Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network.

CVE-2025-29969: MS-EVEN RPC Remote Code Execution Vulnerability

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and…

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.

Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.

Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.

The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.

Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.

> _“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”_
> 
> _Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024._

This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.

Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.

“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”

The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.

For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.

Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.

Roblox Corporation has not issued a public statement in response to the lawsuit as of publication.

Roblox Lawsuit Claims Hidden Tracking Used to Monetize Kids Data

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone…

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone looking to streamline your personal digital workflow, improving your efficiency can save you time, reduce stress, and boost performance. Here are some practical strategies to enhance your digital efficiency.

****1\. Streamline Your Digital Workspace****

A cluttered digital environment can slow you down significantly. Organize your desktop, categorize your files, and declutter unnecessary applications. Use cloud storage services like Dropbox or Google Drive to keep essential documents accessible and secure, reducing the need for excessive local storage.

Use productivity tools like Trello, Asana, or Notion to effectively manage tasks and projects. These platforms help you visualize your workload, prioritize tasks, and collaborate seamlessly with others.

****2\. Automate Repetitive Tasks****

Automation is a game-changer when it comes to digital efficiency. Identify repetitive tasks that consume your time and automate them. For instance:

*   **Email filtering and sorting**: Use rules and filters to automatically categorize incoming messages.
*   **Social media scheduling**: Use platforms like Buffer or Hootsuite to schedule posts in advance, saving you from constant manual posting.
*   **Data entry and reporting**: Utilize tools such as Zapier or Integromat to automate workflows between different apps.

Automating routine processes frees up valuable time for more strategic and creative tasks.

****3\. Optimize Your Internet and Hosting Solutions****

Slow-loading websites and unreliable hosting services can hamper your efficiency, especially if you rely on web-based applications. Upgrading to a reliable DS hosting solution can significantly boost your website’s performance, ensuring faster loading times and improved reliability. Dedicated servers offer more control, security, and better resource allocation compared to shared hosting, making them ideal for businesses or resource-intensive applications.

****4\. Use Keyboard Shortcuts and Productivity Hacks****

Mastering keyboard shortcuts can drastically decrease the time spent navigating your computer or specific applications. For example:

*   **Ctrl + C** and **Ctrl + V** for copy-paste
*   **Ctrl + Z** to undo
*   **Alt + Tab** to switch between windows quickly.

In addition, explore browser extensions like LastPass for password management or Grammarly for real-time grammar checks, making your digital activities more streamlined and error-free.

****5\. Limit Digital Distractions****

Distractions are one of the main barriers to digital efficiency. Use website blockers like Freedom or StayFocusd to limit time-wasting sites during work hours. Turn off unnecessary notifications and schedule regular tech-free breaks to improve your focus. You can also investigate app blockers for your smartphone to limit distractions more generally. 

****6\. Leverage Cloud-Based Collaboration Tools****

For teams, cloud-based collaboration tools are essential for maintaining efficiency. Platforms like Slack, Microsoft Teams, and Google Workspace allow for real-time communication, file sharing, and collaboration, decreasing the need for lengthy email threads and streamlining project management.

****Final Thoughts****

Improving your digital efficiency doesn’t require a massive overhaul, it’s about making small, intentional changes to your workflow. From investing in reliable DS hosting to automating repetitive tasks, every improvement adds up to significant time and productivity gains. Embrace these strategies and watch your digital efficiency soar.

(Image by Moondance from Pixabay)

Practical Ways to Improve Your Digital Efficiency

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos,…

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos, and AgentTesla. Education remains the top targeted sector. Learn about the latest cyber threats and how to stay protected.

Check Point Research (CPR) has revealed its findings for April 2025, which describe a concerning trend of attackers using more complex and sneaky methods to deliver harmful software. Although some well-known malware families remain prevalent, the methods used to infect systems are becoming more sophisticated, making them harder to detect.

According to CPR, most attacks discovered in April involved phishing emails disguised as order confirmations. These emails contained a hidden 7-Zip file that released scrambled instructions, leading to the installation of common malware like AgentTesla, Remcos, and XLoader.

The attacks were particularly concerning due to their well-hidden nature, using encoded scripts and injecting malicious software into legitimate Windows processes. Researchers also noticed a “dangerous convergence of commodity tools with advanced threat actor tactics” means even basic malware is now being used in highly sophisticated operations, CPR’s blog post read.

Despite these new sneaky methods, some familiar names still topped the list of most prevalent malware in April, including the following:

****FakeUpdates****

This malware remained the most widespread, affecting 6% of organizations globally. It tricks users into installing fake browser updates from compromised websites has been linked to the Russian hacking group Evil Corp and is used to deliver further malicious software.

****Remcos and AgentTesla:****

This remote access tool, often spread through malicious documents in phishing emails, can bypass Windows security features, giving attackers high-level control over infected systems.

AgentTesla, which is an advanced tool, can log keystrokes, steal passwords, take screenshots, and grab login details for various applications. It is openly sold online.

Malware families’ analysis revealed a rise in Androxgh0st usage, which targets web applications to steal sensitive information, while the use of remote access tool AsyncRat has declined. Other notable families included in the top ten include Formbook, Lumma Stealer, Phorpiex, Amadey, and Raspberry Robin.

In April, SatanLock emerged as a new ransomware group, listing numerous victims on their data leak site. However, most of these victims had already been claimed by other groups, indicating a potentially competitive environment within the cybercrime community. Moreover, Akira was the most prevalent ransomware group, followed by SatanLock and Qilin.

Mobile devices remain a significant target, with Anubis, AhMyth, and Hydra topping the list of mobile malware in April. Most concerning is that these malware are becoming increasingly sophisticated, offering remote access, ransomware capabilities, and multi-factor authentication interceptions.

Furthermore, for a third consecutive month, the education sector remained the most vulnerable globally, probably due to its large user base and weak cybersecurity infrastructure. Government and telecommunications sectors followed closely. Whereas, regional analysis showed varying malware trends, with Latin America and Eastern Europe experiencing more FakeUpdates and Phorpiex, and Asia witnessing increased activity of Remcos and AgentTesla.

Given this increasingly complex and persistent cyber threat environment, CPR recommends that organizations adopt a “prevention-first” strategy, including employee training on phishing, regular software updates, and the implementation of advanced threat prevention solutions to detect and block these sophisticated attacks before they can cause harm.

FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability. The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level.🔻 According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi […]

**About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability.** The vulnerability from the April Microsoft Patch Tuesday allows an attacker operating under a regular user account to escalate their privileges to SYSTEM level.  
  
🔻 According to Microsoft, the vulnerability was exploited in attacks against organizations in the U.S., Venezuela, Spain, and Saudi Arabia. The exploit was embedded in the PipeMagic malware used by the Storm-2460 group to deploy ransomware.

🔻 On May 7, Symantec reported technical details about another exploit for the vulnerability, used by Balloonfly group (associated with the Play ransomware) in an attack on a U.S. organization prior to April 8.

👾 Are there public exploits? According to BDU FSTEC — yes. NVD also lists “exploit links”, but they point to detection and mitigation scripts. 🤷‍♂️ No mentions yet in exploit packs or on GitHub.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability

Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

Google has expressed plans to use Artificial Intelligence (AI) to stop tech support scams in Chrome.

With the launch of Chrome version 137, Google plans to use the on-device Gemini Nano large language model (LLM) to recognize and block tech support scams.

Users already have the ability to chose Enhanced Protection under **Settings > Privacy and security > Security > Safe Browsing.**

Safe Browsing settings

Google’s reasoning, and we agree, is that LLMs are fairly good at understanding and classifying the varied, complex nature of websites. Meaning that, since many malicious sites have a very short lifespan, it is more effective to learn and recognize their behavior rather than keep adding a host of domain names to a block-list (something which Google has frustrated with the introduction of Manifest V3, by the way).

Tech support scams typically follow a certain pattern that should be simple to learn:

*   They make your browser tab full screen
*   Display the number they want you to call all over the place
*   Show the visitor fake ongoing scans and alerts

These are just a few of the characteristics I’d teach the LLM. I’m not speaking for Google here. They just mention they’ll be looking at usage of the Keyboard Lock API.

On that, the Keyboard Lock API is a web technology that allows websites to “capture” keyboard input, meaning they can prevent certain key combinations (or all keys) from working as they normally do in your browser or operating system. Originally, this tool was designed for legitimate purposes, like making web games or remote desktop apps more immersive by stopping accidental key presses from interrupting the experience. But tech support scammers exploit the Keyboard Lock API to make it harder for victims to escape their scam pages. This means that when a visitor tries to close the scam page or switch to another program, nothing happens, making them feel trapped on the site. Which also makes them think their system is actually infected.

Google explains why it went for the on-device method, saying it allows them to see the threats at the same moment the users see them and in the same way the users see them.

> “We’ve found that the average malicious site exists for less than 10 minutes, so on-device protection allows us to detect and block attacks that haven’t been crawled before.”

**How it works**

When the user lands on a suspicious page, which is decided by the on-device LLM, based on specific triggers like the Keyboard Lock API, Chrome provides the LLM with the contents of the page that the user is on and queries it to extract security signals, such as the intent of the page. This information is then sent to a Safe Browsing server for a final verdict.

If Safe Browsing decides the website is malicious, Chrome will block the content and show the user a big warning screen, called an “interstitial.”

Image courtesy of Google

By making the target think their system is infected, tech support scammers try to gain remote access or obtain payment information. Google says:

> “Tech Support scams are an increasingly prevalent form of cybercrime, characterized by deceptive tactics aimed at extorting money or gaining unauthorized access to sensitive data.”

Malwarebytes’ Browser Guard data over the last month shows that 30% of the fraudulent websites we blocked through the browser extensions are tech support scams.

30% of the three fraud categories are TSS

So, it’s nice of Google to let Chrome help us take care of some of those, but Chrome is not the only browser. We’re even hearing stories from users that ran into a website telling them their Windows machine was infected while they were using the Safari browser on their iPad.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google Chrome will use AI to block tech support scam websites 

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2025 Q1 Security Researcher Leaderboard are 0x140ce, VictorV, Vaisha Bernard of Eye Security!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2025 Q1 Security Researcher Leaderboard are **0x140ce, VictorV, Vaisha Bernard of Eye Security!**

Check out the full list of researchers recognized this quarter here.  

Congratulations to the top Azure researchers this quarter: **Anonymous, Sandro Poppi, and Vaisha Bernard of Eye Security!**

Congratulations to the top Office researchers this quarter: **0x140ce, Li Shuang and willJ, and f4!**

Congratulations to the top Windows researchers this quarter: **VictorV, wkai, Zhiniang Peng with HUST & R4nger with CyberKunLun!**

Congratulations to the top Dynamics researchers this quarter: **Brad Schlintz, Dhiral Patel (@dhiralpatel94), and Artem Shymshyrian (Xtytia0922)!**

This 2025 Q1 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between January 1, 2025, and March 31, 2025
    
*   Submitted to the MSRC team between October 1, 2024, and December 31, 2024 (last program period), but assessed after January 1, 2025
    

While Researcher Recognition points have been part of MSRC’s reward program for many years, this year marks the first time they are visible in the researcher portal. This added transparency allows you to track your standing more easily throughout the year. If assessment criteria are updated, your points may be adjusted accordingly, which could affect your quarterly score. However, please note that Quarterly and Annual leaderboard rankings are based on the point value at the time you receive the “You’ve Made Leaderboard” notification email. These rankings remain fixed, even if your point total changes afterward.

Past quarterly and annual leaderboard announcements:  

*   MSRC 2024 Q4 Security Researcher Leaderboard
    
*   MSRC 2024 Q3 Security Researcher Leaderboard
    
*   MSRC 2024 Most Valuable Security Researcher Leaderboard
    
*   MSRC 2024 Q2 Security Researcher Leaderboard
    
*   MSRC 2024 Q1 Security Researcher Leaderboard
    
*   MSRC 2023 Q4 Security Researcher Leaderboard
    
*   MSRC 2023 Q3 Security Researcher Leaderboard
    
*   MSRC 2023 Q2 Security Researcher Leaderboard  
    
*   MSRC 2023 Q1 Security Researcher Leaderboard  
    
*   MSRC 2023 Most Valuable Security Researcher Leaderboard
    

Keep up the awesome work and we look forward to seeing you next quarter!

Madeline Eckert, MSRC

Congratulations to the Top MSRC 2025 Q1 Security Researchers!

Bitdefender exposes Facebook ad scams using fake crypto sites and celebrity lures to spread malware via malicious desktop…

Bitdefender exposes Facebook ad scams using fake crypto sites and celebrity lures to spread malware via malicious desktop clients and PowerShell scripts.

A persistent malware campaign is exploiting Facebook’s advertising network to target cryptocurrency enthusiasts, security researchers at Bitdefender revealed today.

The operation leverages the trusted names of major cryptocurrency exchanges like Binance and TradingView, and images of celebrities such as Elon Musk and Zendaya in Facebook ads to lend credibility to the fake cryptocurrency exchange promotions and lure unsuspecting users into downloading malicious software.

Source: Bitdefender

Bitdefender’s investigation, shared with Hackread.com ahead of its publishing, found a multi-layered attack that delivers malware through a covert communication channel between the website and the victim’s own computer.

According to researchers, cybercriminals are hijacking Facebook accounts or creating fake ones to run deceptive ads promising quick financial gains or crypto bonuses. Clicking these ads redirects victims to convincing but fraudulent websites that mimic legitimate cryptocurrency platforms, urging them to download a “desktop client.”

When downloaded, the desktop client drops a malicious DLL file, which launches a local .NET\-based server on the victim’s machine. This server acts as a hidden C2 centre. The fake website’s front end contains a deobfuscated script that communicates with the server, sends WMI (Windows Management Instrumentation) queries, and instructs it to execute further malicious payloads.

The final stage often involves the execution of multiple encoded PowerShell scripts, which download additional malware from remote servers. Furthermore, the attackers implement advanced anti-sandbox checks, ensuring that the malware is only delivered to users who meet specific demographic and behavioural profiles deemed valuable by the cybercriminals.

Bitdefender researcher Ionut Baltariu highlighted that users without specific Facebook ad tracking parameters, those not logged into Facebook, or those with uninteresting IP addresses or operating systems are also shown harmless content instead. This targeted approach allows the attackers to maximize their impact while minimizing exposure to security analysis.

****100 Malicious Ads in Just 24 Hours****

The scale of the operation is significant as researchers have identified hundreds of Facebook accounts actively promoting these malicious pages. In one case, a single page ran over 100 ads in just 24 hours.

While Facebook often removes these fraudulent ads, many gather thousands of views before being taken down. The targeting is often finely tuned, with one instance focusing on men aged 18 and over in Bulgaria and Slovakia.

Adding another layer of deception, the attackers have even created fake Facebook pages that perfectly mirror the official pages of platforms like TradingView, complete with fabricated posts and comments touting fake giveaways. However, the links embedded in these fake pages lead directly to the malware-distributing websites.

Facebook’s continued role as a vector for malware distribution is hard to overlook as earlier findings, including today’s discovery from Morphisec which shows cybercriminals have been using deceptive Facebook ads promoting fake AI platforms to distribute the new Noodlophile Stealer.

It also shows how cybercriminals exploit the platform’s reach and advertising capabilities for malicious purposes, emphasizing the need for user vigilance and platform security enhancements.

Bitdefender advises users to be cautious of online ads, use scam and link-checking tools, keep security software updated and report suspicious ads on Facebook to stay protected.

Fake Crypto Exchange Ads on Facebook Spread Malware

About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability. It was patched in the March Microsoft Patch Tuesday. VM vendors didn’t mention this vulnerability in their reviews; it was only known to be exploited via user interaction with a malicious file. A month later, on April 16, Check Point published a blog post with technical details, revealing […]

**About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability.** It was patched in the March Microsoft Patch Tuesday. VM vendors didn’t mention this vulnerability in their reviews; it was only known to be exploited via user interaction with a malicious file.

A month later, on April 16, Check Point published a blog post with technical details, revealing that the vulnerability is exploited using specially crafted files…

✋ Wait a minute — there was a trending vulnerability in March MSPT: CVE-2025-24071, related to the same files. 🤔 Turns out, it’s **THE SAME vulnerability**. 🤪 Check Point reports: _“Microsoft had initially assigned the vulnerability the CVE identifier_ CVE-2025-24071_, but it has since been updated to_ CVE-2025-24054_“._ What a mess. 🤷‍♂️ Technical details in the previous post.

👾 Since March 19, Check Point has tracked about 11 campaigns exploiting this vulnerability to collect NTLMv2-SSP hashes.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Spoofing – Windows NTLM (CVE-2025-24054) vulnerability

Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States.
The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by

Tag

#windows