Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.

How the Attack Tricks Users

ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”

The page guides the user through a simple-looking process:

• Press Win + R to open the Run dialog
• Paste a pre-copied command using Ctrl + V
• Hit Enter to execute it

To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.

How It Evades Detection

Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.

A few key techniques make this variant harder to detect:

• Uses WebDAV to fetch remote files like a network share
• Executes DLL functions using ordinal numbers (#1) instead of readable names
• Avoids early use of PowerShell to bypass common detection rules
• Runs most of the attack in memory, leaving minimal traces on disk

After the initial stage, PowerShell is used quietly with flags like -NoP and -NonI, along with IEX (Invoke-Expression) to load additional payloads.

The final payload, known as SkimokKeep, includes advanced evasion methods:

• Resolves system functions using hashing instead of direct imports
• Checks for sandbox or VM environments before running
• Uses anti-debugging tricks like timing checks
• Injects code into legitimate processes such as browsers

Why This Matters

This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What Security Teams Should Watch

To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:

• Monitor suspicious use of rundll32.exe, especially with WebDAV-related arguments
• Enable command-line logging for system binaries (LOLBins)
• Restrict or monitor WebDAV traffic over port 80
• Block known malicious IPs and domains linked to the campaign
• Educate users about fake CAPTCHA pages and ClickFix tricks

This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.

Block Known Malicious Infrastructure

Security teams should proactively block known indicators linked to this campaign to reduce exposure:

• 178.16.53[.]137
• 141.98.234[.]27
• 46.149.73[.]60
• 91.219.23[.]245

Suspicious domains to watch or block:

• mer-forgea.sightup[.]in[.]net
• data-x7-sync.neurosync[.]in[.]net

You can place this section right after the “What Security Teams Should Watch” section so it flows naturally as an action step.

The post ClickFix Variant Bypasses Detection Using Rundll32 & WebDAV appeared first on First Hackers News.

This update ensures that only drivers verified through Microsoft’s Windows Hardware Compatibility Program (WHCP) are allowed to run automatically. By enforcing stricter validation, Microsoft is reducing the risk of attackers using malicious drivers to gain deep, kernel-level access to systems.

This enhancement is crucial for maintaining high standards of Windows kernel driver security across all devices.

Kernel drivers operate at the core of the operating system, so any weakness in how they are signed or validated can be exploited. By removing support for legacy signing methods, Microsoft is closing a long-standing security gap.

Removal of Cross-Signed Drivers and Security Impact

The older cross-signing model allowed third-party certificate authorities to approve drivers without strict validation from Microsoft. While this approach helped with compatibility in the past, it also introduced security risks.

Attackers have historically abused this model by stealing signing keys and using them to install rootkits and other advanced malware. Even though Microsoft deprecated cross-signing in 2021, older certificates were still trusted by Windows systems until now.

With this update, that trust is fully removed. Drivers must now go through a stricter approval process that includes:

• Identity verification of the vendor
• Security and compatibility testing
• Malware scanning before certification

This significantly reduces the chances of malicious drivers being loaded into the Windows kernel.

Deployment Approach and Enterprise Considerations

To avoid disruptions, Microsoft is rolling out this change in stages. Initially, the system will monitor and evaluate driver activity before enforcing the block. This allows organizations to identify compatibility issues early.

Additionally, Microsoft will maintain an allow list for widely used legacy drivers to prevent system failures. If unsupported drivers are detected, enforcement may be delayed until the system is stable.

For enterprise environments, there is still controlled flexibility. Organizations that rely on custom kernel drivers can allow them using Application Control for Business policies. These policies must be securely signed and tied to UEFI Secure Boot, ensuring only trusted internal drivers are permitted.

Overall, this update marks a significant step toward strengthening Windows security by limiting kernel-level attack vectors and enforcing modern driver validation standards.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Windows 11 Blocks Untrusted Kernel Drivers to Improve Security appeared first on First Hackers News.

The project is part of a wider Endpoint Detection and Response effort called Sanctum. It shows how defenders can use Windows Minifilters to spot and interrupt malicious file encryption before user data is damaged.

How the Detection Method Works

At the center of this approach is a Windows feature known as a file system filter driver. This driver operates between user applications and the storage system, meaning every file operation — creating, modifying, or renaming files — passes through it.

Researcher 0xflux describes this layer as a control point. Because all file activity flows through it, the system can monitor behavior in real time and step in when something suspicious happens.

Although the developer initially planned to build the driver in Rust, the lack of proper filter driver support led to the project being written in C instead.

What Signals Indicate Ransomware

The Sanctum driver registers system callbacks so it gets notified when certain file actions occur. The proof-of-concept focuses on two important Windows file events.

One event tracks when programs request access to files with write or delete permissions. A process rapidly opening many files with these permissions can signal the start of mass encryption.

The second event is more central to this PoC. It triggers when file information changes, such as when a file is renamed. Ransomware often renames files after encryption, adding a new extension to mark them as locked.

In this demo, the driver watches for a specific extension tied to a known LockBit variant.

How the System Identifies the Attacker

When a rename event occurs, the driver uses Windows APIs to read the full file name and compare the new extension with known ransomware patterns.

If a match appears, the system does more than log the event. It also determines which process made the change. Using internal functions, it retrieves the process ID and the program name responsible. This gives defenders precise visibility into which application is behaving maliciously.

Right now, the tool mainly records suspicious activity, acting as a detailed monitoring system. However, future versions could go further.

The researcher suggests adding real-time entropy analysis to detect encryption as it happens. Another potential feature is freezing or terminating the threads of a malicious process immediately after detection.

This project shows how moving defenses deeper into the Windows kernel can provide faster response and greater visibility than traditional antivirus solutions that operate at higher system levels.

The post Using Windows Minifilters to Identify Ransomware Activity appeared first on First Hackers News.

Although classified as a preview update, it brings major improvements to how Windows safeguards core file structures. The changes address increasing security concerns related to privilege escalation and direct manipulation of protected system resources.

Improved System File Security

The update introduces tighter controls over Windows system directories and essential files. Access validation has been reinforced so that only properly authorized processes can read or modify protected areas of the operating system.

This improvement targets a common technique used in both advanced and widespread attacks, where adversaries attempt to alter system files to gain higher privileges or establish hidden persistence.

Researchers have observed a rise in attacks involving direct file system abuse. The new mechanisms in KB5074105 apply layered permission checks, ensuring that interactions with critical files are limited to trusted system components. This layered validation reduces the likelihood of successful privilege escalation attempts.

Servicing Stack Enhancement

Alongside these protections, Microsoft also released KB5074104, which updates the Windows servicing stack. Since this component handles how updates are installed, strengthening it improves the reliability and security of future patch deployments.

For organizations managing large numbers of devices, this means more stable update cycles and a lower risk of systems missing critical patches due to installation failures.

AI Component Improvements

The update also refreshes several AI-powered modules that support intelligent features within Windows 11. These enhancements focus on better performance and improved security for on-device AI processing.

Updated AI components include:

• Image Search
• Content Extraction
• Semantic Analysis
• Settings Model

These modules now operate more efficiently while maintaining strong data protection standards.

Deployment Approach and Recommendations

Microsoft is releasing KB5074105 in stages to reduce compatibility risks. Devices receive the update gradually before wider availability.

Security and IT teams are advised to test the update in controlled environments before organization-wide rollout, particularly in sensitive networks. Monitoring update health and coordinating patch management strategies will help ensure smooth adoption.

With attackers increasingly targeting the operating system core, the enhanced file protection features in KB5074105 provide an important defense layer against evolving threats.

The post Windows 11 Strengthens Protection of System Files appeared first on First Hackers News.

Microsoft is investigating serious problems linked to its January 2026 security update for Windows 11 after reports of systems failing to start correctly. The update, which was meant to strengthen security, has instead left some users unable to boot their devices.

The issue is tied to update KB5074109, released for Windows 11 versions 25H2 and 24H2. Shortly after installation, affected systems began showing critical startup errors, including boot loops and black screens. In some cases, devices display an UNMOUNTABLE_BOOT_VOLUME error and never reach the login screen.

Microsoft has acknowledged the problem and confirmed receiving a limited number of reports where devices cannot complete startup. So far, the issue appears to affect physical machines only, with virtual environments remaining unaffected. For impacted users, access to the operating system is often lost entirely, requiring recovery tools to remove the update.

Even on systems that manage to boot, the update has caused widespread stability concerns. Users report random freezes, display issues, and conflicts with graphics drivers, particularly during GPU-intensive tasks. Some applications become unresponsive without triggering a crash or error message, leaving systems stuck until a forced restart.

The update has also disrupted productivity and enterprise services. Microsoft confirmed that credential prompts for certain cloud and remote desktop services were broken, temporarily preventing users from connecting. Outlook Classic users have also reported freezes and sync problems after startup.

What users should do now

• Uninstall the latest update using the Windows Recovery Environment if the system won’t boot
• Roll back KB5074109 or pause updates on unstable systems
• Delay installing the update until Microsoft releases a permanent fix

Microsoft continues to investigate the root cause of these failures. Until a comprehensive resolution is available, users and administrators are advised to approach the January update with caution, especially on production systems.

The post Windows 11 January Update Triggers Serious Boot Issues appeared first on First Hackers News.

While the issue does not enable full system takeover, it weakens safeguards designed to protect users from untrusted content, making it particularly relevant in post-compromise or insider attack scenarios.

How the Vulnerability Works

The flaw lies in how Windows Remote Assistance handles specially crafted files used to start or manage assistance sessions. In some cases, these files are processed in a way that skips normal security checks, allowing them to appear more trusted than they actually are.

As a result, protections tied to Mark of the Web (MOTW)—such as warning prompts, SmartScreen checks, and certain script or macro restrictions—may not be enforced.

This means content that originated from the internet could be opened locally without the usual defenses, increasing the risk of stealthy data access or follow-on attacks.

Exploitation requires user interaction, typically by convincing a victim to open a malicious file delivered through email, messaging platforms, or a web download.

Impact, Affected Systems, and Mitigation

• Impact: Enables attackers to bypass Mark of the Web protections, potentially allowing sensitive data access or stealthy follow-on attacks without triggering expected security warnings.
• Affected Systems: Supported versions of Windows 10, Windows 11, and Windows Server, including both client and enterprise deployments.
• Mitigation: Microsoft has addressed the issue in the January 2026 Patch Tuesday updates. Organizations should apply the updates as soon as possible. Until patching is complete, administrators are advised to restrict Windows Remote Assistance usage, enhance email and web filtering controls, and remind users to avoid opening unsolicited assistance files or attachments.

Applying the latest security updates restores proper protection checks and significantly reduces the risk of this bypass technique being exploited.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Security Bypass Issue Found in Windows Remote Assistance appeared first on First Hackers News.

Rated 9.8 on the CVSS scale, this vulnerability is extremely dangerous because it can be exploited without any user interaction.

All about the vulnerability

The flaw was discovered in May 2025 and patched by Microsoft on August 12, 2025. It comes from an untrusted pointer dereference in the windowscodecs.dll file, which is responsible for core image processing.

Attackers can hide a malicious JPEG inside common files such as Microsoft Office documents. When the file is opened or even previewed, the system can be silently compromised.

This issue shows the risks that still exist in older graphics-handling components, where something as simple as decoding an image can lead to a full system takeover. Since Windows is used on billions of devices, unpatched machines remain highly vulnerable to phishing attacks and drive-by downloads.

Zscaler ThreatLabz discovered the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on how JPEG images are encoded and decoded within windowscodecs.dll.

The entry point for exploitation is in the GpReadOnlyMemoryStream::InitFile function. By manipulating buffer sizes, attackers can take control of memory snapshots during file mapping.

Fuzzing tests uncovered a crash caused by an uninitialized pointer at jpeg_finish_compress+0xcc, allowing user-controlled data to be accessed through heap spraying.

Debugging with WinDbg showed stack traces involving functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming that the flaw lies in JPEG metadata handling.

This uninitialized resource bug allows attackers to run code remotely without needing special permissions. Microsoft confirmed that the issue affects automatic image rendering in applications that rely on the Windows Graphics Component.

Affected Versions and Patch Information

Zscaler’s proof-of-concept shows how attackers can manipulate memory by using an app that allocates, frees, and processes Base64-encoded JPEG files, eventually gaining control over the instruction pointer.

There are no known real-world attacks yet, but the low skill needed and the broad attack surface make this vulnerability attractive to ransomware groups and espionage actors. On 32-bit systems, the risk is even higher because Control Flow Guard is disabled by default.

Users should install the August 2025 Patch Tuesday updates as soon as possible, especially on critical systems. It also helps to disable automatic image previews in email clients and restrict untrusted files to sandboxed environments. Zscaler has already deployed cloud-level defenses to detect and block any exploit attempts.

This case highlights the risks of outdated graphics libraries in enterprise environments, where JPEG files are used everywhere. Although no active exploitation has been observed, quick patching and cautious file handling remain the best protection against these image-based attacks.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Windows Graphics Vulnerability Opens the Door to System Hijack with a Single Image appeared first on First Hackers News.

Flexible Enrollment Options for Windows 10 Users

The Extended Security Update (ESU) program, starting October 15, 2025, introduces a Settings app wizard to deliver essential security patches for an additional year. With Windows 10 powering 53% of Windows PCs as of May 2025, the program supports users facing Windows 11’s stringent hardware requirements, such as TPM chips or modern CPUs.

Users can choose from three enrollment options:

• Free Cloud Sync: Sync settings via Windows Backup at no cost.
• Microsoft Rewards: Redeem 1,000 points for a free ESU license.
• Paid Subscription: Pay $30 per PC for a one-year license.

The wizard, now in preview through the Windows Insider Program, will be available to all by mid-August 2025, requiring a Microsoft account. The ESU focuses solely on security updates, excluding new features or non-security patches.

Tackling Growing Cybersecurity Risks

This extension addresses a surge in cyber threats, including ransomware exploiting vulnerabilities like the Windows Common Log File System Driver flaw (CVE-2025-29824). Recent zero-day exploits, such as the WebDAV vulnerability (CVE-2025-33053), underscore the need for continued updates. Microsoft’s move ensures Windows 10 users remain protected during the transition to Windows 11, which holds a 43% market share.

“Microsoft’s ESU program is a critical step to secure legacy systems,” said a CloudSEK cybersecurity expert. “It buys time for users to upgrade while maintaining robust defenses.”

Microsoft’s extended support reinforces its commitment to user security while encouraging Windows 11 adoption. As cyber threats evolve, this program provides Windows 10 users with vital protection, ensuring a safer computing experience.

The post Microsoft Boosts Windows 10 Security with Updates Until 2026 appeared first on First Hackers News.

According to Microsoft’s Digital Defense Report 2024, there are around 39,000 token theft attacks every day, showing how urgent this problem has become.

What Is Administrator Protection?

The feature changes how admin access works on Windows systems. Instead of giving users full-time admin rights, Windows now uses a hidden, system-generated profile called the System Managed Administrator Account (SMAA). This account creates a temporary admin token only when needed for specific tasks.

When a task requires admin permissions, users will be prompted to verify their identity using Windows Hello (such as PIN, fingerprint, or face). After the task is done, the token disappears—reducing the risk of abuse by malware or threat actors.

Key Benefits

• No more silent auto-elevation: Every admin action now needs user approval.
• Improved UAC prompts: Color-coded warnings now highlight risky app behaviors.
• Stronger isolation: Elevated and non-elevated apps no longer share settings or themes.
• Harder to bypass: This blocks old techniques like registry or environment variable hacks.

Microsoft emphasizes that unlike traditional User Account Control (UAC), which was more of a soft warning system, Administrator Protection creates a real security boundary that attackers will have a harder time crossing.

You can check if it’s working by running an elevated Command Prompt and typing whoami. If you see ADMIN_, the feature is active.

This is a big step forward in making Windows safer for both regular users and IT admins managing large environments.

Administrator Protection will be available in all editions of Windows 11—Home, Pro, Enterprise, and Education. Users can turn it on from Windows Security > Account Protection, while IT teams can manage it through Group Policy or Intune.

The feature separates standard and admin user profiles. Files and settings created in admin mode stay in the admin profile, so changes don’t carry over to regular mode.

Microsoft recommends using apps with the least privileges needed, and only allowing admin access for specific tasks.

Starting May 2025, apps running with admin rights will have restricted access to sensitive features like the camera, microphone, and location unless users give permission.

David Weston from Microsoft called this “the most significant security upgrade in a generation,” reinforcing Microsoft’s push to make Windows more secure.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Enhanced Admin Security for Windows 11 appeared first on First Hackers News.

The attackers managed to replace the legitimate RVTools installer on the official website with a malicious version that silently deployed Bumblebee—a highly dangerous malware loader known for enabling ransomware attacks and post-exploitation activities.

Security experts first detected the breach when Microsoft Defender for Endpoint flagged suspicious behavior coming from a file named “version.dll” executing in the same directory as the RVTools installer.

While the installer appeared legitimate at first glance, it contained hidden malicious code that activated immediately after installation.

Further analysis revealed a mismatch in hash values between the compromised installer and the official version published on the RVTools website, confirming the tampering.

Malware analysts at ZERODAY LABS identified the payload as a custom variant of the Bumblebee loader, widely used by threat actors for initial access to corporate networks in preparation for ransomware campaigns.

VirusTotal scans showed that 33 out of 71 antivirus engines detected the file as malicious, highlighting the serious threat posed by this attack and the potential for widespread distribution.

This incident underscores the growing complexity of software supply chain compromises, especially targeting tools frequently used in enterprise environments.

The trojanized installer was available on the RVTools website for about an hour before the breach was discovered, the infected files were removed, and the legitimate installer restored.

Interestingly, the malware authors employed unusual obfuscation tactics within the file metadata to confuse security researchers.

For example, the original filename was listed as “Hydrarthrus,” and the company description was given as “Enlargers pharmakos submatrix,” clearly designed to mislead and delay investigation efforts.

Infection Process

The infection began when users downloaded the seemingly official RVTools installer from the compromised website. Upon running the installer, it deployed the expected RVTools files but also silently dropped a malicious “version.dll” file into the installation directory.

This method exploits a Windows feature called DLL search order hijacking. Since Windows tries to load DLLs from the application’s folder before system directories, the malware’s version.dll was loaded instead of the legitimate system file, allowing the attacker’s code to run with the same privileges as the application.

Once executed, the malware established persistence on the system and attempted to connect to command-and-control (C2) servers to receive further instructions. This communication channel could enable attackers to download additional malicious payloads, increasing the risk of further compromise.

Recommendations

Organizations and users who downloaded RVTools during the affected period should immediately verify the integrity of their installer files by checking hash values against official sources.

It is also crucial to scan for unauthorized “version.dll” files in user directories and remove any suspicious files.

This incident serves as a powerful reminder of the evolving threat landscape, where even trusted enterprise tools can be weaponized through supply chain attacks.

Vigilance, rapid incident response, and strict validation of software sources remain key to defending against these sophisticated threats.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post RVTools Exploited to Deliver Bumblebee Malware to Windows Users appeared first on First Hackers News.