#
Hashtag
#dll

More scenes from the fantastic #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education Creating Learning Environments module exhibition! #WeAreIOE #LoveUCL #earlyyears #EarlyChildhoodEducation

3 0 0 0

Our #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education students had a session with Careers! We discussed CVs, cover letters, and had mock interviews. We closely connect to future careers in our practice-based modules. #WeAreIOE #LoveUCL #earlyyears #EarlyChildhoodEducation

1 0 0 0

Our #DLL @ioe.bsky.social @ucl.ac.uk MA Early Years Education students enjoyed their lecture in Contemporary Issues in Early Childhood Education. The module changes every year to reflect the most current issues in education. #WeAreIOE #LoveUCL #earlyyears #EarlyChildhoodEducation

1 0 0 0

Very proud to work at @ioe.bsky.social! Come join us on our #DLL MA Early Years Education and BA Early Childhood Education programmes! #edchat #education #earlyyears #EarlyChildhoodEducation #WeAreIOE #LoveUCL

2 0 0 0

Excellent post, Lucía. A model of #blog analysis of #DLL for the #INVTICUA26 and #INVLIJUA26 classes

1 1 0 0

The lovely Dr Bin Guo, our former #DLL PGTA and PhD student, came back to @ioe.bsky.social @ucl.ac.uk to talk about her career with the BA #EarlyChildhoodEducation cohort. Bin is now working in museums! An #education degree can take us in so many directions. #WeAreIOE #LoveUCL

5 1 0 1
Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat

A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.

Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.

Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.

The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.

To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.

The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.

After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.

Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.

For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands. Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.

The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company. BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.

At the same time, the researchers point out that several elements in this campaign are new. These include the use of signed MSI installers, the A0Backdoor malware itself, and the use of DNS MX records for command-and-control communication.

This case reflects how attackers are adapting their methods by combining trusted tools, familiar platforms, and layered techniques to bypass detection.

Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat #DLL #DNSattacks #Emails

0 0 0 0
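
Detection sketch for the DNS MX channel described in the post above. This is an added example, not part of the original post or of BlueVoyant's research: the log format, host list, thresholds and the sample lines (including the c2-placeholder.example domain) are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed resolver log lines. Assumed format: client resolver qtype qname
SAMPLE_LOG = """\
10.0.5.21 8.8.8.8 A www.example.com
10.0.1.10 10.0.0.53 MX example.com
10.0.5.40 8.8.8.8 MX example.org
10.0.5.21 1.1.1.1 MX mzxw6ytboi4dcnrrgq3tmnzyhe2dcmrt.k7q2.c2-placeholder.example
10.0.5.21 1.1.1.1 MX gezdgnbvgy3tqojqgezdgnbvgy3tqojq.k7q3.c2-placeholder.example
10.0.5.33 8.8.8.8 TXT _dmarc.example.org
"""

MAIL_HOSTS = {"10.0.1.10"}   # hosts expected to look up MX records (assumption)
MIN_LABEL_LEN = 24           # tunable thresholds, not values from the report
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def suspicious_mx_queries(log_text):
    """Map client IP -> MX query names that carry a long, high-entropy label."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        client, _resolver, qtype, qname = parts
        # Workstations rarely need MX lookups; mail infrastructure is excluded.
        if qtype.upper() != "MX" or client in MAIL_HOSTS:
            continue
        label = max(qname.rstrip(".").split("."), key=len)
        if (len(label) >= MIN_LABEL_LEN
                and shannon_entropy(label.lower()) >= MIN_ENTROPY_BITS):
            hits.setdefault(client, []).append(qname)
    return hits


if __name__ == "__main__":
    for client, names in suspicious_mx_queries(SAMPLE_LOG).items():
        print(client, len(names), "suspicious MX queries")
```
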
Original post on techrepublic.com

Hackers Pose as IT Staff in Microsoft Teams to Install Malware

Hackers are impersonating IT staff in Microsoft Teams to trick employees into installing malware, giving attackers stealthy access to ...

#Cybersecurity #International #Microsoft #News #Security #Windows #cybersecurity #dll […]

0 0 0 0

What an amazing session! Our #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education students enjoyed an exciting and interactive activity in the Play and Pedagogy Around the World module. I have some truly amazing colleagues! #EarlyChildhoodEducation #earlyyears #WeAreIOE #LoveUCL

0 0 0 0
Fake FileZilla Website Distributes Malware-Infected Download

A fraudulent website is distributing a modified portable edition of FileZilla version 3.69.5 that contains embedded malware. The archive appears legitimate and includes the authentic open-source FTP client, but attackers inserted one additional file, a rogue dynamic-link library named version.dll, before repackaging and circulating it online.

When users download this altered ZIP file, extract it, and launch filezilla.exe, Windows follows its standard DLL loading order. The operating system checks the application’s own directory before referencing system libraries stored in C:\Windows\System32. Because the malicious version.dll is placed inside the FileZilla folder, Windows loads it first. From that moment, the malicious code executes within the legitimate FileZilla process.

This method relies on a long-established Windows behavior known as DLL search order hijacking. It does not involve a vulnerability in FileZilla itself. Instead, the compromise depends on users downloading the installer from an unofficial domain such as filezilla-project[.]live, which imitates the legitimate project site. The attack spreads through deception, including lookalike domains and search engine manipulation, rather than automated self-propagation.

Archive Examination Reveals a Single Suspicious File

The compromised archive contains 918 files. Among them, 917 entries show a last-modified date of 2025-11-12, consistent with the authentic portable release of FileZilla 3.69.5. One file differs: version.dll carries a timestamp of 2026-02-03, nearly three months newer than the rest.

A genuine portable distribution of FileZilla does not include version.dll. Legitimate libraries in the package typically include files such as libfilezilla-50.dll and libfzclient-private-3-69-5.dll. The Windows Version API library normally resides inside the operating system directory and has no reason to be bundled with FileZilla. Its inclusion forms the basis of the compromise.

The SHA-256 hash of the trojanized archive is: 665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755

The SHA-256 hash of the malicious version.dll is: e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4

Execution Behavior Observed on a Live System

Monitoring the application with Process Monitor confirms the sideloading sequence. When filezilla.exe starts, Windows attempts to load required libraries. For files such as IPHLPAPI.DLL and POWRPROF.dll, the application directory does not contain a copy, producing “NAME NOT FOUND.” Windows then retrieves legitimate versions from the system directory.

For version.dll, however, the malicious copy is present locally. Windows maps it into memory without consulting System32. The attacker’s code now operates inside the trusted application process.

Approximately 17 milliseconds after loading, the malicious DLL attempts to locate version_original.dll in the same directory. The lookup fails. This pattern suggests DLL proxying, where attackers forward legitimate function calls to a renamed original library to preserve application stability. In this case, the renamed library was not included, which may explain abrupt application termination during testing.

FileZilla invokes LoadLibrary using only the file name rather than a full system path. While common in Windows software design, this practice enables directory-based DLL substitution.

Anti-Analysis Checks and Network Communication

Before activating its main payload, the DLL performs environmental checks. These include BIOS version inspection, system manufacturer queries, probing for VirtualBox registry keys, disk enumeration, memory allocation using write-watch techniques, and delayed execution loops. These checks aim to detect virtual machines or sandbox environments.

If the system appears genuine, the malware initiates encrypted domain resolution using DNS-over-HTTPS. It sends the following request to Cloudflare’s public resolver:

https://1.1.1.1/dns-query?name=welcome.supp0v3[.]com&type=A

Using HTTPS for DNS queries prevents traditional monitoring systems that rely on port 53 inspection from detecting the request. After resolving the domain, the malware contacts:

https://welcome.supp0v3.com/d/callback?utm_tag=tbs2&utm_source=dll

Memory inspection revealed the embedded configuration:

{ "tag":"tbs", "referrer":"dll", "callback":"https://welcome.supp0v3.com/d/callback?utm_tag=tbs2&utm_source=dll" }

The UTM-style parameters suggest structured tracking of distribution channels.

The malware also attempts connections to 95.216.51[.]236 over TCP port 31415, a non-standard port. Ten connection attempts were recorded across two sessions, indicating retry logic designed to maintain communication.

Additional Capabilities Identified

Automated behavioral analysis indicated potential FTP credential harvesting. Because FileZilla stores connection details locally, unauthorized access could expose remote servers and hosting accounts.

Other flagged behaviors included:
• Creation of suspended processes with memory injection
• Runtime .NET compilation using csc.exe
• Registry modifications consistent with persistence mechanisms
• Calls to Windows encryption-related APIs

These behaviors indicate functionality beyond simple credential theft, potentially including persistence and process manipulation.

Defensive Guidance

Users should download FileZilla exclusively from the official domain filezilla-project.org and verify the published hash values before execution. Portable installations should not contain version.dll. Its presence signals compromise.

Monitor outbound HTTPS traffic to public DNS resolvers such as 1.1.1.1 or 8.8.8.8 from non-browser applications. Review ZIP archive timestamps for inconsistencies before running software. Block the identified domains and IP address at the network perimeter if detected.

Malwarebytes reports detection and blocking of known variants of this threat.

Indicators of Compromise (IOCs)

• SHA-256 Hashes
665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755 (FileZilla_3.69.5_win64.zip)
e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4 (version.dll)
• Domains
filezilla-project[.]live
welcome.supp0v3[.]com
• Network Indicator
95.216.51[.]236:31415

Fake FileZilla Website Distributes Malware-Infected Download #DLL #Domain #malware

0 0 0 0
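
The two archive checks from the post above (timestamp outliers and a system DLL name sitting next to the executable), as an added example that is not part of the original post. The folder name inside the ZIP and the in-memory sample archive are constructed; the dates and DLL names are the ones the article reports.

```python
import io
import zipfile
from collections import Counter

# Libraries that normally load from C:\Windows\System32. These three names
# appear in the article; a production list would be longer (assumption).
SYSTEM_DLL_NAMES = {"version.dll", "iphlpapi.dll", "powrprof.dll"}


def triage_archive(zip_bytes):
    """Return (date_outliers, shadowing_dlls) for a portable-app ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
    if not entries:
        return [], []
    # ZipInfo.date_time is (year, month, day, hour, minute, second).
    dominant = Counter(e.date_time[:3] for e in entries).most_common(1)[0][0]
    date_outliers = sorted(e.filename for e in entries
                           if e.date_time[:3] != dominant)
    # The loader searches the executable's own directory first, so only
    # DLLs that sit beside an .exe can shadow a system library.
    exe_dirs = {e.filename.rpartition("/")[0] for e in entries
                if e.filename.lower().endswith(".exe")}
    shadowing = sorted(
        e.filename for e in entries
        if e.filename.rpartition("/")[0] in exe_dirs
        and e.filename.rpartition("/")[2].lower() in SYSTEM_DLL_NAMES)
    return date_outliers, shadowing


def build_sample(with_rogue_dll):
    """Constructed stand-in for the 918-file archive (placeholder contents)."""
    buf = io.BytesIO()
    release = (2025, 11, 12, 10, 0, 0)
    names = ["FileZilla-3.69.5/filezilla.exe",
             "FileZilla-3.69.5/libfilezilla-50.dll",
             "FileZilla-3.69.5/libfzclient-private-3-69-5.dll",
             "FileZilla-3.69.5/docs/fzdefaults.xml.example"]
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(zipfile.ZipInfo(name, date_time=release), b"placeholder")
        if with_rogue_dll:
            rogue = zipfile.ZipInfo("FileZilla-3.69.5/version.dll",
                                    date_time=(2026, 2, 3, 9, 0, 0))
            zf.writestr(rogue, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    outliers, shadowing = triage_archive(build_sample(with_rogue_dll=True))
    print("timestamp outliers:", outliers)
    print("system DLL names beside the executable:", shadowing)
```
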

I was really honoured to welcome the Early Childhood Education Teachers' Union from #Finland to #DLL and @ioe.bsky.social @ucl.ac.uk this week! Thank you and kiitos paljon to Birgitta Vuorinen and the Embassy of Finland in London for introducing us. #WeAreIOE #LoveUCL #FinnishEducation #earlyyears

9 0 1 0
Chinese teachers’ understandings and perceptions on child-initiated play and self-regulation

Self-regulation has gained prominence as a critical indicator of learning during early childhood. However, opportunities to practice self-regulation, primarily through child-initiated play in presc...

I am very proud to be part of this publication! My former #DLL @ioe.bsky.social @ucl.ac.uk MA supervisee has published this excellent article based on her MA dissertation. It is wonderful to see her develop in her academic career! #WeAreIOE #LoveUCL

www.tandfonline.com/doi/full/10....

7 1 0 0

Thank you to Tim and Heronsgate Sch for hosting our #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education students! They are learning about digital tech in #earlyyears. Our trip to the Apple Distinguished School was so valuable. Fun fact: Tim is an #IOE alumnus! #WeAreIOE #LoveUCL

2 0 0 0

A big thank you to Naazish, an alumna of our #DLL @ioe.bsky.social @ucl.ac.uk MA Early Years Education, who spoke to our BA Early Childhood Education students. She gave her perspective about professionalism as the director of an Ofsted Outstanding early years setting! #WeAreIOE #LoveUCL

5 0 0 0

Our #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education students were silently concentrating on their own critical reflection. They will start their practical experience very soon! #education #earlyyears #EarlyChildhoodEducation #WeAreIOE #LoveUCL

4 0 0 0
Exploring Protected Process Light and Exploits

Red team technique—process injection—and how to leverage it against Protected Process Light (PPL)

Original text by Dang Duong Minh Nhat


Hello everyone, today I’m sharing another red team technique—process injection—and how to leverage it against Protected Process Light (PPL). Let’s explore it in the blog post below. #dll #injection #PPL #ProcessInjection #redteam #windows
core-jmp.org/?p=136

0 0 0 0

Our #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education has an amazing Digital Technologies module, which is team taught by three lecturers (including me!). We also have field trips and an innovative assessment. #WeAreIOE #LoveUCL #earlyyears #EarlyChildhoodEducation

6 0 0 0
DLL Hijacking in Windows Audio: A New Escalation Technique

Original post by S1lky. This article describes DLL hijacking in the context of the audiodg.exe process which may load vendor-supplied APO-related DLL dependencies from system paths. #dll #escalation #hijacking #system #windows
core-jmp.org/?p=89

1 0 0 0
Hackers Are Using LinkedIn DMs and PDF Tools to Deploy Trojans

That LinkedIn message pretending to be a job offer could just be malware.
0 0 0 0

Parents of dual language learners (DLLs) have LOTS to say about the positive impact dual-language preschool programs have had on their children! #DualLanguageLearners #DLL #ECE #UPK #EarlyChildhoodEducation

1 0 0 0

Hackers Exploit LinkedIn DMs to Spread Malware as Job Offers

Hackers are exploiting LinkedIn private messages to spread remote access trojans via DLL sideloading, disguising malware as job offers o...

#CybersecurityUpdate #Cybersecurity #threats #DLL […]

[Original post on webpronews.com]

0 0 0 0
Original post on securityweek.com

APT-Grade PDFSider Malware Used by Ransomware Groups

Providing cyberespionage and remote code execution capabilities, the malware is executed via DLL sideloading. The post APT-Grade PDFSider Malwar...

#Malware #& #Threats #DLL #hijacking #DLL #sideloading […]


0 0 0 0

Our Year 2 #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education students reflected upon their Year 1 practical experience. They are getting ready to go back into #earlyyears settings soon! #education #EarlyChildhoodEducation #WeAreIOE #LoveUCL

4 1 2 0

Our #DLL @ioe.bsky.social @ucl.ac.uk BA Early Childhood Education students reflected on their Term 1 core modules. This is very important before they go into #earlyyears settings for practical experience! #edchat #education #earlyyears #EarlyChildhoodEducation #WeAreIOE #LoveUCL

8 1 0 0

🏫 In many U.S. preschool programs, young children in multilingual homes are not always fully assessed

Limited access to interpreters, bilingual staff & translated materials can make it harder to share what children can do in their home language

Read more: bit.ly/preschool-DLL

#ECEC #DLL

1 0 0 0

More scenes from our #DLL @ioe.bsky.social @ucl.ac.uk MA Early Years Education and MA Primary Education party! #WeAreIOE #LoveUCL

5 1 0 0