ZIP archives Archives

Winsage

June 18, 2025

XDSpy Threat Actors Exploit Windows LNK Zero-Day Vulnerability to Target Windows System Users

The XDSpy threat actor is exploiting a Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target governmental entities in Eastern Europe and Russia since March 2025. This campaign involves a multi-stage infection chain deploying the XDigo implant, developed in Go. Attackers use spearphishing emails with ZIP archives containing crafted LNK files that exploit the vulnerability. Upon execution, these files sideload a malicious C# .NET DLL named ETDownloader, which establishes persistence and retrieves the XDigo payload from specific domains. XDigo is a data collection implant capable of file scanning, clipboard capture, and screenshot acquisition, communicating with command-and-control servers. The campaign targets Belarusian governmental entities and employs advanced tactics, including anti-analysis checks and encryption for data exfiltration. Indicators of compromise include specific SHA-256 hashes for ZIP archives, LNK files, the ETDownloader, and XDigo malware, along with associated distribution and command-and-control domains.

Winsage

April 25, 2025

My favorite File Explorer replacement just got better

Files has released an update to version 3.9.7, enhancing its functionality and introducing new customization features. Key improvements include a revamped Release Notes dialog that opens automatically after updates, customizable file size units, automatic encoding detection for ZIP file extraction, and UTF-8 encoding as the default for creating ZIP archives. The app is recognized for introducing features ahead of Windows File Explorer, such as tabs and unique functionalities like diverse view modes, sorting options, and tagging capabilities.

Winsage

April 19, 2025

Windows vulnerability with NTLM hash abuse exploited for phishing

A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Despite being classified as medium-severity, the vulnerability's potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if not essential.

Winsage

April 17, 2025

Hackers Exploiting NTLM Spoofing Vulnerability in Wild to Compromise Systems

Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.

Winsage

March 8, 2025

Lumma Stealer Launch “Click Fix” Style Attack via Fake Google Meet & Windows Update Sites

Recent investigations from Palo Alto have revealed the use of "click fix" campaigns for distributing Lumma Stealer malware, which exploit user interaction by embedding malicious scripts into the copy-paste buffer. Victims are tricked into executing harmful commands through seemingly benign instructions on malicious web pages. Key tactics include: - Domain Impersonation: Registering domains that resemble legitimate services (e.g., windows-update[.]site). - Abuse of Trusted Platforms: Hosting malicious pages on reputable platforms like Google Sites. - PowerShell Script Delivery: Using data binaries that execute as PowerShell scripts. - DLL Side-Loading: Distributing zip archives with decoy files alongside legitimate executables for side-loading Lumma Stealer DLLs. Examples of malicious activity include: 1. Fake Google Meet Page: A fraudulent page instructs users to execute a PowerShell command that downloads a script from tlgrm-redirect[.]icu, leading to the download of Lumma Stealer files from plsverif[.]cfd/1.zip and executing a DLL file (DuiLib_u.dll) through side-loading. 2. Fake Windows Update Site: The site windows-update[.]site prompts users to run a PowerShell command that downloads a file from overcoatpassably[.]shop/Z8UZbPyVpGfdRS/maloy[.]mp4, which functions as a PowerShell script. Malicious traffic patterns include HTTP POST requests to tlgrmverif[.]cyou/log.php and downloads from plsverif[.]cfd and overcoatpassably[.]shop. Active command-and-control (C2) domains for Lumma Stealer are: - web-security3[.]com - techspherxe[.]top Inactive C2 domains include: - hardswarehub[.]today - earthsymphzony[.]today Key files associated with these campaigns are: - A PowerShell script from tlgrm-redirect[.]icu/1.txt (SHA256: 909ed8a135…). - A zip archive from plsverif[.]cfd/1.zip (SHA256: 0608775a345…). - A side-loaded DLL (DuiLib_u.dll, SHA256: b3e8b610ef…). Indicators of compromise include active domains like windows-update[.]site and sites[.]google[.]com/view/get-access-now-test/verify-your-account, and associated domains such as authentication-safeguard[.]com, plsverif[.]cfd, and tlgrmverif[.]cyou.

Winsage

February 18, 2025

Windows 11 24H2’s latest bug turns a simple file move into a total nightmare, and you could be its next victim

Moving program files from .ZIP files in Windows 11 can cause File Explorer to freeze. Users can restart File Explorer via Task Manager to resolve the issue temporarily. Microsoft has not acknowledged this bug, and it is recommended to avoid using drag-and-drop for moving files to prevent the freeze.

Tech Optimizer

December 5, 2024

Hackers bypass antivirus using corrupted files

Researchers at ANY.RUN have identified a zero-day attack campaign operational since at least August 2024, which employs corrupted files to bypass security measures. Attackers use corrupted files, often disguised as ZIP archives or DOCX documents, to exploit vulnerabilities in file-handling processes, allowing them to evade antivirus software, sandbox environments, and email spam filters. These files execute malicious code when opened, despite their damaged appearance. Conventional antivirus solutions struggle to scan these files effectively, static analysis tools fail to process them, and advanced email filters cannot intercept them. ANY.RUN’s interactive sandbox can dynamically analyze these corrupted files in real-time, identifying malicious activity that traditional security tools miss. The attack process involves delivering a corrupted file via email, leading to detection failure by security tools, execution through built-in recovery mechanisms in applications, and identification of malicious behavior by the sandbox. This highlights the need for advanced threat detection techniques to maintain robust cybersecurity.

Winsage

September 26, 2024

Alert on illegal movie download: This new virus can ‘destroy’ your Windows PC/laptop – Times of India

A sophisticated malware known as Peaklight targets individuals who visit illegal movie download sites, specifically designed to infiltrate Windows computers and deploy information stealers and loaders. Peaklight operates solely within a computer's memory, leaving no trace on the hard drive, making detection difficult. It uses a PowerShell-based downloader to retrieve additional malware, such as Lumma Stealer, Hijack Loader, and CryptBot. Cybercriminals distribute Peaklight through deceptive movie downloads, hiding harmful Windows shortcut files within ZIP folders. When opened, these files connect to a content delivery network (CDN) to execute malicious JavaScript code, which activates the Peaklight downloader and retrieves further threats from a remote server.

Tech Optimizer

September 26, 2024

Illegal movie downloads could be hiding dangerous new malware

Illegal movie sites pose a significant risk to internet users due to the potential for malware infections. A report from Mandiant has identified a new malware called Peaklight, which targets individuals downloading pirated content. Peaklight operates solely in a computer's memory, leaving no trace on the hard drive, making it difficult for traditional antivirus programs to detect. The malware is activated when users download a Windows shortcut file (LNK) disguised as a movie download, which connects to a content delivery network (CDN) to execute harmful JavaScript code and a PowerShell script known as PEAKLIGHT. This script communicates with a remote server to download additional malicious software. Mandiant researchers note that Peaklight is part of a multi-stage execution chain that checks for ZIP archives in specific file paths before downloading more harmful content. To protect against malware, users are advised to avoid pirated content, keep their operating systems and software updated, use strong antivirus software, be cautious of suspicious links and files, utilize strong passwords and two-factor authentication, and be wary of compressed files.

Winsage

September 21, 2024

New Microsoft Windows Warning—You Must Never Do This On Your PC

A global cyber attack is targeting Windows users, particularly those on Windows 10, as they approach a period without security updates. The campaign involves fraudulent CAPTCHA popups designed to distribute Lumma Stealer malware. Users are tricked into clicking buttons that prompt them to paste a PowerShell script, which then executes a malicious EXE file. McAfee researchers have issued an alert about these deceptive tactics, which target individuals downloading pirated games and software developers through phishing emails. The ClickFix infection chain exploits common user behaviors, leading to the installation of malware. Users are advised to be cautious and avoid executing commands from within CAPTCHAs. As Windows 10 support ends in October 2024, users may need to consider upgrading to Windows 11 for continued security.