threat actors Archives

Winsage

May 3, 2026

You shouldn’t delay your Windows 11 updates, experts reveal

Experts advise against postponing Windows updates, as Microsoft has introduced features allowing users to control when updates occur. Users can pause updates for up to 35 days indefinitely, but delaying updates can lead to security vulnerabilities. Microsoft releases several types of updates: security updates, feature updates, quality updates, driver updates, optional updates, out-of-band updates, and zero-day updates. Zero-day updates are critical and should be installed immediately to avoid exploitation. Recent reports indicate that critical OS patching for Windows 10 and 11 is lagging by an average of 256 days, increasing the risk of cyber incidents.

Winsage

May 1, 2026

Microsoft fixes Remote Desktop warnings displaying incorrectly

Microsoft resolved an issue affecting the display of security warnings when opening Remote Desktop (.rdp) files across all supported Windows versions, including Windows 11, Windows 10, and Windows Server. This problem was particularly evident on devices with multiple monitors having different display scaling settings. The fix was included in the optional KB5083631 preview cumulative update for Windows 11. The issue arose after the installation of the April 2026 security update, which introduced security warnings to enhance protection against phishing attacks. Users reported misalignment and obscured buttons in the security dialog, making it difficult to interact with. Additionally, the April security updates caused issues with third-party backup applications on Windows 11 systems and led to restart loops and failures during update installations on Windows Server.

AppWizard

April 30, 2026

Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign

A Brazilian cybercriminal group known as LofyGang has re-emerged after three years, targeting Minecraft players with malware called LofyStealer, also known as GrabBot. This malware is disguised as a Minecraft hack named 'Slinky' and uses the official game icon to attract young users. The group has been active since late 2021 and previously leaked thousands of Minecraft accounts. The attack begins with the 'Slinky' hack, which deploys LofyStealer (identified as "chromelevator.exe") to harvest sensitive information from web browsers, including cookies, passwords, and credit card information, sending this data to a command-and-control server. ZenoX reports a shift in LofyGang's tactics from JavaScript supply chain attacks to a malware-as-a-service model, offering both free and premium tiers. Cybercriminals are increasingly exploiting trusted platforms like GitHub to distribute malware through bogus repositories and various deceptive tactics, including fake security alerts and counterfeit accounts. This trend highlights a strategy focused on volume targeting rather than precision, prompting cybersecurity experts to prioritize threats from GitHub-hosted downloads that appear legitimate.

AppWizard

April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

AppWizard

April 25, 2026

NoVoice malware hit 2.3 million Android devices through apps Google never should have approved

McAfee researchers discovered a complex Android rootkit campaign, dubbed Operation NoVoice, that infiltrated 50 applications on Google Play, exploiting vulnerabilities in the kernel that had been patched but not uninstalled. The malware was resilient enough to survive factory resets and was concealed within seemingly benign apps, which collectively garnered 2.3 million downloads. The malicious payload was hidden in the com.facebook.utils package and used steganography to embed an encrypted payload within a PNG image. The malware conducted multiple checks to avoid detection and established contact with a command-and-control server, polling for exploit packages every 60 seconds. It utilized 22 distinct exploits, including vulnerabilities that had received patches between 2016 and 2021. The malware disabled SELinux enforcement and installed a persistent rootkit that could survive factory resets. Google confirmed the removal of the infected apps but noted that users who had already downloaded them remained at risk, especially if their devices were running unpatched Android versions. McAfee advised affected users to treat their devices as compromised and consider professional inspection or hardware-level storage wiping for remediation.

Winsage

April 24, 2026

Microsoft to roll out Entra passkeys on Windows in late April

Microsoft will introduce passkey support for phishing-resistant passwordless authentication on Microsoft Entra-protected resources starting in late April, with broader availability expected by mid-June 2026. This feature will allow passwordless sign-in on unmanaged Windows devices and will support various device types, including corporate, personal, and shared options. Administrators can manage passkeys through Conditional Access and Authentication Methods policies. Users can create device-bound passkeys stored securely within the Windows Hello container, using methods like facial recognition, fingerprint scanning, or a PIN. The passkeys will adhere to FIDO2 standards and will be securely bound to individual devices, preventing transmission over the network to enhance security against phishing and malware attacks. Microsoft has also announced plans for mandatory multifactor authentication registration for Entra tenants by October 2024 and that all new accounts will be passwordless by default starting in May 2025.

Tech Optimizer

April 22, 2026

New STX RAT Uses Hidden Remote Desktop and Infostealer Features to Evade Detection

A newly identified remote access trojan, STX RAT, emerged in 2026, integrating hidden remote desktop access with credential theft features. The name "STX" comes from the Start of Text magic byte x02, which it appends to communications with its command-and-control (C2) server. Initial sightings were reported in late February 2026, when it was delivered via a browser-downloaded VBScript file to a financial organization. By early March, Malwarebytes noted a campaign distributing STX RAT through compromised FileZilla installers. Researchers from eSentire’s Threat Response Unit analyzed the malware, which includes extensive anti-analysis measures and employs techniques like AMSI-ghosting. Once operational, STX RAT connects to a C2 server at 95.216.51.236, transmitting system information securely. It targets saved credentials from applications like FileZilla and includes a Hidden Virtual Network Computing (HVNC) module, allowing attackers to control a victim's machine without detection. Security teams are advised to block the C2 IP and implement detection rules to mitigate the threat.

AppWizard

April 21, 2026

Trojanized Android App Fuels New Wave of NFC Fraud

A new variant of the NGate malware family has emerged, using a trojanized Android application to capture payment card data and personal identification numbers (PINs). This modified version of HandyPay, a legitimate NFC relay app, has been distributed since November 2025, primarily targeting users in Brazil. The malware intercepts NFC payment card data and allows fraudulent transactions. Two distinct malware samples have been observed, delivered through phishing infrastructure that impersonates a Brazilian lottery site and a Google Play listing for a card protection tool. The trojanized app captures NFC data, requests the victim's card PIN, and transmits this information to attacker-controlled infrastructure. It requires minimal permissions, leveraging its role as the default payment application to evade detection. Evidence suggests that generative AI tools may have been used in its development, indicated by emoji markers in debug logs. ESET has reported its findings to Google, and Google Play Protect can detect known versions of the malware. The developer of HandyPay is investigating the misuse of its application.

AppWizard

April 21, 2026

NGate Android malware uses HandyPay NFC app to steal card data

A new variant of the NGate malware targets Android users by disguising itself within a trojanized version of the HandyPay app, which is a legitimate mobile payment processing application. This malware, documented since mid-2024, siphons payment card information through the mobile device's near-field communication (NFC) chip and sends the stolen data directly to attackers, who create virtual cards for unauthorized purchases or cash withdrawals from NFC-enabled ATMs. The new variant has been injected with malicious code into the HandyPay app, which has been available on Google Play since 2021. The code includes emojis, indicating the possible use of a generative AI tool in its development. The shift from previous iterations, which used an open-source tool named NFCGate, to HandyPay is likely motivated by financial considerations and the need for evasion, as HandyPay is more affordable and requires fewer permissions. This NGate variant has been active since November 2025, primarily targeting Android devices in Brazil. It employs two main distribution methods: a counterfeit app named “Proteção Cartão” hosted on a fraudulent Google Play page and a fake lottery website that redirects users to WhatsApp to download the malicious APK. Upon installation, the app prompts users to set it as their default NFC payment application, requests their card PIN, and instructs them to tap their card on the phone for reading, transmitting all collected information to an attacker's email address. To protect against such threats, Android users are advised to avoid downloading APKs from outside Google Play, disable NFC when not in use, and use Play Protect to scan for threats.