CyberSecurity news

FlagThis - #windows

@tomshardware.com - 77d
Microsoft’s new AI feature ‘Recall’ for Copilot+ PCs stores screenshots of sensitive data, including credit cards and social security numbers, even when a ‘sensitive information’ filter is enabled. This has raised serious privacy and security concerns among users. This feature takes continuous screenshots of everything a user does. The data is stored locally but sent off to Microsoft’s LLM for analysis. This has prompted an investigation by the UK Information Commissioner’s Office. This incident highlights the potential risks of AI-powered surveillance features and the importance of user privacy.

References :
  • Techmeme: Microsoft's new version of Recall appears to still capture sensitive data like credit card numbers, even with the "sensitive information" filter enabled (Avram Piltch/Tom's Hardware)
  • hachyderm.io: screenshots and numbers, even with the "sensitive information" filter enabled. Despite promising to filter personal data out, still captures it.
  • www.tomshardware.com: screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled
  • Metacurity: Microsoft Recall screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled
  • PrivacyDigest: screenshots credit cards and numbers, even with the "sensitive information" filter enabled | Tom's Hardware Despite promising to filter personal data out, Recall still captures it
  • TechSpot: Microsoft Recall is capturing screenshots of sensitive information like credit card and social security numbers
  • Techzine Global: Microsoft Recall is still a privacy nightmare
  • Pivot to AI: «When Piltch asked Microsoft about the issues [of sending over sensitive information like credit card numbers] , it referred him to a blog post saying AI makes mistakes» Ah yes, it's perfectly normal (and on-brand) for MS to push the recall bs despite all of this. 🤦‍♂️
  • bsky.app: Attackers can abuse the Windows UI Automation framework to steal data from apps
  • David Gerard: Windows AI Copilot+ Recall stores screenshots of sensitive data, regardless of ‘sensitive information’ filter
  • Amy Castor: Windows AI Copilot+ Recall stores screenshots of sensitive data, regardless of ‘sensitive information’ filter
  • securityonline.info: Abusing Microsoft’s UI Automation Framework: The New Evasion Technique Bypassing EDR
  • www.csoonline.com: Attackers can abuse the Windows UI Automation framework to steal data from apps
  • www.computerworld.com: Hands on with Microsoft’s Windows Recall: Not impressive yet

@gbhackers.com - 15d
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

References :
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
  • Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean

@securityonline.info - 23d
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.

The attack sequence begins with a LNK file executing a PowerShell command to retrieve a next-stage PowerShell script, launching the trojan. Once deployed, the trojan gathers system information and evades detection by security measures. Should a victim attempt to access a targeted site, the malware communicates with a command-and-control server, enabling actions like capturing screenshots or displaying phishing overlays to steal sensitive credentials, impacting financial cybersecurity.

References :
  • gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
  • www.scworld.com: Updated Coyote malware facilitates more extensive compromise
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
  • securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil

@PCWorld - 8d
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.

The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder under the name ageless[.]exe, sets its attributes to hidden, and creates “ageless.vbs” in the %Startup% folder.

References :
  • CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
  • hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
  • cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
  • The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
  • Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
  • The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
  • PCWorld: This high-risk keylogger malware is a growing threat to Windows users
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
  • www.scworld.com: More advanced Snake Keylogger variant emerges

Arda Büyükkaya@EclecticIQ Blog - 16d
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.

EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register domains used in the attacks. The attackers are also deploying a BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware. This malicious tool abuses legitimate Windows processes to evade detection: it uses `wmic` to add Microsoft Defender exclusions and `reg` to gather information about Defender's status, mimicking the behavior of legitimate KMS activators while injecting malicious payloads onto compromised systems.

References :
  • bsky.app: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
  • BleepingComputer: Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
  • www.bleepingcomputer.com: Russian military hackers deploy malicious Windows activators in Ukraine
  • Know Your Adversary: EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader.
  • EclecticIQ Blog: Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
  • Anonymous: Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign.
  • MSSP feed for Latest: Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed.
  • securityaffairs.com: Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools.
  • ciso2ciso.com: Source: socprime.com – Author: Daryna Olyniychuk For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure.
  • www.microsoft.com: Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments.
  • ciso2ciso.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine – Source: socprime.com
  • securityonline.info: Discussion of the campaign, the methods used by the attackers and potential consequences.
  • BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
  • Microsoft: Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear [sic] initial access operation (tracked as the "BadPilot campaign"). This blog details this subgroup's recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard's scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities. Indicators of compromise and Yara rules are listed.
  • socprime.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
  • securityaffairs.com: Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Russian cyber operations. Seashell Blizzard (aka Sandworm, BlackEnergy and TeleBots) has been active in the cybersecurity arena for more than a decade.

do son@Cybersecurity News - 83d
A critical zero-day vulnerability affecting all Windows versions from 7 to 11, and Server 2008 R2 to 2022, has been discovered. This flaw allows attackers to steal NTLM credentials simply by having a user view a malicious file in Windows Explorer; opening a shared folder, inserting a USB drive, or even browsing the Downloads folder could trigger the exploit. The vulnerability, discovered by 0patch researchers, doesn't require users to open or execute the file – merely viewing it is enough to compromise credentials. This highlights the ongoing risk posed by zero-day exploits and the importance of robust security patches and awareness programs.

0patch has reported the issue to Microsoft and has released free micropatches to mitigate the risk until an official fix is available. This is the third zero-day vulnerability 0patch has identified recently, with previous issues, including a Windows Theme file vulnerability and a ‘Mark of the Web’ bypass, still awaiting official Microsoft patches. The NTLM protocol itself has several known issues that Microsoft has chosen not to address, further emphasizing the need for proactive security measures and potentially alternative authentication methods. Organizations are urged to apply the available micropatches and consider additional security precautions.

References :
  • CyberInsider: New 0-Day NTLM Hash Disclosure Vulnerability in Windows 7 to 11
  • gbhackers.com: Windows NTLM Zero-Day Vulnerability Exposes User Credentials
  • malware.news: URL File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it
  • securityonline.info: SecurityOnline reports on a critical zero-day vulnerability in Windows exposing user credentials.
  • 0patch Blog: 0patch blog post on the vulnerability and its micropatches.

@Talkback Resources - 1d
A large-scale malware campaign has been discovered exploiting a vulnerable Windows driver, truesight.sys, associated with Adlice's RogueKiller Antirootkit suite. Attackers are leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy the HiddenGh0st RAT malware. Over 2,500 distinct variants of the truesight.sys driver have been identified, allowing attackers to evade EDR solutions and Microsoft’s Vulnerable Driver Blocklist.

This sophisticated campaign employs a multi-stage infection process, where initial-stage malware samples are disguised as legitimate applications and distributed via deceptive websites and messaging apps. These samples download the vulnerable truesight.sys driver alongside encrypted payloads, ultimately delivering advanced malware such as the Gh0st RAT. The campaign primarily targets victims in China, Singapore, and Taiwan, with infrastructure hosted on public cloud services within China.

References :
  • Cyber Security News: A sophisticated cyber campaign has been uncovered, leveraging a loophole in Windows’ driver signing policy to bypass detection and deploy malware.
  • Talkback Resources: 2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT [exp] [mal]
  • The Hacker News: A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware.