security researchers Archives

Winsage

February 26, 2026

PoC Published for Microsoft Windows Flaw That Allows Low-Privileged Users to Force Irrecoverable BSODs

Security researchers have developed a working Proof of Concept (PoC) exploit for a vulnerability in the Windows kernel, identified as CVE-2026-2636, which allows low-privileged users to induce a Blue Screen of Death (BSoD), resulting in a Denial of Service. This vulnerability is linked to the Windows Common Log File System (CLFS) driver, specifically the CLFS.sys component, and arises from improper handling of invalid or special elements within CLFS (CWE-159). The PoC demonstrates that a non-administrative user can trigger the bug by executing a crafted ReadFile operation on a handle linked to an opened .blf log file without the expected I/O Request Packet (IRP) flags set. This leads to a critical inconsistency in the driver, causing Windows to invoke the kernel routine KeBugCheckEx, which results in a BSoD. The CVE-2026-2636 has a CVSS score of 5.5 (Medium) and poses a high impact on availability, allowing any authenticated user to crash the host reliably. Microsoft addressed this vulnerability in the September 2025 cumulative update, protecting systems running Windows 11 2024 LTSC and Windows Server 2025 by default. However, older or unpatched builds remain vulnerable. Organizations are advised to verify the deployment of the September 2025 updates, prioritize patching multi-user systems, and monitor for unusual spikes in BSoD events.

AppWizard

February 24, 2026

Android mental health apps with 14.7M installs filled with security flaws

Recent analysis by Oversecured identified 1,575 security vulnerabilities across ten mental health mobile applications, which include 54 high-severity, 538 medium-severity, and 983 low-severity issues. These apps, with over 14.7 million downloads, assist users with conditions like clinical depression and anxiety. Vulnerabilities include improper handling of user-supplied URIs, weak local data storage practices, and cryptographically weak session token generation. Six of the ten apps had no high-severity vulnerabilities, but medium-severity issues still pose risks to user privacy. The scans were conducted between January 22 and 23, 2026, and only four apps had received recent updates.

Tech Optimizer

February 22, 2026

Researchers Discover First Android Malware Using Generative AI for Persistence

Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.

AppWizard

February 20, 2026

Dangerous Massiv Android malware poses as IPTV app to infect devices and steal banking info

Security researchers from ThreatFabric have identified a deceptive application named “Massiv,” which masquerades as a legitimate IPTV service but is actually a banking trojan designed to compromise users' financial security. The malware primarily targets users in Portugal, using tactics like screen overlays and keylogging to steal sensitive data. Many users download unofficial IPTV apps, which are often fraudulent and do not provide access to pirated broadcasts. The stolen information is exploited by cybercriminals to open fraudulent bank accounts and launder money, putting victims in precarious financial situations and posing risks to the integrity of financial systems.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

AppWizard

February 19, 2026

Android AI app exposes nearly 2m user files – including private videos

A privacy breach involving the "Video AI Art Generator & Maker" app has exposed millions of private user files due to a misconfigured Google Cloud Storage bucket lacking authentication. Since June 2023, approximately 8.27 million media files, including nearly 2 million original user-uploaded files, have become publicly accessible. This includes over 1.57 million private images, more than 385,000 personal videos, and millions of AI-generated assets. The app's developer, Codeway Dijital Hizmetler Anonim Sirketi, has fixed the configuration issue, but users remain at risk for phishing attacks, identity theft, and misuse of their private content. Legal experts suggest the app's privacy documentation may not comply with international standards like GDPR. Additionally, Codeway has a history of similar issues, as another app they developed also faced a security breach exposing 300 million messages from over 25 million users.

Winsage

February 16, 2026

Multiple Flaws Found in Microsoft Windows & Office — Could Let Hackers In

Microsoft has identified at least six zero-day vulnerabilities in Windows and Microsoft Office that were actively being exploited by hackers before patches were released. These vulnerabilities allow attackers to compromise systems with minimal user interaction, such as clicking on malicious links or opening compromised Office documents. Notable examples include a Windows Shell Security Bypass (CVE-2026-21510) and an Office File Exploit that can execute malicious code. The vulnerabilities pose serious risks, including active exploitation, remote code execution, and the potential for malware installation and credential theft. Microsoft has released security patches to address these vulnerabilities, and users are urged to install them immediately. The affected systems include all supported versions of Windows and Microsoft Office applications. Users are advised to install updates, be cautious with emails and links, enable security tools, and keep software up to date.

Winsage

February 15, 2026

Microsoft Blocks Credential Autofill to Fix Windows Hello Flaw

Microsoft has blocked credential autofill functionality in Windows 11 as part of the February 2026 Patch Tuesday updates to address the critical vulnerability CVE-2026-20804, which allows unauthorized access by tampering with Windows Hello authentication. This vulnerability was first identified in August 2025 and allows local administrators to inject biometric data. The restriction was documented in the January 2026 Patch Tuesday release notes. Enhanced Sign-in Security (ESS) operates at a hypervisor virtual trust level but is limited by hardware compatibility issues, particularly affecting AMD-based systems. Post-update, credential dialogs do not respond to virtual keyboard inputs from remote desktop or screen-sharing applications, preventing autofill during remote support sessions. Microsoft has provided a risky workaround that allows applications to operate with elevated administrator privileges, but this reintroduces the vulnerability. Organizations must now choose between disrupted remote support workflows or risking exposure to credential injection attacks, leading to operational challenges for IT teams and help desk staff.

Winsage

February 13, 2026

Microsoft Introduces New Secure Boot Certificates Before June Deadline

The foundational security certificates supporting Windows Secure Boot, introduced in 2011, will expire in mid-2026, specifically in June and October. Microsoft and PC manufacturers are updating the Windows ecosystem to address this. Devices that do not receive updated certificates may face security limitations and compatibility issues with newer operating systems and hardware. The transition is described as a "generational refresh" of the trust infrastructure for Windows. Systems failing to update will still function but may enter a "degraded security state," unable to install new security mitigations or newer operating systems. Most users will receive updates automatically through Windows Update, while older systems may require manual intervention. Systems at risk include those running unsupported Windows versions, with Secure Boot disabled, or not enrolled in Extended Security Updates. Users should check their Secure Boot status using PowerShell commands to ensure they are using the new certificates. The update affects not only Windows PCs but also other devices utilizing UEFI Secure Boot.

Winsage

February 12, 2026

Microsoft says hackers are exploiting critical zero-day bugs to target Windows and Office users

Microsoft has addressed critical security vulnerabilities in its Windows operating system and Office suite that are actively exploited by malicious actors. These vulnerabilities include one-click attacks that can be triggered by users clicking on malicious links or opening compromised Office files. Known as zero-days, these flaws were exploited before Microsoft could implement fixes. One significant vulnerability, tracked as CVE-2026-21510, affects the Windows shell and allows hackers to bypass Microsoft's SmartScreen feature, potentially enabling remote malware installation. Another vulnerability, CVE-2026-21513, is found in the MSHTML browser engine, allowing hackers to install malware by bypassing security measures. Microsoft has also patched three other zero-day bugs that were under active exploitation.