Daily Digest

Germany just dropped a bombshell on the ransomware underworld. The BKA has publicly named and shamed “UNKN”—the elusive mastermind behind the notorious GandCrab and REvil ransomware gangs. Meet Daniil Maksimovich Shchukin, a 31-year-old Russian who allegedly ran two of the most destructive cybercrime operations in history. He’s accused of orchestrating at least 130 attacks across Germany, extorting nearly $2 million euros, and causing over 35 million euros in total damage. If you’ve ever wondered who was behind the double-extortion playbook that paralyzed hospitals, schools, and businesses worldwide—now you have a name and a face. The risk? This is a stark reminder that even the most anonymous hackers can be unmasked, and their victims are still counting the costs.

**What exactly happened** Germany’s Federal Criminal Police (BKA) has officially doxed the hacker known as “UNKN” or “UNKNOWN.” In a detailed advisory, they identified him as Daniil Maksimovich Shchukin, a 31-year-old Russian national. Shchukin is accused of being the head of both GandCrab and REvil—two ransomware groups that terrorized the digital world from 2019 to 2021. The BKA also named a co-conspirator, 43-year-old Anatoly Sergeevitsch Kravchuk, who allegedly helped execute the attacks. Together, they extorted nearly $2 million euros from victims across 24 cyberattacks. The total economic damage? A staggering 35 million euros. **Who is affected and how** The victims were primarily in Germany, but the ripple effects were global. GandCrab and REvil targeted hospitals, schools, government agencies, and private companies. These weren’t just data breaches—they were life-or-death situations. Hospitals lost access to patient records. Schools couldn’t operate. Businesses faced weeks of downtime. The double-extortion model meant victims paid twice: once to unlock their systems, and again to prevent stolen data from being leaked online. It was a brutal, no-escape trap. **The real-world impact and consequences** Beyond the immediate financial losses, the psychological toll was immense. Victims lived in fear of their private data being exposed. Some companies never recovered. Shchukin’s unmasking is a major win for law enforcement, but it also sends a chilling message to the cybercrime ecosystem. The BKA didn’t just name him—they released his mugshot, showing a man who once thought he was untouchable. This case also highlights how ransomware groups evolve. GandCrab was a pioneer, and REvil took its brutality to new heights. Their downfall shows that even the most sophisticated gangs can be dismantled. **Technical breakdown (the “how” explained simply)** GandCrab first appeared in January 2018 as a ransomware-as-a-service (RaaS) operation. It paid affiliates—enterprising hackers—huge commissions to spread the malware. The gang used phishing emails, exploit kits, and compromised remote desktop protocols to break into networks. Once inside, they encrypted files and demanded payment in cryptocurrency. REvil, which emerged later, added the double-extortion twist. They stole sensitive data before encryption, then threatened to publish it if victims didn’t pay. This made the attacks far more damaging and harder to ignore. Shchukin’s digital trail was eventually traced through cryptocurrency wallets. A U.S. Justice Department filing from February 2023 revealed a wallet tied to him containing over $317,000 in ill-gotten crypto. **What should be done — mitigation and recommendations** For organizations, the lessons are clear. First, never assume you’re too small to be a target. Ransomware gangs like REvil hit anyone with a pulse. Second, invest in offline backups. If your data is encrypted, the only way to recover without paying is to have clean copies stored separately. Third, train employees to spot phishing attempts. Most ransomware infections start with a single click. Finally, report attacks immediately. Law enforcement can’t help if they don’t know. The BKA’s success in this case came from victims coming forward and sharing forensic evidence. **Why this matters in the bigger cybersecurity landscape** This unmasking is a landmark moment. It proves that anonymity in cybercrime is not absolute. The BKA, working with international partners, showed that persistence and collaboration can crack even the most secretive operations. It also underscores the evolving nature of ransomware. GandCrab and REvil were trailblazers, but their takedown doesn’t mean the threat is gone. New groups will emerge, learning from their mistakes. For the cybersecurity community, this is a reminder to stay vigilant. For the public, it’s a warning that the digital world is not a lawless frontier—but only if we keep fighting back.

A cybercrime group just threw a digital grenade into the Iran conflict—and it’s not your typical ransomware. Meet TeamPCP, a relatively new crew that unleashed a worm called CanisterWorm over the weekend, targeting systems set to Iran’s time zone or Farsi language. This isn’t just data theft. It’s a wiper attack that destroys files, spreads through cloud misconfigurations, and exploits war tensions for profit. If your organization uses Docker, Kubernetes, or Redis in the cloud, you’re in the crosshairs. The stakes? Extortion, data loss, and a chilling new playbook for cybercrime.

**What exactly happened** TeamPCP, a financially motivated group that emerged in December 2025, launched a wiper campaign against Iran this past weekend. The worm, dubbed CanisterWorm, targets systems with Iran’s time zone or Farsi as the default language—wiping data instead of just encrypting it. This isn’t a state-sponsored attack; it’s a criminal group piggybacking on geopolitical conflict. The worm spreads through exposed cloud services, including Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. Once inside, it moves laterally, stealing credentials and demanding payment via Telegram. The twist? It doesn’t just encrypt—it destroys. **Who is affected and how** Any organization with poorly secured cloud infrastructure is at risk, but the primary targets are those in Iran or using Iranian settings. However, the worm’s self-propagating nature means it can spread globally through misconfigured environments. Azure and AWS account for 97% of compromised servers, according to security firm Flare. Victims face data loss, operational disruption, and extortion threats. The group’s Telegram channel is used to pressure targets, adding a layer of psychological warfare to the technical attack. **The real-world impact and consequences** This attack blurs the line between cybercrime and cyberwar. By targeting Iran-specific settings, TeamPCP injects itself into a volatile geopolitical landscape. The wiper aspect makes recovery nearly impossible without backups—and even then, lateral movement can reinfect clean systems. For businesses, the message is clear: cloud misconfigurations aren’t just a compliance issue. They’re a direct path to data destruction. The attack also highlights how cybercrime groups can weaponize existing tools and vulnerabilities at scale, without needing zero-days. **Technical breakdown (explain the “how” simply)** TeamPCP doesn’t invent new exploits. Instead, it industrializes known vulnerabilities and misconfigurations. The worm targets exposed control planes—think of them as the “master switches” for cloud environments. By compromising Docker APIs or Kubernetes clusters, the group gains a foothold. From there, it uses automated scripts to spread, steal credentials, and deploy the wiper. The worm checks system settings: if the time zone is Iran or the language is Farsi, it triggers data destruction. Otherwise, it may still steal data for extortion. Flare’s analysis calls this a “cloud-native exploitation platform” that turns exposed infrastructure into a self-propagating criminal ecosystem. **What should be done — mitigation and recommendations** First, lock down cloud control planes. Disable public access to Docker APIs, Kubernetes dashboards, and Redis servers unless absolutely necessary. Use network segmentation and firewalls to limit lateral movement. Second, enforce strong authentication—multi-factor everywhere, especially for cloud management interfaces. Monitor for unusual API calls or credential harvesting activity. Finally, maintain offline backups. If a wiper hits, online backups can be destroyed too. For organizations using GitHub Actions or similar CI/CD tools, watch for supply chain attacks. TeamPCP has already compromised legitimate repositories to push malware, as seen with the KICS vulnerability scanner. **Why this matters in the bigger cybersecurity landscape** CanisterWorm is a wake-up call. It shows how cybercrime groups can exploit geopolitical events for profit, using automation to scale attacks without advanced skills. The shift from ransomware to wipers—even by criminals—signals a dangerous trend: data destruction as a business model. This also underscores the fragility of cloud security. Misconfigurations are the new soft underbelly of the internet. As more organizations migrate to the cloud, the attack surface grows. TeamPCP’s playbook is likely to be copied, making this not just a regional incident, but a blueprint for future attacks worldwide.

Forget everything you thought you knew about Chinese state hackers hiding their tracks. The UK’s NCSC just dropped a bombshell advisory with ten international allies, revealing that the playbook has fundamentally changed. The majority of China-nexus hacking groups have ditched their own servers. Instead, they are now piggybacking on a massive, living network of hijacked home routers, security cameras, and old NAS drives. If you own a small office router or a smart device, it could be a silent pawn in a state-sponsored cyberattack—and you wouldn’t even know it.

**What exactly happened** The United Kingdom’s National Cyber Security Centre (NCSC-UK), alongside agencies from the US, Australia, Canada, Germany, Japan, and five other nations, issued a joint advisory with a stark warning. Chinese state-backed hackers are now overwhelmingly using vast botnets made from compromised consumer devices to mask their attacks. This isn’t a small shift. The advisory states that the *majority* of China-nexus threat actors have moved away from buying their own infrastructure. Instead, they are building and maintaining multiple covert networks, constantly updating them with fresh, hijacked nodes. **Who is affected and how** The primary victims are everyday devices you probably have at home or in a small office. Think SOHO routers from brands like Cisco and Netgear, internet-connected cameras, video recorders, and network-attached storage (NAS) boxes. These devices are often left unpatched or use default passwords. The attackers don’t just use one device. They chain them together. Traffic enters the network at one compromised router, hops through several others across the globe, and then exits near the final target. This makes it incredibly hard to trace the attack back to its source. **The real-world impact and consequences** We aren’t talking about nuisance attacks. These botnets have been linked to campaigns targeting the military, government agencies, higher education, telecoms, and the defense industrial base. The primary targets are in the US and Taiwan. Take the “Raptor Train” botnet. In 2024, it infected over 260,000 devices worldwide. The FBI linked it directly to the Chinese state-sponsored group Flax Typhoon and a sanctioned Chinese company. The FBI disrupted it in September 2024, but the scale shows how deep the problem runs. Another network, “KV-Botnet,” was used by the infamous Volt Typhoon group. It relied on outdated Cisco and Netgear routers. Even after the FBI wiped the malware in January 2024, Volt Typhoon started reviving the botnet by November 2024. These networks are persistent and resilient. **Technical breakdown** How does it work? The hackers scan the internet for vulnerable devices—usually those with default credentials or unpatched firmware. Once compromised, the device becomes a “node” in the botnet. The attacker then routes their malicious traffic through multiple nodes. This creates a proxy chain. For a defender, blocking a single IP address is useless because the botnet has thousands of others ready to go. As the advisory notes, traditional defenses based on static IP blocklists are becoming obsolete. **What should be done — mitigation and recommendations** For organizations, the advice is clear. Stop relying on simple IP blocking. Start mapping every network edge device you own. Implement multifactor authentication everywhere you can. Leverage dynamic threat feeds that include indicators from known covert networks. Where possible, apply IP allowlists and zero-trust controls. Machine certificate verification can also help ensure only authorized devices connect to your network. For individuals, the basics still matter. Change default passwords on your router and smart devices. Keep firmware updated. If a device is no longer receiving security patches, consider replacing it. **Why this matters in the bigger cybersecurity landscape** This advisory signals a major escalation in the cat-and-mouse game of attribution. By using your home router as a proxy, state actors can attack critical infrastructure while making it look like the attack originated from a random IP in your neighborhood. Paul Chichester, NCSC-UK’s Director of Operations, put it bluntly: these botnets exploit everyday devices to carry out large-scale cyber attacks. The threat is no longer just about sophisticated malware. It’s about the sheer volume of compromised, unassuming hardware sitting in homes and small offices around the world.

A new state-backed hacking group called GopherWhisper is turning your favorite chat apps into weapons. Since 2023, this Chinese-linked crew has been using Slack, Discord, and even Microsoft Outlook to secretly control malware inside government networks. The first known victim? A government agency in Mongolia. But ESET researchers warn the real number of compromised systems could be in the dozens—and we don’t know where they are yet. If you’re in government or critical infrastructure, this one’s aimed at you.

**What exactly happened** ESET uncovered a previously unknown threat actor, GopherWhisper, that has been active since at least 2023. The group’s signature move? Using legitimate services like Slack, Discord, and Microsoft 365 Outlook as command-and-control (C2) channels for their malware. In January 2025, ESET detected the first Go-based backdoor, named LaxGopher. That discovery opened the door to a whole toolkit of custom malware, most written in Go, designed to evade traditional detection by hiding in plain sight. **Who is affected and how** The confirmed victim is a Mongolian government institution, where GopherWhisper compromised 12 systems. But the real picture is much bigger. By accessing the attacker’s own Slack and Discord accounts, ESET recovered over 9,000 messages—revealing commands sent to “dozens of other victims” worldwide. The group used hardcoded credentials in their backdoors, which let researchers log into the same C2 servers. That’s how they saw the full scope: victims beyond Mongolia, but with no visibility into their geography or sector. **The real-world impact and consequences** This isn’t just a technical curiosity. GopherWhisper’s toolkit includes a custom exfiltration tool called CompactGopher, which compresses stolen data and uploads it to the file-sharing service File.io. That means sensitive government data—diplomatic cables, internal communications, classified documents—could be siphoned out silently. The use of Slack and Discord also makes detection harder. These platforms are often whitelisted in corporate environments, so traffic to them looks benign. Traditional network monitoring might miss the attack entirely. **Technical breakdown (the “how” explained simply)** GopherWhisper’s malware suite is a mix of Go and C++ tools, each with a specific job: - **LaxGopher** – A Go backdoor that pulls commands from a private Slack server, executes them via Command Prompt, and downloads new payloads. - **RatGopher** – Same idea, but uses Discord for C2. Commands and results are posted to a configured channel. - **BoxOfFriends** – A Go backdoor that abuses Microsoft Graph API to create and modify draft emails in Outlook for stealthy communication. - **SSLORDoor** – A C++ backdoor using OpenSSL over raw sockets on port 443, capable of file operations and drive enumeration. - **JabGopher** – An injector that hides LaxGopher inside svchost.exe memory. - **FriendDelivery** – A DLL loader that executes BoxOfFriends. - **CompactGopher** – A file collection tool that compresses and exfiltrates data to File.io. All these tools use hardcoded credentials for the C2 platforms, which ironically gave ESET a backdoor into the attacker’s own operations. **What should be done — mitigation and recommendations** ESET has published indicators of compromise (IoCs) to help defenders block GopherWhisper. But the real lesson is about visibility. Organizations should monitor for unusual API calls to Slack, Discord, and Microsoft Graph—especially from non-browser processes. Network segmentation and strict application allowlisting can also limit the damage. If a government workstation shouldn’t be talking to Discord, block it at the firewall. **Why this matters in the bigger cybersecurity landscape** GopherWhisper represents a growing trend: state-sponsored groups using legitimate SaaS platforms as C2 infrastructure. It’s cheap, reliable, and blends in with normal traffic. As more organizations move to cloud-first environments, this attack vector will only become more common. The group’s Chinese attribution, based on timezone analysis and locale metadata, also shows how attackers are adapting to avoid traditional attribution methods. For defenders, the takeaway is clear: trust no app, verify every connection.

A new Mirai botnet campaign is actively weaponizing a command-injection flaw in D-Link DIR-823X routers—and these devices are already past their expiration date. The vulnerability, tracked as CVE-2025-29635, lets attackers hijack routers with a single POST request, turning them into DDoS zombies. If you're still using an end-of-life D-Link router, you're the prime target. No patch is coming, and the attackers are already scanning for victims. This isn't a theoretical risk—it's happening right now, and the clock is ticking for anyone relying on unsupported hardware.

**What exactly happened** Akamai's SIRT team spotted the first real-world exploitation of CVE-2025-29635 in early March 2026—over a year after the flaw was publicly disclosed. The vulnerability allows remote command execution on D-Link DIR-823X routers by sending a crafted POST request to the `/goform/set_prohibiting` endpoint. Attackers are using this to deploy a Mirai-based malware variant called "tuxnokill." **Who is affected and how** The flaw impacts D-Link DIR-823X series routers running firmware versions 240126 and 24082. These devices reached end-of-life in November 2024, meaning D-Link no longer provides security updates. If you own one of these routers, you're effectively sitting on an unpatched exploit magnet. The attackers are actively scanning for vulnerable devices and deploying malware within seconds of gaining access. **The real-world impact and consequences** Once compromised, your router becomes part of a botnet capable of launching massive DDoS attacks. The "tuxnokill" malware supports multiple architectures and includes Mirai's classic arsenal: TCP SYN/ACK/STOMP floods, UDP floods, and HTTP null attacks. This isn't just a nuisance—it can take down websites, disrupt services, and even impact critical infrastructure if enough devices are enlisted. **Technical breakdown** The attack chain is surprisingly simple. Attackers send a POST request that changes directories across writable paths, downloads a shell script (`dlink.sh`) from an external IP, and executes it. The script then installs the Mirai payload. No authentication is required—just network access to the vulnerable endpoint. The same pattern is being used to exploit flaws in TP-Link and ZTE routers, suggesting a single, well-organized threat actor behind the campaign. **What should be done — mitigation and recommendations** Since no patch is coming, your only real option is to replace the router with a supported model that receives regular security updates. In the meantime, disable remote administration if you don't absolutely need it, change default admin passwords, and monitor for unexpected configuration changes. If you see suspicious outbound traffic or unknown processes, assume compromise and disconnect immediately. **Why this matters in the bigger cybersecurity landscape** This campaign is a textbook case of the growing threat from end-of-life devices. Vendors like D-Link are under no obligation to patch unsupported hardware, even when active exploitation is confirmed. That leaves millions of routers as ticking time bombs. The attackers know this—they're banking on user inertia and the fact that most people never think about their router's firmware. The lesson is clear: if your device is EoL, it's not just old—it's dangerous. Upgrade before you become part of the next botnet.

Russia’s military hackers just pulled off a heist so quiet you’d miss it—unless you check your Microsoft login tokens. They didn’t break into servers or plant malware. Instead, they weaponized old, forgotten routers sitting in homes and offices to steal authentication tokens from over 5,000 devices and 200 organizations. This matters because those tokens let them slip into Microsoft Office accounts like ghosts, bypassing passwords and multi-factor authentication. If you’re using an outdated router—especially in government, law enforcement, or email services—your digital keys might already be in enemy hands.

**What exactly happened** A Russian state-backed hacking group known as Forest Blizzard—also called APT28 or Fancy Bear—exploited known flaws in aging internet routers to harvest Microsoft Office authentication tokens. Microsoft confirmed over 200 organizations and 5,000 consumer devices were compromised. The attackers didn’t need to deploy any malicious code; they simply turned vulnerable routers into silent surveillance nodes. **Who is affected and how** The primary targets were government agencies, including ministries of foreign affairs, law enforcement, and third-party email providers. But the net was wider: at its peak in December 2025, the operation ensnared more than 18,000 routers worldwide. Most were unsupported, end-of-life devices or routers far behind on security patches. If you own a router from 2018 or earlier, you might be in the crosshairs. **The real-world impact and consequences** This isn’t just about stolen data—it’s about persistent, invisible access. With authentication tokens, the hackers could log into Microsoft Office accounts as legitimate users, read emails, access documents, and pivot to other systems. For government agencies, that means classified communications exposed. For law enforcement, ongoing investigations compromised. The 2016 election interference by the same group shows how these tokens could be weaponized for geopolitical disruption. **Technical breakdown (explain the “how” simply)** Here’s the clever part: routers are the gateways to your internet traffic. Forest Blizzard used known vulnerabilities in older router firmware to intercept the authentication tokens Microsoft Office sends when you log in. These tokens are supposed to be temporary keys, but once stolen, they can be reused until they expire. The hackers didn’t need to install spyware—they just listened in on the traffic flowing through compromised routers. Think of it as picking the lock on your mailbox instead of breaking into your house. **What should be done — mitigation and recommendations** First, check your router’s model and firmware. If it’s more than five years old or no longer receiving updates, replace it immediately. Enable automatic updates for any device that supports them. For organizations, implement token expiration policies and monitor for unusual login patterns—like a token from a government office suddenly being used from a foreign IP. Microsoft has also issued patches and recommends enabling conditional access policies to flag suspicious token usage. **Why this matters in the bigger cybersecurity landscape** This attack is a wake-up call. Routers are often the forgotten stepchildren of network security—we upgrade phones and laptops, but let routers gather dust. Forest Blizzard exploited that neglect at scale, showing how low-tech methods (old hardware) can enable high-tech espionage. As the FCC debates new rules to block Chinese-made routers, this incident proves the real threat isn’t just supply chain—it’s the devices already sitting in our homes and offices, quietly aging into vulnerabilities.

Forget everything you thought you knew about fuzzing. A seasoned researcher just dropped a reality check on one of the most popular techniques: mutational grammar fuzzing. It turns out that more code coverage doesn't always mean better bug hunting. In fact, it can actively work against you. If you're using coverage-guided fuzzing to test parsers, compilers, or any structured input, you might be leaving critical vulnerabilities on the table without even knowing it.

**What exactly happened** A veteran security researcher publicly dissected the hidden flaws in mutational grammar fuzzing—a technique widely used to find bugs in software that processes structured data like XML, JSON, or programming languages. The researcher, who has previously uncovered serious issues in browser XSLT implementations and JIT engines, argues that the standard approach has a blind spot that casual users rarely notice. The problem isn't that the technique fails entirely—it's that it subtly optimizes for the wrong thing. **Who is affected and how** Anyone using coverage-guided grammar fuzzers—including popular tools like AFL, libFuzzer, or custom setups—could be impacted. This is especially relevant for developers testing parsers, compilers, interpreters, and any software that validates structured inputs. The real victims? The bugs that never get found. The fuzzer may appear to be making progress by discovering new code paths, but it's actually getting stuck in a local optimum, missing deeper, more complex vulnerabilities that require specific input structures. **The real-world impact and consequences** The consequences are straightforward but serious: your fuzzing campaign might be wasting CPU cycles. You could be running thousands of tests per second, watching coverage numbers climb, and still miss critical security flaws that an attacker could exploit. For organizations relying on fuzzing as part of their security testing pipeline—think browser vendors, compiler teams, or cloud infrastructure providers—this means false confidence. A clean fuzzing report doesn't mean clean code. **Technical breakdown: the "more coverage" trap** Here's the core issue in plain terms. Coverage-guided grammar fuzzing works by mutating valid inputs while keeping them grammatically correct. When a new input triggers unseen code, it gets saved to the corpus for future mutations. The problem? The fuzzer becomes a victim of its own success. Once it finds a set of inputs that cover most code paths, it stops exploring novel structures. It keeps tweaking the same successful seeds, like a musician playing the same hit song on repeat instead of writing new material. The researcher calls this "coverage saturation." The fuzzer's corpus becomes stale, filled with samples that are too similar to each other. Meanwhile, interesting edge cases—like deeply nested structures or unusual combinations of features—never get a chance to form. **What should be done: the simple fix** The researcher's countermeasure is deceptively simple: periodically inject random, valid-but-unusual grammar structures into the corpus, even if they don't immediately increase coverage. Think of it as forcing the fuzzer to take a creative detour. By occasionally replacing older corpus entries with fresh, structurally diverse samples, you break the coverage stagnation loop. The researcher tested this on libxslt and found bugs faster than with default settings. The key insight: novelty matters more than coverage. A fuzzer that explores diverse input structures—even at the cost of some coverage metrics—will find more real-world bugs. **Why this matters in the bigger cybersecurity landscape** This research highlights a growing tension in automated security testing: we're drowning in metrics but starving for insight. Coverage numbers, pass rates, and execution speeds are easy to measure but don't always correlate with actual security. As fuzzing becomes a standard practice in DevSecOps pipelines, understanding these subtle failure modes is critical. The best fuzzing setups aren't the ones that generate the most data—they're the ones that ask the right questions about what data actually matters. The takeaway? Don't trust your fuzzer blindly. Experiment with different strategies, challenge your assumptions, and remember that sometimes the most dangerous bugs hide in the paths you never think to explore.

Microsoft’s GetProcessHandleFromHwnd API has been quietly leaking process handles for years, allowing attackers to bypass security protections and elevate privileges. The API, designed for UI Automation scenarios, was found to be dangerously flawed—granting full access to any process window without proper checks. The real kicker? This vulnerability was publicly disclosed in a UAC bypass using Quick Assist, a built-in Windows tool. If you’re running Windows 10 or 11 (pre-24H2), your system may be at risk from local attackers who can exploit this to gain admin-level control. Time to pay attention.

**What exactly happened** Security researchers uncovered a critical flaw in the GetProcessHandleFromHwnd API, a Windows function that retrieves a process handle from a window handle (HWND). The API was supposed to be a convenience tool for UI Automation, but its implementation in Windows 10 and early Windows 11 versions was dangerously broken. The vulnerability was first publicly demonstrated in a UAC bypass using Quick Assist, a remote assistance tool. Researchers found that the API could be abused to obtain a full-access handle to any process, including those running at higher integrity levels—completely bypassing User Interface Privilege Isolation (UIPI). **Who is affected and how** Any Windows user running version 10 or 11 (before 24H2) is potentially at risk. The attack requires local access, meaning a malicious program or user already on the system can exploit it. This isn’t a remote exploit, but it’s a powerful privilege escalation tool once an attacker gains a foothold. The Quick Assist UAC bypass showed how this could be weaponized: an attacker with standard user privileges could launch a UI Access application, call GetProcessHandleFromHwnd to grab a handle to a high-integrity process, and then inject code to elevate to admin. No admin password needed. **The real-world impact and consequences** This flaw undermines one of Windows’ core security features: UIPI, which is meant to prevent lower-integrity processes from interacting with higher-integrity ones. By breaking this barrier, the API effectively neuters the security model for local attacks. For enterprises, this means that even if users are running as standard accounts, a determined attacker with local code execution can escalate to SYSTEM or admin privileges. This could lead to full system compromise, data theft, or persistent malware installation. **Technical breakdown — the “how” explained simply** The API’s documentation claimed it used a complex method involving windows hooks and UI Access. But in reality, Windows 11’s implementation was much simpler—and more dangerous. The kernel function directly opened a process handle using the window’s process ID, without checking integrity levels or protected process status. The critical oversight: the API didn’t verify whether the target process was a “protected process” (like those running antivirus or critical system components). It also ignored UIPI rules, allowing a low-integrity caller to get a handle to a high-integrity process. The only check was that both processes ran as the same user, which is trivial to satisfy. **What should be done — mitigation and recommendations** Microsoft has fixed this in Windows 11 24H2, where the API now properly respects UIPI and protected process checks. For older systems, the only mitigation is to apply the latest security updates—though Microsoft hasn’t issued a specific patch for this flaw outside of the 24H2 release. System administrators should prioritize upgrading to Windows 11 24H2 or later. For those stuck on older versions, consider restricting UI Access applications and monitoring for unusual API calls from low-integrity processes. Security tools that detect handle duplication anomalies can also help. **Why this matters in the bigger cybersecurity landscape** This vulnerability is a textbook example of how “convenience” APIs can become security nightmares. The GetProcessHandleFromHwnd API was designed to simplify UI Automation, but its implementation skipped fundamental security checks that have existed for years. It also highlights the danger of relying on documentation that doesn’t match reality. The API’s docs claimed it used windows hooks and required UI Access—neither of which was true in practice. This disconnect between documentation and implementation is a recurring theme in Windows security flaws. Finally, the Quick Assist UAC bypass shows that even built-in tools can be weaponized. As Windows continues to add features for accessibility and automation, each new API must be scrutinized for unintended privilege escalation paths. The fix in 24H2 is a step forward, but the lesson remains: trust, but verify—especially when it comes to process handles.

Windows just got a major security upgrade called Administrator Protection, designed to finally fix the broken User Account Control (UAC) system we've all learned to ignore. But here's the kicker—a security researcher found nine ways to bypass it before it even launched. Five of those bypasses exploit a long-standing weakness called UI Access, a problem Microsoft has known about since Vista days. If you're running Windows, your admin protections might not be as solid as you think.

**What exactly happened** Researcher James Forshaw discovered nine distinct bypasses in Microsoft's new Administrator Protection feature for Windows. Five of these bypasses share a common root cause: the UI Access mechanism, a feature designed to let certain applications interact with elevated windows. Microsoft has patched all nine vulnerabilities before the feature's official release, but the findings reveal deeper structural issues in Windows security architecture. **Who is affected and how** Any Windows user running Administrator Protection is potentially at risk. The bypasses allow a standard user process to interact with and potentially control windows belonging to higher-privileged processes. This means malware running at user level could theoretically manipulate admin-level interfaces, tricking the system into performing privileged actions without proper authorization. **The real-world impact and consequences** The most dangerous scenario involves a shatter attack—an ancient technique where low-privilege code sends malicious messages to privileged windows. With Administrator Protection bypassed, attackers could potentially execute code at SYSTEM level. This undermines the entire purpose of Administrator Protection, which was supposed to create a genuine security boundary between user and admin processes. **Technical breakdown (explain the "how" simply)** The UI Access mechanism was originally created to solve a legitimate problem: some applications, like screen readers and input method editors, need to interact with windows across privilege boundaries. Microsoft implemented this by granting certain signed applications a special token attribute called UI Access. These applications can bypass UIPI (User Interface Privilege Isolation) restrictions. The flaw? The implementation had gaps. Forshaw found that in certain scenarios, a standard user process could trick the system into granting UI Access capabilities, or exploit timing windows where protections weren't active. One specific bypass involved abusing the "Interactive Services Detection" service, which could be triggered to display UI from SYSTEM context accessible to lower-privilege processes. **What should be done — mitigation and recommendations** Microsoft has already patched all nine bypasses in recent Windows updates. Users should ensure they're running the latest Windows builds with all security patches applied. For organizations, the researcher recommends enabling Administrator Protection now that known bypasses are fixed. The feature provides genuine security improvements over traditional UAC. Security teams should also review any applications that request UI Access privileges, as these represent potential attack vectors if the underlying mechanism is compromised again. **Why this matters in the bigger cybersecurity landscape** This research exposes a fundamental tension in Windows security: the balance between accessibility and isolation. UI Access was a necessary compromise, but it created a persistent attack surface. The fact that Microsoft missed these bypasses during development suggests their security review processes need improvement. As Forshaw notes, "more rigorous testing during development would have prevented many pre-existing UAC bypasses from being missed." Administrator Protection represents Microsoft's most serious attempt yet to fix UAC's broken promise. But this research proves that even well-intentioned security boundaries can have hidden cracks. The lesson? Trust no feature, verify everything, and always assume attackers are looking for the same loopholes you are.

Microsoft just shipped a major security upgrade for Windows 11—only to have a researcher punch nine holes straight through it before it even hit the mainstream. Administrator Protection, the long-awaited replacement for UAC, was supposed to lock down admin privileges like never before. But security researcher Alon Leviev found multiple ways to bypass it silently, gaining full admin rights without triggering a single alert. The feature has since been temporarily disabled by Microsoft. If you’re running Windows 11 25H2, your new security layer just got a critical reality check.

**What exactly happened** Windows 11 25H2 introduced Administrator Protection as a headline security feature. Its mission: replace the notoriously weak User Account Control (UAC) with a hardened system that grants admin privileges only when absolutely needed. But before the feature even reached general availability, security researcher Alon Leviev discovered nine separate vulnerabilities that completely bypassed it. Every single one allowed an attacker to silently gain full administrator privileges—exactly what the feature was designed to prevent. Microsoft has since fixed all nine issues, either through optional update KB5067036 or subsequent security bulletins. As of December 1, 2025, Microsoft also disabled the feature entirely due to an unrelated application compatibility issue. **Who is affected and how** Anyone running Windows 11 25H2 with Administrator Protection enabled is potentially affected. The vulnerabilities don’t require user interaction—they can be exploited silently by malware already running with limited privileges on the machine. This matters because Administrator Protection was marketed as a hard security boundary. If you enabled it thinking you were safe from privilege escalation attacks, these findings show that trust was premature. **The real-world impact and consequences** The core problem is that Administrator Protection was supposed to solve UAC’s biggest flaw: it was never a true security boundary. UAC could be bypassed by malware that simply tricked users into clicking "Yes" on a prompt. Leviev’s research proves that even this new, more robust system has serious design issues. Malware that already has limited access on a machine can still elevate to full admin rights without any user notification. That means ransomware, spyware, or any other malicious code could take complete control of a system—silently. **Technical breakdown—how the bypass works** While the full details of all nine vulnerabilities aren’t public, Leviev describes one specific bypass in detail. The attack exploits how Administrator Protection handles token assignments and privilege checks during elevation requests. In simple terms: the system was designed to verify that a process requesting admin rights actually needs them. But Leviev found a way to manipulate the verification process itself, essentially tricking the system into granting privileges without proper authentication. The bypass works at the kernel level, making it invisible to standard security tools. **What should be done—mitigation and recommendations** First, check if you’re running Windows 11 25H2. If so, ensure you’ve applied KB5067036 and all subsequent security updates from Microsoft. Second, understand that Administrator Protection is currently disabled by Microsoft. Even when it returns, treat it as a defense-in-depth layer—not a silver bullet. The safest approach remains: never run as an administrator day-to-day, regardless of which UAC version you use. Third, maintain standard security hygiene. Keep your system updated, use reputable antivirus software, and avoid downloading suspicious files or clicking unknown links. **Why this matters in the bigger cybersecurity landscape** This research highlights a recurring pattern in modern security: new features often ship with critical flaws because they’re rushed to market. Administrator Protection was Microsoft’s answer to years of UAC criticism, yet it still failed basic security testing. The bigger lesson is that no single feature can replace fundamental security practices. Even the most advanced privilege management system is useless if malware can bypass it silently. Until operating system vendors prioritize security-by-design from day one, researchers will keep finding these gaps—and attackers will keep exploiting them.