System Information

Winsage
July 23, 2025
- The Starship prompt enhances the command line experience with a sleek design, customization options, and compatibility across different shells. It requires a Nerd Font for effective operation and can be installed via the Windows Package Manager for PowerShell or various package managers for WSL. Configuration involves adding specific commands to shell profiles and creating a configuration file.
- Fastfetch is a lightweight system information display tool that serves as a modern alternative to Neofetch, supporting both Windows and Linux. Installation can be done through various package managers, and configuration is achieved by generating a config file.
- Windows Terminal on Windows 11 can be customized for a more personalized experience, including theme changes, font adjustments, and transparency. Customizations can be made via the GUI or by editing a JSON configuration file.
- To use Starship and Fastfetch upon startup in PowerShell, a PowerShell profile must be created using a specific command, allowing users to add the necessary commands for these tools.
Winsage
July 16, 2025
Microsoft released the KB5062553 update for Windows, which caused boot failures in some Generation 2 Azure Virtual Machines (VMs) with Trusted Launch disabled. In response, Microsoft issued an emergency patch, KB5064489, applicable to Windows 11 and Windows Server 2025, to address these issues. Affected VMs may experience boot failures if Virtualization-Based Security (VBS) is enforced via registry key. Users are advised to check if their VMs are created as “Standard” and if VBS is enabled. The KB5064489 update is not automatically deployed and must be manually downloaded from the Microsoft Update Catalog, with specific installation methods outlined.
Winsage
July 15, 2025
Microsoft released an emergency update to address a bug affecting Azure virtual machines (VMs) that prevented them from launching when the Trusted Launch setting was disabled while Virtualization-Based Security (VBS) was enabled. This issue emerged during the July Patch Tuesday security updates and impacted Windows Server 2025 and Windows 11 24H2, specifically affecting VMs using version 8.0 with VBS provided by the host. The root cause was identified as a secure kernel initialization issue, which has been fixed with the KB5064489 out-of-band update. Administrators are advised to check if their VMs are created as "Standard" and if VBS is enabled. If affected, they should install the out-of-band update instead of the July 8th KB5062553 Patch Tuesday update and consider using the Trusted Launch security feature. Microsoft has also updated Windows Server 2025 VM images to include the latest cumulative update addressing this bug.
AppWizard
July 15, 2025
A new variant of the Konfety malware targets high-end Android devices using sophisticated evasion techniques, including distorted APK files to avoid detection. This version disguises itself as legitimate applications, imitating popular apps on the Google Play Store. It employs an 'evil twin' tactic, emphasizing the need to download software only from trusted publishers and avoiding third-party APKs. The malware can redirect users to harmful websites, install unwanted software, and generate misleading notifications. It displays ads through the CaramelAds SDK and can exfiltrate sensitive data such as installed applications and network configurations. Konfety can conceal its app icon and name, using geofencing to alter behavior based on location, and employs an encrypted DEX file to hide services. To evade analysis, it manipulates APK files to appear encrypted, causing misleading prompts during inspection, and compresses critical files with BZIP, leading to parsing failures. Users are advised to avoid sideloading apps, ensure Google Play Protect is enabled, and consider installing a reputable antivirus to enhance security.
Tech Optimizer
June 9, 2025
The AhnLab Security Intelligence Center (ASEC) has reported that ViperSoftX malware, first identified in 2020, continues to pose a significant threat, particularly targeting cryptocurrency-related information. It disguises itself as cracked software or eBooks on torrent sites and uses deceptive tactics to infect users globally. ViperSoftX exploits the Windows Task Scheduler to execute malicious PowerShell scripts and communicates with its command-and-control server to transmit detailed system information. The malware captures clipboard activity to steal cryptocurrency wallet addresses and employs mechanisms to avoid detection, including self-removal. It also deploys secondary payloads like Quasar RAT and ClipBanker, which hijacks wallet addresses during transactions. ASEC warns that infections can lead to total system compromise and advises users to avoid unverified downloads and maintain updated security measures. Indicators of Compromise (IOCs) are provided in the report.
AppWizard
June 7, 2025
Google introduced Linux Terminal support integrated into Android for Pixel users running the latest stable version of the operating system. The terminal operates within a virtual machine, ensuring separation from core device functions. A recent poll showed that 24% of users have enabled the Linux Terminal app, 51% are considering it, 10% do not want it, and 15% have phones that do not support it. Key commands include "help" for available commands and "man" for manual pages. Users can install system information tools like neofetch and htop, as well as terminal games such as Bastet, Pacman4console, Moon-Buggy, nsnake, and ninvaders. SSH can be installed for controlling network devices, and the text editor nano can be used for note-taking. Users can also install cmatrix for a Matrix-like display and stress testing tools. Nyan Cat can be displayed in the terminal as well. Future plans include full-scale Linux apps in Android's desktop mode.
AppWizard
June 2, 2025
On May 30, 2025, CERT Polska disclosed three security vulnerabilities affecting preinstalled Android applications on Ulefone and Krüger&Matz smartphones: CVE-2024-13915, CVE-2024-13916, and CVE-2024-13917.
- CVE-2024-13915: The com.pri.factorytest application allows any app to invoke the FactoryResetService, enabling unauthorized factory resets due to improper export controls (CWE-926).
- CVE-2024-13916: The com.pri.applock application exposes a public method that allows malicious apps to steal the user's PIN, representing an exposure of sensitive system information (CWE-497).
- CVE-2024-13917: An exported activity in com.pri.applock allows privilege escalation by enabling malicious apps to inject intents with system-level privileges if they have access to the compromised PIN (CWE-926).
Users of affected devices are advised to seek firmware updates or mitigations from their vendors.
Winsage
May 29, 2025
Windows collects telemetry data, which includes hardware specifications, installed software, and system events, but does not reveal personally identifiable information. This data is encrypted and sent via HTTPS during significant events like system crashes. Users can manage optional data collection settings during initial setup or in the Privacy section of the Settings app, with enterprise versions offering more control. Mandatory data collection in Windows is more extensive than in macOS, while Linux has minimal data collection due to its decentralized structure. Users can disable some data collection, but some information will always be gathered unless advanced measures are taken.
Winsage
May 12, 2025
The deployment of PipeMagic preceded a sophisticated exploit targeting the Common Log File System (CLFS) kernel driver, initiated from a dllhost.exe process. The exploit began with the NtQuerySystemInformation API, which leaked kernel addresses to user mode. In Windows 11, version 24H2, access to specific System Information Classes within this API was restricted to users with SeDebugPrivilege, rendering the exploit ineffective on this version. The exploit then used a memory corruption technique with the RtlSetAllBits API to overwrite its process token with 0xFFFFFFFF, granting it all available privileges and enabling process injection into SYSTEM-level operations. A CLFS BLF file was created at C:\ProgramData\SkyPDF\PDUDrv.blf, marking the exploit's activity.