VBScript

Tech Optimizer
December 3, 2025
Fileless malware operates within a computer's active memory, avoiding detection by traditional antivirus solutions that rely on file scanning. It uses legitimate tools like PowerShell to execute harmful commands without creating files, making it difficult to identify. Cybercriminals can use fileless malware for various malicious activities, including data theft and cryptocurrency mining. Malwarebytes combats fileless attacks through two defense layers: Script Monitoring, which intercepts potentially dangerous scripts at execution, and Command-Line Protection, which scrutinizes command-line tools for suspicious activities. Examples of fileless attacks include malicious email attachments activating PowerShell to download ransomware, hidden JavaScript on websites mining cryptocurrency, and attackers using Windows Management Instrumentation (WMI) to create backdoors. Malwarebytes' Fileless Protection operates automatically in the background, ensuring legitimate applications function normally while monitoring for threats. It is part of a comprehensive security framework that includes machine-learning detection and web protection, designed to stop attacks that do not write files. This protection is included with Malwarebytes Premium, aimed at safeguarding personal and small business systems.
Winsage
November 25, 2025
Recent observations have identified ClickFix attack variants where cybercriminals use deceptive Windows Update animations on full-screen browser pages to hide malicious code within images. Victims are misled into executing harmful commands through specific key sequences that copy and execute commands via JavaScript. Security researchers have documented these attacks since October, noting the use of LummaC2 and Rhadamanthys information stealers. Attackers utilize steganography to embed malware payloads within PNG images, reconstructing and decrypting them in memory using PowerShell and a .NET assembly called the Stego Loader. A dynamic evasion tactic known as ctrampoline complicates detection by initiating calls to numerous empty functions. The shellcode extracted from the encrypted image can execute various file types directly in memory. Following a law enforcement operation on November 13, the Rhadamanthys variant's payload delivery through fake Windows Update domains ceased, although the domains remain active. Researchers recommend disabling the Windows Run box and monitoring suspicious process chains to mitigate risks.
Winsage
September 13, 2025
Microsoft is phasing out VBScript from Windows, a decision announced in May 2024, affecting developers using Visual Basic for Applications (VBA). The deprecation will occur in three phases. In the first phase, ongoing until at least 2026, VBScript is classified as a "Feature on Demand" (FOD), allowing existing VBA projects to function without disruption. In the second phase, starting around 2027, the VBScript FOD will no longer be enabled by default, which may cause applications that have not been updated to fail. The final phase will involve the complete removal of VBScript from future Windows releases. This change will impact VBA projects that rely on VBScript for executing external scripts and using the VBScript type library for regular expressions. To address these issues, Microsoft has integrated RegExp classes into the VBA runtime library starting with Microsoft 365 Version 2508, allowing developers to use regular expressions natively without relying on vbscript.dll. Developers are encouraged to upgrade to the latest Office build and test their projects for dependencies on VBScript.
Winsage
July 27, 2025
Microsoft has released dynamic updates for Windows 11, specifically for version 24H2 and Windows Server 2025, while Windows 10 users will not receive new enhancements. These updates improve the Windows Recovery Environment (WinRE) and Setup binaries, ensuring the preservation of Language Pack and Features on Demand content during upgrades. The updates include KB5062839, which enhances Windows setup binaries, and KB5063689, which improves the Windows recovery environment. Both updates will be automatically downloaded and installed via Windows Update, but can also be accessed manually through Microsoft's Update Catalog.
Winsage
July 13, 2025
Microsoft has released its monthly security updates for Windows 11 versions 24H2, 23H2, and 22H2, identified as KB5062553 and KB5062552. Dynamic updates have been introduced to improve the Windows Recovery experience and enhance Setup binaries. Key updates include:
- KB5062785: Setup Dynamic Update for Windows 11, version 24H2 and Windows Server 2025, enhancing setup binaries.
- KB5062683: Setup Dynamic Update for Windows 11, versions 22H2 and 23H2, improving setup binaries.
- KB5062688: Safe OS Dynamic Update for Windows 11, version 24H2 and Windows Server 2025, enhancing recovery environment and resolving a USB-C issue on Arm64 systems.
- KB5062693: Safe OS Dynamic Update for Windows 11, versions 22H2 and 23H2, improving recovery environment.
These updates will be automatically downloaded and installed via Windows Update, or can be accessed manually through the Microsoft Update Catalog.
Winsage
July 13, 2025
In April, Microsoft released dynamic updates for Windows 10, including KB5057589, which was intended for the Windows Recovery Environment (WinRE). Users faced issues with the 0x80070643 error code despite having sufficient disk space. Microsoft decided not to reoffer this update to users who installed it and promised a more reliable update. In July 2025, Microsoft released a new WinRE update, KB5063523, which automatically applies the Safe OS Dynamic Update (KB5062691) to enhance recovery features. This update resolves the previous installation issue, although the error code may still appear. Additional dynamic updates released on July 8, 2025, include KB5062682, KB5062787, KB5062788, KB5062691, KB5062689, and KB5062692, all aimed at improving Windows setup and recovery environments. These updates will be automatically downloaded and installed via Windows Update.
Winsage
June 15, 2025
Microsoft released its Patch Tuesday updates for June 2025, targeting Windows 10 and Windows 11 systems. The updates for Windows 10 include KB5060533, KB5060531, KB5061010, and KB5060998, while Windows 11 has updates KB5060842 and KB5060999. This release did not include dynamic updates for Windows 11. The dynamic updates focus on enhancing the Windows Recovery Environment (WinRE) and include improvements to Setup binaries. They are designed to be integrated into Windows images before deployment and help preserve Language Pack (LP) and Features on Demand (FODs) content during upgrades. The specific dynamic updates released are:
- KB5060534: Safe OS Dynamic Update for Windows 10 (version 1507)
- KB5060532: Safe OS Dynamic Update for Windows 10 (versions 21H2 and 22H2)
- KB5060530: Safe OS Dynamic Update for Windows 10 (version 1809) and Windows Server 2019
- KB5060529: Safe OS Dynamic Update for Windows 10 (version 1607) and Windows Server 2016
These updates will be automatically downloaded and installed through the Windows Update channel, and they are also available on Microsoft's Update Catalog website.
Winsage
March 18, 2025
Microsoft is set to release Windows Server 2025 in November 2024, featuring several editions: Essentials, Standard, Datacenter, and Datacenter Azure. Windows Server Essentials is limited to servers with a single CPU and fewer than 10 cores and can only be obtained through hardware OEMs. The Standard edition allows Hyper-V licensing for up to two virtual machines, while the Datacenter edition has no such limits and offers more flexibility with disaster recovery features. The Datacenter Azure edition is optimized for the cloud and receives annual updates. The hardware requirements for Windows Server 2025 include a minimum 64-bit CPU at 1.4 GHz, support for various instructions, and the ability to accommodate up to 2,048 logical processors. The minimum memory requirement is 512 MB, with 2 GB recommended for optimal performance. Storage requirements suggest at least 64 GB for better performance, especially with Desktop Experience, and a Gigabit Ethernet adapter is necessary for networking. Several features have been deprecated in Windows Server 2025, including Computer Browser, Failover Clustering Cluster Sets, and NTLM, among others. Completely removed features include IIS 6 Management Console, NTLMv1, and Windows PowerShell 2.0 Engine. Organizations planning to migrate to Windows Server 2025 must ensure their hardware meets the minimum requirements and can perform an in-place upgrade if currently using Windows Server 2012 R2 or newer. Testing in a lab environment and backing up servers before migration are recommended steps.