#microsoftdefender — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #microsoftdefender, aggregated by home.social.
-
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault
-
The Gentleman Ransomware | Defense Evasion TTPs Uncovered
In April and May 2026, investigations revealed two incidents involving The Gentlemen ransomware-as-a-service operation, which has claimed over 400 victims across 70 countries since mid-2025. Both incidents demonstrated common tactics including Scheduled Tasks, PowerShell commands, and defense evasion techniques such as clearing Security, System, and Application Event Logs, disabling Microsoft Defender, and adding antivirus exclusions. A leaked internal database in early May exposed the operation's infrastructure, affiliate structure, and targeting of vulnerabilities like CVE-2024-55591. The attacks showed threat actors using RDP connections, disguised executables, SOCKS proxy connections for persistence, and domain-wide deployment via NETLOGON shares. Despite attempts to evade detection, sufficient forensic telemetry remained for analysis, revealing workstation names previously associated with Qilin ransomware and Lazarus infrastructure.
Pulse ID: 6a0f8f34dd916c38a643df30
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f34dd916c38a643df30
Pulse Author: AlienVault
Created: 2026-05-21 23:03:16
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #ICS #InfoSec #Lazarus #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #PowerShell #Proxy #RAT #RDP #RansomWare #RansomwareAsAService #bot #AlienVault
-
https://www.europesays.com/ie/495789/ 2 New Microsoft Defender Zero-Days Exploited—Patch Now Rolling Out #CISA #CVE202641091 #CVE202645498 #DefenderZeroDayAttacks #Éire #IE #Ireland #Kev #MicrosoftDefender #MicrosoftDefenderEmergencyUpdate #MicrosoftDefenderZeroDayExploitConfirmed #Technology #ZeroDay
-
🖥️🛡️ How to add an exclusion in Microsoft Defender on Windows 11
👉 https://www.justgeek.fr/ajouter-exclusion-microsoft-defender-windows-11-150865/
#Windows11 #MicrosoftDefender #SécuritéWindows #Sécurité #Tutoriel
-
AI-powered defense for an AI-accelerated threat landscape https://www.yayafa.com/2799125/ #AgenticAi #AI #ArtificialGeneralIntelligence #ArtificialIntelligence #Copilot #Microsoft #MicrosoftAI #MicrosoftCopilot #MicrosoftDefender #MicrosoftSecurity #エージェント型AI #人工知能 #汎用人工知能
-
Defender Misflags DigiCert Root Certificates, Breaking Windows SSL Trust
#MicrosoftDefender #Microsoft #DigiCert #Cybersecurity #Malware #AntivirusSoftware #WindowsSecurity #ThreatIntelligence #Windows11 #MicrosoftWindows
-
DigiCert breached via malicious screensaver file
#DigiCert #MicrosoftDefender #ZhongStealer
https://www.helpnetsecurity.com/2026/05/04/digicert-breach-code-signing-certificates-malware/
-
#MicrosoftDefender wrongly flags #DigiCert certs as #Trojan:Win32/Cerdigent(dot)A!dha
-
After a signature update, #MicrosoftDefender classifies legitimate #Zertifikate (certificates) as #Trojaner (Trojans) and deletes them. This caused disruptions to websites and applications. A fix is available. #Fehlalarm (false positive) https://winfuture.de/news,158482.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
-
Microsoft Defender's recent false positive, flagging legitimate DigiCert root certificates as 'Trojan:Win32/Cerdigent.A!dha', sent IT teams globally into a frenzy on May 3. This widespread incident consumed valuable operational time, undermined faith in automated defenses, and highlights the urgent need for more stringent testing of security intelligence updates for foundational system…
#cybersecurity #microsoftdefender #digicert
🤖 This post was AI-generated.
-
Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
#MicrosoftDefender #DigiCert #GoldenEyeDog #ZhongStealer
https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/
-
Microsoft Defender Flags DigiCert Certificates as Malware in False Positives
Microsoft Defender's recent signature update mistakenly flagged legitimate DigiCert root certificates as malware, causing widespread alerts and removal of the certificates, and even prompting some users to reinstall Windows. DigiCert quickly revoked the affected certificates within 24 hours of discovery,…
#FalsePositives #MicrosoftDefender #Digicert #CertificateRevocation #MalwareDetection
-
Komari Red: The Monitoring Tool with a Built-in Reverse Shell
On April 16, 2026, a threat actor leveraged stolen VPN credentials to access a Windows workstation and deployed a SYSTEM-level backdoor using the Komari agent, an open-source monitoring tool with built-in command-and-control capabilities. The attacker authenticated through an SSLVPN session from IP 45.153.34[.]132 and used Impacket smbexec.py to enable RDP on the target system. The Komari agent was installed as a persistent Windows service named 'Windows Update Service' using NSSM, pulling the installer directly from the official GitHub repository. Komari provides bidirectional control through WebSocket connections, offering arbitrary command execution, interactive reverse shell access, and network probing capabilities by default. Microsoft Defender quarantined an earlier registry dump attempt, forcing the adversary to pivot to this GitHub-based approach. This represents the first publicly documented case of Komari being abused in a real-world intrusion.
Pulse ID: 69f29e7612b827a15dfc7787
Pulse Link: https://otx.alienvault.com/pulse/69f29e7612b827a15dfc7787
Pulse Author: AlienVault
Created: 2026-04-30 00:12:38
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #GitHub #InfoSec #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RCE #RDP #SMB #SSL #VPN #Windows #bot #AlienVault
-
We'll install MS Defender on your VMs, they said.
It will make them more secure, they said. #infosec #Defender #MicrosoftDefender
#RedSun #BlueHammer #UnDefend