ZIP archives Archives

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

Tech Optimizer

November 13, 2025

New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware

Security researchers have identified a malware campaign using the ClickFix social engineering technique to spread information-stealing malware on Windows and macOS. The campaign targets users searching for cracked software, leading them to malicious Google-hosted landing pages. Victims encounter fake security warnings that prompt them to execute a malicious command, resulting in the installation of infostealer malware. Windows users receive the ACR stealer, while macOS users get the Odyssey stealer, both delivered in password-protected ZIP files. ACR also loads additional malware like SharkClipper, which hijacks cryptocurrency clipboard data. The campaign has seen a 700% increase in ACR logs in May 2025, with ClickFix becoming the most common initial access method, accounting for 47% of all initial access schemes. The malware collects various user data, including passwords and cryptocurrency wallets, and operates in a fileless manner to evade detection. Security experts advise against executing unverified commands and recommend enhancing endpoint detection capabilities to combat these threats.

Winsage

October 19, 2025

DOSBox Pure Unleashed is ready for Windows, Mac, and Linux computers after five years in development — enhanced standalone release no longer restricted to being a RetroArch core

DOSBox Pure Unleashed is a new version of the DOS emulator developed by Psyraven, released on Saturday evening. It is a standalone application compatible with Windows, Mac, and Linux, featuring a user-friendly interface. Key enhancements include experimental support for Windows 9X, the ability to run games from ZIP archives, Voodoo graphics emulation up to 4K/UHD resolution, and integration of MIDI synths and SoundFonts. The emulator is available for download on its GitHub page, and its source code is accessible under the GNU General Public License, version 2 or later.

AppWizard

September 17, 2025

224 Malicious Android Apps on Google Play With 38 Million Downloads Delivering Malicious Payloads

A mobile ad fraud operation called "SlopAds" infiltrated the Google Play Store with 224 malicious applications, which collectively achieved over 38 million downloads across 228 countries. The operation utilized advanced steganography and obfuscation techniques to deliver fraudulent advertising payloads while avoiding detection. SlopAds activated its fraud system selectively based on specific advertising campaigns, generating around 2.3 billion fraudulent bid requests daily, primarily from the United States (30%), India (10%), and Brazil (7%). The malicious apps exploited Firebase Remote Config to retrieve encrypted data for downloading a primary fraud module named "FatModule." This module was concealed within PNG image files, allowing it to bypass traditional security measures. The FatModule included anti-analysis features to evade detection by security researchers. Google has since removed all identified SlopAds applications from the Play Store and implemented protections through Google Play Protect.

Tech Optimizer

September 15, 2025

HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks

Chinese-speaking users are experiencing a sophisticated SEO poisoning campaign that uses counterfeit software sites to spread malware. Researchers from Fortinet FortiGuard Labs discovered this activity in August 2025, which involves manipulating search rankings to redirect users to fraudulent sites that deliver malware through trojanized installers. The malware families identified include HiddenGh0st and Winos, both variants of the Gh0st RAT, linked to a cybercrime group known as Silver Fox. The attack mechanism involves a script named nice.js that orchestrates the malware delivery process, leading to the installation of a malicious DLL, "EnumW.dll," which performs anti-analysis checks and extracts another DLL, "vstdlib.dll." This second DLL inflates memory usage to evade detection and is responsible for launching the main payload. The malware aims to sideload a DLL, "AIDE.dll," which establishes a Command-and-Control (C2) communication, collects victim data, and monitors user activity. Additionally, a separate campaign targeting Chinese-speaking users has been flagged by Zscaler ThreatLabz, featuring a new malware called kkRAT. This malware shares code similarities with Gh0st RAT and employs fake installer pages to deliver multiple trojans. It uses techniques to bypass security software and targets specific antivirus programs, including 360 Total Security and Kingsoft Internet Security. The installer launches shellcode that retrieves additional malicious payloads, including kkRAT, which can perform various data-gathering tasks and manipulate clipboard data to replace cryptocurrency addresses.

AppWizard

August 26, 2025

77 Malicious Android Apps With 19M Installs Targeted 831 Banks Worldwide

Zscaler’s ThreatLabz team identified 77 malicious applications on the Google Play Store with over 19 million installations, which target financial institutions and compromise user data. A new variant of the Anatsa banking trojan, also known as TeaBot, now targets over 831 banks globally, up from 650, and has expanded its reach to countries like Germany and South Korea. Many of these apps disguise themselves as document readers, with some exceeding 50,000 downloads. The malware downloads the Anatsa payload after installation and uses Android’s Accessibility Services to automate malicious activities, including stealing financial information and facilitating fraudulent transactions. The malware employs techniques to evade detection, such as obfuscating its code and using corrupted ZIP archives. The most prevalent Android malware identified was Joker, found in nearly 25% of the analyzed applications, known for stealing contacts and device data. A smaller subset of apps contained “maskware,” which engages in credential theft and personal data collection.

Winsage

August 7, 2025

These 9 File Explorer alternatives make your Windows PC so much better

Windows Explorer has a basic interface that can hinder file management, prompting the development of alternative "commander" tools. These alternatives include single-window and dual-window applications designed to improve file management on Windows PCs. Free Commander XE features a dual-window layout with tabs for quick access and modern icons, allowing users to manage ZIP files and synchronize folders. Multi Commander also uses a dual-window approach, supports bulk file renaming, and offers a portable version. Double Commander is an open-source option with a familiar interface, capable of creating symbolic links and synchronizing folders. One Commander allows toggling between single and dual-window views and includes customizable features. Paid file managers like Total Commander, SpeedCommander, and XYplorer offer advanced functionalities, including FTP capabilities and scripting options. Q-Dir can open four windows simultaneously and provides extensive customization. File Voyager features a two-window view but may have stability issues. For Android devices, Google Files, Total Commander, and X-plore are notable file management apps, each offering various features for organizing and accessing files.

Winsage

August 4, 2025

North Korea Hiding Malware Within JPEG Files to Attack Windows Systems Bypassing Detections

Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. This malware uses steganography to hide malicious payloads within JPEG files, allowing it to evade traditional antivirus detection. It is typically distributed through malicious shortcut files within ZIP archives, often disguised as legitimate documents. The malware employs a two-stage encrypted shellcode injection method, utilizing PowerShell and batch scripts to execute its payloads in memory. It collects system information, documents, and screenshots, exfiltrating data via compromised cloud APIs. The command and control accounts associated with the malware are linked to Russian email services. Variants of RoKRAT have evolved to include different injection methods and reference specific PDB paths. Indicators of compromise include various MD5 hashes associated with the malware.

Tech Optimizer

July 7, 2025

XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses

The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.

AppWizard

July 3, 2025

Qwizzserial Android Malware as Legitimate Apps Steals Banking Data & Intercepts 2FA SMS

A sophisticated Android malware campaign named Qwizzserial has emerged as a significant threat to banking security in Central Asia, particularly affecting users in Uzbekistan. Initially identified in mid-2024, it disguises itself as legitimate applications to deceive users into installation. Analysts from Group-IB uncovered it, noting its distribution network resembles the Classiscam fraud infrastructure. The campaign has reportedly infected around 100,000 users, resulting in financial losses exceeding ,000 within three months. The primary distribution channel is Telegram, where cybercriminals pose as government entities. Qwizzserial requests critical permissions upon installation and collects personal and financial information, systematically harvesting existing SMS messages. Recent iterations have incorporated obfuscation techniques and enhanced persistence mechanisms.