User Credentials Archives

AppWizard

July 22, 2025

Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials

A new wave of malicious Android Package Kit (APK) files is combining click-fraud advertising and credential theft, primarily affecting regions like Southeast Asia, Latin America, and parts of Europe. These APKs disguise themselves as casual games or clones of legitimate apps, enticing users to sideload them and bypass Google Play’s security measures. Once installed, they request excessive permissions and operate in the foreground to inflate ad impressions while capturing user credentials through convincing login forms. The malware uses a modular configuration system and communicates with an encrypted command-and-control backend. The installation process often begins with social media messages or QR codes leading to spoofed landing pages. The app can embed secondary payloads without invalidating its original signature and minimizes detection by sandboxes. By the time users notice unusual activity, the malware has already exfiltrated ad revenue and credentials.

AppWizard

July 22, 2025

Cybercriminals Merge Android Malware with Click Fraud Apps to Harvest Credentials

Researchers have identified a sophisticated cluster of Android malware that merges brand impersonation with traffic monetization strategies, utilizing Android Package Kit (APK) files to compromise user trust and extract sensitive information. The malware disguises itself as legitimate services and uses social engineering techniques to encourage manual installations. Once installed, it exploits Android's permission model to access device resources and hijack network traffic for advertising fraud. The malware includes various categories such as ad fraud apps, credential stealers, background data harvesters, task reward apps, and gambling apps, each designed to manipulate user interactions and collect sensitive data. Common strategies include redirecting traffic through monetized domains and employing encrypted command-and-control communications. A notable variant is a spoofed Facebook APK that requests extensive permissions and retrieves encrypted configuration files from specific domains. The malware's infrastructure allows it to circumvent Android signature verification and adapt its behavior based on the environment, evading detection. Analysis suggests involvement from Chinese-speaking operators, with connections to underground economies trading stolen data. The campaign combines ad fraud and credential theft, highlighting a dual purpose of monetization and intelligence gathering. Users are advised to limit installations to trusted sources and scrutinize unsolicited APKs to mitigate threats.

Winsage

July 10, 2025

Windows BitLocker Bypass Vulnerability Let Attackers Bypass Security Feature

A security vulnerability, designated CVE-2025-48818, has been identified in Windows BitLocker encryption, allowing attackers to exploit a time-of-check time-of-use (TOCTOU) race condition to bypass encryption. The vulnerability has a CVSS score of 6.8 and affects multiple versions of Windows, specifically targeting BitLocker Device Encryption. It requires physical access to the target system, has low attack complexity, and does not require user interaction. The affected Windows platforms include Windows 10 (versions 1607, 21H2, 22H2), Windows 11 (versions 22H2, 23H2, 24H2), and Windows Server editions (2016, 2022, 2025). Microsoft has released security updates to address this vulnerability, with key patches for specific Windows versions. System administrators are advised to install these updates and enhance physical security measures to prevent unauthorized access.

AppWizard

July 9, 2025

Dangerous Android malware targets US banking apps – 50,000 people already affected, make sure you’re not next

A PDF reader app for Android, 'Document Viewer – File Reader', has been found to contain a banking trojan called Anatsa, introduced through a patch six weeks after its release. The app, published by 'Hybrid Cars Simulator, Drift & Racing', has over 50,000 downloads and specifically targets North American banking applications. Security researchers have noted a history of similar threats, with previous trojanized apps having significant download numbers. The Anatsa trojan scans for North American banking apps and overlays a deceptive interface to steal user credentials. Google has removed the app from the Play Store and advises users to uninstall it, conduct a system scan, and reset banking credentials. Google Play Protect provides automatic protection against malicious apps.

Tech Optimizer

June 25, 2025

Meet the new features for Avast Free AV and Avast Premium Security

Avast has millions of active users and is recognized in the cybersecurity field for its effective solutions and commitment to user security. Avast Free Antivirus includes real-time behavioral analysis for proactive malware detection, enhanced Network Inspector and Firewall modules for network security, improved intelligent quarantine and cloud scanning, and the new Scam Guardian feature, which includes Web Guard for browsing protection and Avast Assistant for scam guidance. Avast Premium Security offers additional features for heightened privacy, including Sensitive Data Shield, Webcam Shield, Data Shredder, and Hack Alerts for monitoring password leaks. The Pro version introduces Email Guard, which uses AI for intelligent email filtering to detect phishing attempts. Avast's tools enhance online shopping safety, email security, public Wi-Fi connections, and protection of sensitive files and credentials.

Winsage

May 25, 2025

Windows Passwords Are Under Attack — Do These 7 Things Now

Microsoft Windows is a target for cybercriminals, particularly regarding password theft. Trend Micro has reported an increase in fraudulent Captcha attacks that trick users into executing malicious commands through the Windows Run dialog, leading to data theft and malware infections. These attacks utilize PowerShell and can deploy various malware types, including Lumma Stealer and AsyncRAT. Despite efforts to disrupt the Lumma Stealer network, threats persist, exploiting legitimate platforms. Microsoft recommends users adopt safer online practices and outlines seven mitigations for organizations: disable access to the Run dialog, apply least privilege, restrict access to unapproved tools, monitor unusual behavior, harden browser configurations, enable memory protection, and invest in user education.

AppWizard

May 14, 2025

Marbled Dust leverages zero-day in Output Messenger for regional espionage

Since April 2024, the threat actor Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting user accounts that have not applied necessary fixes. This exploitation has resulted in the collection of sensitive data from users in Iraq, specifically linked to the Kurdish military. Microsoft has high confidence in this assessment and notes that Marbled Dust conducts reconnaissance to identify potential targets using Output Messenger. Marbled Dust has successfully utilized this vulnerability to deploy malicious files and exfiltrate data. Microsoft notified the application’s developer, Srimax, about the vulnerability, leading to the release of a software update. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of this second flaw has been observed. The zero-day vulnerability allows an authenticated user to upload malicious files to the server's startup directory. Marbled Dust has exploited this flaw to place a backdoor file, OMServerService.vbs, in the startup folder, enabling them to access communications and sensitive data indiscriminately. The attack chain begins with Marbled Dust gaining access to the Output Messenger Server Manager, likely through DNS hijacking or other credential interception techniques. Once inside, they exploit the vulnerability to drop malicious files, including a GoLang backdoor, which connects to a Marbled Dust command-and-control domain for data exfiltration. To mitigate this threat, Microsoft recommends updating to the latest version of Output Messenger, activating various security protections, and implementing rigorous vulnerability management strategies. Microsoft Defender XDR customers can identify potential threat activity through specific alerts related to Marbled Dust and utilize advanced hunting queries for detection. Indicators of compromise include traffic to the domain api.wordinfos[.]com, associated with Marbled Dust activities.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

AppWizard

April 1, 2025

Google’s Play Store Warning—Do Not Update This Setting

A sophisticated trojan named TsarBot is targeting over 750 legitimate banking and shopping applications on Android devices. It overlays a counterfeit login screen on real apps to capture user credentials. TsarBot is believed to have Russian origins and can remotely control the device's screen, simulating user interactions and capturing device lock credentials through a deceptive lock screen. The trojan is typically installed from phishing websites, where a dropper application delivers the TsarBot APK file. Once installed, it disguises itself as the Google Play Services app and urges users to enable Accessibility services. Users are advised to avoid installing apps from outside the Google Play Store, ensure Play Protect is enabled, and only enable Accessibility Services when necessary to mitigate risks.

Winsage

March 26, 2025

New Windows Zero-Day Vulnerability Exposes NTLM Credentials – Unofficial Patch Now Available

A zero-day vulnerability has been identified in the Windows operating system, affecting versions from Windows 7 and Server 2008 R2 to Windows 11 v24H2 and Server 2025. This vulnerability allows attackers to obtain NTLM credentials by tricking users into opening malicious files in Windows Explorer. Microsoft has been notified, and while there is no official CVE number yet, an unofficial patch is available through 0patch. The flaw is similar to previous vulnerabilities related to NTLM hash disclosures but has not been widely discussed. To exploit it, attackers need network access to the victim's system or a way to relay stolen credentials. 0patch has created micropatches for all affected Windows versions, which are available for free until Microsoft provides an official fix. This is the fourth zero-day vulnerability reported by 0patch recently, with previous vulnerabilities including those in Windows Theme files and the Mark of the Web issue on Server 2012. 0patch also offers patches for NTLM-related vulnerabilities that Microsoft has classified as “wont fix.” Users can create a free account with 0patch for automatic protection against these vulnerabilities. Micropatches are available for various Windows versions, including both legacy and currently supported systems, and will remain free until an official Microsoft fix is released.