Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows. Show all posts
Windows
Audit ClawHub Cyber Attacks macOS Windows

Experts Find Malicious ClawHub Skills Stealing Data from OpenClaw


Koi Security’s security audit of 2,857 skills on ClawHub found 341 malicious skills via multiple campaigns. Users are exposed to new supply chain threats. 

ClawHub is a marketplace made to help OpenClaw users in finding and installing third-party skills. It is a part of the OpenClaw project, a self-hosted artificial intelligence (AI) assistant aka Moltbot and Clawdbot. 

Koi Security's analysis with OpenClaw bot “Alex” revealed that 335 skills use malicious pre-requisite to install an Apple macOS stealer called (Atomic Stealer). The activity goes by the code name ClawHavoc. 

According to Koi research Oren Yomtov, "You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro. The skill's documentation looks professional. But there's a 'Prerequisites' section that says you need to install something first.”

Instruction steps:

Windows users are asked to download file “openclaw-agent.zip” from a GitHub repository.

macOS users are asked to copy an installation script hosted at glot[.]io and paste it in the Terminal application. 

Threat actors are targeting macOS users because of an increase in purchase of Mac Minus to use the AI assistant 24x7. 

In the password-protected archive, the trojan has keylogging functionality to steal credentials, API keys, and other important data on the device. Besides this, the glot[.]io script includes hidden shell commands to retrieve next-stage payloads from a threat-actor controlled infrastructure. 

This results in getting another IP address ("91.92.242[.]30") to get another shell script, which is modified to address the same server to get a universal Mach-O binary that shows traits persistent with Atomic Stealer, a commodity stealer that threat actors can buy for $500-1000/month that can extract data from macOS hosts.

The issue is that anyone can post abilities to ClawHub because it is open by default. At this point, the only requirement is that a publisher have a GitHub account that is at least a week old. 

Peter Steinberger, the founder of OpenClaw, is aware of the problem with malicious abilities and has subsequently implemented a reporting option that enables users who are signed in to report a skill. According to the documentation, "Each user can have up to 20 active reports at a time," "Skills with more than 3 unique reports are auto-hidden by default.”


Read more »
Zero Day
CVE exploits LNKs Microsoft Vulnerabilities and Exploits Windows Zero Day

Microsoft Quietly Changes Windows Shortcut Handling After Dangerous Zero-day Abuse

 



Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.

The vulnerability, CVE-2025-9491, pertains to how Windows accesses and displays the "Target" field of a shortcut file. The attackers found that they could fill the Target field with big sets of blank spaces, followed by malicious commands. When a user looks at a file's properties, Windows only displays the first part of that field. The malicious command remains hidden behind whitespace, making the shortcut seem innocuous.

These types of shortcuts are usually distributed inside ZIP folders or other similar archives, since many email services block .lnk files outright. The attack relies on persuasion: Victims must willingly open the shortcut for the malware to gain an entry point on the system. When opened, the hidden command can install additional tools or create persistence.


Active Exploitation by Multiple Threat Groups

Trend Micro researchers documented in early 2025 that this trick was already being used broadly. Several state-backed groups and financially motivated actors had adopted the method to deliver a range of malware families, from remote access trojans to banking trojans. Later, Arctic Wolf Labs also observed attempts to use the same technique against diplomats in parts of Europe, where attackers used the disguised shortcut files to drop remote access malware.

The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.


Microsoft introduces a quiet mitigation

Although Microsoft first said the bug did not meet the criteria for out-of-band servicing because it required user interaction, the company nonetheless issued a silent fix via standard Windows patching. With the patches in place, Windows now displays the full Target field in a shortcut's properties window instead of truncating the display after about 260 characters.

This adjustment does not automatically remove malicious arguments inside a shortcut, nor does it pop up with a special warning when an unusually long command is present. It merely provides full visibility to users, which may make suspicious content more easily identifiable for the more cautious users.

When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.


Independent patch offers stricter safeguards

Because Microsoft's update is more a matter of visibility than enforcement, ACROS Security has issued an unofficial micropatch via its 0patch service. The update its team released limits the length of Target fields and pops up a warning before allowing a potentially suspicious shortcut to open. This more strict treatment, according to the group, would block the vast majority of malicious shortcuts seen in the wild.

This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.


How users can protect themselves

Users and organizations can minimize the risk by refraining from taking shortcuts coming from unfamiliar sources, especially those that are wrapped inside compressed folders. Security teams are encouraged to ensure Windows systems are fully updated, apply endpoint protection tools, and treat unsolicited attachments with care. Training users to inspect file properties and avoid launching unexpected shortcut files is also a top priority.

However, as the exploitation of CVE-2025-9491 continues to manifest in targeted attacks, the updated Windows behavior, user awareness, and security controls are layered together for the best defense for now. 

Read more »
Windows
AI ChatGPT Cloud Cyber Security Data Windows

AI Models Trained on Incomplete Data Can't Protect Against Threats


In cybersecurity, AI is being called the future of threat finder. However, AI has its hands tied, they are only as good as their data pipeline. But this principle is not stopping at academic machine learning, as it is also applicable for cybersecurity.

AI-powered threat hunting will only be successful if the data infrastructure is strong too.

Threat hunting powered by AI, automation, or human investigation will only ever be as effective as the data infrastructure it stands on. Sometimes, security teams build AI over leaked data or without proper data care. This can create issues later. It can affect both AI and humans. Even sophisticated algorithms can't handle inconsistent or incomplete data. AI that is trained on poor data will also lead to poor results. 

The importance of unified data 

A correlated data controls the operation. It reduces noise and helps in noticing patterns that manual systems can't.

Correlating and pre-transforming the data makes it easy for LLMs and other AI tools. It also allows connected components to surface naturally. 

A same person may show up under entirely distinct names as an IAM principal in AWS, a committer in GitHub, and a document owner in Google Workspace. You only have a small portion of the truth when you look at any one of those signs. 

You have behavioral clarity when you consider them collectively. While downloading dozens of items from Google Workspace may look strange on its own, it becomes obviously malevolent if the same user also clones dozens of repositories to a personal laptop and launches a public S3 bucket minutes later.

Finding threat via correlation 

Correlations that previously took hours or were impossible become instant when data from logs, configurations, code repositories, and identification systems are all housed in one location. 

For instance, lateral movement that uses short-lived credentials that have been stolen frequently passes across multiple systems before being discovered. A hacked developer laptop might take on several IAM roles, launch new instances, and access internal databases. Endpoint logs show the local compromise, but the extent of the intrusion cannot be demonstrated without IAM and network data.


Read more »
Windows
AI ChatGPT Cloud Data Technology virus Windows

Hackers Exploit AI Stack in Windows to Deploy Malware


The artificial intelligence (AI) stack built into Windows can act as a channel for malware transmission, a recent study has demonstrated.

Using AI in malware

Security researcher hxr1 discovered a far more conventional method of weaponizing rampant AI in a year when ingenious and sophisticated quick injection tactics have been proliferating. He detailed a living-off-the-land attack (LotL) that utilizes trusted files from the Open Neural Network Exchange (ONNX) to bypass security engines in a proof-of-concept (PoC) provided exclusively to Dark Reading.

Impact on Windows

Programs for cybersecurity are only as successful as their designers make them. Because these are known signs of suspicious activity, they may detect excessive amounts of data exfiltrating from a network or a foreign.exe file that launches. However, if malware appears on a system in a way they are unfamiliar with, they are unlikely to be aware of it.

That's the reason AI is so difficult. New software, procedures, and systems that incorporate AI capabilities create new, invisible channels for the spread of cyberattacks.

Why AI in malware is a problem

The Windows operating system has been gradually including features since 2018 that enable apps to carry out AI inference locally without requiring a connection to a cloud service. Inbuilt AI is used by Windows Hello, Photos, and Office programs to carry out object identification, facial recognition, and productivity tasks, respectively. They accomplish this by making a call to the Windows Machine Learning (ML) application programming interface (API), which loads ML models as ONNX files.

ONNX files are automatically trusted by Windows and security software. Why wouldn't they? Although malware can be found in EXEs, PDFs, and other formats, no threat actors in the wild have yet to show that they plan to or are capable of using neural networks as weapons. However, there are a lot of ways to make it feasible.

Attack tactic

Planting a malicious payload in the metadata of a neural network is a simple way to infect it. The compromise would be that this virus would remain in simple text, making it much simpler for a security tool to unintentionally detect it.

Piecemeal malware embedding among the model's named nodes, inputs, and outputs would be more challenging but more covert. Alternatively, an attacker may utilize sophisticated steganography to hide a payload inside the neural network's own weights.

As long as you have a loader close by that can call the necessary Windows APIs to unpack it, reassemble it in memory, and run it, all three approaches will function. Additionally, both approaches are very covert. Trying to reconstruct a fragmented payload from a neural network would be like trying to reconstruct a needle from bits of it spread through a haystack.

Read more »
Windows
AI Cloud Data Microsoft Technology Windows

Microsoft Warns Windows 10 Users: Hackers Target Outdated Systems

Microsoft Warns Windows 10 Users: Hackers Target Outdated Systems

Modern cyberattacks rarely target the royal jewels.  Instead, they look for flaws in the systems that control the keys, such as obsolete operating systems, aging infrastructure, and unsupported endpoints.  For technical decision makers (TDMs), these blind spots are more than just an IT inconvenience.  They pose significant hazards to data security, compliance, and enterprise control.

Dangers of outdated windows 10

With the end of support for Windows 10 approaching, many businesses are asking themselves how many of their devices, servers, or endpoints are already (or will soon be) unsupported.  More importantly, what hidden weaknesses does this introduce into compliance, auditability, and access governance?

Most IT leaders understand the urge to keep outdated systems running for a little longer, patch what they can, and get the most value out of the existing infrastructure.

Importance of system updates

However, without regular upgrades, endpoint security technologies lose their effectiveness, audit trails become more difficult to maintain, and compliance reporting becomes a game of guesswork. 

Research confirms the magnitude of the problem.  According to Microsoft's newest Digital Defense Report, more than 90% of ransomware assaults that reach the encryption stage originate on unmanaged devices that lack sufficient security controls.  

Unsupported systems frequently fall into this category, making them ideal candidates for exploitation.  Furthermore, because these vulnerabilities exist at the infrastructure level rather than in individual files, they are frequently undetectable until an incident happens.

Attack tactic

Hackers don't have to break your defense. They just need to wait for you to leave a window open. With the end of support for Windows 10 approaching, hackers are already predicting that many businesses will fall behind. 

Waiting carries a high cost. Breaches on unsupported infrastructure can result in higher cleanup costs, longer downtime, and greater reputational harm than attacks on supported systems. Because compliance frameworks evolve quicker than legacy systems, staying put risks falling behind on standards that influence contracts, customer trust, and potentially your ability to do business.

What next?

Although unsupported systems may appear to be small technical defects, they quickly escalate into enterprise-level threats. The longer they remain in play, the larger the gap they create in endpoint security, compliance, and overall data security. Addressing even one unsupported system now can drastically reduce risk and give IT management more piece of mind. 

TDMs have a clear choice: modernize proactively or leave the door open for the next assault.

Read more »
Windows
AI Cloud Internet Microsoft PCs Technology Windows

Microsoft to end support for Windows 10, 400 million PCs will be impacted


Microsoft is ending software updates for Windows 10

From October 14, Microsoft will end its support for Windows 10, experts believe it will impact around 400 million computers, exposing them to cyber threats. People and groups worldwide are requesting that Microsoft extend its free support. 

According to recent research, 40.8% of desktop users still use Windows 10. This means around 600 million PCs worldwide use Windows 10. Soon, most of them will not receive software updates, security fixes, or technical assistance. 

400 million PCs will be impacted

Experts believe that these 400 million PCs will continue to work even after October 14th because hardware upgrades won’t be possible in such a short duration. 

“When support for Windows 8 ended in January 2016, only 3.7% of Windows users were still using it. Only 2.2% of Windows users were still using Windows 8.1 when support ended in January 2023,” PIRG said. PIGR has also called this move a “looming security disaster.”

What can Windows users do?

The permanent solution is to upgrade to Windows 11. But there are certain hardware requirements when you want to upgrade, and most users will not be able to upgrade as they will have to buy new PCs with compatible hardware. 

But Microsoft has offered few free options for personal users, if you use 1,000 Microsoft Rewards points. Users can also back up their data to the Windows Backup cloud service to get a free upgrade. If this impacts you, you can earn these points via Microsoft services such as Xbox games, store purchases, and Bing searches. But this will take time, and users don’t have it, unfortunately. 

The only viable option for users is to pay $30 (around Rs 2,650) for an Extended Security Updates (ESU) plan, but it will only work for one year.

According to PIGR, “Unless Microsoft changes course, users will face the choice between exposing themselves to cyberattacks or discarding their old computers and buying new ones. The solution is clear: Microsoft must extend free, automatic support.”

Read more »
Windows
AnonDoor Confucius espionage malware Windows

Confucius Espionage: Gang Hijacks to Attack Windows Systems Via Malware


Confucius gang strikes again

The Confucius hacking gang, infamous for its cyber-espionage operations and alleged state-sponsored links, has advanced its attack tactics in recent times, shifting from document stealers such as WooperStealer to advanced Python-based backdoors like AnonDoor malware. 

The testimony to this is the December 2024 campaign, which showed the gang’s highly advanced engineering methods, using phishing emails via malicious PowerPoint presentations (Document.ppsx) that showed "Corrupted Page” notification to victims. 

Attack tactic

“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness,” FortiGuard Labs said.

The infected file consisted of embedded OLE objects that prompted a VBScript command from remote infrastructure, starting a malicious chain.

FortiGuard Labs discovered how this gang has attacked Office documents and infected LNK files to damage Windows systems throughout the South Asian region, including organizations in Pakistan. The attack tactic uses DLL side-loading; the malware imitates genuine Windows commands such as fixmapi.exe, to user directories for persistence. 

About LNK-based attacks

Earlier this year, Confucius moved to disguise infected LNK files as genuine documents such as “Invoice_Jan25.pdf.lnk.” These documents trigger PowerShell commands that install an infected DLL and fake PDF documents via remote servers, creating a disguised, authentic file access while building backdoor access.

These files execute PowerShell commands that download malicious DLLs and decoy PDF documents from remote servers, maintaining the illusion of legitimate file access while establishing backdoor access. The downloaded DLL makes persistence channels and creates Base64-coded remote host addresses for payload deployment. 

Findings

The study found that the final payload remained WooperStealer, modified to extract different file types such as archives, images, documents, and email files with different extensions.

One major development happened in August 2025 with AnonDoor, an advanced Python-based backdoor, different from older NET-based tools.

Plan forward

According to Fortinet, “the layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility.” 

Organizations are advised to be vigilant against different attack tactics, as cyber criminal gangs keep evolving their methods to escape detection. 

Read more »
Windows
2FA Antivirus Computer Devices malware Windows

How Six Simple Habits Can Keep Your Computer Safe From Malware

 



For many, the first encounter with malware comes during student years, often through experiments with “free” software or unprotected internet connections like USB tethering. The result is almost always the same: a badly infected system that needs a complete reinstall of Windows. That hard lesson shows why consistent security habits matter. Fourteen years and several computers later, users who follow basic precautions rarely face malware again.


1. Be selective with downloads

Unsafe downloads are the main entry point for malware. Cracked or “premium” software shared on random forums can secretly install hidden programs, such as cryptocurrency mining tools, that hijack your computer’s resources. The safest option is to download software only from official websites, verified GitHub repositories, or trusted app stores. If paying for premium tools is not possible, free alternatives are widely available. For example, LibreOffice can replace Microsoft Office, GIMP is a strong substitute for Photoshop, and many platforms provide safe, free video games.


2. Keep your antivirus protection updated

Antivirus tools are only effective if they are current. On Windows, the built-in security program updates automatically, scanning files against Microsoft’s threat database and blocking or quarantining suspicious files before they run. Unlike many third-party programs, Windows Security works quietly in the background without constant interruptions or slowing your device. Whether you choose the built-in system or another provider, keeping it updated is essential.


3. Approach email attachments with caution

Phishing emails often look convincing, sometimes copying entire designs from services like PayPal. In one example, a fake message claimed a new address had been added to an account and urged immediate action. The scam was revealed by its sender address — “paypal-support@secureverify-payment.com” instead of a genuine PayPal domain. Today’s phishing attempts go beyond suspicious links, with QR codes, PDFs, or fake DocuSign prompts that ask for login details. To protect yourself, disable automatic image loading, never open unexpected attachments, and always confirm unusual requests with the sender through another trusted method.


4. Avoid public Wi-Fi without protection

Public Wi-Fi in airports, cafés, hotels, or libraries may be convenient, but it is also risky. Other users on the same network can intercept traffic, and cybercriminals often set up fake hotspots with names like “Free_Airport_WiFi” to trick unsuspecting users. A safer approach is to use mobile data or a personal hotspot. If you must connect to public Wi-Fi, always use a virtual private network (VPN) to encrypt your traffic, and avoid logging into banking or other sensitive accounts until you are on a trusted network.


5. Keep Windows updated

Those frequent updates and restarts on Windows serve a purpose: patching security vulnerabilities. Once Microsoft releases a fix, attackers study it to find the weakness and then target systems that delay updating. While feature updates can be postponed, security patches should never be skipped. Enabling automatic updates is the most reliable way to stay protected.


6. Strengthen account security

Reusing the same password across multiple accounts is one of the fastest ways to be compromised through credential stuffing. Use a password manager to generate unique logins, and enable two-factor authentication (2FA) on any account involving personal or financial information. An even stronger option is to adopt passkeys, which use device biometrics and cryptographic keys. Passkeys cannot be phished, reused, or stolen, making them far safer than traditional passwords.


Staying free from malware does not require expensive tools or advanced skills. By practicing safe downloading, keeping antivirus tools and operating systems updated, approaching emails cautiously, protecting yourself on public networks, and securing accounts with strong authentication, you can keep your devices safe for years to come.



Read more »
Subscribe to: Comments (Atom)