scripts Archives

Tech Optimizer

June 17, 2025

Hackers Use Fake Verification Prompt and Clickfix Technique to Deploy Fileless AsyncRAT

Threat actors are using a fileless variant of AsyncRAT, targeting German-speaking individuals with a deceptive verification prompt. This prompt misleads users into executing harmful commands. The malware employs obfuscated PowerShell scripts to operate in memory without creating files on disk, complicating detection by antivirus solutions. The attack begins with a fake verification page prompting users to click "I’m not a robot," which copies a malicious command to the clipboard. This command uses conhost.exe to run a hidden PowerShell instance that retrieves a payload from a remote server. The malware establishes a connection to a command-and-control server and maintains persistence through registry keys, enabling remote control and data exfiltration. Key tactics include stealth execution, in-memory C# compilation, and TCP-based communication over non-standard ports. The campaign has been active since at least April 2025. Indicators of Compromise (IOCs) include: - IP: 109.250.111[.]155 (Clickfix Delivery) - FQDN: namoet[.]de (Clickfix / C2 Server) - Port: 4444 (TCP Reverse Shell Listener) - URL: hxxp[:]//namoet[.]de:80/x (PowerShell Payload) - Registry (HKCU): SOFTWAREMicrosoftWindowsCurrentVersionRunOncewindows (Persistence on Boot) - Registry (HKCU): SOFTWAREMicrosoftWindows NTCurrentVersionWindowswin (Holds Obfuscated Command)

Tech Optimizer

June 14, 2025

Hackers are sneaking malware into your browser using Google’s link, and antivirus software can’t stop it

A new browser-based malware campaign exploits trusted domains like Google.com to bypass traditional antivirus defenses. The malware operates through an e-commerce site using a manipulated Google OAuth logout URL, which executes an obfuscated JavaScript payload. This script activates silently during checkout or when the browser appears automated, opening a WebSocket connection to a malicious server. Payloads are dynamically executed using JavaScript, enhancing the threat's effectiveness. The attack evades detection by many antivirus programs due to its obfuscation and conditional activation. DNS filters and firewall rules offer limited protection since the initial request goes to a legitimate domain. Advanced users may use content inspection proxies or behavioral analysis tools to detect anomalies, but average users remain vulnerable. Recommendations to mitigate risks include limiting third-party scripts and maintaining separate browser sessions for financial transactions.

Winsage

June 13, 2025

Announcing Windows 11 Insider Preview Build 26120.4441 (Beta Channel)

Windows 11 Insider Preview Build 26120.4441 (KB5060816) has been released to the Beta Channel for users on Windows 11, version 24H2. This update includes new features such as the ability for Windows Insiders in the European Economic Area to export Recall snapshots with a unique export code, which is secured by encryption and requires Windows Hello authentication. A larger clock display option in the notification center has been added, and recent updates to Recall include a reset option and a maximum storage duration for snapshots set to 90 days. New actions in Click to Do allow users to interact with Microsoft 365 Copilot and connect with colleagues via Teams. Improvements have been made to File Explorer, voice access support has been expanded to additional languages, and sharing options for OneDrive files have been enhanced. Various fixes have been implemented for Recall, File Explorer, the Start menu, and Settings. Known issues include display problems in the Start menu and issues with Xbox Controllers. Updates will be delivered via an enablement package, and features may evolve based on user feedback.

Tech Optimizer

June 9, 2025

Streamline Amazon Aurora database operations at scale: Introducing the AWS Database Acceleration Toolkit

The AWS Database Acceleration Toolkit (DAT) is an open-source solution that enhances database performance, particularly for Amazon Aurora, by utilizing Terraform for setup, provisioning, and maintenance. DAT helps organizations reduce time to market, improve customer satisfaction, and optimize costs. It is beneficial for DevOps teams, SaaS providers, and enterprises transitioning from commercial databases to Aurora. One example of its effectiveness includes a customer reducing database migration time from 12 months to 4 weeks for over 100 databases, achieving zero outages over six months, increasing database team productivity by 60-70%, and lowering infrastructure costs by 42%. DAT's architecture includes automated resource provisioning and security through Terraform, with source code available in a Git repository. It offers multiple provisioning options for Aurora clusters, including the Terraform CLI and Jenkins pipelines. Key modules include: - Aurora cluster module for creating new clusters with customization options. - Amazon RDS Proxy for enhancing application performance and security. - Aurora GlobalDB for creating clusters across AWS Regions for disaster recovery. - Aurora Monitoring for configuring CloudWatch dashboards to monitor database performance. Use case examples are provided in the Git repository for both Aurora PostgreSQL-Compatible and Aurora MySQL-Compatible engines. Deployment options include using Terraform directly, setting up a new Jenkins instance, or integrating with an existing Jenkins setup. To provision an Aurora PostgreSQL cluster, users must clone the DAT repository, navigate to the appropriate folder, configure the Terraform variable definition file, initialize the working directory, execute a plan, and apply the changes. Security features include customer-managed keys, integration with AWS Secrets Manager for password management, and enhanced monitoring through CloudWatch. To clean up, users can destroy the Aurora cluster with a Terraform command.

Tech Optimizer

June 9, 2025

ViperSoftX Malware Used by Threat Actors to Steal Sensitive Information

The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs): - MD5: - 064b1e45016e8a49eba01878e41ecc37 - 0ed2d0579b60d9e923b439d8e74b53e1 - 0efe1a5d5f4066b7e9755ad89ee9470c - 197ff9252dd5273e3e77ee07b37fd4dd - 1ec4b69f3194bd647639e6b0fa5c7bb5 - URLs: - http://136.243.132.112/ut.exe - http://136.243.132.112:881/3.exe - http://136.243.132.112:881/APPDATA.exe - http://136.243.132.112:881/a.ps1 - http://136.243.132.112:881/firefoxtemp.exe - IPs: - 136.243.132.112 - 160.191.77.89 - 185.245.183.74 - 212.56.35.232 - 89.117.79.31

Winsage

June 6, 2025

Microsoft shares script to restore inetpub folder you shouldn’t delete

Microsoft has released a PowerShell script to help restore the C:Inetpub folder, which is crucial for addressing a high-severity privilege escalation vulnerability associated with Windows Process Activation. The folder's unexpected appearance after the April 2025 Windows security updates led some users to delete it, inadvertently exposing their systems to vulnerabilities. Microsoft emphasizes that the folder should not be deleted, as it is integral to the security framework, regardless of whether Internet Information Services (IIS) is active. The script allows administrators to recreate the folder with the correct permissions and access control settings.

Winsage

June 6, 2025

Microsoft Issues Critical Windows Update—Do Not Delete This

Users may face a significant vulnerability related to a Windows update from April 2025, particularly concerning the "inetpub" folder, which is essential for the security of Windows 11 systems. Microsoft clarified that this folder, linked to Internet Information Services (IIS) and necessary for hosting capabilities, should not be deleted. If users have removed the folder, they must restore it to address the security patch for CVE-2025-21204, as its absence can lead to risks such as privilege escalation and unauthorized access. Microsoft has provided a PowerShell script to restore the folder without enabling IIS, and users are advised to follow specific commands to execute the fix. However, many users may not take action, leaving their systems vulnerable.

Winsage

June 6, 2025

Your Windows PC might be at risk if you deleted the “inetpub” folder, but there’s a fix

Windows users have encountered a new "inetpub" folder on their primary drive after the April 2025 Patch Tuesday update. This folder is empty and occupies no storage space, but many users have deleted it out of concern. Microsoft has stated that the folder is part of a security patch for vulnerability CVE-2025-21204 and should not be removed, as it is linked to Internet Information Services (IIS). Users can restore the folder using a PowerShell script if they have deleted it. The folder addresses a security flaw related to improper link resolution that could allow local attackers to manipulate files. Instructions for restoring the folder include running PowerShell as Administrator, allowing signed scripts, downloading a specific script, and applying the fix.

AppWizard

June 4, 2025

Meta found ‘covertly tracking’ Android users through Instagram and Facebook

Experts at Radboud University and IMDEA Networks found that Meta and Yandex have been covertly tracking Android users by monitoring browser activity without consent. This tracking was first identified in January and involves apps like Facebook, Instagram, and Yandex Maps operating in the background and loading scripts that transmit data back to their respective apps. These scripts bypass Android's security measures, allowing the companies to track users' web browsing activities. The tracking affects all major Android browsers, including incognito mode. Google confirmed that Meta and Yandex exploited Android's capabilities in violation of security and privacy principles. Meta is investigating the issue and has paused the feature, while Yandex claims to adhere to data protection standards. Meta's tracking has been ongoing for about eight months, while Yandex's practices date back to 2017. Facebook tracked users on around 16,000 websites in the EU, and Yandex was active on 1,300 sites. Google has begun implementing changes to address these tracking techniques and is conducting its own investigation. Browsers like Firefox, Microsoft Edge, and DuckDuckGo are also affected, with efforts underway to prevent future incidents.

AppWizard

June 4, 2025

Meta Pixel halts Android localhost tracking after disclosure

Security researchers have found that Meta and Yandex used native Android applications to access localhost ports, allowing them to link web browsing data with user identities and bypass privacy protections. Following these findings, Meta stopped its data transmission to localhost and removed much of the tracking code to comply with Google Play policies. A report from researchers at IMDEA Networks, Radboud University, and KU Leuven detailed how apps like Facebook and Instagram collected web cookie data via the loopback interface. This method allowed the companies to associate browsing sessions with user identities, undermining privacy measures. Meta's tracking process involved the Meta Pixel script, which transmitted cookies to native apps through various protocols. Meta began using this technique in September 2024 but ceased these practices by June 3rd, 2025. Yandex's localhost tracking dates back to 2017, and while they did not respond to inquiries, browser vendors have implemented mitigations against these practices. Proposed solutions include a new permission for local network access to prevent such tracking in the future.