SSH Archives

Winsage

February 17, 2026

How to Uninstall and Reinstall Chrome on Windows 11 Using Winget CMD

Google Chrome can experience performance issues on Windows due to corrupted profiles, extension conflicts, broken updates, and crashes. A complete uninstall and reinstall often resolves these issues, and the Windows Package Manager (Winget) provides a command-line method for this process. To uninstall Chrome using Winget, open Terminal as an administrator and run the command PLACEHOLDER7836d906c03bd8f1. After uninstallation, verify it with PLACEHOLDER30cf24d62406b8ee, then reinstall using PLACEHOLDER76e40aae6965d719. For a clean reinstall, delete the leftover user data folder at PLACEHOLDER142352b706501488. Commands: - Check installed version: winget list Google.Chrome - Uninstall Chrome: winget uninstall Google.Chrome - Verify removal: winget list Google.Chrome - Reinstall Chrome: winget install Google.Chrome - Silent install: winget install Google.Chrome --silent - Delete leftover data: rmdir /s /q "%LocalAppData%GoogleChrome" Before executing commands, ensure Winget is available and updated, and that you have administrator privileges. Backup data by enabling Chrome Sync. Close Chrome completely before uninstalling to avoid process interference. A clean reinstall involves deleting the Chrome user data folder, which removes bookmarks, passwords, and other stored data. Winget is faster and more suitable for scripting and remote management compared to traditional uninstall methods through the Settings app or Control Panel. Common troubleshooting for Winget includes handling errors related to package recognition, installation blocks, and access issues. If uninstalling fails, terminate any running Chrome processes and retry the command. If unsuccessful, use the Settings app for removal and then Winget for reinstallation.

Tech Optimizer

November 12, 2025

Hackers hijacked antivirus features to install malware – here’s what we know

A critical vulnerability identified as CVE-2025-12480 was found in the remote file sharing platform Triofox, characterized by improper access control that allowed zero-day exploitation. Security experts from Google’s Mandiant revealed that Triofox's antivirus feature was compromised, enabling unauthorized access to setup pages post-installation. The UNC6485 threat group exploited this vulnerability using tools like Zoho Assist, AnyDesk, and SSH tunneling for remote access. A patch was released on July 26, and a newer version of Triofox was made available on October 14 to mitigate the risks, with users advised to update their systems.

Winsage

November 11, 2025

“Windows doesn’t really suck” — ex‑Microsoft engineer calls for a ‘Pro Mode’ to cut the clutter

Microsoft discontinued support for Windows 10, pushing users to upgrade to Windows 11 or use the Extended Security Updates (ESU) program. Critics view the ESU as a temporary solution. Windows 11 is reported to be up to 2.3 times faster than Windows 10, but many users are hesitant to switch due to strict hardware requirements and design issues. Approximately 400 million Windows PCs are now unsupported, raising concerns about increased electronic waste. User dissatisfaction with Windows 11 includes issues with AI integration, the Start menu, mandatory Microsoft Account usage, default browser settings, inability to remove CoPilot, frequent ads, and resource-heavy background processes. Former Microsoft engineer Dave Plummer suggested a professional mode for advanced users, proposing features like centralized settings, a default Windows terminal, transparency in telemetry, a predictable update schedule, and a paid professional mode to reduce upselling. Plummer emphasized that current frustrations stem from the user experience being compromised by aggressive marketing tactics.

Tech Optimizer

November 11, 2025

Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

A critical security vulnerability (CVE-2025-12480) has been identified in Gladinet's Triofox platform, allowing attackers to bypass authentication and access sensitive configuration pages. This vulnerability has a CVSS score of 9.1 and has been exploited by a threat cluster known as UNC6485 since August 24, 2025. Despite patches issued by Gladinet, attackers created a new admin account to execute malicious code, including a batch script that downloaded tools for remote access. They used these tools for reconnaissance and privilege escalation. Mandiant recommends that Triofox users update to the latest version and audit admin accounts.

Winsage

November 5, 2025

Russian APT abuses Windows Hyper-V for persistence and malware execution

Cyber attackers used the Import-VM and Start-VM PowerShell cmdlets to introduce a virtual machine named WSL into Hyper-V. This virtual machine hosts a compact Alpine Linux environment with two implants, CurlyShell and CurlCat, identified by Bitdefender. CurlyShell uses libcurl to connect to a command-and-control server, creating a reverse shell to execute commands and return outputs. CurlCat functions as a proxy, tunneling SSH traffic through HTTP requests to evade detection by network monitoring tools.

Tech Optimizer

November 5, 2025

Hackers Are Using Linux Malware to Invisibly Bypass Windows Security

Hackers are refining tactics to evade detection by EDR systems and antivirus software, with a notable strategy being the use of Linux malware to infiltrate Windows systems. Investigations by Bitdefender and CERT-GE revealed a campaign by the Russian hacker group Curly COMrades, which exploits the Hyper-V virtualization platform on Windows 10 to create covert access channels. They utilize Alpine Linux for lightweight virtual machines that are difficult to detect, requiring only 120 MB of disk space and 256 MB of RAM. The attackers maintain persistent access using tools like Resocks and Stunnel, starting their activities in early July 2024 by activating Hyper-V on compromised systems and deploying misleading virtual machines labeled “WSL.” They introduced custom malware, CurlyShell and CurlCat, for communication and remote access. This trend of using Linux malware against Windows systems is growing, as seen in recent Qilin ransomware attacks documented by Trend Micro.

Winsage

November 5, 2025

Curly COMrades abuse Hyper-V for covert malware operations in VMs

Bitdefender researchers have identified advanced techniques used by the Curly COMrades threat actor, believed to have Russian backing, to exploit Microsoft’s Hyper-V virtualization platform. This group activates Hyper-V on compromised systems to deploy a lightweight virtual machine (VM) running Alpine Linux, which hosts malware tools CurlyShell and CurlCat. The operation began in early July with commands that activated Hyper-V and prepared the environment for the VM, using deceptive file names to avoid detection. The Alpine Linux VM is customized for each victim, allowing the attackers to maintain a low profile while facilitating reverse shell and proxy activities. The VM routes traffic through the host's network, masking communications as originating from the legitimate host IP. CurlyShell acts as a persistent reverse shell, while CurlCat manages SSH traffic tunneling, utilizing a private key for authentication. The attackers also employ various proxy and tunneling tools and utilize PowerShell scripts for tasks such as injecting Kerberos tickets into LSASS for lateral movement and creating local accounts to ensure ongoing access. Their command and control infrastructure involves compromised servers that relay traffic between infected hosts and the attackers' servers, with measures taken to limit forensic evidence. To detect and mitigate these threats, Bitdefender emphasizes the need for host-based network inspection and hardening, as well as monitoring for abnormal access to the LSASS process and suspicious Kerberos ticket activities. The findings indicate a shift in threat actor tactics towards using virtualization for stealth and persistence, highlighting the need for layered security measures.

Winsage

November 4, 2025

Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been using Microsoft Hyper-V to bypass endpoint detection and response (EDR) solutions by creating a concealed Alpine Linux-based virtual machine for running malware. They have deployed proprietary tools, CurlyShell and CurlCat, within this virtual environment to maintain operational stealth and secure communication. Active since mid-2024, the group targets government and judicial entities in Georgia and energy companies in Moldova. In early July, they gained remote access to two machines, activated Hyper-V, and disabled its management interface to deploy a minimalistic virtual machine that hosted their malware. This tactic allowed them to evade traditional host-based EDR detections. The virtual machine was configured to use the Default Switch network adapter, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell executes commands and maintains persistence, while CurlCat facilitates covert traffic tunneling. The group also utilized PowerShell scripts for persistence and pivoting to remote systems, including injecting Kerberos tickets into LSASS and creating local accounts via Group Policy. Bitdefender advises organizations to monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts.

Winsage

November 4, 2025

Russian Hackers Abuse Hyper-V to Hide Malware and Evade Endpoint Detection

A Russian-linked hacking group, Curly COMrades, is using Microsoft’s Hyper-V to conceal malware within compromised Windows systems. They install a small Alpine Linux virtual machine (VM) to run custom malware, evading endpoint detection and response (EDR) software since July. The group exploits Hyper-V's native features, enabling it on victim systems while disabling management clients to avoid detection. The VM, named “WSL,” hosts two C++ tools: ‘CurlyShell,’ a reverse shell, and ‘CurlCat,’ a reverse proxy, both designed to maintain persistence and obfuscate their activities. The VM occupies only 120MB of disk space and uses Hyper-V’s Default Switch for network traffic, making malicious communication appear to originate from the legitimate host. Additionally, Curly COMrades employs malicious PowerShell scripts for persistence and lateral movement, including creating local user accounts and using a modified TicketInjector for authentication across networks.

Winsage

November 4, 2025

Russian spies pack custom malware into hidden VMs on Windows

Bitdefender's senior security researcher, Victor Vrabie, reported that the Russian cyber group Curly COMrades is using Microsoft's Hyper-V hypervisor to conduct sophisticated attacks on compromised Windows machines. They create a concealed Alpine Linux-based virtual machine (VM) that bypasses traditional endpoint security, allowing prolonged access for espionage and malware deployment. This VM is lightweight, requiring only 120MB of disk space and 256MB of memory, and hosts a reverse shell called CurlyShell and a reverse proxy named CurlCat. The group's operations have targeted judicial and governmental institutions in Georgia and an energy company in Moldova. Their current campaign, starting in July, involved activating Hyper-V and downloading the VM with custom malware. The VM uses the Default Switch network adaptor, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell maintains root-level persistence and communicates with a command-and-control server over HTTPS, while CurlCat manages an SSH reverse proxy tunnel disguised as standard HTTP traffic. Additionally, two PowerShell scripts linked to the group enable remote authentication and establish persistent access across domain-joined machines. Vrabie highlighted the evolving tactics of cybercriminals to bypass endpoint detection and response (EDR) systems, emphasizing the need for a multi-layered security strategy.