termination

Winsage
November 18, 2025
Microsoft is integrating Sysmon into Windows 11 and Windows Server 2025, eliminating the need for separate deployments of Sysinternals tools. This integration will allow users to utilize custom configuration files for filtering captured events, which will be logged in the Windows event log. Sysmon is a free tool that monitors and blocks suspicious activities while logging events such as process creation, DNS queries, and executable file creation. It will be easily installable via the "Optional features" settings in Windows 11, with updates delivered through Windows Update. Sysmon will retain its standard features, including support for custom configuration files and advanced event filtering. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.
Winsage
November 18, 2025
Microsoft will integrate Sysmon into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. Sysmon will allow users to utilize custom configuration files for event filtering, logging events in the Windows event log. It tracks events such as process creation, DNS queries, executable file creation, changes to the clipboard, and auto-backup of deleted files. Users can access Sysmon through "Optional features" in Windows 11 and receive updates via Windows Update. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.
Tech Optimizer
November 17, 2025
A new endpoint detection and response (EDR) evasion technique called SilentButDeadly has been identified, which exploits vulnerabilities in security software by using a network communication blocker that leverages the Windows Filtering Platform (WFP). This technique disrupts EDR and antivirus solutions' cloud connectivity without terminating processes or manipulating the kernel. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges and discovering EDR solutions like SentinelOne and Windows Defender. It establishes dynamic WFP sessions with high-priority filtering rules to block outbound telemetry and inbound command-and-control communications, preventing EDR solutions from receiving updates and executing remote management commands. Additionally, it attempts to disable EDR services, hindering automatic restarts and background monitoring. This technique highlights a significant architectural vulnerability in EDR systems that rely on network connectivity. To mitigate this threat, security teams can monitor Windows event logs for specific Event IDs related to WFP filter creation and implement real-time monitoring and redundant communication channels. SilentButDeadly requires administrator privileges and is ineffective against EDR solutions protected by kernel-level network drivers.
AppWizard
November 11, 2025
Over 30 employees at Rockstar Games were terminated, leading to protests organized by the Independent Workers' of Great Britain (IWGB) union, which labeled the firings as union busting. Take-Two, Rockstar's parent company, stated that the dismissals were due to "gross misconduct" related to employees discussing confidential information, denying any link to union activities. As a result of these events, the release of Grand Theft Auto 6 has been postponed from May 2026 to November 2026 to ensure quality standards. A representative from People Make Games expressed belief that the financial impact of the firings and delays has been considered by management, but he remains optimistic about the strength of worker solidarity in response to the situation.
Winsage
November 3, 2025
A series of vulnerabilities within the Windows Graphics Device Interface (GDI) has been discovered, potentially allowing for remote code execution and information disclosure. These vulnerabilities are linked to malformed enhanced metafile (EMF) and EMF+ records, leading to memory corruption during image rendering. Three specific vulnerabilities were analyzed and included in Microsoft's Patch Tuesday updates released in May, July, and August of 2025. They are cataloged as:
- CVE-2025-30388: Rated important and more likely to be exploited.
- CVE-2025-53766: Rated critical, enabling remote code execution.
- CVE-2025-47984: Rated important, associated with information disclosure.
All three involve out-of-bounds memory access triggered by crafted metafiles. Microsoft has released patches for GdiPlus.dll and gdi32full.dll to address these vulnerabilities, including validation checks and corrections in memory handling. These vulnerabilities also affect Microsoft Office for Mac and Android platforms.
Winsage
November 2, 2025
Windows Task Manager has evolved to align with Windows 11's aesthetics while improving functionality, but some users find it frustrating when processes won't terminate. Process Explorer is an alternative that offers a clearer interface, real-time monitoring, and detailed statistics. It displays hardware graphs at the top and consolidates key metrics into a single view, including the total number of active processes. Users can hover over processes for quick information and access a comprehensive properties view by double-clicking. Process Explorer allows adding columns for process paths and related services, provides graphical views of resource usage, and enables the termination of stubborn processes. It also offers a refresh rate as low as 0.5 seconds and displays comprehensive graphical statistics since system boot-up. Additionally, it integrates with VirusTotal to verify processes against a database, includes a tool for searching processes online, and features a lens tool for identifying process names. Process Explorer is considered a superior alternative for advanced users due to its rich features and security integration.
Tech Optimizer
October 21, 2025
Lumma Infostealer is a sophisticated information-stealing malware that targets high-value credentials and sensitive assets on Windows systems. It is distributed through a Malware-as-a-Service (MaaS) model, allowing inexperienced attackers to conduct data theft campaigns. Lumma is primarily deployed via phishing campaigns disguised as cracked or pirated software, often hosted on legitimate platforms like MEGA Cloud. Upon execution, Lumma uses a multi-stage decryption process and process injection techniques to activate its payload while evading detection. The latest samples utilize the Nullsoft Scriptable Install System (NSIS) as a deceptive installer, extracting malicious payloads into the %Temp% directory and launching a counterfeit document that triggers a sequence of commands to deploy Lumma's core. Once activated, Lumma communicates with command-and-control servers (including rhussois[.]su, diadtuky[.]su, and todoexy[.]su) to gather stored browser credentials, session cookies, Telegram data, remote access configuration files, and cryptocurrency wallet information, which is then exfiltrated for exploitation. The malware avoids detection by checking for security solutions and has a modular architecture that complicates signature-based detection. Effective detection requires behavior-based Endpoint Detection and Response (EDR) systems that monitor real-time activities. To mitigate exposure, security professionals recommend avoiding storing credentials in browsers, enforcing multi-factor authentication (MFA), and monitoring suspicious processes. Indicators of Compromise (IoC) include:
- E6252824BE8FF46E9A56993EEECE0DE6
- E1726693C85E59F14548658A0D82C7E8
- 19259D9575D229B0412077753C6EF9E7
- 2832B640E80731D229C8068A2F0BCC39
Command-and-control domains include:
- diadtuky[.]su
- rhussois[.]su
- todoexy[.]su
Winsage
October 20, 2025
Former engineer Dave Plummer reflects on Microsoft's past, particularly the 1990s and the stack ranking system. He describes the hiring process as selective and rigorous, with some individuals securing positions despite lacking strong coding skills. Those who didn't fit the traditional developer mold could transition to program management roles, which were better suited to their strengths. Microsoft implemented a Performance Improvement Plan (PIP) for employees misaligned with their roles, requiring them to improve their performance within a set timeframe or face termination. Plummer notes that while PIP could help some employees, it also highlighted the complexities of performance management. He criticizes the stack ranking system, which evaluated staff using a bell curve, creating a competitive and cutthroat environment. Microsoft abandoned stack ranking in 2013, a decision linked to a period of internal strife and low morale. Plummer likens the evaluation meetings to a survival spectacle, comparing it to "The Bachelor," where managers chose which employees to retain.
Winsage
October 19, 2025
Microsoft claims that laptops and desktop PCs running Windows 11 are "up to 2.3x faster than Windows 10 PCs," based on benchmarking data from Geekbench 6. Windows 10 will reach its end of support on October 14, leaving around 5 million users in the UK vulnerable to security risks. Microsoft offers a free upgrade to Windows 11 for users with a legitimate copy of Windows 10, although not all existing devices may support it. The upcoming Windows 11 Version 25H2 update will provide a smoother installation experience and introduce features like a redesigned Start menu and CPU throttling for better power management. Microsoft will offer free security updates to Windows 10 users who subscribe to OneDrive, while others will need to pay a one-time fee of £22 for updates. Some users report that Windows 10 may have better gaming performance, which could affect their decision to upgrade.