SSH Archives

Winsage

March 13, 2026

These 4 open-source apps fixed Windows’ biggest problems

Windows operating system has evolved over the years, but initially, it often required external tools for tasks like video playback, file compression, secure connections, and file transfers. VLC Media Player addressed the issue of codec compatibility in video playback by bundling its own codecs, making it a widely used media player. 7-Zip improved file compression on Windows by offering superior efficiency, extensive format support, and user-friendly features, becoming essential for archiving tasks. PuTTY provided Windows users with their first effective SSH client, allowing secure terminal connections to remote servers, and remains popular despite Microsoft integrating OpenSSH. FileZilla simplified the process of uploading files to servers with its user-friendly graphical interface, becoming a staple for web developers. Despite improvements in Windows, many users continue to install these open-source applications out of habit due to their reliability and effectiveness.

Winsage

March 6, 2026

Chinese hackers hide malware in Windows and Google Drive to hit targets

Chinese state-sponsored threat actors, specifically a group known as Silver Dragon, have been conducting espionage operations across Southeast Asia and Europe since at least mid-2024. They have targeted government entities in countries such as Russia, Poland, Hungary, Italy, Japan, Myanmar, and Malaysia. Silver Dragon is believed to be affiliated with APT41 and primarily uses phishing emails to initiate attacks, often containing weaponized documents or links. They employ a custom backdoor called GearDoor, which utilizes Google Drive for command-and-control operations, allowing them to exfiltrate stolen intelligence. The group also hijacks legitimate Windows services to load malicious code and uses tools like SSHcmd and Cobalt Strike for post-exploitation activities. Their tactics involve blending malicious activities with normal system operations, making detection difficult and increasing their dwell time within targeted networks.

Winsage

February 17, 2026

How to Uninstall and Reinstall Chrome on Windows 11 Using Winget CMD

Google Chrome can experience performance issues on Windows due to corrupted profiles, extension conflicts, broken updates, and crashes. A complete uninstall and reinstall often resolves these issues, and the Windows Package Manager (Winget) provides a command-line method for this process. To uninstall Chrome using Winget, open Terminal as an administrator and run the command PLACEHOLDER7836d906c03bd8f1. After uninstallation, verify it with PLACEHOLDER30cf24d62406b8ee, then reinstall using PLACEHOLDER76e40aae6965d719. For a clean reinstall, delete the leftover user data folder at PLACEHOLDER142352b706501488. Commands: - Check installed version: winget list Google.Chrome - Uninstall Chrome: winget uninstall Google.Chrome - Verify removal: winget list Google.Chrome - Reinstall Chrome: winget install Google.Chrome - Silent install: winget install Google.Chrome --silent - Delete leftover data: rmdir /s /q "%LocalAppData%GoogleChrome" Before executing commands, ensure Winget is available and updated, and that you have administrator privileges. Backup data by enabling Chrome Sync. Close Chrome completely before uninstalling to avoid process interference. A clean reinstall involves deleting the Chrome user data folder, which removes bookmarks, passwords, and other stored data. Winget is faster and more suitable for scripting and remote management compared to traditional uninstall methods through the Settings app or Control Panel. Common troubleshooting for Winget includes handling errors related to package recognition, installation blocks, and access issues. If uninstalling fails, terminate any running Chrome processes and retry the command. If unsuccessful, use the Settings app for removal and then Winget for reinstallation.

Tech Optimizer

November 12, 2025

Hackers hijacked antivirus features to install malware – here’s what we know

A critical vulnerability identified as CVE-2025-12480 was found in the remote file sharing platform Triofox, characterized by improper access control that allowed zero-day exploitation. Security experts from Google’s Mandiant revealed that Triofox's antivirus feature was compromised, enabling unauthorized access to setup pages post-installation. The UNC6485 threat group exploited this vulnerability using tools like Zoho Assist, AnyDesk, and SSH tunneling for remote access. A patch was released on July 26, and a newer version of Triofox was made available on October 14 to mitigate the risks, with users advised to update their systems.

Winsage

November 11, 2025

“Windows doesn’t really suck” — ex‑Microsoft engineer calls for a ‘Pro Mode’ to cut the clutter

Microsoft discontinued support for Windows 10, pushing users to upgrade to Windows 11 or use the Extended Security Updates (ESU) program. Critics view the ESU as a temporary solution. Windows 11 is reported to be up to 2.3 times faster than Windows 10, but many users are hesitant to switch due to strict hardware requirements and design issues. Approximately 400 million Windows PCs are now unsupported, raising concerns about increased electronic waste. User dissatisfaction with Windows 11 includes issues with AI integration, the Start menu, mandatory Microsoft Account usage, default browser settings, inability to remove CoPilot, frequent ads, and resource-heavy background processes. Former Microsoft engineer Dave Plummer suggested a professional mode for advanced users, proposing features like centralized settings, a default Windows terminal, transparency in telemetry, a predictable update schedule, and a paid professional mode to reduce upselling. Plummer emphasized that current frustrations stem from the user experience being compromised by aggressive marketing tactics.

Tech Optimizer

November 11, 2025

Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

A critical security vulnerability (CVE-2025-12480) has been identified in Gladinet's Triofox platform, allowing attackers to bypass authentication and access sensitive configuration pages. This vulnerability has a CVSS score of 9.1 and has been exploited by a threat cluster known as UNC6485 since August 24, 2025. Despite patches issued by Gladinet, attackers created a new admin account to execute malicious code, including a batch script that downloaded tools for remote access. They used these tools for reconnaissance and privilege escalation. Mandiant recommends that Triofox users update to the latest version and audit admin accounts.

Winsage

November 5, 2025

Russian APT abuses Windows Hyper-V for persistence and malware execution

Cyber attackers used the Import-VM and Start-VM PowerShell cmdlets to introduce a virtual machine named WSL into Hyper-V. This virtual machine hosts a compact Alpine Linux environment with two implants, CurlyShell and CurlCat, identified by Bitdefender. CurlyShell uses libcurl to connect to a command-and-control server, creating a reverse shell to execute commands and return outputs. CurlCat functions as a proxy, tunneling SSH traffic through HTTP requests to evade detection by network monitoring tools.

Tech Optimizer

November 5, 2025

Hackers Are Using Linux Malware to Invisibly Bypass Windows Security

Hackers are refining tactics to evade detection by EDR systems and antivirus software, with a notable strategy being the use of Linux malware to infiltrate Windows systems. Investigations by Bitdefender and CERT-GE revealed a campaign by the Russian hacker group Curly COMrades, which exploits the Hyper-V virtualization platform on Windows 10 to create covert access channels. They utilize Alpine Linux for lightweight virtual machines that are difficult to detect, requiring only 120 MB of disk space and 256 MB of RAM. The attackers maintain persistent access using tools like Resocks and Stunnel, starting their activities in early July 2024 by activating Hyper-V on compromised systems and deploying misleading virtual machines labeled “WSL.” They introduced custom malware, CurlyShell and CurlCat, for communication and remote access. This trend of using Linux malware against Windows systems is growing, as seen in recent Qilin ransomware attacks documented by Trend Micro.

Winsage

November 5, 2025

Curly COMrades abuse Hyper-V for covert malware operations in VMs

Bitdefender researchers have identified advanced techniques used by the Curly COMrades threat actor, believed to have Russian backing, to exploit Microsoft’s Hyper-V virtualization platform. This group activates Hyper-V on compromised systems to deploy a lightweight virtual machine (VM) running Alpine Linux, which hosts malware tools CurlyShell and CurlCat. The operation began in early July with commands that activated Hyper-V and prepared the environment for the VM, using deceptive file names to avoid detection. The Alpine Linux VM is customized for each victim, allowing the attackers to maintain a low profile while facilitating reverse shell and proxy activities. The VM routes traffic through the host's network, masking communications as originating from the legitimate host IP. CurlyShell acts as a persistent reverse shell, while CurlCat manages SSH traffic tunneling, utilizing a private key for authentication. The attackers also employ various proxy and tunneling tools and utilize PowerShell scripts for tasks such as injecting Kerberos tickets into LSASS for lateral movement and creating local accounts to ensure ongoing access. Their command and control infrastructure involves compromised servers that relay traffic between infected hosts and the attackers' servers, with measures taken to limit forensic evidence. To detect and mitigate these threats, Bitdefender emphasizes the need for host-based network inspection and hardening, as well as monitoring for abnormal access to the LSASS process and suspicious Kerberos ticket activities. The findings indicate a shift in threat actor tactics towards using virtualization for stealth and persistence, highlighting the need for layered security measures.

Winsage

November 4, 2025

Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been using Microsoft Hyper-V to bypass endpoint detection and response (EDR) solutions by creating a concealed Alpine Linux-based virtual machine for running malware. They have deployed proprietary tools, CurlyShell and CurlCat, within this virtual environment to maintain operational stealth and secure communication. Active since mid-2024, the group targets government and judicial entities in Georgia and energy companies in Moldova. In early July, they gained remote access to two machines, activated Hyper-V, and disabled its management interface to deploy a minimalistic virtual machine that hosted their malware. This tactic allowed them to evade traditional host-based EDR detections. The virtual machine was configured to use the Default Switch network adapter, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell executes commands and maintains persistence, while CurlCat facilitates covert traffic tunneling. The group also utilized PowerShell scripts for persistence and pivoting to remote systems, including injecting Kerberos tickets into LSASS and creating local accounts via Group Policy. Bitdefender advises organizations to monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts.