Windows processes

Winsage
August 14, 2025
Microsoft has advised users to disregard a new error from the CertificateServicesClient (CertEnroll), logged as Event ID 57 in Event Viewer, which may appear after installing the optional July 2025 update or later updates. The message states that the 'Microsoft Pluton Cryptographic Provider' provider was not loaded because initialization failed. Microsoft clarified that the error can be safely ignored: it does not indicate a problem with any active Windows component and relates to a feature still under development. There is no impact on Windows processes, and no action is required from users.
Winsage
August 14, 2025
Microsoft has advised users to disregard certain CertificateServicesClient (CertEnroll) errors that follow installation of the July 2025 preview update and subsequent Windows 11 24H2 updates. Earlier, users were told to ignore Windows Firewall configuration errors logged after rebooting a device that had installed the June 2025 preview update. In April 2025, Microsoft confirmed and fixed a known issue that produced spurious 0x80070643 failure errors after the April 2025 Windows Recovery Environment updates, and addressed a bug that triggered BitLocker drive encryption errors on Windows 10 and 11 devices. In October, Microsoft clarified that a specific issue primarily affected managed Windows environments with enforced drive encryption. Most recently, Microsoft updated its Windows release health dashboard, asking users to ignore an Event Viewer error with Event ID 57 stating that the 'Microsoft Pluton Cryptographic Provider' was not loaded because initialization failed. Microsoft emphasized that the error can be safely ignored and does not indicate a problem with any active Windows component, as it stems from a feature still under development.
Winsage
August 13, 2025
Microsoft is addressing an issue in Windows where users see an event log entry after installing the July 2025 non-security preview update or the August 2025 security update. Event Viewer may show an error with Event ID 57 from the CertificateServicesClient (CertEnroll), stating: "The 'Microsoft Pluton Cryptographic Provider' provider was not loaded because initialization failed." The error can be safely ignored: it relates to a feature under development, namely support for Microsoft Pluton, the company's security processor, and affects devices running Windows 11 24H2. Microsoft is working on a resolution and has stated that the event has no impact on Windows processes and that no user action is needed.
Winsage
August 5, 2025
North Korean state-sponsored hackers in the APT37 group are using steganography to embed malicious code in JPEG image files. This RoKRAT variant wraps its payload in a two-stage encryption scheme, and the infection chain starts with large malicious shortcut (.lnk) files disguised as legitimate documents. The .lnk files download JPEG images from cloud storage services; the images carry valid image headers but conceal encrypted malware code, which is recovered through multiple XOR decryption operations. Security researchers located the steganographic payload at offset 0x4201 within the images. The malware writes temporary files under the %LOCALAPPDATA% directory and executes through rundll32.exe, complicating detection. APT37 also uses fileless techniques, injecting shellcode into legitimate Windows processes and abusing cloud services for command and control. Recent attacks have targeted South Korean organizations using social engineering. Traditional antivirus solutions are inadequate against these techniques, so experts recommend Endpoint Detection and Response (EDR) systems for real-time monitoring of anomalous activity.
Winsage
August 5, 2025
A new variant of the RoKRAT malware, attributed to North Korea's APT37 group, utilizes advanced techniques such as steganography to hide malicious code within JPEG image files, complicating detection efforts. This malware is primarily distributed in South Korea through compressed archives containing Windows shortcut files that lead to a multi-stage infection process. The process involves executing PowerShell commands to decrypt and run the malware, which can inject itself into trusted Windows processes like mspaint.exe and notepad.exe, leaving minimal forensic traces. The malware also exfiltrates sensitive information using legitimate cloud APIs, making attribution difficult. APT37 has demonstrated adaptability by changing its injection targets and camouflaging its development artifacts, highlighting the need for advanced Endpoint Detection and Response (EDR) solutions and proactive security measures.
Winsage
August 4, 2025
Specialists at the Genians Security Center have identified a new version of the RoKRAT malware linked to the North Korean APT37 group. This version uses steganography to hide its code in JPEG images, allowing it to bypass antivirus systems. The infection begins with a ZIP archive containing an unusually large malicious .LNK file that misleads users into opening it. The malware employs several encrypted components, including shellcode, PowerShell scripts, and batch files. Upon execution, PowerShell decrypts the shellcode with an XOR operation, and the malware injects itself into legitimate Windows processes without leaving traces on disk. The RoKRAT loader is embedded in a JPEG image hosted on Dropbox and is extracted with a double XOR transformation. The malware is activated through sideloading with legitimate utilities and downloads from cloud platforms. RoKRAT can collect data, take screenshots, and transmit them to external servers. Recent samples have targeted “notepad.exe” for code injection, indicating ongoing development. Endpoint detection and response (EDR) systems are essential for monitoring unusual activity and protecting against these attacks, as traditional defenses are inadequate.
Winsage
August 4, 2025
Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. The malware uses steganography to hide malicious payloads inside JPEG files, allowing it to evade traditional antivirus detection. It is typically distributed through malicious shortcut files inside ZIP archives, often disguised as legitimate documents. It employs a two-stage encrypted shellcode injection method, using PowerShell and batch scripts to execute its payloads in memory. It collects system information, documents, and screenshots and exfiltrates them through cloud service APIs; the command-and-control accounts associated with the malware are linked to Russian email services. RoKRAT variants have evolved to use different injection targets and reference specific PDB paths. Published indicators of compromise include MD5 hashes of the samples.
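The carrier technique described in this and the preceding RoKRAT entries (a JPEG that is structurally valid up to its End-Of-Image marker, with the real payload appended past it at offset 0x4201 and unwrapped by layered XOR) can be checked for with a small scanner. The block below is an added example, not Genians' code or anything taken from a RoKRAT sample: the payload offset and the use of layered XOR come from the write-ups above, while the two-stage XOR layout (single-byte key, then a rolling multi-byte key), the key values, the padding used to build the constructed sample file, and the entropy and length thresholds in scan() are assumptions made for illustration.

```python
"""Detect and unpack a payload appended to a JPEG after its End-Of-Image (EOI)
marker, the carrier technique described for the RoKRAT loader.

Added example, not Genians' tooling or a RoKRAT sample. From the write-ups: the
payload sits past valid JPEG headers at offset 0x4201 and is unwrapped by layered
XOR. Assumed for illustration: the two-stage XOR layout, the key values, the
padding of the constructed sample file, and the thresholds in scan().
"""
from __future__ import annotations

import math
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # markers that carry no length field
RST = set(range(0xD0, 0xD8))              # restart markers inside scan data


def find_eoi(data: bytes) -> int:
    """Walk the JPEG segment structure and return the EOI marker offset (-1 if absent)."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte between segments
            pos += 1
            continue
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                # the length field counts itself
        if marker == SOS:                 # skip entropy-coded scan data
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    return -1


def trailing_data(data: bytes) -> tuple[int, bytes]:
    """Return (offset, bytes) of whatever follows the EOI marker."""
    eoi = find_eoi(data)
    if eoi < 0:
        return -1, b""
    return eoi + 2, data[eoi + 2:]


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; appended ciphertext sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_stage(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def encode_payload(payload: bytes, key1: int, key2: bytes) -> bytes:
    """Assumed two-stage wrapping: single-byte XOR, then rolling-key XOR."""
    return xor_stage(xor_stage(payload, bytes([key1])), key2)


def decode_payload(blob: bytes, key1: int, key2: bytes) -> bytes:
    """Undo the two stages in reverse order (each XOR stage is its own inverse)."""
    return xor_stage(xor_stage(blob, key2), bytes([key1]))


def build_sample(blob: bytes, payload_offset: int = 0x4201) -> bytes:
    """Constructed carrier: SOI + JFIF APP0 + one padding COM segment + EOI, then blob.
    Only the marker structure is real; it is not a renderable image."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    head = b"\xFF\xD8" + app0
    com_len = payload_offset - len(head) - 4      # minus COM marker and EOI marker
    com = b"\xFF\xFE" + struct.pack(">H", com_len) + b"\x00" * (com_len - 2)
    return head + com + b"\xFF\xD9" + blob


def scan(data: bytes, min_len: int = 256, min_entropy: float = 7.0) -> dict:
    """Flag a JPEG carrying a sizeable high-entropy blob past EOI (thresholds assumed)."""
    off, tail = trailing_data(data)
    ent = entropy(tail)
    return {
        "payload_offset": off if tail else -1,
        "trailing_len": len(tail),
        "entropy": round(ent, 2),
        "flagged": len(tail) >= min_len and ent >= min_entropy,
    }


if __name__ == "__main__":
    # Constructed stand-in for shellcode: 1024 bytes with a flat byte distribution.
    payload = bytes((i * 73 + 41) % 256 for i in range(1024))
    key1, key2 = 0x5A, b"\x13\x37\xC0\xDE\x42"    # assumed keys
    image = build_sample(encode_payload(payload, key1, key2))
    print(scan(image))
    off, tail = trailing_data(image)
    print("payload recovered:", decode_payload(tail, key1, key2) == payload, "at", hex(off))
```

Run stand-alone, the script builds the sample carrier, reports the appended blob and recovers the payload. Against real files, find_eoi() stops at the first EOI it meets, so any image whose data continues past that point deserves a look regardless of the entropy score; the XOR keys of a real sample have to be recovered from the loader script rather than guessed.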
Winsage
July 6, 2025
Microsoft Windows updates are essential for system security but can cause problems for users. A recent high-severity vulnerability, CVE-2025-33073, underlines the need for timely updates. Windows 11 users are seeing a Windows Firewall configuration error introduced by the June 26 KB5060829 update, which has raised security concerns even though it is a non-security preview update. Microsoft confirmed that the error appears in Event Viewer as "Config Read Failed" after each device restart, but that it can be safely ignored and does not indicate a problem with Windows Firewall. The error is related to a feature under development, and Microsoft is working on a fix for a future update.
Winsage
July 4, 2025
Microsoft addressed concerns regarding the KB5060829 update for Windows 11 24H2, which caused error messages related to the Windows Firewall With Advanced Security. The error, labeled as "Config Read Failed" and logged as event 2042 in the Event Viewer, does not indicate a malfunction of the Firewall and can be safely ignored. Microsoft stated that the Windows Firewall is expected to function normally and no action is required from users. The error is associated with a feature under development and does not impact Windows processes. The issue affects a minimal number of users, as the update requires manual installation. Microsoft is aware of the problem and is working on a resolution, though no timeline has been provided.
Winsage
July 3, 2025
Microsoft has acknowledged that the Windows 11 update KB5060829 causes unexpected error entries in the Windows Firewall With Advanced Security log, specifically Event ID 2042 with the label “Config Read Failed”, on every reboot. The entries do not indicate a malfunction or a security threat, and the firewall continues to function normally. Users can filter the entries out in Event Viewer or use PowerShell to suppress them. The issue affects only Windows 11 version 24H2 and does not affect server platforms. Microsoft is working on a resolution but has not given a timeline. Uninstalling the June 2025 update removes the error, though that is unnecessary, since the error affects neither system security nor functionality.
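Both acknowledged errors on this page (CertEnroll Event ID 57 for the Pluton provider, above, and Firewall Event ID 2042 "Config Read Failed" here) are safe to ignore only when the provider, event ID and message text all match what Microsoft described; suppressing on the event ID alone would also hide a genuine certificate-enrollment or firewall failure. The block below is an added example, not Microsoft's or Winsage's code: a triage filter over records in the XML shape that `wevtutil qe <log> /f:xml` exports. The sample records are constructed, and the provider names, channel names and EventData field names in them are assumptions to be checked against a real export before the signatures are trusted.

```python
"""Triage exported Windows event records against the two benign errors Microsoft
acknowledged: CertEnroll Event ID 57 for the Pluton provider, and Windows Firewall
With Advanced Security Event ID 2042 "Config Read Failed" after KB5060829.

Added example, not Microsoft's or Winsage's code. Input is the XML that
`wevtutil qe <log> /f:xml` produces. The sample records are constructed; the
provider, channel and EventData field names are assumptions to verify first.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# A signature must match provider, event ID and message text. Matching the ID
# alone would also hide a real Event 57 about some other CNG provider.
BENIGN = [
    {
        "name": "CertEnroll: Pluton provider init failed (feature under development)",
        "provider": "Microsoft-Windows-CertificateServicesClient-CertEnroll",
        "id": 57,
        "message_contains": "Microsoft Pluton Cryptographic Provider",
    },
    {
        "name": "Firewall: Config Read Failed after KB5060829 (feature under development)",
        "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
        "id": 2042,
        "message_contains": "Config Read Failed",
    },
]


def parse_event(xml_text: str) -> dict:
    """Pull provider, ID, level, channel and message text out of one <Event> record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rendered = root.find("e:RenderingInfo/e:Message", NS)   # present when exported with /rd:true
    if rendered is not None and rendered.text:
        message = rendered.text
    else:                                                    # fall back to the raw EventData fields
        message = " ".join((d.text or "") for d in root.iterfind("e:EventData/e:Data", NS))
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "id": int(system.find("e:EventID", NS).text),
        "level": int(system.find("e:Level", NS).text),
        "channel": system.find("e:Channel", NS).text,
        "message": message,
    }


def classify(ev: dict) -> tuple[str, str | None]:
    """'suppress' only on a full signature match; everything else is 'review'."""
    for sig in BENIGN:
        if (ev["provider"] == sig["provider"] and ev["id"] == sig["id"]
                and sig["message_contains"] in ev["message"]):
            return "suppress", sig["name"]
    return "review", None


def triage(records: list[str]) -> list[tuple[str, str | None, dict]]:
    out = []
    for xml_text in records:
        ev = parse_event(xml_text)
        action, reason = classify(ev)
        out.append((action, reason, ev))
    return out


# Constructed sample records, not real exports.
SAMPLE_EVENTS = [
    # The acknowledged benign CertEnroll error.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll"/>
    <EventID>57</EventID><Level>2</Level><Channel>Application</Channel></System>
  <EventData><Data Name="Provider">Microsoft Pluton Cryptographic Provider</Data>
    <Data Name="Reason">initialization failed</Data></EventData></Event>""",
    # Same provider and ID, a different CNG provider: not covered by Microsoft's note.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll"/>
    <EventID>57</EventID><Level>2</Level><Channel>Application</Channel></System>
  <EventData><Data Name="Provider">Microsoft Platform Crypto Provider</Data>
    <Data Name="Reason">initialization failed</Data></EventData></Event>""",
    # The acknowledged benign firewall error, exported with rendered message text.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security"/>
    <EventID>2042</EventID><Level>2</Level>
    <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel></System>
  <EventData><Data Name="Reason">Config Read Failed</Data></EventData>
  <RenderingInfo Culture="en-US"><Message>Config Read Failed</Message></RenderingInfo></Event>""",
    # A different firewall event ID (constructed) stays in the review queue.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security"/>
    <EventID>2004</EventID><Level>4</Level>
    <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel></System>
  <EventData><Data Name="RuleName">Allow inbound 4444</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for action, reason, ev in triage(SAMPLE_EVENTS):
        print(f"{action:8} id={ev['id']:<5} {ev['provider'][:45]:45} {reason or ev['message']}")
```

The point of the full-signature match is the second sample: an Event ID 57 from the same CertEnroll source about a different provider is not the acknowledged error and should still be investigated. To feed real data, export the Application log and the firewall channel with wevtutil and pass the individual <Event> elements to triage().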