temporary directory

Tech Optimizer
December 3, 2025
A malicious Rust package named "evm-units," uploaded by a user called "ablerust" to crates.io in mid-April 2025, poses a significant threat to developers on Windows, macOS, and Linux. It has over 7,000 downloads and is designed to execute its payload stealthily, varying its behaviour by the victim's operating system and by whether Qihoo 360 antivirus is present. The package masquerades as a function that returns the Ethereum version number, and it checks for Qihoo 360 antivirus software. It downloads and executes a different payload for each operating system: a script for Linux, a file for macOS, and a PowerShell script for Windows. If the antivirus is not detected, it creates a Visual Basic Script wrapper to run a hidden PowerShell script. The package targets the Web3 community, particularly developers, and is linked to the widely used "uniswap-utils" package. Both "evm-units" and "uniswap-utils" have been removed from the repository.
AppWizard
October 24, 2025
A Python-based remote access trojan (RAT) has emerged in the gaming community, disguised as a legitimate Minecraft client named "Nursultan Client." It uses the Telegram Bot API for command and control, allowing attackers to exfiltrate sensitive data and interact with compromised machines. The malware is packaged with PyInstaller into an unusually large 68.5 MB executable, a size intended to evade security tools. Upon execution, it hides its console window and presents a fake installation progress bar. Researchers identified the executable by the SHA256 hash 847ef096af4226f657cdd5c8b9c9e2c924d0dbab24bb9804d4b3afaf2ddf5a61. It attempts to create a registry key for persistence, but the startup command it writes is flawed. The malware includes a hardcoded Telegram bot token (8362039368:AAGj_jyw6oYftV2QQYiYoUslJOmXq6bsAYs) and an allow-list of user IDs (6804277757) that are authorized to issue commands. It targets Discord authentication tokens, scanning the local storage and user data directories of major web browsers to extract them. Additionally, it features surveillance capabilities such as screenshot capture and webcam photography, and it compiles detailed system profiles.
Winsage
September 2, 2025
Cybercriminals have developed a sophisticated variant of the ClickFix scam that combines human-verification social engineering with the Windows search protocol to deploy MetaStealer, an infostealer that harvests credentials and other sensitive data. The attack begins when a target searches for the legitimate AnyDesk tool and is redirected to a phishing page featuring a deceptive human-verification prompt. This page uses a search-ms URI to connect to an attacker-controlled SMB share, which presents a malicious Windows shortcut disguised as a PDF. Executing this shortcut downloads the legitimate AnyDesk installer and also retrieves a malicious MSI package, posing as a PDF, from an external server. The MSI package contains a dropper (ls26.exe) that behaves like known MetaStealer samples, scanning for browser credentials and exfiltrating data. Because the victim sees what looks like a normal application installation, the attack avoids raising suspicion. Organizations are advised to implement strict application whitelisting, monitor Windows protocol handlers, educate users about suspicious prompts, and deploy detection rules to mitigate these threats.
Tech Optimizer
May 23, 2025
The AhnLab Security Intelligence Center (ASEC) has identified a new strain of backdoor malware that is bundled with a Monero coin miner and uses the PyBitmessage library for covert peer-to-peer (P2P) communications. The malware encrypts its data exchanges and anonymizes identities, complicating detection by security tools. It decrypts its embedded resources with XOR operations to deploy the Monero miner and a backdoor component. The miner exploits the cryptocurrency's anonymity, while the backdoor, written in PowerShell, installs PyBitmessage and retrieves files from GitHub or a Russian file-sharing platform. Commands are executed as PowerShell scripts, making detection difficult. The malware may be distributed disguised as legitimate software or cracked files. ASEC advises caution with unverified files and recommends keeping security solutions updated. The report also lists indicators of compromise (MD5 hashes of the samples and associated URLs).