Windows processes Archives

Winsage

January 12, 2026

EDRStartupHinder Disables Antivirus and EDR Protections During Windows 11 25H2 Startup

A new tool named EDRStartupHinder was unveiled on January 11, 2026, which allows attackers to inhibit the launch of antivirus and endpoint detection and response (EDR) solutions during the Windows startup process. Developed by security researcher Two Seven One Three, it targets Windows Defender and various commercial security products on Windows 11 25H2 systems by redirecting essential system DLLs during boot using the Windows Bindlink API and Protected Process Light (PPL) security mechanisms. The tool employs a four-step attack chain that includes creating a malicious service with higher priority than the targeted security services, redirecting critical DLLs to attacker-controlled locations, and modifying a byte in the PE header of the DLLs to cause PPL-protected processes to refuse loading them. This results in the termination of the security software. EDRStartupHinder has been tested successfully against Windows Defender and other unnamed antivirus products, demonstrating its effectiveness in preventing these security solutions from launching. The source code for EDRStartupHinder is publicly available on GitHub, raising concerns about its potential misuse. Security teams are advised to monitor for Bindlink activity, unauthorized service creation, and registry modifications related to service groups and startup configurations to detect this attack vector. Microsoft has not yet issued any statements regarding patches or mitigations for this technique.

Winsage

December 3, 2025

Microsoft mitigates Windows LNK flaw exploited as zero-day

Microsoft has addressed a security vulnerability in Windows tracked as CVE-2025-9491, which allows malicious actors to embed harmful commands in Windows LNK files, requiring user interaction to exploit. Threat actors often distribute these files in ZIP formats to bypass email security. In March 2025, 11 hacking groups, including Evil Corp and Kimsuky, were actively exploiting this vulnerability using various malware payloads. Although Microsoft initially did not consider the issue urgent, it later modified the handling of LNK files in November updates to allow users to view the entire character string in the Target field. However, this change does not eliminate the malicious arguments embedded in the files. ACROS Security has released an unofficial patch that restricts shortcut target strings to 260 characters and alerts users about risks associated with long target strings, covering multiple Windows versions.

Tech Optimizer

November 14, 2025

Beware of Fake Bitcoin Tool That Hides DarkComet RAT Malware With it

A recent malware campaign has seen attackers disguising the DarkComet remote access trojan as Bitcoin-related applications to target cryptocurrency users. DarkComet RAT allows attackers to gain extensive control over compromised systems, despite its original creator discontinuing it years ago. The malware features capabilities such as keystroke logging, file theft, webcam surveillance, and remote desktop control, posing significant risks to users. The malicious file was distributed as a compressed RAR archive named “94k BTC wallet.exe,” which helps evade email filters. Security analysts at Point Wild discovered that the malware ensures persistence by copying itself to %AppData%RoamingMSDCSCexplorer.exe and creating a registry key for automatic execution at system startup. It attempts to connect to a command-and-control server at kvejo991.ddns.net over TCP port 1604. The malware injects its payload into legitimate Windows processes to perform keylogging and screen capture while remaining undetected. Captured keystrokes are stored in log files and exfiltrated through the command-and-control channel. Users are advised to avoid downloading cryptocurrency tools from untrusted sources and to keep security software updated.

Tech Optimizer

October 24, 2025

Why Aren’t Antivirus Programs Enough To Protect Crypto?

Cryptocurrency has introduced a decentralized approach to financial transactions, but it faces significant security challenges, including vulnerability to cyberattacks, theft, and fraud. Traditional antivirus software has limitations, such as reliance on signature-based detection, which struggles against emerging and polymorphic malware. Behavioral detection methods also have shortcomings, as stealth malware can disguise itself and conditional activation can evade detection. Fileless malware techniques and human error, such as phishing and weak password hygiene, further complicate security. To enhance security, cryptocurrency users should adopt a multi-layered strategy that includes using hardware wallets for offline storage of private keys, implementing multi-factor authentication (MFA), and utilizing dedicated anti-malware tools. Safe browsing habits and regular software patches are also essential, along with securely backing up private keys.

Tech Optimizer

October 7, 2025

6 Windows hardening steps that don’t break gaming or DRM

Windows 11 is not the most secure operating system by default but offers ways to enhance security without affecting gaming performance. Gaming PCs are vulnerable to cyber threats and should adopt security measures. Customizing Windows Firewall allows users to maintain internet access for gaming applications while ensuring security. Users should add key game executable files to the "allowed apps" list and consider using SimpleWall for better control over network activity. Using a standard account for gaming sessions enhances security by limiting admin account access, which should be reserved for software installation and updates. Implementing multi-factor authentication for both admin and standard user accounts adds an extra layer of security. Windows Defender has improved and can be an efficient antivirus option, but third-party solutions may conflict with gaming performance. Game files should be added to Windows Defender's exclusion list to avoid performance issues. Disabling unnecessary Windows services can enhance security and performance by reducing the attack surface and freeing up resources. Common services to disable include Cellular Time, Connected Devices Platform Service, and Telemetry. Secure Boot protects against malicious software during the boot process and may require BIOS adjustments. It does not affect gaming performance and is often necessary for games with kernel-level anti-cheat systems. Memory Integrity and Core Isolation are advanced security features that protect against low-level attacks by creating an isolated environment for critical processes. These features require minimal resources if the CPU supports Intel's Mode-Based Execution Control (MBEC) or AMD's Guest Mode Execution Trap (GMET). Balancing security measures with optimal system performance is essential for a secure gaming experience.

Tech Optimizer

September 22, 2025

Hackers Deploy New EDR-Freeze Tool to Disable Security Software

A security researcher has developed a tool called EDR-Freeze that allows for the temporary disabling of endpoint detection and response (EDR) systems and antivirus software without using vulnerable drivers. EDR-Freeze exploits the Windows Error Reporting functionality to execute a race condition attack that suspends security processes, specifically targeting the WerFaultSecure.exe process. The tool can successfully suspend the MsMpEng.exe process of Windows Defender on Windows 11 24H2. It operates entirely within user-mode and uses legitimate Windows components, making detection more difficult for security teams. The source code for EDR-Freeze is publicly available on GitHub, intended for legitimate security research, but poses risks of misuse by malicious actors. Security teams are advised to monitor for suspicious activity related to WerFaultSecure.exe and to enhance their process protection mechanisms.

Winsage

August 14, 2025

Microsoft asks Windows 11 users to ignore yet another error message

Microsoft has advised users to disregard a new error related to the CertificateServicesClient (CertEnroll), logged as Error ID 57 in the Event Viewer, which may appear after installing the optional July 2025 update or later updates. The error message states that the 'Microsoft Pluton Cryptographic Provider' provider was not loaded due to initialization failure. Microsoft clarified that this error can be safely ignored, as it does not indicate an issue with any active Windows component and is related to a feature under development. There is no impact on Windows processes, and no action is required from users.

Winsage

August 14, 2025

Microsoft asks users to ignore certificate enrollment errors

Microsoft has advised users to disregard certain CertificateServicesClient (CertEnroll) errors following the installation of the July 2025 preview update and subsequent Windows 11 24H2 updates. Users were also encouraged to overlook Windows Firewall configuration errors after rebooting post-installation of the June 2025 preview update. In April 2025, Microsoft confirmed and rectified a known issue causing invalid 0x80070643 failure errors after applying April 2025 Windows Recovery Environment updates, and addressed a bug triggering BitLocker drive encryption errors on Windows 10 and 11 devices. In October, Microsoft clarified that a specific issue primarily affected managed Windows environments with enforced drive encryption. Recently, Microsoft updated its Windows release health dashboard, asking users to ignore an error logged in Event Viewer with Error ID 57, related to the 'Microsoft Pluton Cryptographic Provider' not loading due to initialization failure. They emphasized that this error can be safely ignored and does not indicate issues with active Windows components, as it stems from a feature still under development.

Winsage

August 13, 2025

Latest Windows patches cause false error to appear

Microsoft is addressing an issue with its Windows operating system where users see an event log message after installing the July 2025 non-security preview update or the August 2025 security update. The Event Viewer may show an error with ID 57 related to the CertificateServicesClient (CertEnroll), stating: "The 'Microsoft Pluton Cryptographic Provider' provider was not loaded because initialization failed." This error can be safely ignored, as it pertains to a feature under development, specifically the Pluton architecture for processor security, and affects users on Windows 11 24H2. Microsoft is working on a resolution and has indicated that there is no impact on Windows processes related to this event, advising users that no action is needed.

Winsage

August 5, 2025

North Korean Cyberattackers Conceal Malicious Software Inside JPEG Images

North Korean state-sponsored hackers, part of the APT37 group, are using advanced steganography techniques to embed malicious software within JPEG image files. The RoKRAT malware variant employs a two-stage encryption process, starting with the creation of large malicious shortcut files disguised as legitimate documents. These .lnk files download JPEG images from cloud storage services, which appear to contain valid image headers but actually conceal encrypted malware code. The malware is revealed through multiple XOR decryption operations. Security researchers have identified the steganographic payload at offset 0x4201 within the images. The malware generates temporary files in the %LOCALAPPDATA% directory and executes through rundll32.exe, complicating detection. APT37 also uses fileless attack strategies, injecting shellcode into legitimate Windows processes and exploiting cloud services for command and control operations. Recent attacks have targeted South Korean organizations using social engineering tactics. Traditional antivirus solutions are inadequate against these techniques, prompting experts to recommend Endpoint Detection and Response (EDR) systems for real-time monitoring of anomalous activities.