security mechanisms Archives

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.

Tech Optimizer

September 25, 2025

LNK Malware Leverages Windows Binaries to Evade Security Tools and Run Malicious Code

Cybersecurity researchers have identified a malware campaign utilizing Windows shortcut (.LNK) files distributed via Discord to deploy a Remote Access Trojan (RAT). The malicious file, named “cyber security.lnk,” lures users with a fake job offer PDF while executing PowerShell commands in the background. It displays a decoy document titled “Cyber Security.pdf” to distract victims during the infection process. The malware exploits the legitimate Windows utility odbcconf.exe to execute a malicious DLL named Moq.dll without triggering security alerts. A PowerShell script extracts a ZIP file containing the payload and runs it using the command: odbcconf.exe /a {regsvr "C:UsersPublicNugetmoq.dll"}. This approach bypasses standard security measures by utilizing trusted binaries. Moq.dll employs advanced evasion techniques, including modifying the AmsiScanBuffer function to disable the Anti-Malware Scan Interface (AMSI) and altering the EtwEventWrite function in ntdll.dll to prevent monitoring through event logs. The malware ensures persistence by modifying the Windows registry to run with explorer.exe at user login and communicates with its command and control server at hotchickenfly.info. The RAT can capture screenshots, gather system information, and exfiltrate data via Dropbox’s API, using AES encryption for its communications. This threat was first observed in Israel and highlights the trend of malware authors leveraging legitimate Windows tools to evade detection. Security researchers from K7 Labs have identified the malware and recommend application whitelisting and monitoring of LOLBin usage as countermeasures. Indicators of Compromise (IOCs) include specific hash values associated with the Trojan.

Tech Optimizer

July 7, 2025

Percona offers clear view into Transparent Data Encryption

Percona has launched its Transparent Data Encryption (TDE) extension for PostgreSQL, designed to secure sensitive data at rest without licensing fees or usage restrictions. TDE automatically encrypts and decrypts data at the database layer, protecting backups and transaction logs, with encryption keys stored separately. The pg_tde extension supports compliance with regulations like GDPR, HIPAA, SOX, and PCI DSS v4.0, and allows users to encrypt all database files, apply encryption at the table level, and maintain control over their encryption strategies. It integrates with Key Management Services (KMS) providers and requires a patched PostgreSQL server to function. Percona aims to extend pg_tde to Community PostgreSQL, with some code already contributed for review. The extension is included in the Percona Distribution for PostgreSQL, which also offers support and consulting services for TDE setup and configuration.

AppWizard

June 19, 2025

Godfather Android malware now uses virtualization to hijack banking apps

A new iteration of the Android malware "Godfather" has emerged, utilizing advanced techniques to create isolated virtual environments on mobile devices for stealthy account data theft and transaction manipulation from legitimate banking applications. It targets over 500 banking, cryptocurrency, and e-commerce applications globally, employing a comprehensive virtual filesystem, virtual Process ID, intent spoofing, and a component called StubActivity. Godfather is delivered as an APK app with an embedded virtualization framework, scanning for installed target applications and launching them within its virtual environment. It intercepts user interactions with genuine banking apps, capturing sensitive data like credentials and PINs while presenting a legitimate interface. The malware can execute commands to unlock devices and initiate transactions while avoiding detection. Godfather first appeared in March 2021 and has evolved significantly since then, with the latest version representing a notable advancement over previous iterations. Users are advised to download apps only from trusted sources and remain cautious about app permissions to protect against this malware.

AppWizard

June 19, 2025

X Rolls Out XChat: New Messaging to Challenge WhatsApp

XChat is an integrated instant messaging feature within X (formerly Twitter) designed to offer various communication options, including voice and video calls, file sharing, image sending, voice messages, and vanishing messages. It is accessible on mobile for both free users and X Premium subscribers, although some advanced features require a subscription. XChat includes encryption, disappearing messages, and the ability to send any file type. Unlike existing direct messages (DMs) on X, XChat offers more advanced features such as unsending messages and group chats. Security is emphasized, with XChat built on Rust and utilizing a "Bitcoin-style encryption system," though it does not guarantee end-to-end encryption. Key features of XChat include disappearing messages, message unsending, group chats, and audio/video calls without the need for a phone number. Currently in beta, XChat aims to enhance connectivity for brands and digital marketers on the platform. The unique advantage of XChat is its integration with X, allowing for a centralized experience combining social media and messaging functionalities.

Tech Optimizer

May 19, 2025

A spoof antivirus makes Windows Defender disable security scans

A researcher known as es3n1n explored Windows security mechanisms to bypass antivirus software validation checks in the Windows Security Center (WSC). He used tools like dnSpy and Process Monitor to analyze how legitimate antivirus solutions register with WSC. He confirmed that WSC validates the signatures of processes calling its APIs. Previously, es3n1n faced controversy when his project, no-defender, was removed from GitHub due to a DMCA takedown request from a software vendor.