termination Archives

Winsage

February 19, 2026

Ex-Microsoft engineer says this is what Windows’ Task Manager would “probably” look like today — but it’s a “good thing” he stuck to his OS design lane

Dave W. Plummer, a former Microsoft employee, contributed to the Windows ecosystem, notably with the Task Manager, Calculator, and a classic pinball game. He left Microsoft in 2003 and recently expressed on Reddit that "there should be nothing that TaskMgr can't kill." Plummer shared a concept design for a modern Task Manager on his X account, inspired by his Tempest AI project, featuring a cyberpunk theme, various graphs, speedometer-style gauges, and music with a synthwave vibe. He selected Tempest for his AI project due to its challenging gameplay and holds the world record for it. The project utilizes about 75% of the GPU at 30 frames per second on his M2 Mac Pro.

AppWizard

January 30, 2026

Google’s New Android Lockdown—Do Not Install These Apps

Google is tightening its policies on sideloading practices, allowing app installations only from verified developers to enhance user security and reduce risks associated with malicious software. The company has removed numerous harmful applications and accounts to combat the exploitation of its ecosystem. Cybercriminals are replicating popular applications like Google, YouTube, and WhatsApp to deceive users into downloading malicious software, which often masquerades as “mod” or “pro” versions. These counterfeit apps can install the Arsink Remote Access Trojan (RAT), which allows hackers to control devices, record audio, harvest personal information, and perform unauthorized actions. The Arsink operation has affected tens of thousands of victims across approximately 143 countries. Users are advised to avoid installing apps from messengers, online forums, or direct links and to use official app stores instead. Google confirms that the RAT is not infecting Play Store apps and encourages users to keep Play Protect enabled.

AppWizard

January 27, 2026

GTA 6 To Thwart Leakers with Digital-Only Launch

Rockstar Games and Take-Two Interactive have terminated employees suspected of leaking information about Grand Theft Auto VI to protect the game's integrity. Reports indicate that GTA VI will launch as a digital-only title to reduce leak risks associated with retail access, with a physical edition expected to follow shortly after. The digital release is scheduled for November 19, 2026, and the physical version may be available in time for the holiday season, likely just a few weeks later.

Winsage

January 22, 2026

Windows 11’s 2026 goes from bad to worse as two new bugs cause havoc crashing apps — but there are possible fixes

Windows 11 users are experiencing application crashes, particularly with programs like MSI's Armoury Crate and the Alienware Command Center, due to issues related to the Microsoft Store and user accounts. A licensing validation error (0x803f8001) is a primary cause, often linked to a corrupted Store cache or temporary sync issues. Additionally, after the January update, users have reported that applications like Outlook freeze when saving files to cloud services such as OneDrive or Dropbox. Microsoft has acknowledged this issue, indicating that certain Outlook configurations may become unresponsive if PST files are stored on OneDrive. Users are advised to move PST files out of OneDrive and may consider resetting the Store cache or reinstalling affected applications as potential fixes. Microsoft is working on a resolution, but no timeline has been provided. Some users have found success by reinstalling the January update, while others have resolved issues by simply waiting.

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.

Tech Optimizer

December 30, 2025

Hackers Advertised VOID ‘AV Killer’ with Kernel-level Termination Claims

A new threat actor named Crypt4You is promoting a tool called VOID KILLER on underground forums and dark web marketplaces. VOID KILLER is designed as a kernel-level antivirus and endpoint detection response process killer, specifically engineered to bypass existing security defenses. It targets the core of operating systems to dismantle protective barriers, posing a significant challenge to contemporary defensive architectures. VOID KILLER can terminate Windows Defender and around fifty consumer-grade antivirus solutions without detection, utilizing polymorphic build techniques to evade signature-based detection systems. It features automatic User Account Control (UAC) bypass mechanisms and can inject any executable file, making it compatible with various malware families. Custom builds of VOID KILLER are priced at three hundred dollars, and payment is accepted in cryptocurrencies. Organizations using Windows Defender, consumer antivirus software, and advanced EDR solutions face increased risk exposure due to this tool.

AppWizard

December 27, 2025

How to Properly Benchmark your PC Games Using CapFrameX

Average Frames Per Second (FPS) is a common metric in PC gaming performance, but consistency in gameplay experience is equally important, highlighted by metrics such as 1% low and 0.1% low average FPS. CapFrameX is a tool used for capturing and analyzing detailed performance data, including frametimes, which provide a more accurate assessment of gaming performance than basic FPS counters. Key metrics generated by CapFrameX include: - Average FPS: Overall framerate averaged across the capture session. - 1% low average FPS: Average of the worst 1% of framerates, indicating sustained performance. - 0.1% low average FPS: Average of the worst 0.1% of framerates, highlighting rare but significant performance dips. To ensure accurate benchmarking results with CapFrameX, users should update their UEFI BIOS, operating system, and drivers, clear unnecessary applications, configure power settings for maximum performance, monitor temperatures, and conduct multiple benchmark runs under consistent conditions. The setup process for CapFrameX includes downloading the software, configuring capture options, and verifying the setup through test captures. After capturing benchmark runs, users can analyze the data using the Analysis and Comparison tabs in CapFrameX to evaluate performance metrics and identify potential issues. Common pitfalls in benchmarking include inconsistent scenes, overlooking frametime variance, and not preparing the system properly.

Winsage

November 18, 2025

Microsoft is bringing native Sysmon support to Windows 11, Server 2025

Microsoft is integrating Sysmon into Windows 11 and Windows Server 2025, eliminating the need for separate deployments of Sysinternals tools. This integration will allow users to utilize custom configuration files for filtering captured events, which will be logged in the Windows event log. Sysmon is a free tool that monitors and blocks suspicious activities while logging events such as process creation, DNS queries, and executable file creation. It will be easily installable via the "Optional features" settings in Windows 11, with updates delivered through Windows Update. Sysmon will retain its standard features, including support for custom configuration files and advanced event filtering. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Winsage

November 18, 2025

Microsoft to integrate Sysmon directly into Windows 11, Server 2025

Microsoft will integrate Sysmon into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. Sysmon will allow users to utilize custom configuration files for event filtering, logging events in the Windows event log. It tracks events such as process creation, DNS queries, executable file creation, changes to the clipboard, and auto-backup of deleted files. Users can access Sysmon through "Optional features" in Windows 11 and receive updates via Windows Update. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.