of the video game Death Stranding has been in development since its announcement in 2022. Director Michael Sarnoski is currently writing the script and is collaborating with A24, which has expressed excitement about the project. Hideo Kojima has reacted positively to Sarnoski's script, recognizing film references within it. Additionally, a film adaptation of Elden Ring is in progress, with an expected release in 2028, and recent leaks suggest that Conwy Castle in North Wales may be used as a stand-in for Stormveil Castle from the game.

Winsage

June 12, 2026

Microsoft’s bug-hunting nemesis extends vendetta with more zero-day attacks — Nightmare Eclipse publishes RoguePlanet and GreatXML local privilege escalation exploits

Nightmare-Eclipse, also known as Chaotic-Eclipse, has introduced two new exploits: RoguePlanet and GreatXML. RoguePlanet exploits a vulnerability in Windows Defender, allowing attackers to gain SYSTEM user access privileges by tricking a user into executing a script. This access enables attackers to execute commands beyond standard Administrator capabilities, siphon sensitive data, and install malware. GreatXML provides a method for bypassing BitLocker encryption by creating a specially crafted "unattend.xml" file and a "Recovery" directory on the Windows recovery partition. Microsoft has shifted its stance from threatening legal action against Eclipse and is now monitoring the situation, while Eclipse has postponed a planned mass disclosure of zero-day Windows vulnerabilities initially set for July 14 due to delays in developing RoguePlanet.

AppWizard

June 11, 2026

Your dad’s favorite show might become a videogame

Taylor Sheridan is writing the script for the upcoming Call of Duty movie, directed by Peter Berg and likely featuring Mark Wahlberg. Paramount Games Studio, led by Shawn Kittelsen, plans to transform Yellowstone into a video game, alongside exploring other Paramount properties like Star Trek and Avatar: The Last Airbender. Kittelsen emphasized the importance of honoring the narratives and characters associated with these titles.