<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>windows &#8211; First Hackers News</title>
	<atom:link href="https://firsthackersnews.com/category/malware/windows/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Tue, 16 Jun 2026 12:38:02 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://firsthackersnews.com/wp-content/uploads/2026/03/cropped-FHN_512x512-32x32.png</url>
	<title>windows &#8211; First Hackers News</title>
	<link>https://firsthackersnews.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations</title>
		<link>https://firsthackersnews.com/prc-redcap-medical-espionage/</link>
					<comments>https://firsthackersnews.com/prc-redcap-medical-espionage/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 16 Jun 2026 12:38:01 +0000</pubDate>
				<category><![CDATA[AWS]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Remote code execution]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[Vulnerability Reports]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[Chinese hackers]]></category>
		<category><![CDATA[Cyber Espionage]]></category>
		<category><![CDATA[Healthcare Cybersecurity]]></category>
		<category><![CDATA[INFINITERED Malware]]></category>
		<category><![CDATA[Medical Research Security]]></category>
		<category><![CDATA[PRC Threat Actors]]></category>
		<category><![CDATA[UNC6508]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11842</guid>

					<description><![CDATA[<p>PRC-linked hackers are targeting REDCap servers to conduct cyber espionage against U.S. medical research organizations. The campaign underscores the increasing risks facing healthcare, research, and academic sectors as threat actors seek access to valuable scientific and medical data.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/prc-redcap-medical-espionage/">PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers from Google Threat Intelligence Group (GTIG) uncovered a long-running cyber espionage campaign attributed to <strong>UNC6508</strong>, a PRC-linked threat actor that targeted medical, academic, and military research institutions across North America. The attackers remained undetected for more than a year while collecting sensitive information related to medical research, artificial intelligence, defense intelligence, cyber operations, and military strategy.</p>



<p>The campaign primarily focused on compromising <strong>REDCap (Research Electronic Data Capture)</strong> servers, a widely used platform for managing clinical research databases and surveys. After gaining access, the attackers deployed custom malware called <strong>INFINITERED</strong>, harvested credentials, established persistence, and later abused enterprise email compliance rules to exfiltrate sensitive communications.</p>



<h2 class="wp-block-heading">Campaign Overview</h2>



<p>The operation demonstrates a sophisticated attack chain combining exploitation of public-facing applications, credential theft, malware deployment, persistence mechanisms, and stealthy data exfiltration.</p>



<h3 class="wp-block-heading">Key Objectives</h3>



<ul class="wp-block-list">
<li>Medical research intelligence</li>



<li>Artificial Intelligence research</li>



<li>Defense-related information</li>



<li>Military health research</li>



<li>Public health policy data</li>
</ul>



<p>Researchers observed the activity from <strong>September 2023 through November 2025</strong>, indicating a highly patient and well-resourced espionage operation.</p>



<figure class="wp-block-image aligncenter size-large is-resized"><img fetchpriority="high" decoding="async" width="1024" height="830" src="https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_40_14-PM-1-1024x830.png" alt="" class="wp-image-11846" style="aspect-ratio:1.233846489791462;width:606px;height:auto" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_40_14-PM-1-177x142.png 177w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_40_14-PM-1-300x243.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_40_14-PM-1-768x622.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_40_14-PM-1-1024x830.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_40_14-PM-1.png 1393w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>High-level attack flow used by UNC6508 to compromise research institutions and steal sensitive information.</p>



<h2 class="wp-block-heading">Initial Access Through REDCap Servers</h2>



<h3 class="wp-block-heading">Why REDCap Was Targeted</h3>



<p>REDCap is extensively used across:</p>



<ul class="wp-block-list">
<li>Hospitals </li>



<li>Clinical research organizations </li>



<li>Universities </li>



<li>Government research programs </li>



<li>Military health institutions</li>
</ul>



<p>Because REDCap stores large volumes of research and patient-related information, it provides an attractive entry point for espionage-focused threat actors.</p>



<p>Researchers observed the attackers probing and exploiting vulnerable or legacy REDCap deployments exposed to the internet. Once access was obtained, they began internal reconnaissance and credential discovery activities.</p>



<h2 class="wp-block-heading">Web Shell Deployment and Persistence</h2>



<p>Following successful compromise, UNC6508 deployed a web shell identified as:</p>



<pre class="wp-block-code"><code>help.php</code></pre>



<p>The web shell served multiple purposes:</p>



<ul class="wp-block-list">
<li>Persistent access </li>



<li>File uploads </li>



<li>Command execution </li>



<li>Further malware deployment</li>
</ul>



<p>This allowed the attackers to maintain long-term access even if passwords were changed or some security controls were implemented.</p>



<h2 class="wp-block-heading">INFINITERED Malware Analysis</h2>



<p>Three months after the initial intrusion, researchers observed deployment of a custom malware family called <strong>INFINITERED</strong>. This malware was specifically engineered to operate inside REDCap environments.</p>



<figure class="wp-block-image aligncenter size-large is-resized"><img decoding="async" width="1024" height="819" src="https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_41_56-PM-1024x819.png" alt="" class="wp-image-11847" style="aspect-ratio:1.2495632366925407;width:599px;height:auto" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_41_56-PM-177x142.png 177w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_41_56-PM-300x240.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_41_56-PM-768x615.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_41_56-PM-1024x819.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-16-2026-05_41_56-PM.png 1402w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>Modular architecture of INFINITERED malware used by UNC6508 to maintain persistence, harvest credentials, and execute commands within compromised REDCap environments.</p>



<h2 class="wp-block-heading">Component 1 – Upgrade Interceptor</h2>



<p>The malware monitors REDCap upgrade activities.</p>



<p>When administrators update REDCap, the malware automatically injects itself into the newer version, ensuring persistence across software upgrades.</p>



<h2 class="wp-block-heading">Component 2 – Credential Harvester</h2>



<p>This module captures usernames and passwords entered into REDCap login pages.</p>



<p>Stolen credentials are stored within REDCap database tables and later retrieved by attackers.</p>



<h2 class="wp-block-heading">Component 3 – Command-and-Control Backdoor</h2>



<p>The third module acts as a fully functional backdoor.</p>



<p>Researchers found it could:</p>



<ul class="wp-block-list">
<li>Execute shell commands </li>



<li>Upload files </li>



<li>Download files </li>



<li>Run SQL queries</li>
</ul>



<p>Communication was hidden within HTTP cookie values, helping evade traditional detection mechanisms.</p>



<h2 class="wp-block-heading">Abuse of Google Workspace for Data Exfiltration</h2>



<p>One of the most interesting aspects of the campaign was the attackers&#8217; use of legitimate Google Workspace functionality.</p>



<p>After obtaining administrative access, UNC6508 created a content compliance rule named:</p>



<pre class="wp-block-code"><code>Patroit</code></pre>



<p>The rule automatically monitored emails containing specific keywords and forwarded matching messages to attacker-controlled Gmail accounts.</p>



<h2 class="wp-block-heading">Attack Chain Breakdown</h2>



<ul class="wp-block-list">
<li>External Reconnaissance</li>



<li>Initial Compromise</li>



<li>Persistence</li>



<li>Privilege Escalation</li>



<li>Intelligence Gathering</li>
</ul>



<h2 class="wp-block-heading">Potential Impact on Organizations</h2>



<p>Organizations affected by this campaign could experience:</p>



<h3 class="wp-block-heading">Research Theft</h3>



<p>Loss of valuable intellectual property and scientific research.</p>



<h3 class="wp-block-heading">Strategic Intelligence Exposure</h3>



<p>Disclosure of defense and geopolitical information.</p>



<h3 class="wp-block-heading">Credential Compromise</h3>



<p>Unauthorized access to enterprise systems.</p>



<h3 class="wp-block-heading">Regulatory Risks</h3>



<p>Exposure of regulated healthcare and research data.</p>



<h2 class="wp-block-heading">Alternative Indicators of Compromise (IOCs)</h2>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>IOC Category</th><th>Description</th></tr></thead><tbody><tr><td>Web Shell</td><td>help.php</td></tr><tr><td>Malware Family</td><td>INFINITERED</td></tr><tr><td>Email Rule Name</td><td>Patroit</td></tr><tr><td>Activity</td><td>Unauthorized REDCap upgrades</td></tr><tr><td>Activity</td><td>Suspicious credential harvesting</td></tr><tr><td>Activity</td><td>Unexpected SQL queries</td></tr><tr><td>Activity</td><td>Abnormal Gmail forwarding rules</td></tr><tr><td>Activity</td><td>Unauthorized admin account access</td></tr><tr><td>Activity</td><td>HTTP cookie-based command execution</td></tr><tr><td>Activity</td><td>Unusual database access patterns</td></tr></tbody></table></figure>



<h2 class="wp-block-heading">Security Recommendations</h2>



<h3 class="wp-block-heading">Upgrade REDCap Immediately</h3>



<p>Remove legacy versions and apply the latest security updates.</p>



<h3 class="wp-block-heading">Conduct Threat Hunting</h3>



<p>Search for:</p>



<ul class="wp-block-list">
<li>help.php </li>



<li>INFINITERED artifacts </li>



<li>Unauthorized admin activity </li>



<li>Credential harvesting indicators</li>
</ul>



<p>The UNC6508 campaign highlights how modern nation-state threat actors are increasingly targeting research ecosystems to obtain strategic intelligence. By exploiting REDCap servers, deploying INFINITERED malware, and abusing legitimate cloud email features, the attackers maintained access for more than a year while collecting sensitive medical, defense, and technology research data. Organizations operating research platforms should prioritize patching, continuous monitoring, and proactive threat hunting to defend against similar espionage campaigns.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/prc-redcap-medical-espionage/">PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/prc-redcap-medical-espionage/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New Sniper Dz Scam Operation Exploits MENA Users with Fraudulent Facebook Offers</title>
		<link>https://firsthackersnews.com/sniper-dz-mena-facebook-scam/</link>
					<comments>https://firsthackersnews.com/sniper-dz-mena-facebook-scam/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 15 Jun 2026 10:04:46 +0000</pubDate>
				<category><![CDATA[Bug Bounty]]></category>
		<category><![CDATA[Email servers]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[Browser Alerts]]></category>
		<category><![CDATA[Digital Fraud]]></category>
		<category><![CDATA[Fake Facebook Offers]]></category>
		<category><![CDATA[MENA Region]]></category>
		<category><![CDATA[Notification Spam]]></category>
		<category><![CDATA[User Awareness]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11828</guid>

					<description><![CDATA[<p>A new Sniper Dz scam campaign is targeting users across the Middle East and North Africa (MENA) through fraudulent Facebook offers and deceptive browser alerts. Researchers warn that the operation uses social engineering tactics to lure victims into financial scams, credential theft, and other online fraud activities.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/sniper-dz-mena-facebook-scam/">New Sniper Dz Scam Operation Exploits MENA Users with Fraudulent Facebook Offers</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a sophisticated scam campaign known as <strong>Sniper Dz</strong>, which primarily targets users across the <strong>Middle East and North Africa (MENA)</strong> region. The operation leverages <strong>fake Facebook promotions</strong>, deceptive social media content, and browser notification abuse to lure victims into fraudulent schemes.</p>



<p>Unlike traditional phishing attacks that immediately request credentials, Sniper Dz employs a multi-stage social engineering process designed to gradually build trust before redirecting users into malicious advertising and scam ecosystems. The campaign demonstrates how threat actors are increasingly combining social media platforms, legitimate web services, and browser features to maximize victim engagement.</p>



<h2 class="wp-block-heading">Technical Analysis of the Campaign</h2>



<p>Researchers found that the operation relies heavily on social engineering techniques rather than malware deployment. Victims are initially exposed to attractive Facebook advertisements promising prizes, discounts, giveaways, or exclusive offers.</p>



<p>The campaign then guides users through a series of seemingly legitimate web pages before ultimately triggering browser notification permissions and redirecting users into fraudulent content networks. By abusing trusted platforms and legitimate web services, the attackers are able to reduce suspicion and improve campaign effectiveness.</p>



<h2 class="wp-block-heading">Sniper Dz Attack Flow</h2>



<p>The attack follows a structured victim funnel designed to maximize conversion rates while minimizing detection.</p>



<h3 class="wp-block-heading">Phase 1 – Social Media Lures</h3>



<p>Attackers publish fraudulent advertisements and impersonation posts across social media platforms.</p>



<ul class="wp-block-list">
<li>Free gift offers </li>



<li>Discount promotions </li>



<li>Prize giveaways </li>



<li>Mobile device rewards</li>
</ul>



<h3 class="wp-block-heading">Phase 2 – Legitimate-Looking Bridge Pages</h3>



<p>Instead of immediately redirecting victims to malicious content, the campaign utilizes intermediary pages hosted on legitimate services.</p>



<ul class="wp-block-list">
<li>Link aggregation platforms </li>



<li>Landing page builders </li>



<li>Redirect services </li>



<li>Social media profile pages</li>
</ul>



<p>These bridge pages help bypass security filters and increase the perceived legitimacy of the campaign.</p>



<figure class="wp-block-image aligncenter size-large is-resized"><img decoding="async" width="1024" height="683" src="https://firsthackersnews.com/wp-content/uploads/2026/06/Sniper-Dz-victim-funnel-1-1024x683.png" alt="" class="wp-image-11831" style="width:636px;height:auto" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/Sniper-Dz-victim-funnel-1-300x200.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/Sniper-Dz-victim-funnel-1-768x512.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/Sniper-Dz-victim-funnel-1-1024x683.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/Sniper-Dz-victim-funnel-1.png 1536w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="has-text-align-center">Simplified representation of the Sniper Dz victim funnel showing how users are guided from social media lures through trusted bridge pages before being exposed to browser notification abuse and scam content.</p>



<h3 class="wp-block-heading">Phase 3 – Browser Notification Abuse</h3>



<p>Once users reach the final stage, they are encouraged to allow browser notifications through deceptive prompts.</p>



<ul class="wp-block-list">
<li>Fake CAPTCHA pages </li>



<li>&#8220;Click Allow to Continue&#8221;</li>



<li>&#8220;Verify You&#8217;re Human&#8221;</li>
</ul>



<p>After notification permissions are granted, attackers gain a persistent channel to deliver scam advertisements and fraudulent alerts directly to the victim&#8217;s browser.</p>



<h2 class="wp-block-heading">Potential Risks to Users</h2>



<ul class="wp-block-list">
<li>Financial Fraud</li>



<li>Privacy Exposure</li>



<li>Continuous Scam Exposure</li>



<li>Credential Theft</li>
</ul>



<h2 class="wp-block-heading">Why Social Engineering Remains Effective</h2>



<p>Modern scam campaigns increasingly rely on psychological manipulation rather than technical exploitation. By leveraging trusted platforms such as Facebook and legitimate web services, attackers can make fraudulent content appear authentic.</p>



<p>The use of multiple redirection stages also helps threat actors evade automated detection systems while increasing the likelihood that victims will complete the entire attack flow.</p>



<p>As users become more aware of traditional phishing techniques, attackers continue to evolve their tactics by combining social media abuse, browser notification exploitation, and deceptive marketing strategies.</p>



<h2 class="wp-block-heading">Security Recommendations</h2>



<ul class="wp-block-list">
<li>Verify Promotional Offers</li>



<li>Review Browser Notifications</li>



<li>Exercise Caution with Redirects</li>



<li>Implement Security Awareness Training</li>
</ul>



<p>The <strong>Sniper Dz</strong> campaign demonstrates how modern threat actors are leveraging <strong>social media impersonation</strong>, <strong>trusted bridge pages</strong>, and <strong>browser notification abuse</strong> to target users across the MENA region. Rather than relying on malware, the operation exploits user trust and social engineering tactics to drive victims toward fraudulent content, making awareness and browser security practices critical defenses against these evolving threats.</p>



<p>The post <a rel="nofollow" href="https://firsthackersnews.com/sniper-dz-mena-facebook-scam/">New Sniper Dz Scam Operation Exploits MENA Users with Fraudulent Facebook Offers</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/sniper-dz-mena-facebook-scam/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cloud Atlas APT Uses Modified termsrv.dll to Enable Hidden RDP Access</title>
		<link>https://firsthackersnews.com/cloud-atlas-apt-patches-termsrvdll-hidden-rdp-access/</link>
					<comments>https://firsthackersnews.com/cloud-atlas-apt-patches-termsrvdll-hidden-rdp-access/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 25 May 2026 12:20:00 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Threat Intelligence]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[#APT]]></category>
		<category><![CDATA[#CloudAtlas]]></category>
		<category><![CDATA[#CloudAtlasAPT]]></category>
		<category><![CDATA[#CyberAttack]]></category>
		<category><![CDATA[#CyberEspionage]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#Kerberoasting]]></category>
		<category><![CDATA[#Malware]]></category>
		<category><![CDATA[#PowerCloud]]></category>
		<category><![CDATA[#PowerShell]]></category>
		<category><![CDATA[#PowerShower]]></category>
		<category><![CDATA[#RDPAttack]]></category>
		<category><![CDATA[#ReverseSSH]]></category>
		<category><![CDATA[#SecurityResearch]]></category>
		<category><![CDATA[#termsrvdll]]></category>
		<category><![CDATA[#ThreatHunting]]></category>
		<category><![CDATA[#ThreatIntelligence]]></category>
		<category><![CDATA[#VBCloud]]></category>
		<category><![CDATA[#WindowsSecurity]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11739</guid>

					<description><![CDATA[<p>The Cloud Atlas advanced persistent threat (APT) group, also referred to as Cloud Atlas APT, has been linked</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/cloud-atlas-apt-patches-termsrvdll-hidden-rdp-access/">Cloud Atlas APT Uses Modified termsrv.dll to Enable Hidden RDP Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Cloud Atlas advanced persistent threat (APT) group, also referred to as Cloud Atlas APT, has been linked to a sophisticated cyber espionage campaign that abuses the Windows <code>termsrv.dll</code> library to enable multiple Remote Desktop Protocol (RDP) sessions on compromised systems.</p>



<p>Researchers observed the campaign throughout 2025 and into 2026, with most targets including government agencies, diplomatic entities, and commercial organizations in Russia and Belarus. The operation combines phishing attacks, legacy vulnerabilities, custom malware, and stealthy persistence techniques to maintain long-term access inside victim environments.</p>



<p>The campaign demonstrates how attackers are increasingly blending legitimate administration tools with advanced malware techniques to avoid detection and maintain covert remote access.</p>



<h2 class="wp-block-heading"><strong>Initial Access Through Phishing and Exploits</strong></h2>



<p>Cloud Atlas APT continues to rely heavily on phishing emails as its primary entry point. Attackers distribute ZIP archives containing malicious LNK shortcut files designed to silently execute PowerShell commands from attacker-controlled infrastructure.</p>



<p>At the same time, the threat actors also weaponize Microsoft Office documents exploiting the Equation Editor vulnerability, CVE-2018-0802, to download additional payloads onto infected systems.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="708" height="900" src="https://firsthackersnews.com/wp-content/uploads/2026/05/image-3.png" alt="" class="wp-image-11740" srcset="https://firsthackersnews.com/wp-content/uploads/2026/05/image-3-236x300.png 236w, https://firsthackersnews.com/wp-content/uploads/2026/05/image-3.png 708w" sizes="auto, (max-width: 708px) 100vw, 708px" /><figcaption class="wp-element-caption">How the Malware Operates (Source: Cloud Atlas)</figcaption></figure>



<p>Once executed, the PowerShell scripts establish persistence by saving a secondary script named <code>fixed.ps1</code> in the Windows temporary directory and creating autorun entries through the Windows Registry.</p>



<p>To distract victims and reduce suspicion, the malware downloads a decoy archive, extracts a PDF document, and displays it on the screen while malicious activities continue in the background. During this stage, forensic traces are deleted and the primary payloads are launched.</p>



<h2 class="wp-block-heading"><strong>VBCloud and PowerShower Backdoors</strong></h2>



<p>The <code>fixed.ps1</code> script functions as a loader for two major malware components named VBCloud and PowerShower.</p>



<h3 class="wp-block-heading"><strong>VBCloud File-Stealing Malware</strong></h3>



<p>VBCloud is mainly used for data theft. The malware deploys an encrypted payload named <code>video.mds</code>, which is decrypted in memory using RC4 encryption and executed through a Visual Basic Script (VBS) loader.</p>



<p>The malware searches for and exfiltrates sensitive files, including:</p>



<ul class="wp-block-list">
<li>DOC and DOCX documents</li>



<li>PDF files</li>



<li>XLS and spreadsheet data</li>



<li>Other confidential business documents</li>
</ul>



<p>Collected data is transmitted to attacker-controlled servers for further analysis and espionage purposes.</p>



<h3 class="wp-block-heading"><strong>PowerShower for Reconnaissance and Lateral Movement</strong></h3>



<p>PowerShower focuses on reconnaissance, credential harvesting, and internal network movement. The malware gathers system and domain information, executes remote PowerShell commands, and supports lateral movement across enterprise environments.</p>



<p>Researchers observed the malware performing Kerberoasting attacks to extract Active Directory service account credentials. It also includes a credential harvesting module that abuses the <code>fodhelper.exe</code> UAC bypass technique to gain elevated privileges.</p>



<p>With administrative access, attackers can retrieve sensitive data from the SAM and SECURITY registry hives through Windows shadow copies.</p>



<h2 class="wp-block-heading"><strong>Modification of termsrv.dll Enables Multiple RDP Sessions</strong></h2>



<p>A significant evolution in this campaign is the use of a PowerShell script called <code>rdp_new.ps1</code>, which directly modifies the Windows <code>termsrv.dll</code> library.</p>



<p>The <code>termsrv.dll</code> component controls Remote Desktop session management and normally prevents multiple simultaneous user logins. Cloud Atlas bypasses this restriction by taking ownership of the DLL file, patching specific byte sequences, and restarting the RDP service.</p>



<p>After modification, multiple concurrent RDP sessions become possible on the infected machine. This allows attackers to maintain hidden remote access without disconnecting legitimate users, significantly lowering the risk of detection.</p>



<p>This technique provides threat actors with stealthy persistence while blending malicious activity with normal administrator behavior.</p>



<h2 class="wp-block-heading"><strong>Reverse SSH Tunnels and Stealth Persistence</strong></h2>



<p>To strengthen persistence and ensure continued remote access, Cloud Atlas deploys multiple tunneling and proxy mechanisms.</p>



<p>The attackers establish reverse SSH tunnels from compromised systems to remote servers under their control. These tunnels bypass inbound firewall restrictions and provide continuous access into internal networks.</p>



<p>The operation also uses:</p>



<ul class="wp-block-list">
<li>VBS scripts executed through PsExec</li>



<li>Scheduled tasks for automatic tunnel recovery</li>



<li>Modified file permissions to protect SSH keys</li>



<li>Customized OpenSSH builds with altered cryptographic libraries</li>



<li>RevSocks tunneling utilities written in Go</li>



<li>Tor hidden services for anonymous RDP connectivity</li>
</ul>



<p>These layered persistence mechanisms make incident response and remediation significantly more difficult.</p>



<h2 class="wp-block-heading"><strong>PowerCloud Malware Uses Google Sheets for Data Exfiltration</strong></h2>



<p>Researchers also identified a newer tool called PowerCloud that collects administrative user information and exfiltrates the data to Google Sheets using Base64-encoded content.</p>



<p>The use of legitimate cloud services highlights Cloud Atlas’ growing focus on blending malicious traffic with normal enterprise activity, making traditional security monitoring more challenging.</p>



<h2 class="wp-block-heading"><strong>Ongoing Threat to Government and Enterprise Networks</strong></h2>



<p>Telemetry linked to the campaign shows a strong focus on government, diplomatic, and high-value enterprise organizations, consistent with Cloud Atlas’ long-standing espionage objectives.</p>



<p>Although some infrastructure overlaps with activity associated with the Head Mare group have been observed, researchers noted that the malware families, techniques, and operational behavior remain distinct.</p>



<p>The continued use of publicly available tools such as SSH, Tor, PsExec, and RevSocks alongside advanced techniques like RDP manipulation demonstrates the group’s evolving capabilities and operational maturity.</p>



<p>Security teams are advised to closely monitor:</p>



<ul class="wp-block-list">
<li>Unauthorized changes to <code>termsrv.dll</code></li>



<li>Suspicious PowerShell execution</li>



<li>Unexpected RDP configuration changes</li>



<li>Reverse SSH connections</li>



<li>Scheduled tasks linked to remote access tools</li>



<li>Unusual use of cloud platforms for data transfers</li>
</ul>



<p>The campaign highlights the increasing sophistication of modern cyber espionage operations and the importance of continuous monitoring for stealthy persistence mechanisms inside enterprise networks.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/cloud-atlas-apt-patches-termsrvdll-hidden-rdp-access/">Cloud Atlas APT Uses Modified termsrv.dll to Enable Hidden RDP Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/cloud-atlas-apt-patches-termsrvdll-hidden-rdp-access/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ClickFix Variant Bypasses Detection Using Rundll32 &#038; WebDAV</title>
		<link>https://firsthackersnews.com/clickfix-variant-rundll32-webdav-bypass/</link>
					<comments>https://firsthackersnews.com/clickfix-variant-rundll32-webdav-bypass/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 31 Mar 2026 19:09:57 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[#ClickFix]]></category>
		<category><![CDATA[#ClickFixVariant]]></category>
		<category><![CDATA[#CyberAttack]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreat]]></category>
		<category><![CDATA[#DetectionBypass]]></category>
		<category><![CDATA[#EndpointSecurity]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#Malware]]></category>
		<category><![CDATA[#MalwareAnalysis]]></category>
		<category><![CDATA[#Rundll32]]></category>
		<category><![CDATA[#SecurityResearch]]></category>
		<category><![CDATA[#ThreatDetection]]></category>
		<category><![CDATA[#WebDAV]]></category>
		<category><![CDATA[#WindowsSecurity]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11539</guid>

					<description><![CDATA[<p>A newer and more dangerous version of the ClickFix attack is now targeting Windows users, and it’s taking</p>
]]></description>
										<content:encoded><![CDATA[
<p>A newer and more dangerous version of the ClickFix attack is now targeting Windows users, and it’s taking a smarter route than before. Earlier variants relied heavily on PowerShell or mshta, which many security tools already watch closely. This time, attackers are using built-in Windows tools like rundll32.exe and WebDAV to stay under the radar and avoid early detection.</p>



<p>Instead of obvious scripting activity, the attack blends into normal system behavior. This makes it harder for security teams to notice anything suspicious during the initial stages.</p>



<h2 class="wp-block-heading"><strong>How the Attack Tricks Users</strong></h2>



<p>ClickFix still depends on social engineering. The attacker lures users to a fake website that looks like a CAPTCHA verification page. One such example is “healthybyhillary[.]com.”</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="903" height="534" src="https://firsthackersnews.com/wp-content/uploads/2026/04/image.png" alt="" class="wp-image-11540" srcset="https://firsthackersnews.com/wp-content/uploads/2026/04/image-300x177.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/04/image-768x454.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/04/image.png 903w" sizes="auto, (max-width: 903px) 100vw, 903px" /><figcaption class="wp-element-caption">Phishing Website (Source – CyberProof)</figcaption></figure>



<p>The page guides the user through a simple-looking process:</p>



<ul class="wp-block-list">
<li>Press <strong>Win + R</strong> to open the Run dialog</li>



<li>Paste a pre-copied command using <strong>Ctrl + V</strong></li>



<li>Hit <strong>Enter</strong> to execute it</li>
</ul>



<p>To an average user, this feels like a normal verification step. But in reality, it triggers a malicious command that starts the infection process.</p>



<h2 class="wp-block-heading"><strong>How It Evades Detection</strong></h2>



<p>Once executed, the attack uses rundll32.exe along with WebDAV to pull a malicious DLL from a remote server. Since rundll32.exe is a trusted Windows tool, this activity often appears legitimate.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="825" height="858" src="https://firsthackersnews.com/wp-content/uploads/2026/04/image-1.png" alt="" class="wp-image-11541" srcset="https://firsthackersnews.com/wp-content/uploads/2026/04/image-1-288x300.png 288w, https://firsthackersnews.com/wp-content/uploads/2026/04/image-1-768x799.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/04/image-1.png 825w" sizes="auto, (max-width: 825px) 100vw, 825px" /><figcaption class="wp-element-caption">Attack Chain (Source – CyberProof)</figcaption></figure>



<p>A few key techniques make this variant harder to detect:</p>



<ul class="wp-block-list">
<li>Uses <strong>WebDAV</strong> to fetch remote files like a network share</li>



<li>Executes DLL functions using <strong>ordinal numbers (#1)</strong> instead of readable names</li>



<li>Avoids early use of PowerShell to bypass common detection rules</li>



<li>Runs most of the attack <strong>in memory</strong>, leaving minimal traces on disk</li>
</ul>



<p>After the initial stage, PowerShell is used quietly with flags like <strong>-NoP</strong> and <strong>-NonI</strong>, along with <strong>IEX (Invoke-Expression)</strong> to load additional payloads.</p>



<p>The final payload, known as <strong>SkimokKeep</strong>, includes advanced evasion methods:</p>



<ul class="wp-block-list">
<li>Resolves system functions using <strong>hashing instead of direct imports</strong></li>



<li>Checks for sandbox or VM environments before running</li>



<li>Uses anti-debugging tricks like timing checks</li>



<li>Injects code into legitimate processes such as browsers</li>
</ul>



<h2 class="wp-block-heading"><strong>Why This Matters</strong></h2>



<p>This shift is significant because many defenses are still focused on detecting script-based attacks. By abusing trusted Windows components and reducing visible activity, attackers get a much quieter entry point.</p>






<h2 class="wp-block-heading"><strong>What Security Teams Should Watch</strong></h2>



<p>To detect or prevent this attack, organizations should focus on unusual system behavior rather than just scripts:</p>



<ul class="wp-block-list">
<li>Monitor suspicious use of <strong>rundll32.exe</strong>, especially with WebDAV-related arguments</li>



<li>Enable <strong>command-line logging</strong> for system binaries (LOLBins)</li>



<li>Restrict or monitor <strong>WebDAV traffic over port 80</strong></li>



<li>Block known malicious IPs and domains linked to the campaign</li>



<li>Educate users about <strong>fake CAPTCHA pages and ClickFix tricks</strong></li>
</ul>



<p>This variant shows how attackers continue to adapt. The real risk isn’t just the malware itself—it’s how easily users can be convinced to launch it.</p>



<h2 class="wp-block-heading"><strong>Block Known Malicious Infrastructure</strong></h2>



<p>Security teams should proactively block known indicators linked to this campaign to reduce exposure:</p>



<ul class="wp-block-list">
<li><strong>178.16.53[.]137</strong></li>



<li><strong>141.98.234[.]27</strong></li>



<li><strong>46.149.73[.]60</strong></li>



<li><strong>91.219.23[.]245</strong></li>
</ul>



<p>Suspicious domains to watch or block:</p>



<ul class="wp-block-list">
<li><strong>mer-forgea.sightup[.]in[.]net</strong></li>



<li><strong>data-x7-sync.neurosync[.]in[.]net</strong></li>
</ul>



]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/clickfix-variant-rundll32-webdav-bypass/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Windows 11 Blocks Untrusted Kernel Drivers to Improve Security</title>
		<link>https://firsthackersnews.com/windows-kernel-driver-security-update/</link>
					<comments>https://firsthackersnews.com/windows-kernel-driver-security-update/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Sun, 29 Mar 2026 05:22:09 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreat]]></category>
		<category><![CDATA[#DriverSecurity]]></category>
		<category><![CDATA[#EndpointSecurity]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#KernelSecurity]]></category>
		<category><![CDATA[#Malware]]></category>
		<category><![CDATA[#Microsoft]]></category>
		<category><![CDATA[#Rootkit]]></category>
		<category><![CDATA[#SecureBoot]]></category>
		<category><![CDATA[#SecurityUpdate]]></category>
		<category><![CDATA[#ThreatProtection]]></category>
		<category><![CDATA[#Windows11]]></category>
		<category><![CDATA[#WindowsServer2025]]></category>
		<category><![CDATA[#WindowsUpdate]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11518</guid>

					<description><![CDATA[<p>Microsoft is introducing a major security improvement in Windows 11 and Windows Server 2025 by changing how kernel</p>
]]></description>
										<content:encoded><![CDATA[
<p>Microsoft is introducing a major security improvement in Windows 11 and Windows Server 2025 by changing how kernel drivers are trusted and loaded, significantly enhancing Windows kernel driver security. Starting with the April 2026 update, the operating system will block untrusted cross-signed kernel drivers by default.</p>



<p>This update ensures that only drivers verified through Microsoft’s Windows Hardware Compatibility Program (WHCP) are allowed to run automatically. By enforcing stricter validation, Microsoft is reducing the risk of attackers using malicious drivers to gain deep, kernel-level access to systems.</p>



<p>This enhancement is crucial for maintaining high standards of Windows kernel driver security across all devices.</p>



<p>Kernel drivers operate at the core of the operating system, so any weakness in how they are signed or validated can be exploited. By removing support for legacy signing methods, Microsoft is closing a long-standing security gap.</p>



<h2 class="wp-block-heading"><strong>Removal of Cross-Signed Drivers and Security Impact</strong></h2>



<p>The older cross-signing model allowed third-party certificate authorities to approve drivers without strict validation from Microsoft. While this approach helped with compatibility in the past, it also introduced security risks.</p>



<p>Attackers have historically abused this model by stealing signing keys and using them to install rootkits and other advanced malware. Even though Microsoft deprecated cross-signing in 2021, older certificates were still trusted by Windows systems until now.</p>



<p>With this update, that trust is fully removed. Drivers must now go through a stricter approval process that includes:</p>



<ul class="wp-block-list">
<li>Identity verification of the vendor</li>



<li>Security and compatibility testing</li>



<li>Malware scanning before certification</li>
</ul>



<p>This significantly reduces the chances of malicious drivers being loaded into the Windows kernel.</p>



<h2 class="wp-block-heading"><strong>Deployment Approach and Enterprise Considerations</strong></h2>



<p>To avoid disruptions, Microsoft is rolling out this change in stages. Initially, the system will monitor and evaluate driver activity before enforcing the block. This allows organizations to identify compatibility issues early.</p>



<p>Additionally, Microsoft will maintain an allow list for widely used legacy drivers to prevent system failures. If unsupported drivers are detected, enforcement may be delayed until the system is stable.</p>



<p>For enterprise environments, there is still controlled flexibility. Organizations that rely on custom kernel drivers can allow them using Application Control for Business policies. These policies must be securely signed and tied to UEFI Secure Boot, ensuring only trusted internal drivers are permitted.</p>



<p>Overall, this update marks a significant step toward strengthening Windows security by limiting kernel-level attack vectors and enforcing modern driver validation standards.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/windows-kernel-driver-security-update/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Using Windows Minifilters to Identify Ransomware Activity</title>
		<link>https://firsthackersnews.com/windows-minifilter-ransomware-detection/</link>
					<comments>https://firsthackersnews.com/windows-minifilter-ransomware-detection/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 09 Feb 2026 10:32:47 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[#BlueTeam]]></category>
		<category><![CDATA[#CyberDefense]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#DetectionEngineering]]></category>
		<category><![CDATA[#DFIR]]></category>
		<category><![CDATA[#EDR]]></category>
		<category><![CDATA[#EndpointSecurity]]></category>
		<category><![CDATA[#IncidentResponse]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#KernelSecurity]]></category>
		<category><![CDATA[#MalwareAnalysis]]></category>
		<category><![CDATA[#MalwareDetection]]></category>
		<category><![CDATA[#ransomware]]></category>
		<category><![CDATA[#SecurityOperations]]></category>
		<category><![CDATA[#SecurityResearch]]></category>
		<category><![CDATA[#SOC]]></category>
		<category><![CDATA[#ThreatDetection]]></category>
		<category><![CDATA[#ThreatHunting]]></category>
		<category><![CDATA[#WindowsSecurity]]></category>
		<category><![CDATA[#ZeroTrust]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security update]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11133</guid>

					<description><![CDATA[<p>A security researcher has published a proof-of-concept tool on GitHub aimed at stopping ransomware from inside the operating</p>
]]></description>
										<content:encoded><![CDATA[
<p>A security researcher has published a proof-of-concept tool on <strong>GitHub</strong> aimed at stopping ransomware from inside the operating system itself.</p>



<p>The project is part of a wider Endpoint Detection and Response effort called <strong>Sanctum</strong>. It shows how defenders can use <strong>Windows Minifilters</strong> to spot and interrupt malicious file encryption before user data is damaged.</p>



<h3 class="wp-block-heading">How the Detection Method Works</h3>



<p>At the center of this approach is a Windows feature known as a <strong>file system filter driver</strong>. This driver operates between user applications and the storage system, meaning every file operation — creating, modifying, or renaming files — passes through it.</p>



<p>Researcher <strong>0xflux</strong> describes this layer as a control point. Because all file activity flows through it, the system can monitor behavior in real time and step in when something suspicious happens.</p>



<p>Although the developer initially planned to build the driver in Rust, the lack of proper filter driver support led to the project being written in C instead.</p>



<h3 class="wp-block-heading">What Signals Indicate Ransomware</h3>



<p>The Sanctum driver registers system callbacks so it gets notified when certain file actions occur. The proof-of-concept focuses on two important Windows file events.</p>



<p>One event tracks when programs request access to files with write or delete permissions. A process rapidly opening many files with these permissions can signal the start of mass encryption.</p>



<p>The second event is more central to this PoC. It triggers when file information changes, such as when a file is renamed. Ransomware often renames files after encryption, adding a new extension to mark them as locked.</p>



<p>In this demo, the driver watches for a specific extension tied to a known <strong>LockBit</strong> variant.</p>



<h3 class="wp-block-heading">How the System Identifies the Attacker</h3>



<p>When a rename event occurs, the driver uses Windows APIs to read the full file name and compare the new extension with known ransomware patterns.</p>



<p>If a match appears, the system does more than log the event. It also determines which process made the change. Using internal functions, it retrieves the process ID and the program name responsible. This gives defenders precise visibility into which application is behaving maliciously.</p>



<p>Right now, the tool mainly records suspicious activity, acting as a detailed monitoring system. However, future versions could go further.</p>



<p>The researcher suggests adding real-time entropy analysis to detect encryption as it happens. Another potential feature is freezing or terminating the threads of a malicious process immediately after detection.</p>



<p>This project shows how moving defenses deeper into the Windows kernel can provide faster response and greater visibility than traditional antivirus solutions that operate at higher system levels.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/windows-minifilter-ransomware-detection/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Windows 11 Strengthens Protection of System Files</title>
		<link>https://firsthackersnews.com/windows-11-kb5074105-system-file-protection-update/</link>
					<comments>https://firsthackersnews.com/windows-11-kb5074105-system-file-protection-update/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 03 Feb 2026 06:12:11 +0000</pubDate>
				<category><![CDATA[windows]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[AI components Windows]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[enterprise patching]]></category>
		<category><![CDATA[IT security]]></category>
		<category><![CDATA[KB5074105]]></category>
		<category><![CDATA[Microsoft security update]]></category>
		<category><![CDATA[OS security]]></category>
		<category><![CDATA[privilege escalation prevention]]></category>
		<category><![CDATA[servicing stack update]]></category>
		<category><![CDATA[system file protection]]></category>
		<category><![CDATA[system hardening]]></category>
		<category><![CDATA[update management]]></category>
		<category><![CDATA[Windows 11]]></category>
		<category><![CDATA[windows security]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11092</guid>

					<description><![CDATA[<p>Microsoft has issued KB5074105, an important preview update for Windows 11 versions 24H2 and 25H2, aimed at strengthening</p>
]]></description>
										<content:encoded><![CDATA[
<p>Microsoft has issued <strong>KB5074105</strong>, an important preview update for Windows 11 versions 24H2 and 25H2, aimed at strengthening the operating system’s defense against unauthorized access to sensitive system files.</p>



<p>Although classified as a preview update, it brings major improvements to how Windows safeguards core file structures. The changes address increasing security concerns related to privilege escalation and direct manipulation of protected system resources.</p>



<h2 class="wp-block-heading"><strong>Improved System File Security</strong></h2>



<p>The update introduces tighter controls over Windows system directories and essential files. Access validation has been reinforced so that only properly authorized processes can read or modify protected areas of the operating system.</p>



<p>This improvement targets a common technique used in both advanced and widespread attacks, where adversaries attempt to alter system files to gain higher privileges or establish hidden persistence.</p>



<p>Researchers have observed a rise in attacks involving direct file system abuse. The new mechanisms in <strong>KB5074105</strong> apply layered permission checks, ensuring that interactions with critical files are limited to trusted system components. This layered validation reduces the likelihood of successful privilege escalation attempts.</p>



<h2 class="wp-block-heading"><strong>Servicing Stack Enhancement</strong></h2>



<p>Alongside these protections, Microsoft also released <strong>KB5074104</strong>, which updates the Windows servicing stack. Since this component handles how updates are installed, strengthening it improves the reliability and security of future patch deployments.</p>



<p>For organizations managing large numbers of devices, this means more stable update cycles and a lower risk of systems missing critical patches due to installation failures.</p>



<h2 class="wp-block-heading"><strong>AI Component Improvements</strong></h2>



<p>The update also refreshes several AI-powered modules that support intelligent features within Windows 11. These enhancements focus on better performance and improved security for on-device AI processing.</p>



<p>Updated AI components include:</p>



<ul class="wp-block-list">
<li>Image Search</li>



<li>Content Extraction</li>



<li>Semantic Analysis</li>



<li>Settings Model</li>
</ul>



<p>These modules now operate more efficiently while maintaining strong data protection standards.</p>



<h2 class="wp-block-heading"><strong>Deployment Approach and Recommendations</strong></h2>



<p>Microsoft is releasing <strong>KB5074105</strong> in stages to reduce compatibility risks. Devices receive the update gradually before wider availability.</p>



<p>Security and IT teams are advised to test the update in controlled environments before organization-wide rollout, particularly in sensitive networks. Monitoring update health and coordinating patch management strategies will help ensure smooth adoption.</p>



<p>With attackers increasingly targeting the operating system core, the enhanced file protection features in <strong>KB5074105</strong> provide an important defense layer against evolving threats.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/windows-11-kb5074105-system-file-protection-update/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Windows 11 January Update Triggers Serious Boot Issues</title>
		<link>https://firsthackersnews.com/windows-11/</link>
					<comments>https://firsthackersnews.com/windows-11/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 26 Jan 2026 07:29:11 +0000</pubDate>
				<category><![CDATA[windows]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[#BootFailure]]></category>
		<category><![CDATA[#ITAdmin]]></category>
		<category><![CDATA[#Microsoft]]></category>
		<category><![CDATA[#PatchTuesday]]></category>
		<category><![CDATA[#SystemStability]]></category>
		<category><![CDATA[#TechNews]]></category>
		<category><![CDATA[#Windows11]]></category>
		<category><![CDATA[#WindowsUpdate]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security update]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11043</guid>

					<description><![CDATA[<p>Microsoft investigates startup and stability issues affecting recent Windows 11 versions Microsoft is investigating serious problems linked to</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong>Microsoft investigates startup and stability issues affecting recent Windows 11 versions</strong></p>



<p>Microsoft is investigating serious problems linked to its January 2026 security update for Windows 11 after reports of systems failing to start correctly. The update, which was meant to strengthen security, has instead left some users unable to boot their devices.</p>



<p>The issue is tied to update KB5074109, released for Windows 11 versions 25H2 and 24H2. Shortly after installation, affected systems began showing critical startup errors, including boot loops and black screens. In some cases, devices display an <em>UNMOUNTABLE_BOOT_VOLUME</em> error and never reach the login screen.</p>



<p>Microsoft has acknowledged the problem and confirmed receiving a limited number of reports where devices cannot complete startup. So far, the issue appears to affect physical machines only, with virtual environments remaining unaffected. For impacted users, access to the operating system is often lost entirely, requiring recovery tools to remove the update.</p>



<p>Even on systems that manage to boot, the update has caused widespread stability concerns. Users report random freezes, display issues, and conflicts with graphics drivers, particularly during GPU-intensive tasks. Some applications become unresponsive without triggering a crash or error message, leaving systems stuck until a forced restart.</p>



<p>The update has also disrupted productivity and enterprise services. Microsoft confirmed that credential prompts for certain cloud and remote desktop services were broken, temporarily preventing users from connecting. Outlook Classic users have also reported freezes and sync problems after startup.</p>



<h3 class="wp-block-heading">What users should do now</h3>



<ul class="wp-block-list">
<li>Uninstall the latest update using the Windows Recovery Environment if the system won’t boot</li>



<li>Roll back KB5074109 or pause updates on unstable systems</li>



<li>Delay installing the update until Microsoft releases a permanent fix</li>
</ul>



<p>Microsoft continues to investigate the root cause of these failures. Until a comprehensive resolution is available, users and administrators are advised to approach the January update with caution, especially on production systems.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/windows-11/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Security Bypass Issue Found in Windows Remote Assistance</title>
		<link>https://firsthackersnews.com/windows-remote-assistance-security-bypass/</link>
					<comments>https://firsthackersnews.com/windows-remote-assistance-security-bypass/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 16 Jan 2026 02:27:44 +0000</pubDate>
				<category><![CDATA[windows]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#ITSecurity]]></category>
		<category><![CDATA[#MicrosoftSecurity]]></category>
		<category><![CDATA[#PatchTuesday]]></category>
		<category><![CDATA[#RemoteAssistance]]></category>
		<category><![CDATA[#SecurityUpdates]]></category>
		<category><![CDATA[#VulnerabilityManagement]]></category>
		<category><![CDATA[#WindowsSecurity]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=10996</guid>

					<description><![CDATA[<p>Microsoft has addressed a security weakness in Windows Remote Assistance that could allow attackers to bypass built-in protection</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/windows-remote-assistance-security-bypass/">Security Bypass Issue Found in Windows Remote Assistance</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Microsoft has addressed a security weakness in Windows Remote Assistance that could allow attackers to bypass built-in protection mechanisms and access sensitive data under certain conditions. The vulnerability, tracked as CVE-2026-20824, has been rated <em>Important</em> and mainly impacts how Windows applies trust checks to files involved in Remote Assistance sessions.</p>



<p>While the issue does not enable full system takeover, it weakens safeguards designed to protect users from untrusted content, making it particularly relevant in post-compromise or insider attack scenarios.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Works</strong></h2>



<p>The flaw lies in how Windows Remote Assistance handles specially crafted files used to start or manage assistance sessions. In some cases, these files are processed in a way that skips normal security checks, allowing them to appear more trusted than they actually are.</p>



<p>As a result, protections tied to <strong>Mark of the Web (MOTW)</strong>—such as warning prompts, SmartScreen checks, and certain script or macro restrictions—may not be enforced. </p>



<p>This means content that originated from the internet could be opened locally without the usual defenses, increasing the risk of stealthy data access or follow-on attacks.</p>



<p>Exploitation requires user interaction, typically by convincing a victim to open a malicious file delivered through email, messaging platforms, or a web download.</p>



<h2 class="wp-block-heading"><strong>Impact, Affected Systems, and Mitigation</strong></h2>



<ul class="wp-block-list">
<li><strong>Impact:</strong> Enables attackers to bypass Mark of the Web protections, potentially allowing sensitive data access or stealthy follow-on attacks without triggering expected security warnings.</li>



<li><strong>Affected Systems:</strong> Supported versions of <strong>Windows 10</strong>, <strong>Windows 11</strong>, and <strong>Windows Server</strong>, including both client and enterprise deployments.</li>



<li><strong>Mitigation:</strong> Microsoft has addressed the issue in the <strong>January 2026 Patch Tuesday</strong> updates. Organizations should apply the updates as soon as possible. Until patching is complete, administrators are advised to restrict Windows Remote Assistance usage, enhance email and web filtering controls, and remind users to avoid opening unsolicited assistance files or attachments.</li>
</ul>



<p>Applying the latest security updates restores proper protection checks and significantly reduces the risk of this bypass technique being exploited.</p>



<p>The post <a rel="nofollow" href="https://firsthackersnews.com/windows-remote-assistance-security-bypass/">Security Bypass Issue Found in Windows Remote Assistance</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/windows-remote-assistance-security-bypass/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Windows Graphics Vulnerability Opens the Door to System Hijack with a Single Image</title>
		<link>https://firsthackersnews.com/windows-graphics-vulnerability/</link>
					<comments>https://firsthackersnews.com/windows-graphics-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 20 Nov 2025 17:19:47 +0000</pubDate>
				<category><![CDATA[windows]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[security vulnerability]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[vulnerability impact]]></category>
		<category><![CDATA[windows graphics]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=10668</guid>

					<description><![CDATA[<p>A serious remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to take control of a</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/windows-graphics-vulnerability/">Windows Graphics Vulnerability Opens the Door to System Hijack with a Single Image</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A serious remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to take control of a device using a specially crafted JPEG image.</p>



<p>Rated <strong>9.8 on the CVSS scale</strong>, this vulnerability is extremely dangerous because it can be exploited <strong>without any user interaction</strong>.</p>



<h2 class="wp-block-heading"><strong>All about the vulnerability</strong></h2>



<p>The flaw was discovered in May 2025 and patched by Microsoft on August 12, 2025. It comes from an untrusted pointer dereference in the <strong>windowscodecs.dll</strong> file, which is responsible for core image processing.</p>



<p>Attackers can hide a malicious JPEG inside common files such as Microsoft Office documents. When the file is opened or even previewed, the system can be silently compromised.</p>



<p>This issue shows the risks that still exist in older graphics-handling components, where something as simple as decoding an image can lead to a full system takeover. Since Windows is used on billions of devices, unpatched machines remain highly vulnerable to phishing attacks and drive-by downloads.</p>



<p>Zscaler ThreatLabz discovered the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on how JPEG images are encoded and decoded within windowscodecs.dll.</p>



<p>The entry point for exploitation is in the <strong>GpReadOnlyMemoryStream::InitFile</strong> function. By manipulating buffer sizes, attackers can take control of memory snapshots during file mapping.</p>



<p>Fuzzing tests uncovered a crash caused by an uninitialized pointer at <strong>jpeg_finish_compress+0xcc</strong>, allowing user-controlled data to be accessed through heap spraying.</p>



<p>Debugging with WinDbg showed stack traces involving functions like <strong>CJpegTurboFrameEncode::HrWriteSource</strong> and <strong>CFrameEncodeBase::WriteSource</strong>, confirming that the flaw lies in JPEG metadata handling.</p>



<p>This uninitialized resource bug allows attackers to run code remotely without needing special permissions. Microsoft confirmed that the issue affects automatic image rendering in applications that rely on the Windows Graphics Component.</p>



<h2 class="wp-block-heading">Affected Versions and Patch Information</h2>



<figure class="wp-block-table"><table><thead><tr><th>Product</th><th>Impacted Version</th><th>Patched Version</th></tr></thead><tbody><tr><td>Windows Server 2025</td><td>10.0.26100.4851</td><td>10.0.26100.4946</td></tr><tr><td>Windows 11 Version 24H2 (x64)</td><td>10.0.26100.4851</td><td>10.0.26100.4946</td></tr><tr><td>Windows 11 Version 24H2 (ARM64)</td><td>10.0.26100.4851</td><td>10.0.26100.4946</td></tr><tr><td>Windows Server 2025 (Core)</td><td>10.0.26100.4851</td><td>10.0.26100.4946</td></tr></tbody></table></figure>



<p>Zscaler’s proof-of-concept shows how attackers can manipulate memory by using an app that allocates, frees, and processes Base64-encoded JPEG files, eventually gaining control over the instruction pointer.</p>



<p>There are no known real-world attacks yet, but the low skill needed and the broad attack surface make this vulnerability attractive to ransomware groups and espionage actors. On 32-bit systems, the risk is even higher because Control Flow Guard is disabled by default.</p>



<p>Users should install the August 2025 Patch Tuesday updates as soon as possible, especially on critical systems. It also helps to disable automatic image previews in email clients and restrict untrusted files to sandboxed environments. Zscaler has already deployed cloud-level defenses to detect and block any exploit attempts.</p>



<p>This case highlights the risks of outdated graphics libraries in enterprise environments, where JPEG files are used everywhere. Although no active exploitation has been observed, quick patching and cautious file handling remain the best protection against these image-based attacks.</p>



<p>The post <a rel="nofollow" href="https://firsthackersnews.com/windows-graphics-vulnerability/">Windows Graphics Vulnerability Opens the Door to System Hijack with a Single Image</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/windows-graphics-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
