static analysis Archives

Tech Optimizer

June 18, 2026

Here’s What Actually Happens When Antivirus Software Scans Your PC

Interactions with antivirus software occur during installation and when issues arise, while the software operates quietly in the background. Modern antivirus solutions continuously monitor for threats using various detection methods, including real-time scanning, which actively scrutinizes files as they are downloaded or accessed. The signature database is essential for identifying malware by comparing files against known signatures, but it can only detect documented threats. Heuristic detection and behavioral analysis help catch unknown malware by evaluating suspicious characteristics and monitoring file actions during execution. Sandboxing allows suspicious files to run in a controlled environment, logging their behavior to determine if they are malicious. Quarantine neutralizes threats by locking files in a secure location, allowing users to review them before deletion. Full scans are resource-intensive and can slow down system performance, while real-time scanning is less demanding. Users can schedule scans during idle times, exclude trusted folders, or consider cloud-based solutions to mitigate performance impacts.

Winsage

June 12, 2026

Hackers Use Fake Windows Update Installers to Deliver OnyxC2 Credential Stealer

OnyxC2 is a sophisticated credential stealer available for a subscription fee of 0 per month, distributed through disguised lures such as fake Windows updates and legitimate software installers. It functions as a commercial product with features like an automated payload builder, tiered licensing, and a centralized web dashboard. The malware boasts a 99% detection-evasion rate, successfully evading major antivirus solutions during tests. It is developed in C++, utilizing direct system calls and mutating with each build to avoid detection. OnyxC2 collects data from around 210 applications, targeting 45 web browsers, password managers, cryptocurrency wallets, and FTP clients. The malware is delivered using DLL sideloading, where a password-protected archive contains a legitimate application and a malicious DLL. The attacker's DLL is disguised by inflating its size and is loaded by a trusted binary. The malicious code remains encrypted on disk and decrypts in memory to evade analysis. OnyxC2 communicates with a Cloudflare-fronted command-and-control server to manage infected hosts and execute commands like hardware registration and cookie uploads. The threat extends to business environments, targeting FTP and email clients, with stolen session cookies allowing ongoing access to corporate infrastructure. Implementing anti-data exfiltration controls is recommended as a mitigation strategy.

AppWizard

June 8, 2026

NFCShare Android malware spreads via fake banking app updates on GitHub

New variants of the NFCShare Android malware are disguised as fake updates for legitimate banking applications and are targeting customers of various banks in Europe through a phishing campaign to steal sensitive payment card data. The malware prompts victims to place their cards near the NFC chip of their mobile devices, using Android’s IsoDep interface to read card information, including card number, type, expiry date, and a 4-digit PIN. The stolen data is exfiltrated to the attacker’s command-and-control host via a WebSocket channel. Recent attacks began on May 14, with victims directed to a phishing site that impersonates a legitimate bank and then to a GitHub repository hosting a malicious APK file. The repository has hosted 56 unique APKs impersonating banking applications primarily from Italy and Spain. The malware has evolved from initially targeting Deutsche Bank in Germany to a broader range of banks. The latest version features malformed APK packaging to complicate automated analysis. Users are advised to download banking applications only from Google Play and to be cautious of verification requests that ask for NFC card scans.

Winsage

May 23, 2026

Windows 11 26H1: Microsoft’s driver changes target platform, WLAN, storage, and GPU debugging

Microsoft has refreshed its driver documentation for Windows 11 version 26H1, focusing on enhancements within the driver ecosystem rather than user-centric features. The Windows Driver Kit 10.0.28000.1839, released on May 4, 2026, is designated for driver development on this version and supports Visual Studio 2026. Networking drivers have been updated to support WPA3 Compatibility Mode Security, with an upgraded WiFiCx TLV parser and the removal of outdated WDI datapath definitions. The storage driver stack now accommodates SD Ultra Capacity (SDUC) for cards exceeding 2 TB and up to 128 TB. In graphics, kernel header definitions for GPU Process Debug Blob Collection have been introduced, and static analysis integration has been intensified with updated CodeQL suites. These updates aim to prepare the driver base for future hardware demands and improve driver quality and compatibility.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

AppWizard

October 30, 2025

More Than 700 Malicious Android Apps Using NFC Relay to Exfiltrate Banking Credentials

Cybersecurity researchers at zLabs have identified over 760 malicious Android applications that exploit Near Field Communication (NFC) and Host Card Emulation (HCE) technologies to steal payment data and facilitate fraudulent transactions. Since April 2024, these applications have evolved into a coordinated global operation targeting financial institutions in countries such as Russia, Poland, the Czech Republic, Slovakia, and Brazil. The threat actors have established around 70 command-and-control servers and use Telegram bots for data exfiltration. The malicious apps impersonate about 20 legitimate entities, focusing on Russian banks and international institutions like Santander and Google Pay. They utilize various strategies to compromise payment credentials, including scanner and tapper tools, and employ simplified interfaces resembling legitimate banking portals. The malware activates a Host Card Emulation service during NFC payment events for real-time data relay. To evade detection, the threat actors use name masquerading, code obfuscation, and software packing techniques. This campaign represents a significant escalation in NFC-based financial fraud, highlighting the risks associated with NFC payment privileges.

AppWizard

October 25, 2025

OWASP Mobile Top 10 for Android – How AutoSecT Detects Each Risk?

Mobile applications account for 70% of global interactions, with over 6.8 billion smartphone users. In 2023, 40% of data breaches are linked to vulnerabilities in mobile applications. The OWASP Mobile Top 10 outlines critical security risks for mobile apps, including: 1. Improper Credential Usage: Mishandling of passwords and session tokens. 2. Inadequate Supply Chain Security: Risks from unverified third-party components. 3. Insecure Authentication/Authorization: Failures in verifying user identities. 4. Insufficient Input/Output Validation: Lack of checks on incoming and outgoing data. 5. Insecure Communication: Unprotected data during transmission. 6. Inadequate Privacy Controls: Poor safeguards for personal data. 7. Insufficient Binary Protections: Lack of defenses against reverse engineering. 8. Security Misconfiguration: Improperly secured application settings. 9. Insecure Data Storage: Weak protection of sensitive information on devices. 10. Insufficient Cryptography: Use of weak or improperly implemented encryption. AutoSecT, an AI-driven mobile app security testing platform, detects these risks through various methods, including static code analysis, software composition analysis, and dynamic testing. It helps developers identify and mitigate vulnerabilities effectively.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

AppWizard

September 17, 2025

224 Malicious Android Apps on Google Play With 38 Million Downloads Delivering Malicious Payloads

A mobile ad fraud operation called "SlopAds" infiltrated the Google Play Store with 224 malicious applications, which collectively achieved over 38 million downloads across 228 countries. The operation utilized advanced steganography and obfuscation techniques to deliver fraudulent advertising payloads while avoiding detection. SlopAds activated its fraud system selectively based on specific advertising campaigns, generating around 2.3 billion fraudulent bid requests daily, primarily from the United States (30%), India (10%), and Brazil (7%). The malicious apps exploited Firebase Remote Config to retrieve encrypted data for downloading a primary fraud module named "FatModule." This module was concealed within PNG image files, allowing it to bypass traditional security measures. The FatModule included anti-analysis features to evade detection by security researchers. Google has since removed all identified SlopAds applications from the Play Store and implemented protections through Google Play Protect.

AppWizard

September 17, 2025

38 Million Downloads Across 224 Malicious Android Apps on Google Play Deliver Harmful Payloads

Researchers from HUMAN’s Satori Threat Intelligence and Research Team discovered a digital advertising fraud operation called “SlopAds,” which involves 224 Android applications that have over 38 million downloads across 228 countries. SlopAds employs a multi-layered obfuscation strategy to deploy fraud modules that siphon ad revenue. The applications connect to Firebase Remote Config to retrieve an encrypted configuration that conceals URLs for PNG images containing fragments of an APK, which are reassembled to create the core fraud component known as FatModule. SlopAds generates approximately 2.3 billion bid requests daily, primarily targeting users in the United States (30%), India (10%), and Brazil (7%). Google Play Protect alerts users and blocks known SlopAds applications, and Google has removed these applications from the Play Store. Users who installed these apps from off-market sources remain vulnerable until they uninstall them.