takedown Archives

Winsage

May 22, 2026

Microsoft Dismantles Fox Tempest: Ransomware Groups Paid Up to $9,500 to Fake Windows Software Signatures

Microsoft's Digital Crimes Unit has filed a lawsuit against Fox Tempest, a criminal enterprise selling fraudulently signed malware to ransomware groups, affecting hospitals, schools, and critical infrastructure in ten countries. The lawsuit was filed on May 19 in the U.S. District Court for the Southern District of New York. Fox Tempest created a portal at signspace[.]cloud, offering a user-friendly interface for uploading malicious files and generating over 580 fraudulent Microsoft accounts to bypass identity verification. The group provided pre-configured virtual machines for customers to upload malicious payloads in exchange for signed binaries. Fox Tempest's operations were linked to a ransomware attack chain involving a counterfeit Microsoft Teams installer that deployed the Rhysida ransomware. This ransomware strain has caused significant breaches, including an October 2023 attack on the British Library, which resulted in a data exfiltration of about 600GB and recovery costs of £6 to £7 million, and a September 2024 attack on Seattle-Tacoma International Airport with a ransom demand of .8 million. Microsoft's civil litigation approach allowed for a quicker legal process, leading to the seizure of the signspace[.]cloud domain and the suspension of around 1,000 Fox Tempest accounts. Despite these actions, Fox Tempest has begun shifting to alternative code-signing services, highlighting the evolving nature of cybercrime and the need for users to verify software through independent channels. The confirmed targets of Fox Tempest included organizations in the United States, France, India, China, Brazil, Germany, Japan, the United Kingdom, Italy, and Spain.

AppWizard

May 16, 2026

Borderlands 4’s new tag-team superboss borrows a killer trick from Dark Souls’ Ornstein and Smough

Borderlands 4 will release update 1.7 on May 28, featuring a new raid boss encounter with two bosses named Subjugator and Thol the Invincible. Players will face these bosses in a tag-team combat style, with dynamic attacks as the battle progresses. Defeating one boss leads to a final confrontation with the survivor gaining a power boost. New rewards include the Pearlescent Ripper SMG, Jail-Broken Gatling, and four legendary items: Lockjaw assault rifle, Shammy Kablammy pistol, Flak Cannon heavy weapon, and Collector energy shield. Each Vault Hunter will receive a unique class mod. The update will also introduce a toggle for shared character progression. A 40% discount on the game is currently available on Steam. Version 1.8 is planned for late June, introducing a Takedown challenge and Bounty Pack 3 DLC.

AppWizard

May 12, 2026

TrickMo Android Malware Targets Banking, Wallet, and Authenticator Apps

TrickMo, an Android banking malware, has re-emerged with enhanced stealth and operational capabilities, targeting banking, fintech, wallet, and authenticator apps. It retains its core device takeover abilities while improving stealth, persistence, and flexibility. The malware persuades users to grant accessibility permissions, allowing full remote control, including real-time screen viewing. A significant advancement is its shift to The Open Network (TON) for command-and-control communication, complicating takedown efforts. TrickMo has been actively deployed in France, Italy, and Austria since early 2026, using fake login overlays to capture credentials while recording user activity. It communicates through .adnl endpoints within the TON network and employs DNS-over-HTTPS for encrypted DNS queries. The malware's modular design includes a primary application as a loader and a dynamically loaded APK module called “dex.module” for malicious capabilities. It features network reconnaissance and tunneling capabilities, allowing commands like HTTP probing and establishing SSH tunnels, which can bypass fraud detection systems. Dormant features suggest potential for future capabilities without altering the core application. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo's various components.

AppWizard

May 11, 2026

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

Modern Android banking malware is evolving with architectural enhancements for increased stealth, resilience, and operational flexibility. In early 2026, a new variant of the TrickMo Android banking trojan was identified, actively targeting banking and wallet users in France, Italy, and Austria. This variant has replaced its predecessor in ongoing campaigns and has transitioned its command-and-control traffic to The Open Network (TON). Key features of the new TrickMo variant include: - The primary command-and-control channel now operates over TON, utilizing .adnl endpoints through an embedded local TON proxy. - It employs a runtime-loaded APK (dex.module) with enhanced functionalities, including reconnaissance, SSH tunneling, and SOCKS5 proxying, allowing infected devices to act as network pivots. - TrickMo is classified as Device Take Over (DTO) malware, targeting banking, fintech, wallet, and authenticator applications on Android devices. - Operators gain control over infected devices through accessibility-service permissions, enabling capabilities such as credential phishing, keylogging, screen recording, remote control, and SMS interception. The new variant features a modular architecture with a host APK functioning as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded dex.module. Significant enhancements include network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and socket-level tunneling via an embedded SSH client. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo dropper applications and host applications. The malware retains unused permissions for NFC capabilities, suggesting a strategic approach to device filtering.

AppWizard

April 26, 2026

I’m obsessed with a guy who keeps soloing Elden Ring Nightreign’s hard mode over and over like they’re trapped in a purgatory of their own making

Eauvni is a YouTuber known for playing Elden Ring Nightreign, focusing on the Sekiro-parrying Executor character and exclusively tackling the Deep of Night mode. They have recently concentrated on Depth Three of Five, where the difficulty increases significantly, with enemies dealing double damage. Despite reaching Depth Five, eauvni prefers to engage with earlier depths and has developed mathematically perfect relic builds for every character. They have achieved notable feats, including a no-damage run against challenging bosses. The gameplay experience contrasts with that of other players, who often feel overwhelmed by the game's challenges. The upcoming Tarnished Edition patch for Elden Ring raises concerns about the potential impact on game balance and the thrill of encounters.

Tech Optimizer

April 26, 2026

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister

On April 21, 2026, compromised versions of pgserve (1.1.11, 1.1.12, and 1.1.13) were published on npm, containing a 1,143-line credential-harvesting script that executes during the postinstall phase of npm install. The malware functions as a supply-chain worm, reinjecting itself into other packages if it finds an npm publish token. Stolen credentials are encrypted using RSA-4096 and AES-256 and exfiltrated to a decentralized Internet Computer Protocol (ICP) canister. The last legitimate release was v1.1.10, published on April 17, 2026. The malware was detected by StepSecurity AI Package Analyst and Harden Runner, which flagged the compromised versions as Critical / Rejected and confirmed live exfiltration during analysis. The injected script performs operations such as harvesting environment variables, collecting filesystem secrets, encrypting payloads, and propagating to other npm packages and Python packages if a PyPI token is detected. The exfiltration domains have been added to a global block list.

AppWizard

April 21, 2026

Nothing Warp is back, but you won’t find it on the Play Store

Nothing introduced the "Nothing Warp" file transfer app, which was designed for seamless file sharing across devices using Google Drive. The app and its Chrome extension were temporarily removed but have since been reinstated after adjustments were made based on user feedback. Nothing Warp allows users to share files between devices linked to the same Google account, serving as an alternative for Android and Apple device users. The company clarified that the removal was a "strategic pause" for refinement and that privacy and security were not immediate concerns. The app is currently in Beta for community members and can be downloaded from Nothing's official website, as it is not available on the Google Play Store.

AppWizard

March 2, 2026

Meta makes changes following a Solon man’s $1 million loss in scheme police say started on Facebook Messenger

A 63-year-old resident in Solon, Ohio, lost over a million dollars to a scammer posing as a cryptocurrency investment guru. The scam began with a friendly outreach on Facebook, which transitioned to WhatsApp for private conversations. Over several months, the victim was convinced to invest in what he thought was a legitimate opportunity. This incident reflects a broader trend, as the FBI reported that Ohioans aged 60 and older lost over a million to fraud in 2024. Meta Platforms is enhancing tools to detect and disrupt fraudulent activities on its platforms, including new warnings for screen sharing requests on WhatsApp. In the first half of 2025, Meta removed eight million accounts suspected of scams and shut down 21,000 pages impersonating legitimate businesses. Warning signs in the Solon case included initial contact from a stranger, a quick shift to cryptocurrency discussions, and unusually high promised returns.

AppWizard

February 15, 2026

Why Microsoft’s Revoked DMCA Over A Minecraft-Style Game Is Such A Big Deal

Microsoft withdrew a DMCA takedown notice against the indie game Allumeria, allowing its demo to return to digital platforms. The initial takedown was likely triggered by an automated system that flagged Allumeria for similarities to Minecraft. Microsoft's legal team recognized distinct differences that complicated potential legal action. This decision may encourage creativity among indie developers and reflects a nuanced understanding of the gaming industry's dynamics. The case highlights ongoing challenges in defining ownership over game concepts and suggests a potential shift towards a more collaborative environment in game development.

AppWizard

February 12, 2026

Microsoft Briefly Torpedoes Game’s Steam Page Over Screenshot

Minecraft has inspired numerous clones and voxel-based crafting simulations over the past 15 years. Recently, the upcoming game Allumeria was temporarily removed from Valve’s Steam platform due to a DMCA copyright notice from Microsoft, which claimed that Allumeria used "Minecraft content, including but not limited to gameplay and assets." The takedown was triggered by a screenshot from the game’s Steam page that depicted a world similar to Minecraft. Unomelon, the developer, stated that Allumeria does not reuse any of Minecraft's assets. The DMCA claim was generated through Tracer.AI, an AI platform used by Microsoft and Mojang to identify copyright violations. Jens Bergensten, Chief Creative Officer at Mojang, acknowledged the situation and stated he would investigate further. Approximately 12 hours later, Microsoft withdrew their DMCA claim, and Allumeria's Steam page was reinstated.