URL Archives

Tech Optimizer

December 3, 2025

Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems

A malicious Rust package named "evm-units," uploaded by a user called "ablerust" to crates.io in mid-April 2025, poses a significant threat to developers on Windows, macOS, and Linux. It has over 7,000 downloads and is designed to execute its payload stealthily, depending on the victim's operating system and the presence of Qihoo 360 antivirus. The package disguises itself as a function that returns the Ethereum version number and can detect Qihoo 360 antivirus software. It downloads and executes different payloads based on the operating system: a script for Linux, a file for macOS, and a PowerShell script for Windows. If the antivirus is not detected, it creates a Visual Basic Script wrapper to run a hidden PowerShell script. The package targets the Web3 community, particularly developers, and is linked to the widely used "uniswap-utils" package. Both "evm-units" and "uniswap-utils" have been removed from the repository.

AppWizard

December 1, 2025

This Gemini for Home hack lets you hear the new assistant early, with a catch

Reddit users have discovered a method to access the new Gemini voices for Google Home devices before the official rollout by manually initiating the onboarding process. This workaround allows users to change their voice settings while still using Google Assistant. The upgrade introduces ten new voice options and is part of an early access program being rolled out on a per-home basis. Users can enter a specific URL to modify voice settings on their Home and Nest devices, but the full suite of Gemini features will not be accessible through this method. The longevity of this hack is uncertain, as it is unclear if Google will address it.

AppWizard

November 30, 2025

Google Messages update adds cleaner link and YouTube video previews

Google is introducing a redesigned link preview feature in its Messages app, focusing on larger website titles and thumbnails while removing full link URLs and descriptions. The new previews will display a general site URL beneath the title and prioritize a minimalist design, resembling Google Discover cards. Users can access the full URL by copying it or adjusting settings to disable link previews. The update is rolling out with version 2025112100RC01 on the beta channel, with wider availability expected soon.

Winsage

November 25, 2025

Attackers are Using Fake Windows Updates in ClickFix Scams

Threat actors have adapted the ClickFix attack model, using a fraudulent Windows Update screen to disguise malicious code. This screen mimics the legitimate Windows Update interface and prompts users to execute harmful commands. The execution of these commands leads to the installation of LummaC2 and Rhadamanthys info-stealing malware. A report from ESET noted a 500% increase in ClickFix attacks, which now account for nearly 8% of all blocked attacks in early 2025. Huntress researchers tracked ClickFix lures that used steganography to deliver LummaC2 and Rhadamanthys malware, concealing malicious software within image files. The attacks involve a full-screen display that instructs users not to turn off their computers, ultimately prompting them to paste a malicious command. The execution process includes using mshta.exe and PowerShell to load and inject malicious assemblies. European law enforcement recently dismantled infrastructure used by threat actors, but Rhadamanthys is no longer distributed through the fraudulent Windows Update campaign. The use of steganography helps these payloads evade detection while relying on victims to manually execute commands.

Winsage

November 25, 2025

ClickFix Attack Uses Steganography to Hide Malicious Code in Fake Windows Security Update Screen

A new wave of ClickFix attacks has emerged, using fake Windows Update screens and PNG image steganography to deploy infostealing malware like LummaC2 and Rhadamanthys. The attacks trick users into executing a command by pressing Win+R and pasting a command copied to their clipboard. Attackers have shifted from using “Human Verification” lures to more convincing full-screen fake Windows Update screens. The fake update prompts users to run a command that initiates mshta.exe with a URL containing a hex-encoded IP address, leading to the download of obfuscated PowerShell and .NET loaders. A notable feature of the campaign is the use of a .NET steganographic loader that hides shellcode within the pixel data of a PNG image, which is decrypted and reconstructed in memory. The shellcode is Donut-packed and injected into processes like explorer.exe using standard Windows APIs. Huntress has been monitoring these ClickFix clusters since early October, noting the use of the IP address 141.98.80[.]175 and various paths for the initial mshta.exe stage, with subsequent PowerShell stages hosted on domains linked to the same infrastructure. Despite the disruption of Rhadamanthys’ infrastructure in mid-November, active domains continue to serve the ClickFix lure, although the Rhadamanthys payload appears to be unavailable. To mitigate the attack, disabling the Windows Run box through Group Policy or registry settings is recommended, along with monitoring for suspicious activity involving explorer.exe. User education is critical, emphasizing that legitimate processes will not require pasting commands into the Run prompt. Analysts can check the RunMRU registry key to investigate potential ClickFix abuse.

Winsage

November 25, 2025

New ClickFix attacks use fake Windows Updates to swipe creds

A surge in ClickFix attacks is occurring, where attackers use deceptive Windows update screens to trick users into downloading infostealer malware. This method has become the primary means of initial access for cybercriminals, as reported by Microsoft. State-sponsored actors and organized crime groups are increasingly using this tactic. Huntress security experts have noted a shift from traditional prompts to convincing fake Windows update screens, showcasing the attackers' adaptability. Cyber adversaries are utilizing a steganographic loader to deliver infostealing malware like Rhadamanthys, encoding malicious code within PNG images to evade detection. Between September 29 and October 30, 2025, Huntress investigated 76 incidents linked to this campaign across various regions, with one incident involving the IP address 141.98.80[.]175. Victims typically visit a malicious site that triggers a full-screen blue Windows Update screen, leading them to install a “critical security update” through a series of commands. This process involves executing a command that runs PowerShell code to deploy a steganographic loader, ultimately leading to the installation of Rhadamanthys, which captures login credentials. Comments in the lure site's source code are in Russian, suggesting the attackers' identity remains unknown. As of November 19, multiple domains continue to host the lure page, although the payload is no longer actively hosted. Organizations can defend against these attacks by blocking access to the Windows Run box and educating employees about the ClickFix technique.

Winsage

November 16, 2025

Install Citrix Workspace on Windows 10 or 11 with One Winget Command

The Windows Package Manager (Winget) is a command-line tool for installing applications on Windows 10 and 11, allowing users to install Citrix Workspace with a single command. The installation process is streamlined compared to traditional methods, which require multiple steps. To install Citrix Workspace, users can run the command PLACEHOLDERc6b882d28883340b, and for a silent installation, the command is PLACEHOLDERbaded4e7ed0be5cc. Winget also allows for easy updates and uninstallation of Citrix Workspace using the commands PLACEHOLDERa8a40c3b00eedb29 and PLACEHOLDER2a455122f4fd3869, respectively. Before installation, users should verify that Winget is installed by running winget --version. If not installed, Windows 11 typically has it by default, while Windows 10 users can install it via the Microsoft Store or GitHub.

Winsage

November 16, 2025

Install Citrix Workspace on Windows 10 or 11 with One Winget Command

Citrix Workspace can be installed on Windows 10/11 using the Windows Package Manager (Winget) with a single command, significantly simplifying the installation process. The command to install Citrix Workspace is PLACEHOLDERd82422506e45dbee, and for a silent installation, the command is PLACEHOLDER9e60d2b5a15c0a19. Winget is pre-installed on Windows 11 and available for Windows 10 (version 1809 and later). To check if Winget is installed, use the command winget --version. If not installed, Windows 10 users can install it via the Microsoft Store or download it from GitHub. To verify the installation, use PLACEHOLDER22b868ab6c66c0b5. If issues arise, commands such as PLACEHOLDER701c3ab11cb60203 or PLACEHOLDERfe806bd28c6739dc can help troubleshoot. Updating Citrix Workspace can be done with PLACEHOLDERa75655fef5d4711e. For batch deployments, a PowerShell script can be created to automate the installation across multiple machines.

Winsage

November 12, 2025

‘Cameyo by Google’ launches with Chrome Enterprise integration, Gemini AI support

Rob Beard, product manager at Google, discussed Cameyo, a platform that allows users to access web applications and legacy software seamlessly. It enables IT administrators to deliver applications to users' devices quickly, enhancing efficiency and simplifying application management. Google has integrated Cameyo with Chrome Enterprise Premium to streamline the deployment and management of virtual applications, allowing access controls to be managed through the Google Admin Console. The integration also introduces security features like URL filtering and data loss prevention to protect sensitive information.

Tech Optimizer

November 11, 2025

Umami v3 Launches With New Interface, Cohorts, And Advanced Segmentation – Open Source For You

Umami has released version 3 of its open source analytics platform, featuring a redesigned interface, advanced tracking capabilities, and exclusive support for PostgreSQL, discontinuing MySQL compatibility. The update includes a streamlined navigation experience, organized reports, the ability to store filters as URL parameters, and support for adding or editing multiple filters simultaneously. New analysis functions such as Segments and Cohorts have been introduced, along with tracking features like short URLs and invisible pixels. A central admin panel has been added for easier management of users, teams, and websites. Umami is licensed under MIT, allowing for self-hosting or cloud deployment.