SmartScreen Archives

Winsage

January 7, 2026

Hackers Use Fake Windows BSOD To Spread Malware

Security researchers have identified a social engineering campaign that mimics the Windows Blue Screen of Death (BSOD) to deceive users into installing a remote access Trojan (RAT). The campaign, named PHALT#BLYX, begins with phishing emails that appear to be legitimate cancellation notices from travel websites, leading victims to a fake login page and an interactive CAPTCHA. This culminates in a full-screen imitation of the BSOD, prompting users to follow instructions that ultimately allow attackers to gain control of their computers. The attackers use a “ClickFix” process that involves executing commands through native Windows tools like PowerShell and MSBuild, making detection more challenging. The malware delivered is an obfuscated version of DCRat, which provides attackers with remote control capabilities, keylogging, and the ability to download additional malware. The campaign primarily targets hotels and hospitality businesses in Europe, exploiting the urgency of front-desk staff to respond to apparent technical issues. Indicators of a fake BSOD include the ability to interact with the screen, requests to execute commands via Windows tools, and the presence of CAPTCHA prompts. Organizations are advised to train employees, implement application control, enhance email and web defenses, and prepare for incident response to mitigate risks associated with such attacks.

Tech Optimizer

November 6, 2025

EndClient RAT Abuses Stolen Code-Signing Certificate to Evade Antivirus Detection

North Korean cyber actors have developed a Remote Access Trojan (RAT) called "EndClient RAT," targeting human rights defenders in South Korea and internationally. This malware evades antivirus detection by using stolen code-signing certificates and is delivered through a Microsoft Installer package named "StressClear.msi," which is signed by a Chinese firm. The RAT deploys an AutoIT-based payload, creates a scheduled task for persistence, and communicates with its command-and-control server using a custom protocol. Detection rates for EndClient RAT are low, with only 7 out of 64 detections for the dropper and 1 out of 64 for the payload script. Organizations are advised to block identified indicators of compromise and treat signed MSIs as untrusted until verified.

Tech Optimizer

October 29, 2025

Windows Defender Settings Explained for Windows 11 Users

Windows Defender, now known as Microsoft Defender Antivirus, is a security tool for PCs that protects against viruses and malware. To access its settings, press Windows + I, select Privacy & Security, then Windows Security, and click Open Windows Security. Key settings to review include: 1. Virus & Threat Protection: Enable real-time protection, cloud-delivered protection, and automatic sample submission. Run a Quick Scan for threats. 2. Firewall & Network Protection: Ensure the firewall is enabled for Domain, Private, and Public networks. 3. App & Browser Control: Activate SmartScreen features for apps and downloads. 4. Device Security: Check if Core Isolation is enabled for memory integrity protection. Users can customize notification settings to reduce pop-ups. Windows Defender can be temporarily disabled by toggling off Real-time protection. It can work alongside other antivirus programs but will disable its real-time protection if another antivirus is detected. For most users, Windows Defender provides sufficient protection. Automatic scans can be scheduled through Task Scheduler.

Tech Optimizer

October 26, 2025

How Your Computer Protects Itself from Viruses and Cyberattacks

Virus protection is essential in the digital landscape due to threats like ransomware, phishing, spyware, and trojans that can compromise personal data and financial security. Cybercriminals continuously innovate, leading to potential malware infections that can steal sensitive information, lock files for ransom, or degrade device performance. Windows includes Microsoft Defender Antivirus, which provides real-time protection, automatic updates, cloud-based scanning, and firewall features. macOS offers built-in security tools such as XProtect, Gatekeeper, and the Malware Removal Tool, alongside regular updates. Linux distributions like Ubuntu are designed with security in mind, featuring regular patches, AppArmor, and optional antivirus tools. Key features to look for in antivirus software include real-time scanning, firewall protection, web protection, email scanning, automatic updates, and parental controls. While built-in solutions are often sufficient for everyday users, advanced users may benefit from third-party antivirus software. Best practices for maintaining cyber hygiene include keeping software updated, avoiding unverified applications, using strong passwords, enabling two-factor authentication, and regularly backing up data.

Tech Optimizer

October 9, 2025

Business security worries during the move to Windows 11?

Windows 11 will replace Windows 10 on October 14th and is designed with enhanced security features, making it the most secure operating system to date. It requires a motherboard and CPU that support Secure Boot to protect against malicious code during startup. The operating system integrates artificial intelligence within its Windows Security suite for improved threat detection and data protection. Key components include Microsoft Defender Antivirus, which offers real-time alerts and a centralized command center, and Windows Defender SmartScreen, which analyzes potential threats from websites and downloads. Additional security features include Windows Firewall, Bluetooth Protection, Secure Wi-Fi, and enhanced VPN functionality. Windows 11 also focuses on identity security with biometric access through Windows Hello and multifactor authentication via Microsoft Authenticator. The operating system is linked to Microsoft Accounts for centralized data management and includes a Find My Device feature for locating or locking stolen PCs. RCT Cloud is a recommended vendor for assistance with the Windows 11 upgrade, providing Microsoft licenses and support.

Tech Optimizer

September 22, 2025

Threat Actors Market Stealthy New RAT as Alternative to ScreenConnect FUD

Cybersecurity researchers have identified a sophisticated Remote Access Trojan (RAT) being marketed as a fully undetectable alternative to the legitimate ScreenConnect remote access solution. This malware evades security measures like Google Chrome and Windows SmartScreen by bundling itself with valid Extended Validation (EV) certificates, allowing it to appear legitimate and evade detection. The RAT employs a comprehensive evasion toolkit, including antibot mechanisms and cloaked landing pages, to mislead automated security scanners while delivering malicious payloads. It utilizes fileless execution techniques via PowerShell commands, enabling it to operate without leaving traditional file traces. The malware provides attackers with real-time control over compromised systems, facilitating data exfiltration and system manipulation. The sales strategy of the threat actors indicates a mature cybercrime-as-a-service model, with the tool marketed as a "FUD loader" for establishing persistent access before deploying secondary payloads. This trend highlights an increasing focus on exploiting user trust in legitimate brands and undermining security technologies, particularly through the use of valid EV certificates. Security professionals are warned to expect more instances of brand impersonation and sophisticated evasion techniques.

Tech Optimizer

September 20, 2025

Threat Actors Selling New Undetectable RAT as ’ScreenConnect FUD Alternative’

A new Remote Access Trojan (RAT) is being marketed on underground forums as a fully undetectable alternative to ScreenConnect, featuring advanced capabilities to bypass security defenses. The seller claims it achieves zero detections during static and runtime analysis, making it a significant threat for initial access and payload delivery. The RAT can bypass security warnings from Google Chrome and Windows SmartScreen by bundling with a valid Extended Validation (EV) certificate. It includes antibot mechanisms and cloaked landing pages to evade detection by security scanners. The malware is presented through a fraudulent Adobe Acrobat Reader download page and allows attackers direct visual control over compromised machines. It utilizes a PowerShell-based command for execution, helping it avoid detection by traditional antivirus solutions. The tool is described as a “FUD loader,” intended to establish a stealthy presence on target systems before deploying additional payloads. The seller offers a demo and promises delivery within 24 working hours.

Tech Optimizer

August 20, 2025

I tested the best antivirus software for Windows: Here’s what I’d use to protect my PC

Windows Security is a free antivirus program pre-installed on every Windows PC, offering solid protection. Bitdefender provides a comprehensive antivirus solution with a yearly subscription. Malwarebytes is recommended as the top antivirus choice for Windows users, featuring a user-friendly interface and both free and paid versions. TotalAV is an affordable option with a built-in VPN and system tune-up tool. McAfee Total Protection offers extensive features, including identity theft coverage. Avast One is designed for gamers, providing a Do Not Disturb mode. uBlock Origin is an ad blocker that enhances browser security, while Brave is a secure web browser with built-in tracking and ad blocking features.

Winsage

July 9, 2025

Microsoft Patch Tuesday, July 2025 Edition

Microsoft has released updates addressing 137 vulnerabilities across its Windows operating systems and supported software, with 14 classified as "critical." CVE-2025-49719 is a publicly disclosed information disclosure flaw affecting all SQL Server versions since 2016, posing a supply-chain risk due to its potential exploitation without authentication. SQL Server 2012 has reached its end of life, meaning no future security patches will be available. CVE-2025-47981 is a critical remote code execution vulnerability with a CVSS score of 9.8, affecting Windows clients and Windows Server. Microsoft also addressed four critical remote code execution vulnerabilities in its Office suite, including CVE-2025-49695 and CVE-2025-49696, which can be triggered through the Preview Pane. Other high-severity vulnerabilities include CVE-2025-49740, which could bypass Microsoft Defender SmartScreen, and CVE-2025-47178, allowing attackers to execute arbitrary SQL queries with minimal privileges. Adobe has also released security updates for various software, and users are advised to back up data before installing patches.

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.