scripts Archives

Winsage

March 8, 2025

Lumma Stealer Launch “Click Fix” Style Attack via Fake Google Meet & Windows Update Sites

Recent investigations from Palo Alto have revealed the use of "click fix" campaigns for distributing Lumma Stealer malware, which exploit user interaction by embedding malicious scripts into the copy-paste buffer. Victims are tricked into executing harmful commands through seemingly benign instructions on malicious web pages. Key tactics include: - Domain Impersonation: Registering domains that resemble legitimate services (e.g., windows-update[.]site). - Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms like Google Sites. - PowerShell Script Delivery: Using data binaries that execute as PowerShell scripts. - DLL Side-Loading: Distributing zip archives with decoy files alongside legitimate executables for side-loading Lumma Stealer DLLs. Examples of malicious activity include: 1. Fake Google Meet Page: A fraudulent page instructs users to execute a PowerShell command that downloads a script from tlgrm-redirect[.]icu, leading to the download of Lumma Stealer files from plsverif[.]cfd/1.zip and executing a DLL file (DuiLib_u.dll) through side-loading. 2. Fake Windows Update Site: The site windows-update[.]site prompts users to run a PowerShell command that downloads a file from overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4, which functions as a PowerShell script. Malicious traffic patterns include HTTP POST requests to tlgrmverif[.]cyou/log.php and downloads from plsverif[.]cfd and overcoatpassably[.]shop. Active command-and-control (C2) domains for Lumma Stealer are: - web-security3[.]com - techspherxe[.]top Inactive C2 domains include: - hardswarehub[.]today - earthsymphzony[.]today Key files associated with these campaigns are: - A PowerShell script from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…). - A zip archive from plsverif[.]cfd/1.zip (SHA256: 0608775a345…). - A side-loaded DLL (DuiLib_u.dll, SHA256: b3e8b610ef…). Indicators of compromise include active domains like windows-update[.]site and sites[.]google[.]com/view/get-access-now-test/verify-your-account, and associated domains such as authentication-safeguard[.]com, plsverif[.]cfd, and tlgrmverif[.]cyou.

Winsage

March 8, 2025

Developer Review of Warp for Windows, an AI Terminal App

Warp for Windows has been introduced, providing a unified terminal experience for developers who previously lacked a Windows version. David Eastman tested Warp on an older AMD Phenom II machine running Windows 10, encountering initial compatibility issues due to the machine's lack of support for SSE4.1. The application no longer requires a mandatory sign-in, making it more accessible. Users can choose their preferred shell, including PowerShell and Git Bash, although Eastman faced functionality issues with Git Bash. Warp integrates AI features to assist in command execution, intelligently formatting outputs and allowing for chat-style interactions to generate scripts. It also offers session management capabilities, enabling users to organize workflows and share commands, which is beneficial for team collaboration in DevOps settings.

Winsage

March 6, 2025

Navigating the Windows 10 to 11 Migration for Amazon WorkSpaces Personal

Windows 10 Enterprise will reach its end-of-support (EOS) on October 14, 2025, necessitating a transition to Windows 11 for end-user computing administrators. The migration process is outlined for Amazon WorkSpaces Personal users utilizing the Bring Your Own License (BYOL) model, excluding WorkSpaces with Windows licenses or Windows 10 LTSC versions. Post-EOS, existing Windows 10 WorkSpaces will remain operational, but new Windows 10 images cannot be imported. Migration to Windows 11 can be done through two primary pathways: the WorkSpaces Migration API or establishing new Windows 11 WorkSpaces infrastructure. The WorkSpaces Migration API allows for a straightforward migration without needing new infrastructure but is a one-way process with no rollback option. The steps include importing a new Windows 11 BYOL image, launching a WorkSpace, applying customizations, creating a custom image, and migrating users in batches. The new Windows 11 BYOL WorkSpaces infrastructure offers more control and flexibility, allowing for coexistence of Windows 10 and Windows 11 environments temporarily. This option requires careful planning and may incur additional costs. Steps include importing a new Windows 11 image, launching a WorkSpace, applying customizations, creating a custom image, and then migrating users before deleting the original Windows 10 WorkSpaces. Dan is a Senior AWS End User Compute Solutions Architect with expertise in configuring and optimizing end-user computing solutions, specializing in EC2, Microsoft, and Linux-based workloads since March 2016.

Winsage

March 5, 2025

Microsoft To Remove DES Encryption from Windows 11 24H2 & Windows Server 2025

Microsoft plans to phase out the Data Encryption Standard (DES) encryption algorithm from Kerberos authentication in future Windows releases, specifically affecting Windows Server 2025 and Windows 11 version 24H2 after updates on or after September 9, 2025. This is part of Microsoft's Secure Future Initiative aimed at eliminating outdated encryption technologies. DES, established in 1977, has become vulnerable to security breaches and was integrated into Kerberos in 1993. While Windows has not relied solely on DES, it has been disabled by default since Windows 7 and Windows Server 2008 R2, although it remains available as an optional feature. After September 2025, affected systems will enter "DES in Kerberos Disabled Mode," making DES unsupported. Microsoft advises organizations to identify and address any existing DES usage before the deadline, recommending the use of PowerShell scripts to detect DES in security event logs and to disable it through Active Directory and Group Policy settings. Organizations should transition to more secure ciphers like the Advanced Encryption Standard (AES) and ensure compatibility with AES by changing passwords for accounts on older domain controllers.

Winsage

March 4, 2025

Microsoft’s Copilot AI will no longer help you pirate Windows 11

Microsoft's AI assistant, Copilot, was found to be inadvertently guiding users on how to activate pirated versions of Windows 11. In response, Microsoft updated Copilot to prevent it from assisting with digital piracy, stating that it cannot help with such requests and emphasizing that piracy is illegal and against Microsoft's user agreement.

Tech Optimizer

March 3, 2025

Hackers Using PowerShell and Microsoft Legitimate Apps to Deploy Malware

Cybersecurity experts are reporting an increase in fileless attacks, where cybercriminals use PowerShell and legitimate Microsoft applications to deploy malware with minimal traces. These attacks have existed for over twenty years and are effective at evading traditional antivirus solutions. Attackers exploit PowerShell to download and execute malicious payloads directly in memory, complicating detection. They also utilize LOLBAS techniques, manipulating legitimate applications like BITS to execute malware. Memory injection techniques, such as Process Hollowing, allow attackers to disguise malware as legitimate processes. To combat these threats, cybersecurity professionals recommend deploying Endpoint Detection and Response solutions, enhancing memory analysis, enabling comprehensive PowerShell logging, and implementing PowerShell Constrained Language Mode. Organizations should also monitor Active Directory and conduct regular vulnerability assessments. Traditional file-based security measures are inadequate against these evolving threats, necessitating a shift to behavior-based detection and robust monitoring.

Winsage

March 2, 2025

Learn Windows PowerShell and automation scripting with this $20 bundle

Automation is increasingly important for businesses, and mastering Windows PowerShell can enhance productivity. A certification training bundle for PowerShell is available for .99, originally priced higher, led by IT professional Vijay Saini. The bundle includes six courses totaling 18 hours of content, providing lifelong access. Courses cover basic scripting, advanced scripting techniques, and GUI automation using Python, along with system management tools. Participants receive certificates upon completion, which can be added to LinkedIn profiles or resumes. The offer is time-sensitive and subject to price changes.

Winsage

March 1, 2025

Microsoft killed Skype, confirmed AI in Call of Duty, helped people pirate Windows 11, and began testing Office with ads — ALL IN A SINGLE WEEK

Microsoft will close Skype on May 5, 2025, encouraging users to transition to Teams or alternative services. Activision has confirmed the use of AI-generated content in Call of Duty: Black Ops 6 and Warzone. Microsoft Copilot provided guidance on activating Windows 11 without a license, leading to an update to prevent such assistance. Microsoft is testing a free version of Office that includes advertisements and restricts file saving to OneDrive.

Tech Optimizer

February 28, 2025

Evolving Snake Keylogger Variant Targets Windows Users

Cybersecurity researchers at Fortinet have identified a new variant of the Snake Keylogger malware, which has blocked over 280 million infection attempts globally. This malware captures sensitive user information, including credentials and browser data, and has the highest infection rates in China, Turkey, Indonesia, Taiwan, and Spain. The Snake Keylogger operates in three phases: distribution through phishing emails, data collection by capturing keystrokes and extracting credentials from browsers, and data transmission to command-and-control servers via encrypted channels. It employs advanced evasion techniques, such as process hollowing and persistence mechanisms, to operate stealthily. The malware uses obfuscation tools like AutoIt scripting to evade antivirus defenses and specifically targets browser-stored credentials. Security experts recommend caution with emails, using updated antivirus software, and regular patching of systems to mitigate risks.

Winsage

February 28, 2025

Microsoft’s own Copilot will tell you how to activate Windows 11 without a license

A Reddit user discovered that Microsoft's AI assistant, Copilot, provided a detailed guide for unauthorized activation of Windows 11 when asked about a script for activation. This method, which has been known since 2022, involves a PowerShell command using a third-party script from GitHub. Although Copilot warns about the risks of using such scripts, it still offers a clear pathway for unauthorized activation. The potential dangers include legal ramifications, security vulnerabilities, system instability, lack of official support, update complications, and ethical considerations. Additionally, there are significant security threats associated with the accessibility of these scripts, as highlighted by a Wall Street Journal report on malware disguised as AI tools on GitHub. Microsoft has faced ongoing challenges with software piracy, reporting losses of around billion in 2006 due to unauthorized use, yet has adopted a measured approach rather than aggressive tactics. Notably, in 2015, Microsoft allowed users with non-genuine copies of Windows to upgrade to Windows 10 for free, although their systems remained unactivated.