XDR Archives

Winsage

January 15, 2026

Microsoft updates Windows DLL that triggered security alerts

Microsoft has resolved an issue where third-party security applications mistakenly flagged the WinSqlite3.dll component of the Windows operating system as vulnerable. This issue affected various systems, including Windows 10, Windows 11, and Windows Server 2012 through 2025. The flagged vulnerability was linked to a memory corruption issue (CVE-2025-6965). Microsoft released an update to the WinSqlite3.dll component in updates from June 2025 and later, advising users to install the latest updates for their devices. WinSqlite3.dll is a core component of Windows, distinct from sqlite3.dll, which is not part of the operating system. Microsoft had previously addressed other false positive issues affecting its Defender for Endpoint platform.

Winsage

January 12, 2026

Windows 11 has a hidden feature that barely anyone knows exists, and Microsoft just made a crucial update that could actually make it useful | Attack of the Fanboy

Windows 11 introduces a feature called Resume, or Cross Device Resume (XDR), which allows users to switch from an app on their phone to their Windows PC. The feature currently has limited app support, mainly functioning with Spotify and Microsoft 365. Microsoft is working to enhance this feature by allowing a broader range of Android applications to utilize Windows Resume. An update has introduced an alternative method for developers to connect their applications to Resume using the Windows Push Notification Service (WNS), addressing previous limitations. Developers must submit a request to Microsoft to enable Resume for their applications, and the app must be available on both Windows and Android for the feature to work effectively.

Winsage

November 5, 2025

Curly COMrades abuse Hyper-V for covert malware operations in VMs

Bitdefender researchers have identified advanced techniques used by the Curly COMrades threat actor, believed to have Russian backing, to exploit Microsoft’s Hyper-V virtualization platform. This group activates Hyper-V on compromised systems to deploy a lightweight virtual machine (VM) running Alpine Linux, which hosts malware tools CurlyShell and CurlCat. The operation began in early July with commands that activated Hyper-V and prepared the environment for the VM, using deceptive file names to avoid detection. The Alpine Linux VM is customized for each victim, allowing the attackers to maintain a low profile while facilitating reverse shell and proxy activities. The VM routes traffic through the host's network, masking communications as originating from the legitimate host IP. CurlyShell acts as a persistent reverse shell, while CurlCat manages SSH traffic tunneling, utilizing a private key for authentication. The attackers also employ various proxy and tunneling tools and utilize PowerShell scripts for tasks such as injecting Kerberos tickets into LSASS for lateral movement and creating local accounts to ensure ongoing access. Their command and control infrastructure involves compromised servers that relay traffic between infected hosts and the attackers' servers, with measures taken to limit forensic evidence. To detect and mitigate these threats, Bitdefender emphasizes the need for host-based network inspection and hardening, as well as monitoring for abnormal access to the LSASS process and suspicious Kerberos ticket activities. The findings indicate a shift in threat actor tactics towards using virtualization for stealth and persistence, highlighting the need for layered security measures.

Winsage

November 4, 2025

Russian spies pack custom malware into hidden VMs on Windows

Bitdefender's senior security researcher, Victor Vrabie, reported that the Russian cyber group Curly COMrades is using Microsoft's Hyper-V hypervisor to conduct sophisticated attacks on compromised Windows machines. They create a concealed Alpine Linux-based virtual machine (VM) that bypasses traditional endpoint security, allowing prolonged access for espionage and malware deployment. This VM is lightweight, requiring only 120MB of disk space and 256MB of memory, and hosts a reverse shell called CurlyShell and a reverse proxy named CurlCat. The group's operations have targeted judicial and governmental institutions in Georgia and an energy company in Moldova. Their current campaign, starting in July, involved activating Hyper-V and downloading the VM with custom malware. The VM uses the Default Switch network adaptor, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell maintains root-level persistence and communicates with a command-and-control server over HTTPS, while CurlCat manages an SSH reverse proxy tunnel disguised as standard HTTP traffic. Additionally, two PowerShell scripts linked to the group enable remote authentication and establish persistent access across domain-joined machines. Vrabie highlighted the evolving tactics of cybercriminals to bypass endpoint detection and response (EDR) systems, emphasizing the need for a multi-layered security strategy.

Winsage

October 28, 2025

Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild

On October 14, 2025, a critical remote code execution (RCE) vulnerability, CVE-2025-59287, was discovered in Microsoft's Windows Server Update Services (WSUS). The vulnerability allows remote, unauthenticated attackers to execute arbitrary code with system privileges on affected servers. It was initially addressed on October 14, but the patch was insufficient, leading to an urgent out-of-band update on October 23. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog on October 24, indicating its immediate threat. The vulnerability affects Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, specifically on servers with the WSUS role enabled. Attackers are exploiting the vulnerability by targeting publicly exposed WSUS instances on TCP ports 8530 (HTTP) and 8531 (HTTPS). Approximately 5,500 WSUS instances have been identified as exposed to the internet. Microsoft recommends disabling the WSUS Server Role or blocking inbound traffic to the high-risk ports as temporary workarounds for organizations unable to apply the emergency patches immediately.

Tech Optimizer

October 17, 2025

Bitdefender Antivirus Review for Businesses & MSPs

Bitdefender has been operating since 2001 and is recognized for its antivirus solutions for individual users, small businesses, and large enterprises. It offers various plans, including a free version for consumers and multiple options under its GravityZone line for businesses and managed service providers (MSPs). The pros of Bitdefender include reliable threat detection, strong performance in independent tests, an easy-to-use interface, low system resource impact, seamless setup, and the availability of free antivirus software. The cons include scalability limitations based on the initial plan chosen. For consumers, Bitdefender offers two subscription tiers: Bitdefender Free and Bitdefender Antivirus Plus, priced at free and .99 for the first year, respectively. The business plans include GravityZone Small Business Security, GravityZone Business Security Premium, and Secure (EDR), with prices starting at .49 for one year. Bitdefender’s business solutions received accolades from AV-TEST in April 2025, detecting 100% of widespread malware and zero false positives. AV-Comparatives awarded it the Approved Enterprise & Business Security Product Award in 2024. Key features of Bitdefender’s business solutions include multilayered defenses against various threats, centralized dashboards for visibility, built-in device controls, and advanced capabilities in higher-tier plans. The GravityZone platform offers tailored solutions for MSPs, including Secure (EDR), Secure Plus (MDR), and Secure Extra (MXDR). Bitdefender’s Risk Analytics capabilities assist MSPs in identifying vulnerabilities and automating compliance reporting. User feedback from third-party forums highlights its effectiveness, high detection rates, affordability, and strong real-time threat prevention. In June 2025, Bitdefender acquired Mesh Security to enhance its XDR and MDR offerings against email threats.

Winsage

September 28, 2025

Is end of service leaving your system vulnerable? The risks no IT leader can ignore

Unsupported operating systems and device software lack regular updates, making them vulnerable to cyber attacks. Devices running on unsupported platforms can become gateways for attackers, as they are susceptible to known exploits that can be easily weaponized. According to Microsoft’s 2024 Digital Defense Report, over 90% of successful ransomware attacks target unmanaged endpoints. Unsupported versions can bypass standard security solutions and often fail compatibility checks with modern security tools, leading to significant protection gaps. Additionally, these vulnerabilities can be exploited to steal credentials and gain unauthorized access, posing risks to overall network security.

Tech Optimizer

September 27, 2025

Antivirus Statistics 2025: Revealing Growth & Usage

The global antivirus software market is projected to reach approximately billion by 2025 and grow at a compound annual growth rate (CAGR) of around 6.9% through 2029. By 2025, 84% of users are expected to have antivirus software installed on their computers, and approximately 68% will have antivirus protection on their smartphones. In recent testing, antivirus products were evaluated against 212 test cases, with 560,000 new malware variants detected globally each day. Microsoft Defender and Norton achieved perfect protection scores of 100% in evaluations conducted in June 2025. Microsoft is redesigning Windows to relocate antivirus and Endpoint Detection and Response (EDR) applications out of the kernel. In 2024, the U.S. government prohibited the sale of Kaspersky antivirus software due to national security concerns. Gen Digital anticipates revenue between .70 billion and .80 billion for 2026. The integration of AI into malware frameworks is pushing antivirus vendors to adopt machine learning-driven threat detection models. Antivirus plans are predominantly priced between and , with 32.1% of plans falling within this range. Only 3.6% of antivirus options are free, and 93% of products offer a 30+ day money-back guarantee. 79% include defenses against ransomware and phishing attacks, and 61% come with a built-in firewall. The average maximum coverage per antivirus subscription extends to 24 devices. In 2024, around 121 million Americans used third-party antivirus software, with 17 million adults intending to adopt antivirus software within six months. Among users of commercial antivirus software, 74% reported encountering malware in the past year. Detection effectiveness in malware tests often surpasses 99% for leading antivirus products, while false positive rates vary significantly. Symantec leads the Windows antivirus market with a share of 13.81%, followed by AVAST Software (11.93%) and ESET (11.03%). Approximately 560,000 new malware variants are identified daily, and there are over 1 billion documented malware samples worldwide. Ransomware attacks targeting Windows constitute around 93% of all enterprise ransomware incidents. In 2024, 17% of U.S. adults reported using antivirus software on mobile phones, with 73% opting for paid versions. Free antivirus solutions typically offer basic features but lack advanced modules. The enterprise antivirus market is projected to reach approximately .0 billion by 2024, with significant growth expected in the coming years. North America holds approximately 48.3% of the global antivirus market share, while Europe experiences growth due to regulations. IoT devices are increasingly targeted, with unpatched firmware responsible for about 60% of IoT breaches. The average cost of an IoT security failure incident is approximately 0,000. Typical antivirus subscriptions range from to 0 per year, with many vendors offering multi-device bundles.

Winsage

August 22, 2025

IGEL benefits from seismic VMware and Windows 10 shifts

IGEL Technology, founded in 2001, initially specialized in thin clients but has shifted towards software solutions that protect endpoints with a read-only operating system, reducing the attack surface by up to 95 percent. Each endpoint operates statelessly, retaining no memory of past interactions, and is managed through a unified portal that integrates with various vendors like Zscaler and CrowdStrike. IGEL's solutions allow for the integration of endpoints in operational technology environments without introducing additional security vulnerabilities, effectively replacing EDR systems with over 120 integrations. The company aims to extend the lifespan of endpoints from 3-5 years to 6-8 years, providing significant cost savings and addressing the challenges posed by the transition from Windows 10 to Windows 11. IGEL's approach enhances security while offering flexibility in application delivery options, although it does not eliminate all cyber threats.

Tech Optimizer

August 21, 2025

Inside Quick Heal’s Journey: Building India’s First Antivirus to a Global Brand

Quick Heal Technologies was founded by brothers Kailash and Sanjay Katkar in Pune, focusing on antivirus solutions to combat rising computer viruses. It became India's first homegrown antivirus and is now a globally recognized company. Despite India's digital economy expanding, only 7% of organizations are mature in cybersecurity readiness, facing challenges such as a skills deficit, fragmented security implementations, and a disconnect between executive priorities and security realities. India needs over 800,000 cybersecurity professionals, and educational institutions must integrate practical threat scenarios into their curricula. The "Make in India" movement is fostering indigenous cybersecurity solutions that address local threats while being globally relevant. Quick Heal utilizes AI to enhance threat detection and response, analyzing vast amounts of data while emphasizing the irreplaceable role of human expertise in strategic decision-making. Emerging threats include AI-powered social engineering, supply chain attacks, and cloud misconfigurations. Organizations should adopt Zero Trust architectures, invest in continuous security training, and utilize integrated threat intelligence. Quick Heal's leadership emphasizes solving real problems for customers and encourages young engineers to gain practical experience in cybersecurity. Recommended strategies for CISOs include aligning security investments with business priorities, embracing automation, and establishing integrated threat intelligence for effective risk management.