tar

Winsage
December 18, 2025
A newly identified cyber threat cluster called LongNosedGoblin has been linked to cyber espionage attacks targeting governmental entities in Southeast Asia and Japan, with activities traced back to at least September 2023. The group uses Group Policy to spread malware and employs cloud services like Microsoft OneDrive and Google Drive for command and control. Key tools include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, which perform functions such as collecting browser history, executing commands, and logging keystrokes. ESET first detected LongNosedGoblin's activities in February 2024, identifying malware on a governmental system. The attacks showed a targeted approach, with specific tools affecting select victims. Additionally, a variant of NosyDoor was found targeting an organization in an EU country, indicating a possible connection to other China-aligned threat groups.
Winsage
October 31, 2025
A cyber espionage campaign targeting European diplomatic institutions has been attributed to the Chinese-affiliated threat actor UNC6384, which exploits the ZDI-CAN-25373 vulnerability in Windows shortcut files. The campaign, noted for its use of social engineering tactics that mimic legitimate diplomatic events, has specifically targeted entities in Hungary, Belgium, and surrounding European nations between September and October 2025. The attack utilizes spearphishing emails with malicious LNK files related to European Commission and NATO meetings, leading to the deployment of PlugX, a remote access trojan. The attack chain involves a weaponized LNK file that executes PowerShell commands to unpack a tar archive containing a malicious DLL and an encrypted payload. UNC6384 employs advanced techniques to evade detection, including dynamic loading of Windows API functions and anti-analysis measures. The malware allows extensive espionage activities and creates hidden directories for persistent access. Recommendations for organizations include disabling automatic LNK file resolution, blocking known command and control domains, and enhancing user training to defend against such threats.
Winsage
October 31, 2025
A China-affiliated threat actor, UNC6384, has been conducting cyber attacks targeting diplomatic and governmental entities in Europe, including Hungary, Belgium, Italy, the Netherlands, and Serbia. These attacks exploit an unpatched Windows shortcut vulnerability (CVE-2025-9491) through spear-phishing emails that appear relevant to diplomatic events. The emails deliver malicious LNK files that deploy PlugX malware via DLL side-loading. PlugX is a remote access trojan that allows extensive control over compromised systems and has been linked to another hacking group, Mustang Panda. Microsoft Defender can detect these attacks, and Smart App Control provides additional protection. The LNK file executes a PowerShell command to extract a TAR archive containing a legitimate utility, a malicious DLL, and an encrypted PlugX payload. The size of the malicious artifacts has decreased significantly, indicating ongoing evolution. UNC6384 has also begun using HTML Application files to load external JavaScript for retrieving malicious payloads, aligning with Chinese intelligence objectives regarding European defense policies.
Winsage
October 31, 2025
A cyber espionage campaign has been launched by the Chinese-affiliated threat actor UNC6384, targeting European diplomatic institutions using a vulnerability in the Windows shortcut (LNK) user interface, identified as ZDI-CAN-25373. This vulnerability was disclosed in March 2025. Between September and October 2025, entities in Hungary, Belgium, and neighboring European nations were specifically targeted. The attack utilizes spearphishing emails with conference-themed LNK files that exploit the Windows vulnerability to execute PowerShell commands, leading to the deployment of the PlugX remote access trojan (RAT). The attack sequence involves a weaponized LNK file that unpacks a tar archive containing a legitimate Canon printer assistant executable, a malicious DLL, and an encrypted payload. The Canon binary, despite being digitally signed, loads the malicious DLL which injects the PlugX payload into memory. The malware employs anti-analysis techniques and creates a hidden directory for persistent access. Recommendations for organizations include disabling automatic LNK file resolution, blocking known command and control domains, and monitoring for DLL side-loading attacks.
Winsage
October 31, 2025
A vulnerability in the Windows operating system, identified as ZDI-CAN-25373 and disclosed in March 2025, allows advanced persistent threat (APT) actors to deploy malware by manipulating whitespace in Windows LNK files. This technique has been adopted by espionage groups from North Korea, China, Russia, and Iran for data theft and intelligence-gathering. The flaw enables malicious PowerShell commands to be concealed within seemingly legitimate shortcut files, which execute automatically when opened. The exploitation involves weaponized LNK files that initiate obfuscated PowerShell commands to decode embedded TAR archives containing a legitimate Canon printer utility, a malicious loader DLL, and an RC4-encrypted payload with remote access trojan malware. The legitimate executable, although signed with an expired certificate, is trusted by Windows due to its valid timestamp. As of October 2025, Microsoft has not released a patch for this vulnerability, prompting organizations to implement defensive measures against its exploitation.
AppWizard
October 26, 2025
The game "Bye Sweet Carole" features nostalgic 2D visuals and begins in a serene flower garden where players interact with birds and chase a rabbit. However, it quickly transitions to a darker atmosphere as the protagonist, Lana, navigates through an orphanage facing bullying and harassment. Players solve puzzles to progress, using creative mechanics like combining items to overcome obstacles. The narrative centers on Lana's quest to find her friend Carole, with hints of a deeper story. The game emphasizes narrative depth over jump scares and offers a unique horror experience while maintaining a classic 2D animation style.
Winsage
August 26, 2025
A fresh installation of Windows provides a clean slate, but soon requires essential tools for tasks like file extraction, text editing, audio recording, and screen capturing. The following open-source tools are recommended:
- 7-Zip: A lightweight file compression tool that supports various formats (.zip, .rar, .tar, .7z, .iso) and integrates into the right-click context menu. It is free and maintained by a community.
- OBS Studio: An open-source software for gamers and content creators that excels in livestreaming and game recording, featuring customizable recording parameters and a replay buffer.
- Audacity: A long-standing open-source audio editing software that is lightweight yet feature-rich, ideal for straightforward audio editing tasks, with built-in effects and plugin support.
- Notepad++: An enhanced text editor that supports multiple programming languages and syntax highlighting, making it suitable for editing configuration files; it is lightweight and supports plugins.
- ShareX: An open-source screenshot tool that offers advanced features and customizable workflows, improving upon the Snipping Tool for seamless screenshot management.
The author values these tools for being free, open-source, and reliable, often preferring them over proprietary software.
Tech Optimizer
August 19, 2025
A PostgreSQL Patroni Cluster will be set up for high availability, involving the following steps:
1. **Etcd Cluster Installation**:
   - Install Etcd binaries on nodes .196, .197, and .198.
   - Create necessary directories and users for Etcd.
   - Create a systemd service file for Etcd.
   - Configure the Etcd configuration file for each node.
   - Start the Etcd service and verify the cluster status.
2. **PostgreSQL + Patroni Installation**:
   - Install required packages on PostgreSQL nodes .193, .194, and .195.
   - Configure Patroni for each PostgreSQL node.
3. **HAProxy + Keepalived Installation**:
   - Install and configure HAProxy on primary (.191) and secondary (.192) nodes.
   - Install and configure Keepalived for high availability.
4. **pgBackRest Backup Solution Setup**:
   - Install and configure pgBackRest on the backup node (.199).
   - Initialize the pgBackRest stanza and run backups.
The server infrastructure consists of the following nodes:
- .190 → VIP
- .191 → HAProxy Primary Node
- .192 → HAProxy Secondary Node
- .193 → PostgreSQL Node 1
- .194 → PostgreSQL Node 2
- .195 → PostgreSQL Node 3
- .196 → Etcd Node 1
- .197 → Etcd Node 2
- .198 → Etcd Node 3
- .199 → Backup Node
AppWizard
June 25, 2025
The author experienced persistent headaches after playing Death Stranding 2, initially attributing them to various factors like dehydration and hunger. The headaches intensified after playing the game at its default 30 frames per second setting, which contrasted with the author's usual gaming experience on PC at 60 fps. After discovering the performance mode that locks the framerate at 60 fps, the author switched to it and noticed an immediate improvement in gameplay responsiveness and a reduction in headaches. The author reflects on how accustomed they have become to higher frame rates, noting that the camera movement at 30 fps contributed to feelings of queasiness. After adjusting to the performance mode, the author was headache-free after over 20 hours of gameplay. The author appreciates that Death Stranding 2 offers a performance mode and anticipates that the eventual PC port will provide an even better experience.