• VirusTotal (VT) is making important changes to its platform access and pricing. These updates aim to improve accessibility and strengthen its commitment to collaboration.

    The initiative, detailed in a recent company announcement, aims to simplify user options while reinforcing VT’s commitment to the global cybersecurity community as an open, collaborative platform for the common good.

    The changes come in light of community feedback and as part of a broader evolution within Google’s security ecosystem, which now features the unified Google Threat Intelligence (GTI) platform.

    Founded on the principle that collective effort strengthens cyber defense, VirusTotal is refocusing on three primary goals: preserving the platform’s openness, providing a sustainable framework for contributors, and improving access for academics and researchers.

    The company emphasized that while Google Threat Intelligence, which combines the power of VT, Mandiant, and Google, delivers advanced, curated intelligence for enterprises, VirusTotal will remain the community-driven foundation for threat sharing and analysis.

    This dual approach allows VT to serve its core user base while integrating its vast data into Google’s more comprehensive enterprise offerings.

    New Tiers For A Diverse Community

    Key to the announcement is the launch of simplified pricing and new access tiers aimed at serving a diverse user base, from individual researchers to large organizations.

    A key addition is the VT Contributor tier, a dedicated model for technology partners who integrate their detection engines with the platform.

    This tier rewards their crucial role with free access to feeds of their blind spots, priority support, and early access to new features. The other tiers include:

    • VT Community: A robust free tier for individual researchers, academics, and educators, offering file and URL scanning, public API access, and community features.
    • VT Lite: Aimed at small teams, startups, and small MSSPs for non-commercial use, this tier provides advanced search, YARA hunting, and private scanning capabilities, with pricing starting from $5,000 for low API volumes.
    • VT Duet: Designed for large organizations, this option provides the full feature set with a high API quota.

    In a move that reaffirms a long-standing 2016 commitment, VirusTotal stated that security vendors who do not contribute detections are not included in these new tiers.

    This decision underscores the company’s focus on fostering a “healthy community” where participation and contribution are valued.

    The company actively encourages organizations to become contributors and join its mission of protecting the digital commons.

    This evolution ensures that VirusTotal continues to serve as a transparent, collaborative hub for global threat intelligence, strengthening its foundational role in the cybersecurity landscape for years to come.

    Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

    The post VirusTotal Simplifies User Options With Platform Access and New Contributor Model appeared first on Cyber Security News.


• A newly published technique lets attackers run code inside an antivirus product's own protected processes, inheriting the protection and trust those processes enjoy. Because these are precisely the processes the product refuses to let anyone tamper with, code running inside them is hard to detect and undermines the protection the antivirus is meant to provide.

    This method, detailed by cybersecurity researcher Two Seven One Three on X (@TwoSevenOneT), involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder, bypassing standard defenses.

    The approach exploits the way antivirus solutions prioritize their own stability. By getting code into these “unkillable” processes, the researcher inherits their privileges and can, for example, write files into the product's own installation directory, all while evading detection.

    As antivirus programs evolve to combat sophisticated threats, such techniques underscore the delicate balance between robust security and operational reliability.

    Bypassing Antivirus Defenses

    Antivirus software employs multiple strategies to shield its core processes from interference, ensuring uninterrupted protection for users.

    These programs typically run with SYSTEM-level privileges, granting them broad access to monitor and neutralize threats across the system.

    Process introspection allows the antivirus to vigilantly scan its own threads for anomalies, such as unauthorized code injections from external sources.

    Further safeguards include code integrity checks that verify the authenticity of loaded modules and the use of Windows’ Protected Process Light (PPL) feature.

    PPL restricts which processes may open a protected user-mode process and with what access rights, so even an administrator cannot inject into or terminate it through the normal APIs. In the kernel, antivirus drivers register callbacks that block alterations to detection mechanisms, while self-protection routines automatically restart tampered components or alert on suspicious activity.

    Determining which processes qualify for protection is equally meticulous. Developers avoid simplistic checks like process names, which attackers could spoof by mimicking filenames.

    Instead, solutions like Bitdefender verify the process’s ImagePath, ensuring the executable resides in the product's own directory, and restrict file writes to the installation folder so that an attacker cannot place a binary there.

    Digital signatures of loaded DLLs add another layer, though attackers can attempt to bypass these through advanced evasion tactics.

    Spoofing the Process Environment Block (PEB) or reusing handles obtained from CreateProcess proves futile, because the kernel driver observes process creation from the outset and bases its decision on the real image path.

    Service Cloning and Injection Methods

    The technique’s ingenuity lies in leveraging the antivirus’s reliance on operating system features while exploiting less-guarded auxiliary components.

    Modern antivirus suites bundle extras like firewalls, VPNs, and user interfaces, each running protected processes with installation folder write access. Since direct termination or suspension of these is blocked short of kernel exploits or tools like EDR-Freeze, researchers turn to cloning.

    By manually exporting and importing registry keys for an antivirus service, such as Bitdefender’s BDProtSrv, a duplicate service can be created with identical configurations.

    After a reboot the Service Control Manager (services.exe) picks up the clone and starts it as a new protected process. Testing with Process Explorer confirms the protection: attempts to terminate the clone fail with “access denied”.

    Injection then hijacks the Windows Cryptography API, which antivirus processes use for encryption and signing. Pointing a provider entry under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider at a malicious DLL causes the service to load that DLL when it initializes the provider during startup.

    To pass signature checks, the DLL is signed with a certificate cloned from a legitimate Windows binary, a method detailed in SpecterOps research; the cloned issuer is then added to the machine's trusted certificate stores.

    Steps include creating the cloned service, altering the provider, trusting the signature, launching the service, verifying execution, and restoring the registry to avoid instability.

    IAmAntimalware: A Tool for Testing and Evasion

    To automate this process, Two Seven One Three developed IAmAntimalware, an open-source tool available on GitHub. It clones the service, modifies the cryptographic provider or COM object entries, imports the certificate, and starts the clone, all driven by command-line parameters that specify the original service, the clone name, the certificate file, and the DLL path.

    In tests with Bitdefender, the tool signed a sample DLL using CertClone, another GitHub utility that clones the certificate chain of a signed file. The DLL, which outputs debug strings and writes a “mark.txt” file to the installation folder, ran successfully inside the cloned protected service.

    Similar results emerged with Trend Micro and Avast, though Avast required tweaks to target its GUI process for reliability. This method’s implications are profound: malware could embed backdoors in antivirus environments, executing undetected.

    Prevention demands vigilant monitoring of module loads from anomalous paths, auditing the trusted certificates and cryptographic provider entries in the registry, alerting on newly registered services whose ImagePath points at an existing product binary (the clone inherits protection precisely because the self-protection logic keys on that path), and enforcing PPL alongside behavioral analytics.
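The following is an added example, not part of IAmAntimalware or any vendor's product: a Python audit of the two registry surfaces the technique relies on. It flags CryptoAPI provider entries whose DLL lives outside the Windows system directories, and services that share one binary (which is what a cloned service looks like). The value names "Image Path" and "ImagePath", the trusted-directory list, and all sample entries are this example's own assumptions and constructed data.

```python
"""Audit CryptoAPI provider paths and duplicated service binaries.

Added example. Assumptions: provider subkeys carry an "Image Path" value,
service keys an "ImagePath" value; TRUSTED_PROVIDER_DIRS is tuned per site.
"""
import sys
from dataclasses import dataclass

TRUSTED_PROVIDER_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def normalize_image_path(raw: str) -> str:
    """Lower-case, strip quoting, arguments and NT/env prefixes so two entries
    that point at the same binary compare equal."""
    s = raw.strip().lower()
    if s.startswith('"'):                       # "c:\program files\x\y.exe" -svc
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    else:                                       # c:\x\y.exe -k args
        s = s.split(" ")[0]
    for prefix in ("\\??\\", "\\\\?\\"):
        if s.startswith(prefix):
            s = s[len(prefix):]
    s = s.replace("%systemroot%", r"c:\windows")
    if s.startswith(r"\systemroot"):
        s = r"c:\windows" + s[len(r"\systemroot"):]
    return s


def check_providers(providers: dict) -> list:
    """An absolute provider path outside System32/SysWOW64 is the hijack above.
    Bare file names are resolved by the loader search order and should be
    diffed against a known-good baseline instead (not done here)."""
    out = []
    for name, image in providers.items():
        path = normalize_image_path(image)
        if "\\" not in path:
            continue
        if not any(path.startswith(d + "\\") for d in TRUSTED_PROVIDER_DIRS):
            out.append(Finding("provider_outside_system_dirs", f"{name} -> {image}"))
    return out


def check_services(services: dict) -> list:
    """Group services by binary. svchost.exe is skipped because it legitimately
    hosts many services; vendor suites may also share a binary, so treat hits as
    leads to compare against the vendor's documented service list."""
    by_binary = {}
    for name, image in services.items():
        path = normalize_image_path(image)
        if path.endswith("\\svchost.exe"):
            continue
        by_binary.setdefault(path, []).append(name)
    return [Finding("shared_service_binary", f"{path}: {', '.join(sorted(names))}")
            for path, names in by_binary.items() if len(names) > 1]


def audit(providers: dict, services: dict) -> list:
    return check_providers(providers) + check_services(services)


def read_live_registry():
    """Windows only: read both subtrees with winreg, return (providers, services)."""
    import winreg
    providers, services = {}, {}
    root = winreg.HKEY_LOCAL_MACHINE
    for subtree, value, sink in (
        (r"SOFTWARE\Microsoft\Cryptography\Defaults\Provider", "Image Path", providers),
        (r"SYSTEM\CurrentControlSet\Services", "ImagePath", services),
    ):
        with winreg.OpenKey(root, subtree) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                name = winreg.EnumKey(key, i)
                try:
                    with winreg.OpenKey(key, name) as sub:
                        sink[name] = winreg.QueryValueEx(sub, value)[0]
                except OSError:
                    pass                      # key without that value (e.g. driver groups)
    return providers, services


# Constructed sample data standing in for a registry export.
SAMPLE_PROVIDERS = {
    "Microsoft Enhanced Cryptographic Provider v1.0": "rsaenh.dll",
    "Microsoft Strong Cryptographic Provider": r"%SystemRoot%\system32\rsaenh.dll",
    "Rogue Provider": r"C:\Users\Public\rogue.dll",
}
SAMPLE_SERVICES = {
    "AVProtSrv": r'"C:\Program Files\ExampleAV\avprot.exe" -service',
    "AVProtSrvClone": r'"C:\Program Files\ExampleAV\avprot.exe" -service',
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
    "Dnscache": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
}

if __name__ == "__main__":
    providers, services = (read_live_registry() if sys.platform == "win32"
                           else (SAMPLE_PROVIDERS, SAMPLE_SERVICES))
    for f in audit(providers, services):
        print(f"[{f.kind}] {f.detail}")
```

Run it as SYSTEM or an administrator on the host being checked; on the constructed sample it reports the rogue provider and the AVProtSrv/AVProtSrvClone pair while leaving the svchost-hosted services alone.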

    As pentesting evolves, such disclosures push antivirus vendors to fortify against their own strengths turning into liabilities.


    The post Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor appeared first on Cyber Security News.


  • Critical flaws have been uncovered in the network communication between Microsoft Defender for Endpoint (DFE) and its cloud services, allowing post-breach attackers to bypass authentication, spoof data, disclose sensitive information, and even upload malicious files into investigation packages.

    These vulnerabilities, detailed in a recent analysis by InfoGuard Labs, highlight ongoing risks in endpoint detection and response (EDR) systems, potentially undermining incident response efforts.

    Reported to Microsoft’s Security Response Center (MSRC) in July 2025, the issues were deemed low severity, with no fixes confirmed as of October 2025.

    The research builds on prior explorations of EDR attack surfaces, focusing on the agent’s interaction with cloud backends. By intercepting traffic using tools like Burp Suite and bypassing certificate pinning through memory patches in WinDbg, the analysis revealed how DFE’s MsSense.exe process handles commands and data uploads.

    Certificate pinning, a common security measure, was circumvented by altering the CRYPT32!CertVerifyCertificateChainPolicy function to always return a valid result, enabling plaintext inspection of HTTPS traffic.

    Similar patches were applied to SenseIR.exe for complete interception, including Azure Blob uploads.

    Figure: Azure Upload

    Authentication Bypasses and Command Interception

    According to InfoGuard Labs the core issue lies in the agent’s requests to endpoints like https://[location-specific-host]/edr/commands/cnc, where it polls for commands such as isolation, forensics collection, or scans.

    Despite carrying Authorization tokens and an Msadeviceticket header, the requests are not actually validated by the backend. An attacker who knows the machine ID and tenant ID, both readable from the registry by low-privileged users, can impersonate the agent and receive its commands.

    For instance, a tool such as Burp’s Intruder can query the endpoint in a tight loop, grabbing any pending command before the legitimate agent polls for it.

    This allows spoofing responses, such as faking an “Already isolated” status for an isolation command, leaving the device unisolated while the Microsoft Defender portal reports it as isolated.

    The serialization format, often in Microsoft Bond, complicates manual crafting, but capturing and modifying legitimate responses suffices for proof-of-concept exploits.

    A parallel vulnerability affects the /senseir/v1/actions/ endpoints used for Live Response and Automated Investigations. Here the CloudLR tokens are similarly ignored, and the action payloads can be retrieved without authentication using just the machine ID.

    Attackers can decode action payloads with custom scripts (the researchers used large language models to help with Bond deserialization) and upload fabricated data to the Azure Blob URIs the backend hands out, via SAS tokens that remain valid for months.
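To make the failure concrete, here is an added toy model in Python (not Microsoft's code or protocol): a command queue that reads the device identifier but ignores the token, beside a version that binds a short-lived HMAC token to the machine ID. The backend classes, the per-tenant key and the "Isolate" command are illustrative constructions; the race() helper plays the attacker polling faster than the real agent.

```python
"""Vulnerable vs. hardened command polling (added example, not Microsoft code)."""
import hashlib
import hmac
import time
from collections import deque


class VulnerableCommandBackend:
    """Models a /commands/cnc endpoint that accepts the Authorization header
    but never checks it: knowing the machine ID is enough to dequeue commands."""

    def __init__(self):
        self.queues = {}

    def enqueue(self, machine_id, command):
        self.queues.setdefault(machine_id, deque()).append(command)

    def poll(self, machine_id, authorization=None, now=None):
        q = self.queues.get(machine_id)          # 'authorization' is ignored: the bug
        return q.popleft() if q else None


class HardenedCommandBackend(VulnerableCommandBackend):
    """Same queue, but the token is an HMAC over (machine_id, expiry) under a
    per-tenant key, so a token is bound to one device and expires quickly."""

    def __init__(self, tenant_key: bytes, max_age_s: int = 300):
        super().__init__()
        self.key = tenant_key
        self.max_age_s = max_age_s

    def _mac(self, machine_id, exp):
        return hmac.new(self.key, f"{machine_id}|{exp}".encode(), hashlib.sha256).hexdigest()

    def issue_token(self, machine_id, now=None):
        """Handed to the agent at enrolment/refresh; a leaked one is useful only briefly."""
        exp = int((time.time() if now is None else now) + self.max_age_s)
        return f"{machine_id}|{exp}|{self._mac(machine_id, exp)}"

    def verify_token(self, machine_id, token, now=None):
        try:
            mid, exp, mac = token.split("|")
            exp = int(exp)
        except (AttributeError, ValueError):
            return False
        if mid != machine_id:                     # token must name the polling device
            return False
        if exp < (time.time() if now is None else now):
            return False                          # expired
        return hmac.compare_digest(mac, self._mac(machine_id, exp))

    def poll(self, machine_id, authorization=None, now=None):
        if not self.verify_token(machine_id, authorization, now):
            raise PermissionError("invalid or expired device token")
        return super().poll(machine_id)


def race(backend, machine_id, attacker_token=None, agent_token=None):
    """The attacker polls first because it polls faster than the agent.
    Returns (what the attacker got, what the real agent got)."""
    backend.enqueue(machine_id, "Isolate")
    try:
        stolen = backend.poll(machine_id, attacker_token)
    except PermissionError:
        stolen = None
    try:
        received = backend.poll(machine_id, agent_token)
    except PermissionError:
        received = None
    return stolen, received


if __name__ == "__main__":
    print(race(VulnerableCommandBackend(), "machine-1"))                        # ('Isolate', None)
    h = HardenedCommandBackend(b"per-tenant-secret")
    print(race(h, "machine-1", agent_token=h.issue_token("machine-1")))         # (None, 'Isolate')
```

In the vulnerable case the attacker walks away with the isolation command and can answer it with a fake "Already isolated" status; in the hardened case the same request is rejected and the agent receives the command. The same binding-plus-expiry idea applies to the Live Response tokens and to the long-lived SAS URIs mentioned above.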

    Information Disclosure and Malicious File Risks

    Unauthenticated access extends to incident response (IR) exclusions via the registration endpoint, requiring only the organization ID from the registry.

    More alarmingly, polling /edr/commands/cnc without credentials yields an 8MB configuration dump, including RegistryMonitoringConfiguration, DriverReadWriteAccessProcessList, and ASR rules. While not tenant-specific, this data reveals detection logic valuable for evasion.

    Post-breach, attackers can enumerate investigation packages on the filesystem, readable by any user, containing autoruns, installed programs, and network connections.

    For ongoing investigations, spoofed uploads to these packages enable embedding malicious files with innocuous names, tricking analysts into execution during review.

    These flaws underscore the challenges in securing EDR communications, where simple oversights persist despite multiple token types. The researchers urge remediation, arguing that post-breach disruption of incident response and attacks aimed at analysts merit a higher priority than MSRC’s assessment.


    The post Microsoft Defender Vulnerabilities Allow Attackers to Bypass Authentication and Upload Malicious Files appeared first on Cyber Security News.


  • Cybersecurity company Huntress on Friday warned of “widespread compromise” of SonicWall SSL VPN devices to access multiple customer environments. “Threat actors are authenticating into multiple accounts rapidly across compromised devices,” it said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.” A significant chunk of


  • Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware. The threat actor’s use of the security utility was documented by Sophos last month. It’s assessed that the attackers


  • Microsoft has rolled out a fix in its latest preview builds to resolve a notorious glitch with the “update and shut down” feature.

    This long-standing issue, which has haunted the operating system for years, tricked users into believing their PCs were powering off when updates were pending, only for the machines to restart unexpectedly and disrupt sleep cycles with noisy fans.

    The bug emerged shortly after Windows 11’s launch in 2021 and quickly became a source of irritation across forums and social media.

    When users selected the “update and shut down” option from the Start menu or Windows Update settings, the system appeared to comply by initiating the shutdown process.

    However, instead of fully powering down, the PC would install the update and reboot, often landing back at the lock screen or desktop. This behavior stemmed from how Windows handles cumulative updates, which bundle security patches, bug fixes, and feature improvements.

    If an update encountered even a minor hiccup during installation, such as a temporary file lock or driver conflict, the system would default to a restart rather than a clean shutdown. Overnight, idle detection kicked in, prompting another installation attempt and creating a cycle of unwanted reboots.

    User complaints painted a vivid picture of the annoyance. Home users described coming downstairs in the middle of the night to find their desktops humming loudly, with fans whirring at full speed to cool spiking CPU and disk activity.

    Office workers reported interrupted workflows, as machines that should have been off instead cycled through updates during off-hours, potentially exposing sensitive data or draining power unnecessarily.

    The issue wasn’t universal but affected a significant portion of Windows 11 devices, especially those on older hardware, where update failures were more common due to compatibility quirks.

    Microsoft’s Patch in Preview Builds

    Microsoft acknowledged the problem in its Windows Insider preview blog on September 29, 2025, detailing Build 26220.6760 for the Dev Channel. The release notes simply state: “Fixed an underlying issue which could lead ‘Update and shutdown’ to not actually shut down your PC after.”

    This fix targets the core mechanics of the shutdown sequence, ensuring that pending updates no longer trigger automatic restarts if a shutdown is explicitly requested.

    Testing in the Insider program has shown promising results, with early feedback indicating that PCs now properly power off as intended, halting the disruptive cycle.

    The company highlighted that this is part of broader efforts to refine Windows Update’s reliability. Preview builds like this one allow Microsoft to iron out issues before they hit the stable release, expected in a future monthly update.

    For now, Insiders in the Dev or Beta channels can access the fix by enabling the toggle in Settings > Windows Update. Microsoft advised non-Insiders to hold off, as preview software carries risks like instability.

    This resolution brings much-needed relief to the Windows 11 community, where the bug had eroded trust in the update process.

    Power users and IT administrators, who rely on scheduled shutdowns for maintenance, stand to benefit most, avoiding the manual interventions that previously mitigated the problem.

    As Windows 11 approaches its fourth year, such fixes underscore Microsoft’s commitment to polishing the user experience amid competition from macOS and Linux distributions.

    Looking ahead, experts predict this could pave the way for smarter update controls, like customizable shutdown behaviors or AI-driven failure predictions.

    For everyday users, the immediate takeaway is simpler: the next time an update prompts “update and shut down,” it should finally mean what it says. With the fix now in testing, a stable rollout could arrive by late 2025, restoring peace to late-night computing.


    The post Microsoft Fixes Long-standing Windows 11 ‘Update and Shut down’ Bug appeared first on Cyber Security News.


  • Security researchers have identified a new, active campaign of the Stealit malware that uses an experimental Node.js feature to infect Windows systems. According to a report from FortiGuard Labs, threat actors are leveraging Node.js’s Single Executable Application (SEA) functionality to package and distribute their malicious payloads. This updated tactic marks a shift from previous Stealit […]

    The post New Stealit Malware Exploits Node.js Extensions to Target Windows Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Clicking on a malicious link can turn your device into a security risk within seconds. Your browser may start downloading malware, exploit a vulnerability in the browser or one of its plugins, or land on a fake website that tries to steal your credentials and personal information.

    The crucial moments following this action determine whether you’ll successfully contain the threat or become another victim of cybercrime.

    This comprehensive guide provides the essential steps every computer and mobile device user must take to protect themselves and their data when they realize they’ve clicked on a suspicious link.​

    Immediate Response Flowchart for Suspicious Link Clicks

    The immediate response to clicking a suspicious link requires swift, strong action across multiple fronts. Modern phishing attacks have evolved far beyond simple email scams, now incorporating sophisticated social engineering techniques, artificial intelligence-powered content generation, and advanced malware delivery systems that can compromise devices within seconds.

    Understanding the proper response protocol can mean the difference between a minor security scare and a devastating data breach that could cost thousands of dollars and months of recovery time.​
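Before working through the steps below, it helps to know how worried to be. The following Python function is an added example (not part of the original guide): it triages the link you clicked and returns short reason codes you can paste into an IT ticket or a report to the impersonated company. The brand, shortener and TLD lists are constructed examples to be tuned locally, and the registrable-domain guess uses the last two labels rather than a public-suffix lookup.

```python
"""Quick triage of a suspicious URL (added example, not from the original guide)."""
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed lists: extend with the brands and shorteners relevant to you.
BRANDS = {"paypal", "microsoft", "office365", "apple", "google", "amazon"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
RISKY_TLDS = {"zip", "mov", "top", "xyz", "icu"}


def triage_url(url: str) -> list:
    """Return reason codes for the red flags found in `url` (empty list = nothing obvious)."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    labels = [l for l in host.split(".") if l]

    if parts.scheme not in ("http", "https"):
        reasons.append("non-web-scheme")            # javascript:, data:, file: ...
    if "@" in parts.netloc:
        reasons.append("userinfo")                  # https://login.bank.com@evil.example/
    try:
        ipaddress.ip_address(host.strip("[]"))
        reasons.append("ip-literal")                # raw IP instead of a host name
    except ValueError:
        pass
    if any(l.startswith("xn--") for l in labels):
        reasons.append("punycode")                  # IDN homograph candidate
    if len(labels) >= 5:
        reasons.append("deep-subdomains")           # brand.com.secure-login.evil.top
    if labels and labels[-1] in RISKY_TLDS:
        reasons.append("risky-tld")
    if host in SHORTENERS:
        reasons.append("shortener")                 # final destination is hidden
    if re.search(r"https?://", unquote(parts.query), re.I):
        reasons.append("redirect-param")            # open-redirect style ?url=https://...
    # A brand name in a subdomain while the registrable domain is something else.
    registrable = ".".join(labels[-2:])
    if any(b in l for l in labels[:-2] for b in BRANDS) and \
            not any(b in registrable for b in BRANDS):
        reasons.append("brand-in-subdomain")
    return reasons


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "http://paypal.com.secure-login.xn--pple-43d.top/verify",
              "https://login.microsoft.com@198.51.100.7/owa"):
        print(u, "->", triage_url(u))
```

A clean result does not prove the link was safe (a compromised legitimate site triggers none of these checks), so it only informs how urgently to work through the steps that follow; any non-empty result is worth reporting.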

    Understanding The Immediate Threats

    Automatic Malware Downloads And Drive-by Attacks

    The moment you click a malicious link, several dangerous processes can begin automatically without any additional user interaction.

    Drive-by downloads represent one of the most insidious threats, as they exploit vulnerabilities in web browsers, plugins, or operating systems to install malware on your device silently.

    These attacks work by fingerprinting your browser, its plugins and your operating system, then serving the exploit that matches an unpatched vulnerability in that particular combination.​

    Modern drive-by download attacks operate through multiple vectors, including compromised legitimate websites, malicious advertisements (malvertising), and specially crafted phishing sites.

    The malware payload can range from ransomware and keyloggers to remote access trojans that give cybercriminals complete control over your device.

    What makes these attacks particularly dangerous is their stealth nature – the entire infection process occurs in the background, often without any visible indicators that your system has been compromised.​

    The sophistication of these attacks has increased dramatically in recent years. Attackers now use exploit kits – automated toolkits that identify and exploit system vulnerabilities – to maximize their success rates.

    These kits can detect your browser version, installed plugins, and operating system configuration to deploy the most effective malware variant for your specific setup.

    Some advanced attacks even use fileless techniques, injecting malicious code directly into memory to avoid detection by traditional antivirus software.​

    Browser Exploitation And Session Hijacking

    Beyond automatic downloads, malicious links can exploit browser vulnerabilities to compromise your online sessions and steal authentication credentials.

    Cross-site scripting (XSS) attacks inject malicious JavaScript code into legitimate websites, allowing attackers to steal session cookies, capture keystrokes, or redirect users to phishing sites.

    These attacks are particularly dangerous because they abuse the trust relationship between your browser and legitimate websites.​ Session hijacking attacks specifically target the cookies that maintain your logged-in status on websites.

    Once an attacker steals these session cookies, they can impersonate you on any website where you’re currently authenticated, potentially accessing your email, banking, social media, and other sensitive accounts.

    Modern malware families increasingly include “infostealer” modules specifically designed to extract cookies from browser sessions, with these stolen credentials then sold on dark web marketplaces.​

    The implications of successful session hijacking extend far beyond individual account compromise. Attackers can use hijacked sessions to access corporate networks, steal intellectual property, or launch additional attacks against your contacts and colleagues.

    The average cost of a data breach resulting from compromised credentials exceeds $150 per record, making this a particularly expensive form of cybercrime. Until you’re certain your device is clean, it is essential to protect your entire digital ecosystem.​

    Disconnect From the Internet Immediately

    The first and most critical step is to sever your device’s connection to the internet. Unplug the Ethernet cable for a wired connection or turn off the Wi-Fi on your device.

    This action can prevent malware from fully installing, stop it from spreading to other devices on your network, and cut off any unauthorized transmission of your data to an attacker’s server. On a managed work device, follow your IT or security team’s guidance first, because disconnecting can also cut off the remote tools they use to investigate.​

    Back Up Your Essential Files

    Before attempting to remove any potential malware, back up your important files to an external hard drive or a USB drive. This ensures that your sensitive documents, photos, and other irreplaceable data are safe in case they are corrupted or erased during the cleanup process.

    Be selective and only back up essential files to avoid accidentally saving any malicious programs that may have been downloaded.​

    Run a Full System Scan for Malware

    Use a reputable antivirus or anti-malware program to perform a comprehensive scan of your device. This will help detect and quarantine or remove any malicious software that may have been installed when you clicked the link.

    Ensure your security software is up to date to identify the latest threats effectively. If you do not have security software, download it on a separate, clean device and transfer the installer on a USB drive, or reconnect to the internet only as briefly as necessary to fetch it.​

    Change Your Passwords

    Immediately change the passwords for any accounts whose credentials you may have entered on the suspicious site, and do so from a different device you trust: if a keylogger is running on the affected device, changing passwords there simply hands the attacker the new ones. It is also a critical security measure to update the passwords for your most important accounts, such as email, banking, and social media.

    Use strong, unique passwords for each account and enable multi-factor authentication (MFA) wherever possible to add a crucial layer of security.​

    Monitor Accounts and Report the Incident

    Keep a close watch on your financial statements and online accounts for any suspicious activity. If you believe sensitive information like your Social Security number was compromised, consider placing a fraud alert with the major credit bureaus.

    Finally, report the phishing attempt to relevant organizations, such as the Federal Trade Commission (FTC), the Internet Crime Complaint Center (IC3), and the company that was being impersonated. If the incident occurred on a work device, notify your IT department immediately.​


    The post 5 Immediate Steps to be Followed After Clicking on a Malicious Link appeared first on Cyber Security News.


  • A massive, coordinated botnet campaign is actively targeting Remote Desktop Protocol (RDP) services across the United States.

    Security firm GreyNoise reported on October 8, 2025, that it has been tracking a significant wave of attacks originating from over 100,000 unique IP addresses spanning more than 100 countries.

    The operation appears to be centrally controlled, with the primary objective of compromising RDP infrastructure, a critical component for remote work and administration.

    The scale and organized nature of this campaign pose a significant threat to organizations that depend on RDP for their daily operations.

    The investigation into this widespread attack began after GreyNoise analysts detected an anomalous spike in traffic from Brazilian-geolocated IPs.

    This initial finding prompted a broader analysis, which quickly uncovered similar surges in activity from a multitude of countries, including Argentina, Iran, China, Mexico, Russia, and South Africa. Despite the diverse geographic origins, the attacks share a common target: RDP services within the United States.

    Figure: Botnet Targeting RDP Infrastructure

    Analysts are highly confident that this activity is the work of a single, large-scale botnet. This conclusion is supported by the fact that nearly all participating IPs share a similar TCP fingerprint. This technical signature suggests a standard, centralized command-and-control structure orchestrating the attacks.

    The threat actors behind this campaign are employing two specific attack vectors to identify and compromise vulnerable systems.

    The first is an RD Web Access timing attack, in which the attacker measures how long the server takes to respond to a logon attempt; the difference in response time between an existing and a non-existent account lets valid usernames be confirmed without a correct password.

    The second vector is RDP web client login enumeration, which systematically tries username and password combinations against the web client. Together these methods let the botnet efficiently identify exploitable RDP access points while staying below the per-source thresholds that standard security alerts rely on.

    The synchronized use of these specific, non-trivial attack methods across such a vast number of nodes further points to a coordinated operation managed by a single operator or group.

    Mitigations

    In response to this ongoing threat, GreyNoise has released specific recommendations for network defenders. The firm advises organizations to proactively check their security logs for unusual RDP probing or failed login attempts that match the patterns of this campaign.
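The log review GreyNoise recommends has a catch: with 100,000+ sources, each node can stay under any per-IP failed-logon threshold. The following Python script is an added example (not GreyNoise's code or detection logic) that reads IIS W3C log lines for the RD Web login page and reports both a single loud brute-forcer and a low-and-wide distributed sweep by counting distinct sources per time window. It assumes a POST to the login page returning 200 is a failed logon (the form is re-rendered) and a 302 is the post-logon redirect; the log lines are constructed.

```python
"""RDWeb logon probing in IIS W3C logs: single source and distributed (added example)."""
import statistics
from collections import Counter
from datetime import datetime, timedelta

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "cs-Referer", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]
LOGIN_STEM = "/rdweb/pages/en-us/login.aspx"


def parse_iis_line(line: str):
    """Map one W3C log line onto FIELDS; directives (#...) and short lines are skipped."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def failed_logins(lines):
    """POSTs to the login page answered with 200 (assumption: failed logon), time-sorted."""
    out = []
    for line in lines:
        r = parse_iis_line(line)
        if r and r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_STEM \
                and r["sc-status"] == "200":
            out.append(r)
    return sorted(out, key=lambda r: r["ts"])


def max_distinct_sources(attempts, window):
    """Largest number of distinct c-ip values whose failures fall inside any
    window-long interval (two-pointer sweep over the time-sorted attempts)."""
    counts, best, j = Counter(), 0, 0
    for a in attempts:
        counts[a["c-ip"]] += 1
        while attempts[j]["ts"] < a["ts"] - window:
            old = attempts[j]["c-ip"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            j += 1
        best = max(best, len(counts))
    return best


def detect(lines, window=timedelta(minutes=5), per_ip_threshold=10, distributed_ips=25):
    """Per-IP counting catches a brute-forcer; a botnet stays under that threshold
    per node, so also flag many distinct sources failing in the same window."""
    attempts = failed_logins(lines)
    per_ip = Counter(a["c-ip"] for a in attempts)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    distinct = max_distinct_sources(attempts, window)
    low_and_wide = bool(per_ip) and statistics.median(per_ip.values()) < per_ip_threshold
    return {"noisy_ips": noisy, "max_distinct_sources": distinct,
            "distributed": distinct >= distributed_ips and low_and_wide}


def constructed_log():
    """Constructed sample: a header, one loud source, a 40-node sweep, one real logon."""
    base = datetime(2025, 10, 8, 3, 0, 0)

    def line(ts, ip, status, taken):
        return (f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx - 443 - "
                f"{ip} Mozilla/5.0 - {status} 0 0 {taken}")

    lines = ["#Fields: " + " ".join(FIELDS)]
    for k in range(20):                                   # one loud brute-forcer
        lines.append(line(base + timedelta(seconds=3 * k), "203.0.113.9", 200, 180))
    for k in range(40):                                   # 40 sources, two tries each
        ip = f"198.51.100.{k + 1}"
        lines.append(line(base + timedelta(seconds=k), ip, 200, 150))
        lines.append(line(base + timedelta(seconds=k + 30), ip, 200, 150))
    lines.append(line(base + timedelta(minutes=7), "192.0.2.44", 302, 210))  # real logon
    return lines


if __name__ == "__main__":
    print(detect(constructed_log()))
```

Point the script at the RDWeb site's own IIS logs (the field order must match the `#Fields:` directive in your files; adjust FIELDS if it differs) and tune the two thresholds to the normal logon volume of the gateway.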

    For more direct protection, GreyNoise has created a dynamic blocklist template, named “microsoft-rdp-botnet-oct-25,” available through its platform.

    This allows customers to automatically block all known IP addresses associated with this malicious botnet activity, effectively cutting off the attacks at the network perimeter.

    Organizations that use RDP for remote work should check their RDP security. They need to enforce strong password policies and use multi-factor authentication whenever possible. This will help protect against large-scale hacking attempts, such as brute-force attacks.


    The post Hackers Attacking Remote Desktop Protocol Services from 100,000+ IP Addresses appeared first on Cyber Security News.


  • Alongside the release of Kali Linux 2025.3, a new tool pairs a large language model with network scanning: llm-tools-nmap.

    A new experimental plugin, llm-tools-nmap, has been released, providing Simon Willison’s command-line Large Language Model (LLM) tool with network scanning capabilities.

    This package integrates the powerful and widely used Nmap security scanner, enabling LLMs to perform network discovery and security auditing tasks through function calling.

    Kali Linux 2025.3 ships several other new tools as well, including gemini-cli.

    The plugin allows users to issue natural language commands to the LLM, which are then translated into specific Nmap scanning actions.

    The primary function of llm-tools-nmap is to act as a bridge between the LLM and the Nmap tool. Its features cover a wide range of network scanning tasks essential for security professionals and system administrators.

    The plugin can perform network discovery to identify local network information and suggest appropriate scan ranges.

    It supports various scanning types, including quick scans of common ports, targeted scans of specific port ranges, and ping scans to discover live hosts on a network.

    More advanced capabilities include service detection to identify the software and versions running on open ports, operating system detection to profile target systems, and the ability to run Nmap Scripting Engine (NSE) scripts for customized and advanced vulnerability detection.

    Installation and Usage

    To use the plugin, several prerequisites must be met. Users need a working installation of Python 3.7 or higher, Simon Willison’s LLM tool, and, critically, a functional Nmap installation.

    Nmap can be easily installed on most operating systems, such as via sudo apt-get install nmap on Debian/Ubuntu systems or brew install nmap on macOS.

    The tool functions are currently experimental and can be invoked using the --functions flag in the command line.

    • nmap_scan(target, options=""): Generic Nmap scan with custom options
    • nmap_quick_scan(target): Fast scan of common ports (-T4 -F)
    • nmap_port_scan(target, ports): Scan specific ports
    • nmap_service_detection(target, ports=""): Service version detection (-sV)
    • nmap_os_detection(target): Operating system detection (-O)
    • nmap_ping_scan(target): Ping scan to discover live hosts (-sn)
    • nmap_script_scan(target, script, ports=""): Run NSE scripts

    For example, a user could initiate a scan by running a command like llm --functions llm-tools-nmap.py "scan my network for open databases".

    Other examples include discovering local network information or performing detailed service detection on specific IP addresses and ports.

    Together with get_local_network_info(), which reports the local interfaces and suggests scan ranges, these functions make up the plugin’s tool surface.
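Because the model, not the operator, chooses the arguments passed to these functions, the tool layer has to validate them and must never build a shell command string. The following Python is an added example, not the llm-tools-nmap code: it shows a hardened wrapper around the same flag sets listed above, refuses option-shaped or shell-metacharacter targets, invokes nmap in list form with XML output, and parses that output. PROFILES, validate_target and the sample XML are this example's own constructions.

```python
"""Hardened nmap wrapper for LLM tool calling (added example, not llm-tools-nmap)."""
import ipaddress
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                     r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)
PORTS_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")
SCRIPT_RE = re.compile(r"^[a-z0-9][a-z0-9_.,*-]*$", re.I)
# Flag sets mirror the functions listed above; "custom" passes none.
PROFILES = {"quick": ["-T4", "-F"], "service": ["-sV"], "os": ["-O"],
            "ping": ["-sn"], "custom": []}


def validate_target(target: str) -> str:
    """Accept one host name, IP or CIDR. Option-shaped values and shell
    metacharacters are refused so a model cannot smuggle '--script' or '; rm'."""
    t = target.strip()
    if not t or t.startswith("-") or any(c in t for c in " \t\n;|&$`\"'<>(){}"):
        raise ValueError(f"refusing target {target!r}")
    try:
        ipaddress.ip_network(t, strict=False)
        return t
    except ValueError:
        pass
    if HOST_RE.match(t):
        return t
    raise ValueError(f"refusing target {target!r}")


def build_argv(profile: str, target: str, ports: str = "", script: str = "") -> list:
    """Argument vector for subprocess; no shell is ever involved."""
    argv = ["nmap", "-oX", "-", *PROFILES[profile]]      # XML on stdout for parsing
    if ports:
        if not PORTS_RE.match(ports):
            raise ValueError(f"bad port spec {ports!r}")
        argv += ["-p", ports]
    if script:
        if not SCRIPT_RE.match(script):
            raise ValueError(f"bad script spec {script!r}")
        argv += ["--script", script]
    argv.append(validate_target(target))                 # target last, never option-shaped
    return argv


def parse_nmap_xml(xml_text: str) -> list:
    """Reduce nmap -oX output to hosts and their open ports."""
    results = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address")
        open_ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            })
        results.append({"host": addr_el.get("addr") if addr_el is not None else "?",
                        "open_ports": open_ports})
    return results


def run_scan(profile: str, target: str, ports: str = "", script: str = "") -> list:
    """What an LLM-facing function should call. -O and some NSE scripts need root."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap is not installed")
    argv = build_argv(profile, target, ports, script)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)  # list form
    return parse_nmap_xml(proc.stdout)


# Constructed nmap XML, trimmed to the elements parse_nmap_xml reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun><host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="3306"><state state="closed"/></port>
<port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    print(build_argv("service", "192.0.2.0/24", ports="22,80-443"))
    print(parse_nmap_xml(SAMPLE_XML))
```

Only run_scan touches the network, so the validation and parsing can be exercised without nmap installed; once the wrapper is registered as a tool, the model sees a narrow interface (profile, target, ports, script) rather than a free-form command line.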

    While these functions offer powerful automation, the developers have issued strong security warnings. Users are reminded that giving an LLM access to security tools is experimental and could lead to unintended consequences.

    Certain Nmap features, such as OS detection, require root or administrator privileges to function correctly. Furthermore, users must always have explicit permission to scan the target networks and remain compliant with their organization’s security policies regarding network scanning activities.


    The post New Kali Tool llm-tools-nmap Uses Nmap For Network Scanning Capabilities appeared first on Cyber Security News.
