Windows processes

Winsage
April 14, 2025
Microsoft has introduced a "hotpatching" feature for Windows 11 that allows security updates to be installed in the background without requiring a reboot. This feature is currently limited to Windows 11 Enterprise, version 24H2, for x64 devices with AMD or Intel CPUs, and requires Microsoft Intune for deployment. The 0patch micro-patching service offers an alternative for users outside the enterprise, providing fixes directly in memory and free zero-day micro patches.
Winsage
March 17, 2025
Obscure#Bat is a malware campaign targeting Windows users that uses obfuscated batch scripts to deploy a user-mode rootkit, which can hide its activities from standard security measures. It stores hidden scripts in the Windows Registry and can conceal files, registry entries, and running processes through API hooking. The malware can embed itself within legitimate Windows processes, making it hard for conventional security tools to detect, and is capable of deleting evidence of its activity. Attackers use social engineering tactics, such as fake CAPTCHA tests and lures posing as legitimate software tools, to get victims to execute the malicious batch file. The rootkit hides files, processes, and registry keys whose names begin with the “$nya-” prefix and has been identified as r77, an open-source ring-3 (user-mode) rootkit. It avoids kernel modifications and relies on the registry and scheduled tasks for persistence, allowing it to evade detection by traditional kernel-focused security tools. Windows users are advised to be cautious of social engineering tactics and to inspect batch files in a text editor before running them.
Winsage
February 19, 2025
A significant alert has been issued for Microsoft Windows users regarding the Snake Keylogger, an advanced keylogger capable of extracting sensitive information from web browsers such as Chrome, Edge, and Firefox. It logs keystrokes, captures credentials, and monitors clipboard activity. The malware has already infiltrated millions of PCs and activates upon system restart, disguising itself among benign Windows processes. Fortinet reports that the Snake Keylogger has been circulating since 2020, infiltrating systems through malicious Office documents or PDFs attached to emails. If the attachment is opened with macros enabled or in vulnerable software, the malware executes. It uses AutoIt scripting to obfuscate its operations and sets its file attributes to hidden to complicate detection. The keylogger places a file in the Windows Startup folder so that it launches automatically with each restart, maintaining access to the compromised system. Once installed, it inspects its environment and captures credentials through keystrokes, clipboard data, or browser autofill information, then transmits this data to its operators. Fortinet has observed the Snake Keylogger in various countries, including China, Turkey, Indonesia, Taiwan, and Spain. Users are advised to keep security software updated and to exercise caution with email attachments from untrusted sources.
Winsage
February 18, 2025
Researchers from Trend Micro's Threat Hunting team have identified a cyberattack campaign by the APT group Earth Preta, targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. The group uses spear-phishing emails and advanced malware to compromise Windows systems, notably employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes. The attack typically begins with a malicious file, IRSetup.exe, which drops both legitimate and malicious files onto the system, often accompanied by a decoy PDF posing as an official document. Earth Preta utilizes a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe and a malicious DLL, EACore.dll. This malware communicates with a command-and-control server for data exfiltration and remote operations, offering capabilities such as reverse shell access, file deletion, and persistent storage of victim identifiers. The malware adapts its behavior based on the presence of ESET antivirus software, using different techniques for code injection. Trend Micro attributes this campaign to Earth Preta with medium confidence, noting that the group has compromised over 200 victims since at least 2022, primarily focusing on government entities and using phishing as the initial attack vector.
Winsage
February 14, 2025
A vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is being actively exploited by the Chinese APT group Mustang Panda. This low-severity vulnerability affects how Windows processes files from compressed RAR archives, making extracted files invisible in the Windows Explorer GUI while still accessible via command-line tools. Mustang Panda uses this vulnerability to hide malicious files within archives, facilitating stealthy attacks through phishing campaigns. Despite its exploitation, Microsoft has rated the vulnerability as low-severity, which may indicate limited potential damage. Cybersecurity experts warn that such vulnerabilities can have significant implications when used in larger attack strategies.
Winsage
November 14, 2024
Microsoft released its latest Patch Tuesday update, which includes updates KB5046613, KB5046615, KB5046612, and KB5046665 for Windows 10 users, and KB5046617 and KB5046633 for Windows 11 users. The Windows 11 update fixes a bug in the Task Manager that incorrectly displayed background and Windows processes as zero, while the Windows 10 updates resolve an issue preventing non-administrative users from launching applications like Teams and Quick Assist. Windows 11 users may encounter a new bug that incorrectly states their version has reached the end of service, despite having the latest cumulative update KB5046633. Microsoft has also deployed update KB5001716 to notify users about the impending end of support for their operating system versions. Additionally, Microsoft is discouraging downloads of Windows 10, even from official sources, to promote transitions to newer operating systems.
Winsage
November 13, 2024
Microsoft released an update (KB5046617) for Windows 11 24H2 and Windows Server 2025 that addresses security concerns and includes quality improvements. The update fixes a Task Manager glitch that incorrectly displayed zero counts for active applications when using the "Group by Type" option. It also resolves access issues related to Dev Drive for Windows Subsystem for Linux and installation delays of up to 40 minutes on certain hardware configurations. Additionally, it addresses failures during installations and extended restart times on Windows Server 2025 systems with 256 or more logical processors. Microsoft has been working on known issues, including a problem with fingerprint sensors and an unexpected upgrade issue affecting Windows Server 2019 and 2022 systems.
Winsage
November 1, 2024
Microsoft has acknowledged a reporting anomaly in the Task Manager of Windows 11, where it shows zero running applications and background processes after installing the October 2024 non-security preview update (KB5044384) for Windows 11 24H2 systems. This issue primarily affects devices with the "Group by Type" view enabled, although the Task Manager remains functional and users can still access the list of active applications and processes. Microsoft is investigating the matter and plans to include a fix in an upcoming Windows update. Additionally, a separate bug in Windows 10 was preventing certain applications from launching from non-admin accounts, which has been addressed using the Known Issue Rollback feature.