security researchers Archives

Winsage

May 14, 2026

Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026

On the inaugural day of Pwn2Own Berlin 2026, a total of ,000 was awarded to security researchers for exploiting 24 unique zero-day vulnerabilities. Orange Tsai earned ,000 for chaining four logic bugs to achieve a sandbox escape on Microsoft Edge. Windows 11 was targeted by Angelboy, TwinkleStar03, Marcin Wiązowski, and Kentaro Kawane, each earning ,000 for demonstrating new privilege escalation zero-days. Valentina Palmiotti earned ,000 for rooting Red Hat Linux for Workstations and an additional ,000 for a zero-day in the NVIDIA Container Toolkit. Other notable exploits included k3vg3n earning ,000 for taking down LiteLLM, Satoki Tsuji and haehae earning ,000 for exploiting NVIDIA Megatron Bridge zero-days, Compass Security and maitai earning ,000 each for hacking OpenAI's Codex, haehae earning ,000 for a Chroma zero-day, and STARLabs SG earning ,000 for exploiting a LM Studio zero-day. The DEVCORE Research Team leads the competition with ,000 in earnings, followed by Valentina Palmiotti with ,000. The contest is held at the OffensiveCon conference from May 14 to May 16, with over ,000,000 in cash and prizes available. Participants must target fully patched products and demonstrate arbitrary code execution. Vendors have a 90-day window to release security fixes after zero-day flaws are disclosed. Last year, the TrendMicro Zero Day Initiative awarded ,078,750 for 29 zero-day vulnerabilities.

Winsage

May 14, 2026

Dell confirms its SupportAssist software causes Windows BSOD crashes

Dell's SupportAssist software is causing blue-screen crashes on certain Windows systems, attributed to a recent update to the SupportAssist Remediation service, specifically version 5.5.16.0. Users experiencing these crashes are advised to uninstall or disable the service to resolve the issue. Dell has acknowledged the problem and is working on a solution. Uninstalling the service may result in the loss of system repair points created by Dell OS SupportAssist Recovery. Users still facing issues after uninstallation should contact Dell support. This incident follows previous software challenges faced by Dell, including blue screens from earlier SupportAssist versions and BIOS updates that prevented some laptops from booting. Additionally, vulnerabilities have been identified in the BIOSConnect feature of Dell SupportAssist, posing security risks.

Winsage

May 14, 2026

Microsoft MDASH finds Windows security flaws with AI | ETIH EdTech News

Microsoft has developed an AI security system called MDASH that has identified 16 vulnerabilities in Windows networking and authentication frameworks, with four classified as Critical, allowing for remote code execution. MDASH uses over 100 specialized AI agents to analyze code from multiple perspectives, improving the accuracy of vulnerability detection. The system has successfully detected all 21 planted vulnerabilities in a private testing environment without false positives, achieving a 96 percent recall rate against historical cases and an 88.45 percent success rate on the CyberGym benchmark. The identified vulnerabilities include issues in tcpip.sys and IKEEXT, which can be exploited remotely without needing credentials.

AppWizard

May 12, 2026

TrickMo Android Malware Targets Banking, Wallet, and Authenticator Apps

TrickMo, an Android banking malware, has re-emerged with enhanced stealth and operational capabilities, targeting banking, fintech, wallet, and authenticator apps. It retains its core device takeover abilities while improving stealth, persistence, and flexibility. The malware persuades users to grant accessibility permissions, allowing full remote control, including real-time screen viewing. A significant advancement is its shift to The Open Network (TON) for command-and-control communication, complicating takedown efforts. TrickMo has been actively deployed in France, Italy, and Austria since early 2026, using fake login overlays to capture credentials while recording user activity. It communicates through .adnl endpoints within the TON network and employs DNS-over-HTTPS for encrypted DNS queries. The malware's modular design includes a primary application as a loader and a dynamically loaded APK module called “dex.module” for malicious capabilities. It features network reconnaissance and tunneling capabilities, allowing commands like HTTP probing and establishing SSH tunnels, which can bypass fraud detection systems. Dormant features suggest potential for future capabilities without altering the core application. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo's various components.

AppWizard

May 11, 2026

Google warns 7 million Android users to delete these 28 fake apps

28 Android applications were removed from the Google Play Store after being identified as scams by security researchers at ESET. These apps, part of a campaign called “CallPhantom,” falsely claimed to provide access to private call logs, SMS records, and WhatsApp activity. They attracted millions of downloads despite lacking legitimacy, offering fabricated data such as fake phone numbers and bogus call durations. Some apps charged users for “detailed reports” that either never arrived or contained nonsensical information. The apps did not steal phone data or install malware but instead promised illicit access and generated fictitious data. The primary targets of this scam were users in India and the Asia-Pacific region.

AppWizard

May 8, 2026

Android alert: 7 million users downloaded ‘stalking’ apps that were actually scams

Security researchers at ESET uncovered a scam involving 28 applications named "CallPhantom," which collectively amassed over 7.3 million downloads on the Google Play Store. These apps promised access to call histories, SMS records, and WhatsApp call logs for any phone number, raising privacy concerns. They requested intrusive permissions from users' devices, leading to potential privacy violations. Payment structures varied, with some using Google Play's billing system and others circumventing it through third-party methods. ESET reported the apps to Google in December 2025, resulting in their removal from the Play Store. A recent search confirmed that these apps are no longer available.

AppWizard

May 5, 2026

North Koreans Spy on Defectors Via Android Game Apps

A North Korean hacking group has targeted a digital gaming platform popular among the Korean ethnic enclave in China, using a sophisticated strategy to infiltrate Android applications. Researchers from Eset discovered that an app on the platform contained a backdoor known as BirdCall, linked to North Korea. The official website for the gaming platform hosted the same suspicious APK file. A second Android file associated with another game on the same site was also found to contain the BirdCall backdoor. This supply-chain attack was attributed to the threat actor ScarCruft (APT37), active in Asia and extending into Europe and the Middle East since late 2024. The hackers likely compromised the web server to recompile original APKs with the backdoor, which can collect sensitive information such as contacts, SMS messages, call logs, documents, media files, and private keys, and can take screenshots and record audio. The malware disguises its command and control traffic among regular internet traffic, primarily using Zoho WorkDrive for operations.

Tech Optimizer

May 4, 2026

Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Microsoft Defender mistakenly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, leading to their removal from Windows systems globally. This issue arose after a Defender signature update on April 30th, with affected certificates including 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. The certificates were removed from the AuthRoot store under the Registry key HKLMSOFTWAREMicrosoftSystemCertificatesAuthRootCertificates. Microsoft has addressed the issue in Security Intelligence update version 1.449.430.0, which also restored the removed certificates. The false positives were linked to detections related to a recent DigiCert breach, where threat actors obtained valid code-signing certificates used for signing malware. DigiCert revoked 60 code-signing certificates, including those linked to the "Zhong Stealer" malware campaign. The malware utilized certificates issued to companies like Lenovo and Kingston, but the certificates flagged by Microsoft Defender are root certificates and do not correspond to the revoked code-signing certificates.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

AppWizard

April 23, 2026

Binance’s Android app is quietly running TikTok and WeChat SDKs alongside 13 other trackers

Security researchers have found that the Binance Android app includes SDKs from ByteDance and Tencent, along with 13 additional third-party trackers. This raises privacy concerns for users, as the TikTok SDK collects device fingerprints, behavioral signals, and potentially clipboard data, while the WeChat SDK adds functionalities not necessary for a financial trading platform. The incorporation of these SDKs could expose sensitive financial information. Under EU GDPR and FTC regulations, undisclosed telemetry in financial apps may be considered deceptive trade practices, potentially leading to regulatory repercussions for Binance. Users are advised to revoke permissions from the app or switch to the browser-based platform. The situation could prompt regulatory scrutiny and audits of cryptocurrency asset management apps.