#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

windows security | Breaking Cybersecurity News | The Hacker News

Category — windows security
PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers

PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers

Jan 21, 2025 Cyber Attack / Windows Security
Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT. The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week. The infection chain commences with a phishing page that's designed to encourage victims to download a malicious Microsoft Installer (MSI) package disguised as legitimate software.  Once executed, the installer deploys a benign application to avoid arousing suspicion, while also stealthily extracting an encrypted archive containing the malware payload. "The MSI package uses the Windows Installer's CustomAction feature, enabling it to execute malicious code, including running an embedded malicious DLL that decrypts the archive (all.zip) using a hardcoded password 'hello202411' to extract the core malware components,...
Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques

Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques

Jan 08, 2025 Malware / Windows Security
Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems. "The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques," Cyfirma said in a technical analysis published last week. "It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files." NonEuclid has been advertised in underground forums since at least late November 2024, with tutorials and discussions about the malware discovered on popular platforms like Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware solution. At its core, the RAT commences with an initialization phase for a client application, after which it performs a series of checks to evade detection prior to s...
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Jan 20, 2025Data Security / Data Monitoring
Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.  The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets, and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, have appear...
Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor

Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor

Dec 05, 2024 Mobile Security / Windows Security
A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to facilitate long-term surveillance operations targeting Tibetans and Uyghurs. "Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a cross-platform threat," Trend Micro researchers Joseph C Chen and Daniel Lunghi said in an analysis published today. "MOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and applications, requiring users to update software regularly to prevent attacks." Countries affected by Earth Minotaur's attacks span Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S. MOONSHINE first came to light in September 2019 as part of cyber attacks targeting t...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

Nov 28, 2024 Windows Security / Cryptomining
A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique remains undetected by almost all antivirus engines in VirusTotal." It's no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails. The newest addition is Godot Engine , a game development platform that allows users to design 2D and 3D games across platforms , including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web. The multi-platform support also makes it an attract...
Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

Nov 25, 2024 Malware / Windows Security
Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver ( BYOVD ) to disarm security protections and ultimately gain access to the infected system. "This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda," Trellix security researcher Trishaan Kalra said in an analysis published last week. "The malware exploits the deep access provided by the driver to terminate security processes, disable protective software, and seize control of the infected system." The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions. Once the driver is up and running, the malware gains kernel-level access to the system, allowing it...
Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

Nov 16, 2024 Vulnerability / VPN Security
A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA . Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA, DEEPPOST, and LightSpy . "DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices," security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in a technical report. The malware first came to light earlier this week, when BlackBerry detailed the Windows-based surveillance framework as used by the China-linked APT41 threat actor to harvest data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass, as well as applic...
Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Nov 13, 2024 Ransomware / Data Protection
Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks." ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan. It appears to have been adapted from benign ten-year-old code. Bitdefender, which investigated a ShrinkLocker incident targeting an unnamed healthcare company in the Middle East, said the attack likely originated from a machine belonging to a contractor, once again highlighting how threat actors are increasingly abusing trusted relationships to ...
New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration

New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration

Nov 12, 2024 Virtualization / Vulnerability
Cybersecurity researchers have disclosed new security flaws impacting Citrix Virtual Apps and Desktop that could be exploited to achieve unauthenticated remote code execution (RCE) The issue, per findings from watchTowr , is rooted in the Session Recording component that allows system administrators to capture user activity, and record keyboard and mouse input, along with a video stream of the desktop for audit, compliance, and troubleshooting purposes. Particularly, the vulnerability exploits the "combination of a carelessly-exposed MSMQ instance with misconfigured permissions that leverages BinaryFormatter can be reached from any host via HTTP to perform unauthenticated RCE," security researcher Sina Kheirkhah said. The vulnerability details are listed below - CVE-2024-8068 (CVSS score: 5.1) - Privilege escalation to NetworkService Account access CVE-2024-8069 (CVSS score: 5.1) - Limited remote code execution with the privilege of a NetworkService Account acces...
IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools

IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools

Nov 08, 2024 Cyber Espionage / Threat Intelligence
High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week. "ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications," the Israeli company said . ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM. Its malware ar...
5 Most Common Malware Techniques in 2024

5 Most Common Malware Techniques in 2024

Nov 07, 2024 Malware Analysis / Windows Security
Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples. Disabling of Windows Event Logging (T1562.002) Disrupting Windows Event Logging helps attackers prevent the system from recording crucial information about their malicious actions. Without event logs, important details such as login attempts, file modifications, and system changes go unrecorded, leaving security solutions and analysts with incomplete or missing data. Windows Event Logging can be manipulated in different ways, including by changing registry keys or using commands like "net stop eventlog". Altering group policies is another common method. Since many detection mechanisms rely on log analysis to identify s...
Russian Espionage Group Targets Ukrainian Military with Malware via Telegram

Russian Espionage Group Targets Ukrainian Military with Malware via Telegram

Oct 28, 2024 Cyber Espionage / Android
A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense. Google's Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name UNC5812 . The threat group, which operates a Telegram channel named civildefense_com_ua , was created on September 10, 2024. As of writing, the channel has 184 subscribers. It also maintains a website at civildefense.com[.]ua that was registered on April 24, 2024. "'Civil Defense' claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters," the company said in a report shared with The Hacker News. Should these programs be installed on Android devices that have Google Play Protect disabled, they are engineered to deploy an operating system-specific commodity malware alo...
Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

Oct 28, 2024 Vulnerability / Windows Security
A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks. "This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach researcher Alon Leviev said in a report shared with The Hacker News. The latest findings build on an earlier analysis that uncovered two privilege escalation flaws in the Windows update process ( CVE-2024-21302 and CVE-2024-38202 ) that could be weaponized to rollback an up-to-date Windows software to an older version containing unpatched security vulnerabilities. The exploit materialized in the form of a tool dubbed Windows Downdate, which, per Leviev, could be used to hijack the Windows Update process to craft fully undetectable, persistent, and irreversible downgrades on...
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

Oct 18, 2024 Threat Intelligence / Phishing Attack
Threat actors are leveraging fake Google Meet web pages as part of an ongoing malware campaign dubbed ClickFix to deliver infostealers targeting Windows and macOS systems. "This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems," French cybersecurity company Sekoia said in a report shared with The Hacker News. Variations of the ClickFix (aka ClearFake and OneDrive Pastejacking) campaign have been reported widely in recent months , with threat actors employing different lures to redirect users to bogus pages that aim to deploy malware by urging site visitors to run an encoded PowerShell code to address a supposed issue with displaying content in the web browser. These pages are known to masquerade as popular online services, including Facebook, Google Chrome, PDFSimpli, and reCAPTCHA, and now Google Meet as well as potentially Zoom - meet.googl...
Expert Insights / Articles Videos
Cybersecurity Resources