Windows Kernel Archives

AppWizard

April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.

Winsage

April 23, 2026

Get Linux on your ancient 486 Windows 95 desktop using WSL9x — very old Windows PCs can cooperatively run very modern Linux kernels

A computer enthusiast has developed a tool called WSL9x, which allows users to run contemporary Linux kernels on early versions of Windows (from Windows 95 onward) and on machines with 486 CPUs. WSL9x enables the simultaneous operation of Windows and Linux applications without relying on hardware virtualization. The architecture includes a client program, wsl.com, which manages a DOS window for the console driver. Meanwhile, the Linux community is phasing out support for the Intel 486 CPU, with developers removing related support options in the Linux kernel, marking the end of support for this processor.

Winsage

April 22, 2026

You can now run WSL on Windows 95, in case you’re crazy, too

Hailey has developed the Windows 9x Subsystem for Linux (WSL9x), which allows the 6.19 Linux kernel to run on Windows 9x systems without a graphical user interface, relying instead on a terminal experience. WSL9x consists of three main components: a modified Linux kernel that interacts with Windows 9x APIs, a virtual device (VxD) driver that initializes WSL9x and manages userspace events, and a simple 16-bit DOS client for passing commands to the Linux kernel. The system handles syscalls through a general protection fault handler due to limitations in the Win9x architecture. However, this setup poses security risks as both the Linux kernel and Windows kernel operate with the same CPU privileges, meaning instability could occur if either crashes. Comprehensive instructions for installation are available on Hailey's Codeberg page.

Winsage

April 10, 2026

Microsoft Locked Out VeraCrypt, WireGuard, and Windscribe from Pushing Windows Updates

Microsoft implemented a mandatory account verification process for all partners in the Windows Hardware Program who had not completed verification since April 2024, effective October 16, 2025. This requirement necessitated that partners verify their identities using a government-issued ID matching the name of the primary contact in the Partner Center. Failure to meet this deadline or pass verification resulted in account suspension, preventing further submissions. This affected the ability of developers to sign Windows kernel drivers, leading to suspensions for notable open source projects like VeraCrypt, WireGuard, and Windscribe. Mounir Idrassi, the developer of VeraCrypt, reported his account was terminated without notice, and Jason Donenfeld of WireGuard faced similar issues. Windscribe experienced a prolonged resolution process despite having a verified account for over eight years. Following these suspensions, Scott Hanselman from Microsoft announced that the accounts would be reinstated and corrective measures were being taken.

Winsage

March 31, 2026

Microsoft’s April 2026 Windows Update Ends Trust for Cross-Signed Kernel Drivers

Microsoft will eliminate default trust for kernel drivers signed through the outdated cross-signed root program with the April 2026 Windows update. All new kernel drivers must be certified via the Windows Hardware Compatibility Program (WHCP). This change will affect Windows 11 builds 24H2, 25H2, and 26H1, as well as Windows Server 2025, with future versions following the same standards. The update will begin in evaluation mode, monitoring driver loads for compliance before transitioning to enforcement mode. An allow list of reputable drivers will be maintained for legacy hardware, and enterprises can use Application Control for Business policies to authorize specific drivers. Users with older hardware may face compatibility issues if their drivers are not WHCP-certified.

Winsage

March 27, 2026

Microsoft tells crusty old kernel drivers to get with the Windows Hardware Compatibility Program

Microsoft is enhancing the security of the Windows kernel by eliminating trust for kernel drivers not certified through the Windows Hardware Compatibility Program (WHCP) starting with the April 2026 Windows Update. This change specifically targets kernel drivers signed by the now-obsolete cross-signed root program, which has been associated with security vulnerabilities. The new policy will initially be introduced in an "evaluation mode" to monitor and audit driver loads for potential compatibility issues. Custom kernel drivers can still be used under the Application Control for Business policy, but must be signed by an authority within the device's Secure Boot Platform Key or Key Exchange Key variables. The changes will impact Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025.

Tech Optimizer

March 27, 2026

Bogus Avast website fakes virus scan, installs Venom Stealer instead

A deceptive website impersonating Avast antivirus tricks users into downloading Venom Stealer malware, which steals passwords, session cookies, and cryptocurrency wallet information. The site conducts a fake virus scan, falsely reporting threats to encourage users to download a malicious file named Avastsystemcleaner.exe. This file mimics legitimate software and operates stealthily, targeting web browsers to harvest credentials and session cookies. It also captures screenshots and sends stolen data to the command-and-control domain app-metrics-cdn[.]com via unencrypted HTTP. The malware employs evasion techniques to avoid detection and is part of a long-standing cybercrime tactic that exploits user trust in security software. Indicators of compromise include the file hash SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d, the domain app-metrics-cdn[.]com, and the network indicator 104.21.14.89.

Winsage

March 14, 2026

Announcing Windows 11 Insider Preview Build 26220.8062 (Beta Channel)

Windows 11 Insider Preview Build 26220.8062 (KB 5079458) has been released to the Beta Channel, introducing various changes and improvements. 1. Policy-Based Removal of Preinstalled Microsoft Apps: IT administrators can now use a dynamic app removal list to remove MSIX/APPX apps by adding their package family names through Group Policy. The dynamic list is not yet available in Intune CSP. 2. Windows Setup Experience: Users can select a custom name for their user folder during the Windows setup process, which must adhere to standard naming conventions. 3. Windows Driver Policy Update: A new policy removes default trust for cross-signed drivers, allowing third-party drivers from the Windows Hardware Compatibility Program (WHCP) by default. The feature will initially operate in audit mode for at least 100 hours. 4. Point-in-Time Restore Updates: Local administrators will see a settings dialog to view or modify default restore settings, including a list of available restore points. Updated messaging has been added to the restore experience. 5. Drag Tray Rebranding: The Drag Tray has been rebranded as Drop Tray, with settings relocated to System > Multitasking. 6. Pen Settings: Refinements have been made to the Pen settings page, including an option for the pen tail button to launch the same app as the Copilot key. 7. File Explorer and Other Enhancements: Improvements have been made to the reliability of setting the preferred display language, and unexpected errors from the sfc/scannow command have been removed. Updates are gradually rolled out to Insiders who opt in via Settings > Windows Update, and features may evolve or be removed based on feedback.

Winsage

March 13, 2026

Announcing Windows 11 Insider Preview Build 26300.8068 (Dev Channel)

Windows 11 Insider Preview Build 26300.8068 (KB 5079464) has been released to the Dev Channel. Key changes include: - Enhanced policy for removing preinstalled Microsoft Store apps for Windows ENT/EDU, allowing IT administrators to use a dynamic app removal list via Group Policy. - Users can now select a custom name for their user folder during the Windows setup process. - A new policy removes default trust for cross-signed drivers, allowing third-party drivers from the Windows Hardware Compatibility Program (WHCP) by default, initially operating in audit mode. - Point-in-time restore now includes a settings dialog for local administrators and displays available restore points. - Microsoft 365 Family subscribers can upgrade their plan directly from the Accounts page in Settings. - The Drag Tray feature has been rebranded to Drop Tray, with settings relocated. - Updates to Pen settings include a new option for the pen tail button. - Enhanced reliability for preferred display language settings and removal of an unexpected error from sfc/scannow. Updates are gradually rolled out to users who opt in through the Settings menu under Windows Update.

Winsage

February 26, 2026

PoC Published for Microsoft Windows Flaw That Allows Low-Privileged Users to Force Irrecoverable BSODs

Security researchers have developed a working Proof of Concept (PoC) exploit for a vulnerability in the Windows kernel, identified as CVE-2026-2636, which allows low-privileged users to induce a Blue Screen of Death (BSoD), resulting in a Denial of Service. This vulnerability is linked to the Windows Common Log File System (CLFS) driver, specifically the CLFS.sys component, and arises from improper handling of invalid or special elements within CLFS (CWE-159). The PoC demonstrates that a non-administrative user can trigger the bug by executing a crafted ReadFile operation on a handle linked to an opened .blf log file without the expected I/O Request Packet (IRP) flags set. This leads to a critical inconsistency in the driver, causing Windows to invoke the kernel routine KeBugCheckEx, which results in a BSoD. The CVE-2026-2636 has a CVSS score of 5.5 (Medium) and poses a high impact on availability, allowing any authenticated user to crash the host reliably. Microsoft addressed this vulnerability in the September 2025 cumulative update, protecting systems running Windows 11 2024 LTSC and Windows Server 2025 by default. However, older or unpatched builds remain vulnerable. Organizations are advised to verify the deployment of the September 2025 updates, prioritize patching multi-user systems, and monitor for unusual spikes in BSoD events.