Windows APIs

Winsage
June 17, 2026
The Windows variant of SprySOCKS malware, developed by the Chinese threat group Earth Lusca, targets government entities globally and features advanced capabilities such as rootkit-level stealth and extensive command-and-control (C2) functionalities. It operates on Windows systems, utilizing two main variants: WINDRV, which includes kernel drivers for stealth operations, and WINPLUS, a streamlined backdoor. The malware can communicate over TCP, UDP, and WebSocket, offering over 30 C2 commands for various operations, including system information gathering and keystroke logging. WINDRV loads a driver named ‘RawWNPF’ into memory using another signed kernel driver, allowing it to conceal processes and achieve persistence. The malware's design incorporates open-source elements and exploits vulnerabilities in the software supply chain, notably using a leaked certificate for driver signing. To combat SprySOCKS, organizations are advised to implement advanced endpoint detection and response (EDR) solutions, maintain regular patching, and manage supply chain risks vigilantly. The malware's adaptability and reliance on legitimate certificates complicate detection efforts, necessitating continuous refinement of security practices.
AppWizard
June 10, 2026
Arm chips have traditionally excelled in Android gaming and emulation, while x86 architecture has dominated serious PC gaming. A modder successfully ran Steam on the original Nintendo Switch, which features an Nvidia Tegra chip, due to the introduction of Arm support in Proton 11's beta version. This achievement indicates that PC gaming on handheld devices may not be limited to x86 architecture. However, running Steam on the Switch requires complex workarounds, resulting in low frame rates and various limitations. The process involved using Box64 and community-developed projects to facilitate the installation, as the Switch's outdated kernel posed challenges. Despite the limitations, the ability to run x86 games on an Arm chip suggests that hardware constraints, rather than translation feasibility, are the main obstacles. Modern Arm chips have shown the capability to run PC games, with driver issues being a significant challenge for non-gaming devices. Valve is developing the Steam Frame, a VR headset powered by Snapdragon 8 Gen 3, which runs SteamOS natively on Arm and utilizes FEX for x86 game compatibility. Early benchmarks indicate promising performance on Arm devices, suggesting a potential shift in the handheld gaming landscape. While x86 remains the safer choice currently, the barriers for Arm-based handhelds are gradually diminishing, indicating a future with more options beyond x86 architecture.
Winsage
June 5, 2026
At Build 2026, Microsoft announced plans to enhance Windows 11 personalization through AI agents, with API endpoints available for developers to create tailored experiences. Product Manager Samantha Song highlighted the need for a more user-friendly interface that reflects individual preferences, noting current customization options can be cumbersome. Microsoft introduced "WinUI skills," enabling developers to use AI agents like Copilot to create native applications that interact with Windows APIs. Users could instruct AI to modify themes, such as creating a cherry blossom theme, which would adjust wallpapers and accent colors automatically. AI skills could also apply accent colors to File Explorer and download themed wallpapers. The theme module can orchestrate multiple actions, allowing users to change their entire Windows theme with a single command. Microsoft is exploring a themes agent for generating new themes. While currently an open-source project, there is potential for these features to be integrated into Windows 11, enhancing user experience through personalized customization.
Winsage
June 4, 2026
Active Directory Certificate Services (ADCS) now supports the generation of post-quantum certificates, enhancing quantum-safe cryptography within Windows' secure connection protocols. Microsoft has integrated PQ TLS hybrid key exchange into the Windows Transport Layer Security (TLS) stack, providing protection against "Harvest Now, Decrypt Later" (HNDL) attacks. The PQ TLS hybrid key exchange combines traditional cryptographic methods with the NIST ML-KEM algorithm, offering three hybrid combinations: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024. This feature is available in preview via the Windows Insider Program and will be rolled out to Windows 11 and Windows Server. Additionally, Windows cryptography APIs now support composite ML-KEM and ML-DSA algorithms, which are NIST-approved standards for key exchange and digital signatures, enhancing security by requiring multiple components to be compromised. Microsoft emphasizes the importance of establishing new Certification Authorities (CAs) for implementing post-quantum certificate issuance, as existing CAs cannot be upgraded. The introduction of ML-DSA support within ADCS allows organizations to counter HNDL risks associated with long-lived data. Organizations are encouraged to inventory their use of public-key cryptography, prioritize systems protecting sensitive data, and test hybrid and composite approaches in non-production environments to facilitate a smooth transition to quantum-safe cryptography.
Winsage
April 14, 2026
Scott Hanselman, VP at Microsoft, has introduced a tool called PeekDesktop for Windows, which allows users to minimize all open windows by clicking on an empty area of their desktop wallpaper. A second click or switching back to any application restores the windows to their original positions. This feature is similar to the "click wallpaper to reveal desktop" function in macOS Sonoma, which has not been available in Windows until now. PeekDesktop is easy to install from GitHub, requires no additional setup, and is compatible with Windows on ARM. It uses minimal system resources and operates through lightweight Windows APIs to manage window states. Users can customize settings from the system tray, and Hanselman is working on enhancements to replicate more macOS-style behaviors.
Winsage
March 27, 2026
In January 2026, Microsoft launched the public preview of the WinApp CLI, a command-line tool for Windows application development that is open source and supports various frameworks including .NET, C++, Electron, and Rust. The tool aims to simplify the complexities of Windows development by providing a unified entry point for environment setup, configuration, and packaging. Key features include the winapp init command for environment initialization, the winapp create-debug-identity command for attaching package identities without full MSIX packaging, and automation capabilities for manifests, certificates, and signing processes. The CLI also supports Electron and Node.js scenarios, allowing developers to inject package identity into running Electron processes. The WinApp CLI is currently in public preview, with potential changes before general availability, and an updated version 0.2.0 was released in late February 2026. It can be accessed via WinGet, npm, and as a GitHub project for community contributions.