Agregátor RSS

Microsoft 365 (and Office 365) subscribers get more frequent software updates than those who have purchased Office without a subscription, which means subscribers have access to the latest features, security patches, and bug fixes. But it can be hard to keep track of the changes in each update and know when they’re available. We’re doing this for you, so you don’t have to.

Following are summaries of the updates to Microsoft 365/Office 365 for Windows over the past year, with the latest releases shown first. We’ll add info about new updates as they’re rolled out.

Note: This story covers updates released to the Current Channel for Microsoft 365/Office 365 subscriptions. If you’re a member of Microsoft’s Office Insider preview program or want to get a sneak peek at upcoming features, see the Microsoft 365 Insider blog.

Version 2605 (Build 20026.20140)

Release date: June 3, 2026

This build fixes a single bug, in which images didn’t display when using top and bottom text wrapping in classic Outlook.

Get more info about Version 2605 (Build 20026.20140).

Version 2605 (Build 20026.20112)

Release date: May 26, 2026

This build offers “various fixes to functionality and performance,” according to Microsoft.

Get more info about Version 2605 (Build 20026.20112).

Version 2605 (Build 20026.20076)

Release date: May 20, 2026

This build fixes several bugs, including one in which Excel or PowerPoint closed unexpectedly in rare cases while the user was actively co-authoring, particularly when opening a document for the first time.

Get more info about Version 2605 (Build 20026.20076).

Version 2604 (Build 19929.20172)

Release date: May 14, 2026

This build fixes a bug in Outlook in which sending mail failed when multiple Exchange accounts were configured.

Get more info about Version 2604 (Build 19929.20172).

Version 2604 (Build 19929.20164)

Release date: May 12, 2026

The build plugs a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2604 (Build 19929.20164).

Version 2604 (Build 19929.20136)

Release date: May 5, 2026

This build fixes a bug in which Outlook closed unexpectedly after replying to a mail item with labels.

Get more info about  Version 2604 (Build 19929.20136).

Version 2604 (Build 19929.20106)

Release date: April 29, 2026

This build includes “various fixes to functionality and performance,” according to Microsoft.

Get more info about Version 2604 (Build 19929.20106).

Version 2604 (Build 19929.20090)

Release date: April 21, 2026

This build includes “various fixes to functionality and performance,” according to Microsoft.

Get more info about Version 2604 (Build 19929.20090).

Version 2603 (Build 19822.20182)

Release date: April 14, 2026

In this build, Copilot can now edit your PowerPoint documents. Copilot can start a new presentation or build on an existing one, generate slides, update content, improve layouts, and polish design, while preserving formatting, structure, and branding. 

The build also plugs a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2603 (Build 19822.20182).

Version 2603 (Build 19822.20168)

Release date: April 9, 2026

This build fixes several bugs, including one in Outlook in which users could not close the Copilot chat pane using a keyboard. Users can now close the pane by navigating to the Close button using a keyboard or by using the assigned keyboard shortcut.

Get more info about Version 2603 (Build 19822.20168).

Version 2603 (Build 19822.20142)

Release date: March 31, 2026

This build includes “various fixes to functionality and performance,” according to Microsoft.

Get more info about Version 2603 (Build 19822.20142).

Version 2603 (Build 19822.20114)

Release date: March 24, 2026

This build fixes a single bug in which PowerPoint sometimes closed unexpectedly when opening a newly created empty file from the OneDrive folder.

Get more info about Version 2603 (Build 19822.20114).

Version 2602 (Build 19725.20190)

Release date: March 18, 2026

This build fixes an Outlook bug in which updating a single instance of a recurring meeting in a Microsoft 365 group calendar updated the entire series.

Get more info about Version 2602 (Build 19725.20190).

Version 2602 (Build 19725.20172)

Release date: March 10, 2026

This build introduces agent mode in Word, which adds a conversational chat experience that helps create, edit, and refine document content as you work. In addition, the build fixes a bug that impacted the rendering of extended characters in calendar items, causing certain characters to appear as question marks.

The build also plugs a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2602 (Build 19725.20172).

Version 2602 (Build 19725.20152)

Release date: March 3, 2026

This build fixes a bug in which closing a document sometimes remained in progress indefinitely after the Office app resumed from sleep or hibernation.

Get more info about Version 2602 (Build 19725.20152).

Version 2602 (Build 19725.20126)

Release date: February 24, 2025

This build fixes several bugs, including one that caused OneNote to close unexpectedly upon startup.

Get more info about Version 2602 (Build 19725.20126).

Version 2601 (Build 19628.20214)

Release date: February 17, 2025

This build includes, in Microsoft’s words, “various fixes to functionality and performance.”

Get more info about Version 2601 (Build 19628.20214).

Version 2601 (Build 19628.20204)

Release date: February 10, 2026

This build fixes a bug that sometimes prevented users from opening emails with the Encrypt Only label in Outlook.

It also plugs a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2601 (Build 19628.20204).

Version 2601 (Build 19628.20166)

Release date: February 3, 2026

This build includes, in Microsoft’s words, “various fixes to functionality and performance.”

Get more info about Version 2601 (Build 19628.20166).

Version 2601 (Build 19628.20150)

Release date: January 27, 2025

In this build, OneNote applies your chosen proofing language more consistently, so you don’t have to reset it for every paragraph when writing in multiple languages. In addition, the build fixes several bugs, including one that caused Office applications to become unresponsive when profile card-related activities were performed.

Get more info about Version 2601 (Build 19628.20150).

Version 2512 (Build 19530.20184)

Release date: January 21, 2025

This build includes, in Microsoft’s words, “Various fixes to functionality and performance.”

Get more info about Version 2512 (Build 19530.20184).

Version 2512 (Build 19530.20144)

Release date: January 13, 2026

This build fixes a number of bugs, including one that caused Excel, PowerPoint, and Word to become unresponsive when profile card-related activities were performed.

It also plugs a number of security holes. For details, see Release notes for Microsoft Office security updates.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2512 (Build 19530.20144).

Version 2512 (Build 19530.20138)

Release date: January 8, 2025

This build offers, in Microsoft’s words, “Various fixes to functionality and performance.”

Get more info about Version 2512 (Build 19530.20138).

Version 2511 (Build 19426.20218)

Release date: December 16, 2025

This build offers, in Microsoft’s words, “Various fixes to functionality and performance.”

Get more info about Version 2511 (Build 19426.20218).

Version 2511 (Build 19426.20186)

Release date: December 9, 2025

This Patch Tuesday build offers, in Microsoft’s words, “Various fixes to functionality and performance.” The build also has a variety of security updates (see details).

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2511 (Build 19426.20186).

Version 2511 (Build 19426.20170)

Release date: December 3, 2025

This build includes, in Microsoft’s words, “Various fixes to functionality and performance.”

Get more info about Version 2511 (Build 19426.20170).

Version 2510 (Build 19328.20244)

Release date: November 20, 2025

This build fixes a bug in Outlook that caused users to see “Contacting the server for information” repeatedly when loading some emails.

Get more info about Version 2510 (Build 19328.20244).

Version 2510 (Build 19328.20232)

Release date: November 18, 2025

This build includes, in the words of Microsoft, “various fixes to functionality and performance.”

Get more info about Version 2510 (Build 19328.20232).

Version 2510 (Build 19328.20190)

Release date: November 11, 2025

This Patch Tuesday build fixes a bug in Outlook that caused some recipients to be unable to access OneDrive links shared with them via email. The build also has a variety of security updates (see details).

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2510 (Build 19328.20190).

Version 2510 (Build 19328.20178)

Release date: November 4, 2025

This build fixes a single bug, in which @mention searches produced no results in Office apps.

Get more info about Version 2510 (Build 19328.20178).

Version 2510 (Build 19328.20158)

Release date: October 30, 2025

This build introduces a new Get Data dialog in Windows that simplifies finding and using external data, and adds Analyze Data to the Data tab.

The build also fixed an bug in Outlook that prevented users from downloading web add-ins in some virtualized environments.

Get more info about Version 2510 (Build 19328.20158).

Version 2509 (Build 19231.20216)

Release date: October 21, 2025

This build has, in Microsoft’s words, “various fixes to functionality and performance.”

Get more info about Version 2509 (Build 19231.20216).

Version 2509 (Build 19231.20194)

Release date: October 14, 2025

This build has a variety of security updates (see details), along with various fixes to functionality and performance.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2509 (Build 19231.20194).

Version 2509 (Build 19231.20172)

Release date: October 7, 2025

This build has, in Microsoft’s words, “various fixes to functionality and performance.”

Get more info about Version 2509 (Build 19231.20172).

Version 2509 (Build 19231.20156)

Release date: October 1, 2025

This build fixes two bugs, one in Excel in which ribbon controls were not rendered when rejoining Office sessions in a virtual machine, Azure Virtual Desktop, or remote desktop environment, and another that caused Outlook to terminate unexpectedly when starting.

Get more info about Version 2509 (Build 19231.20156).

Version 2508 (Build 19127.20264)

Release date: September 23, 2025

This build has, in Microsoft’s words, “various fixes to functionality and performance.”

Get more info about Version 2508 (Build 19127.20264).

Version 2508 (Build 19127.20240)

Release date: September 16, 2025

This build has, in Microsoft’s words, “various fixes to functionality and performance.”

Get more info about Version 2508 (Build 19127.20240).

Version 2508 (Build 19127.20222)

Release date: September 9, 2025

This build has multiple security updates (see details), along with various fixes to functionality and performance.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2508 (Build 19127.20222).

Version 2508 (Build 19127.20192)

Release date: September 3, 2025

This build fixes a bug in which some Outlook add-ins were getting “Office.auth.getAccessToken is not a function” errors.

Get more info about Version 2508 (Build 19127.20192).

Version 2508 (Build 19127.20154)

Release date: August 26, 2025

This build fixes a bug that caused Outlook to terminate unexpectedly when sending a meeting invite with an encryption label. It also adds support for pixelated rendering of embedded images in SVG assets for the entire Office suite.

Get more info about Version 2508 (Build 19127.20154).

Version 2507 (Build 19029.20208)

Release date: August 19, 2025

This build fixes a variety of bugs.

Get more info about Version 2507 (Build 19029.20208).

Version 2507 (Build 19029.20184)

Release date: August 12, 2025

This build fixes a bug which required users to restart Outlook to open a .msg file after initially accessing it once. The build also includes a variety of security updates (see details).

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2507 (Build 19029.20184).

Version 2507 (Build 19029.20156)

Release date: August 5, 2025

This build fixes a single bug, in which users had to restart Outlook to open a .msg file after initially accessing it once.

Get more info about Version 2507 (Build 19029.20156).

Version 2507 (Build 19029.20136)

Release date: July 30, 2025

This build fixes a wide variety of bugs, including in which Outlook closed unexpectedly shortly after launch, and another in Word in which the word count sometimes displayed incorrectly.

Get more info about Version 2507 (Build 19029.20136).

Version 2506 (Build 18925.20184)

Release date: July 22, 2025

This build fixes two bugs, one that caused the Copilot Command Center to continue to be visible after disabling the Copilot user interface, and another in which when creating handouts in PowerPoint, certain characters (full-width numbers) couldn’t be properly transferred to the handout.

Get more info about Version 2506 (Build 18925.20184).

Version 2506 (Build 18925.20168)

Release date: July 15, 2025

This build fixes two bugs, one that caused Visio 32-bit to close unexpectedly when using the Drawing control, particularly in setups involving COM components or .NET integrations, and another in Word in which copying and pasting content between documents sometimes changed the applied style unexpectedly.

Get more info about Version 2506 (Build 18925.20168).

Version 2506 (Build 18925.20158)

Release date: July 8, 2025

This Patch Tuesday build fixes several bugs in Outlook, PowerPoint, Word, and the whole Office suite, including one that caused the Copilot icon to unexpectedly display in Outlook when Copilot had been disabled by the admin in government cloud.

The release also includes a variety of security updates (see details).

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2506 (Build 18925.20158).

Version 2506 (Build 18827.20176)

Release date: July 1, 2025

This build fixes a wide variety of bugs, including one in Word in which print preview sometimes stopped working when printing long emails.

Get more info about Version 2506 (Build 18827.20176).

Version 2505 (Build 18827.20176)

Release date: June 26, 2025

This build introduces several new features, including one in Excel in which the PivotTables dialog box interface has been replaced by a redesigned panel, making it easier to view all of your options and simpler to change your data selection before inserting a recommended PivotTable.

Get more info about Version 2505 (Build 18827.20176).

Version 2505 (Build 18827.20164)

Release date: June 17, 2025

This build fixes a bug that caused the “Try the new Outlook” toggle to be enabled when working in Classic Outlook side by side with the new Outlook.

Get more info about Version 2505 (Build 18827.20164).

Version 2505 (Build 18827.20150)

Release date: June 10, 2025

This build fixes several bugs, including one for the entire Office suite in which a Save As attempt on an existing file didn’t complete successfully, and subsequent attempts continued to encounter issues when trying to save to a file that no longer existed.

This Patch Tuesday release also includes a variety of security updates: see details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about  Version 2505 (Build 18827.20150).

Version 2505 (Build 18827.20140)

Release date: June 3, 2025

This build offers a variety of bug and performance fixes.

Read about Version 2505 (Build 18827.20140).

Version 2504 (Build 18730.20186)

Release date: May 20, 2025

This build introduces a new PowerPoint feature: Notification emails for mentions, tasks, comments, and replies will now contain context previews even when the source document is encrypted, and the email will inherit the document’s security policies.

Get more info about Version 2504 (Build 18730.20186).

Version 2504 (Build 18730.20168)

Release date: May 13, 2025

This build fixes a bug in which users were seeing high CPU usage when typing in Outlook. It also includes a variety of security updates: see details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2504 (Build 18730.20168).

Version 2504 (Build 18730.20142)

Release date: May 6, 2025

This build includes various bug and performance fixes.

Get more info about Version 2504 (Build 18730.20142).

Version 2504 (Build 18730.20122)

Release date: April 29, 2025

This build fixes a wide variety of bugs, including one in which PowerPoint was unable to open a file from a network mapped drive from File Explore, another in which Word closed unexpectedly when opening .doc files, and another for the entire Office suite in which large 3D files couldn’t be inserted.

Get more info about Version 2504 (Build 18730.20122).

Version 2503 (Build 18623.20208)

Release date: April 17, 2025

This build fixes a bug that could cause Excel to stop responding.

Get more info about Version 2503 (Build 18623.20208).

Version 2503 (Build 18623.20178)

Release date: April 8, 2025

This build fixes a single bug in Word in which users may have encountered an issue with saving, seeing the message “saving…” in the title bar. It  also includes a variety of security updates. Go here for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2503 (Build 18623.20178).

Version 2503 (Build 18623.20156)

Release date: April 2, 2025

This build lets you use Dark Mode in Excel, which darkens your entire sheet, including cells, and may reduce eye strain. It also fixes several bugs, including one in Word in which opening specific files that contain many tracked changes and comments resulted in poor performance, and one in PowerPoint in which the app was not displaying the icon for an inserted PDF object.

Get more info about Version 2503 (Build 18623.20156).

Version 2502 (Build 18526.20168)

Release date: March 11, 2025

This build fixes several bugs, including one in which some Word files with numerous tracked changes and comments were slow. It also includes a variety of security updates: see details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2502 (Build 18526.20168).

Version 2502 (Build 18526.20144)

Release date: March 5, 2025

This build fixes a wide variety of bugs, including one in Word in which the default font size may not be 12pt as expected, and another in which PowerPoint automatically closed when the system went into hibernate or sleep mode.

Get more info about Version 2502 (Build 18526.20144).

Version 2501 (Build 18429.20158)

Release date: February 11, 2025

This build removes the option to display Track Changes balloons in left margin in Word. It also includes a variety of security updates. See “Release notes for Microsoft Office security updates” for details.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

Get more info about Version 2501 (Build 18429.20158).

Příkazy PowerShellu na Windows jsou sice extrémně mocným nástrojem, s jehož pomocí ovládnete a automatizujete prakticky celý operační systém, normou na poli serverů je dnes ale Linux, a tak se téměř žádný vývojář neobejde i bez znalosti jeho terminálu. I kdyby třeba jen spravoval svoje domácí ...

One of the best parts about using Android is the good old-fashioned geeky fun that comes with finding new ways to improve your digital environment — and improve your day-to-day efficiency.

That capability manifests itself in all sorts of interesting freedoms that (cough, cough) other mobile platforms don’t trust their users enough to allow — from added on-screen elements to custom air gestures, advanced multitasking additions, and all sorts of other shape-shifting enhancements that can completely change the way you interact with your device.

Perhaps the most classic example of advanced Android customization, though, is a splendid little somethin’ called the home screen launcher — a fancy way of saying the system that controls how your home screen and app drawer look and work. Your phone has a built-in process that handles that by default, but here in the land o’ Googley matters, you can always replace that with something completely different and make your device adapt to the way you like to work instead of the other way around.

We’ve got no shortage of interesting Android launcher options, too, ranging from versatile blank slates for complete customization to carefully crafted frameworks for ergonomic efficiency and even throwbacks to mobile operating systems past.

The real beauty of this ecosystem, though, is how much power it gives to Android developers — and subsequently to us, as Android-appreciating animals who embrace these creations! — to experiment and try out all sorts of new concepts. Sometimes, an Android launcher approach speaks to you for its practicality. Other times, it’s just a refreshingly interesting take on how you can get around your phone and get stuff done.

Today, I’ve got a perfect example to share with you. It’s a whole new approach to the Android home screen that’s both unlike anything else I’ve ever seen in this arena and delightfully familiar, in a retro-tech sense.

Lemme show ya what it’s all about.

[Get fresh Googley goodness in your inbox with my free Android Intelligence newsletter — three new things to try every Friday.]

The T9 Android launcher — with a modern twist

My friend and fellow enlightened Android phone owner, allow me to introduce you to a creative little concoction called Key Launcher.

Key Launcher has only been out and available on the Play Store for a matter of weeks now, but it’s impressively polished — and, even more important, impressively original while also having some fantastic geek-tech throwback vibes.

To that end, the core distinctive element of Key Launcher is the T9-style dialpad that sits front and center on the lower third of its primary panel. It is quite literally the same set of letter-packin’ numbers and characters you’d see on an old-school phone — or in the dialer of your favorite Android phone app.

width="1024" height="1022" sizes="auto, (max-width: 1024px) 100vw, 1024px">The T9 keypad is the centerpiece of the Key Launcher Android home screen experience.

JR Raphael, Foundry

And in this context, it serves some pretty interesting purposes:

• In true T9 style, you can find and access any app or contact on your phone simply by tapping the letter that corresponds with its name — and if you want to narrow down the list even further, you can keep typing letters to refine the results.
• You can long-press any number to create and then access a custom “super shortcut” — anything from a single specific action (opening a particular app or calling or texting a certain contact) to launching a group or category of apps or contacts, launching an on-demand pop-up widget or swipeable stack of widgets, or even launching a pre-filled search query.

One press, and poof: Any widget you want — or series of swipeable widgets, even — is right there and ready.

JR Raphael, Foundry

• If you tap the # key (known as “pound” in this context — not “hashtag” — for any non-olds among us), you can set up and then access a special “vault” area, where apps are hidden and only visible and accessible with authentication.
• And, in an especially nifty touch, you can also just use the dialpad as an actual dialpad — to punch in any number you want to text or call, even if it isn’t already in your contacts.

Your phone dialer is always right in front of you with Key Launcher as your home screen.

JR Raphael, Foundry

Function-packed as all of that may be, that dialpad is still just one piece of the Key Launcher puzzle. Above it sits a grid of app shortcuts that includes both your own pinned favorites and a dynamic selection of recently opened items. And above that is a handy built-in widget that shows a rotating array of upcoming calendar events from your agenda along with the local time and weather — and, in an especially neat twist, can also be customized to act as an interactive stack that lets you flip through your own set of standard Android widgets right then and there as well.

Key Launcher’s primary widget spot can be configured to hold numerous widgets in a swipeable stack.

JR Raphael, Foundry

Speaking of widgets, if you swipe toward the left on Key Launcher’s dialpad, you’ll reveal the launcher’s built-in “Widget Center” panel — which is an entire screen dedicated to holding however many widgets you want, in any configuration you like, for easy ongoing access.

The Widget Center is another interesting way to access widgets within Key Launcher.

JR Raphael, Foundry

A swipe in the other direction will take you to an enlarged view of your active notifications, meanwhile, while a swipe downward can be set to launch either a quick search (of Google or whatever provider you prefer), a search of your apps, or a direct Android app shortcut within any app on your device.

Swiping down on your home screen can trigger a shortcut of your choice.

JR Raphael, Foundry

And if all of that seems like a lot of productivity-boosting possibilities, just wait ’til you get into this thing’s settings. Key Launcher is overflowing with options to customize and control practically every facet of its operation, ranging from basic visuals to the specifics of how the dialpad works and even a toggle for optimizing the interface for left- or right-handed use.

Key Launcher is no slouch when it comes to settings.

JR Raphael, Foundry

Key Launcher is free on its base level with an optional Pro upgrade that unlocks certain limitations and more advanced features. That path is available for five bucks a year or $10 as a single lifetime purchase, and you get a month-long trial the first time you install the app so you can check it out in its full form.

The Pro path adds in lots of extras, but even Key Launcher’s free version is quite pleasant and functional.

JR Raphael, Foundry

Even if you just stick to the free version, though, this thing has an awful lot to offer — and it really is unlike anything else out there, with so many clever and potentially useful touches.

It’s that kind of creativity and constant discovery that keeps Android so interesting and advantageous, even after all this time — and that’s true whether you end up sticking with Key Launcher for the long haul or just giving it a go for a few hours and appreciating the deliciously original thinking it offers.

Keep the geeky goodies coming with my free Android Intelligence newsletter — three new things to try every Friday, straight from me to you.

Google is introducing a new Android security feature that will detect and flag phone calls in which scammers use artificial intelligence to impersonate a user's personal contacts. [...]

In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family “Argamal”.

The malware uses COM hijacking to persist on the victim’s machine, replacing the InprocServer32 entry for Windows Color System Calibration Loader DLL. This task is triggered when the user logs in, effectively allowing the malware to run at startup.

Kaspersky solutions detect this threat as Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen and HEUR:Trojan-Downloader.Win32.Argamal.gen.

Technical details Background

In April, as part of our ongoing monitoring of telemetry data, we found some suspicious DLLs. Further analysis revealed that various versions of these DLLs have existed since at least 2024.

The DLLs were spawned by different games written using various game engines and programming languages, including RenPy (Python) and RPG Maker MV (JavaScript), among others. However, they all had one thing in common: they were all hentai games. We searched for the distribution sources and found a number of websites hosting game screenshots and download links. These links redirected users to PixelDrain, a free file transfer service.

Adult games catalogue

In addition to these websites, the trojanized games have also been distributed via different torrent trackers, including AniRena.

Malicious game torrent in AniRena

Delivery

Both the dedicated websites and torrents delivered an archive containing the infected game.

Contents of the game archive

This archive contained fully functional, legitimate game files, as well as a modified FFmpeg DLL (SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85), that imported the DllGetClassObject function from a file called natives2_blob.bin. Since the game needs ffmpeg.dll to run properly, the library loads as soon as the user starts the game.

Script executor

The natives2_blob.bin (SHA1: edce72f59e4c1d136cd1946af70d334c19df858d) file is a DLL that executes a Base64-encoded PowerShell script when loaded.

The natives2_blob.bin file code

This PowerShell script, which we’ll call Stage1, performs basic checks for controlled environments. For example, it checks for the Sandboxie folder in Program Files and Procmon64 in the process list. If all the checks indicate that the process is not running in a controlled environment, it proceeds to establish persistence.

Stage1 sets the MI_V environment variable (and also MI_V2 in the new versions of malware) for the current user to another Base64-encoded PowerShell script, which we’ll call Stage2. After that, it sets the InprocServer32 registry key at HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876} to a random DLL file name in a random subdirectory of %USER%\AppData\Local, as well as the ShellFolder subkey to another random DLL file name in the same location. Stage1 also creates a scheduled task that will execute three days later. This task executes Stage2 and runs once.

Stage2 is a payload downloader script. It takes previously generated DLL filenames from the registry and downloads an encrypted payload called zaesdl.dat from GitHub using bitsadmin.exe. The downloaded payload is saved in the settings.dat file in the randomly chosen subdirectory of %USER%\AppData\Local. Stage2 decrypts it using AES-CBC with the key zbcd1j9234r670eh and an IV equal to the key. The decrypted payload is then saved in the DLL file specified in the ShellFolder registry subkey.

The decrypted payload is set as InprocServer32 at HKCU\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}, which is a COM object used by the \Microsoft\Windows\WindowsColorSystem\Calibration Loader scheduled task. This task runs every time a user logs in, allowing the malware to run during every user session.

Before quitting, Stage2 also removes the changes made under the HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876} registry key, unsets the MI_V environment variable (and MI_V2 in newer versions), and removes the scheduled task that launched Stage2.

Malicious agent

Early payload versions decrypted themselves using the 0xB0C1D4E9 rolling XOR key, where the decryption key for the i + 1 block is the encrypted content of the i block (each encrypted block being four bytes long). The most recent agent versions don’t do that.

The samples we found had string encryption; they use a simple substitution with a key that corresponds position-by-position to the following alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#$./:<>*&~. The decryption process involves finding the position of each symbol of the encrypted strings in the key, and replacing it with the symbol that occupies the same position in the alphabet.
During our investigation, we found the following keys were used:

• 17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
• 71htUno/I3L&fK2H#aypE@b5NqZ$Q4xmeF.s96uB>jdkWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
• E1hUtno/IL3&fK2H#ypa7@b5NqZ$Q4xmeF.s69uB>jkdWCvPAgD*XwO:iR~TrMV0YGl8z<JcS

All symbols not used in the key remain unchanged.

String decryption

The payload checks for the presence of the following security solutions using the output of the tasklist command:

• Kaspersky
• Avast
• McAfee
• BitDefender
• MalwareBytes
• +36 other solutions

Security solution detection logic

The payload itself is a RAT with broad functionality. The default C2 server is asper1[.]freeddns[.]org for earlier versions and Winst0[.]kozow[.]com for the latest versions of the payload. Both domains point to 186[.]158.223.35. We also saw another IP address for the first C2 in pDNS records, though we haven’t actually seen it in use. The C2 address can change based on a C2 reply or when certain conditions are met. For example, if the user’s default locale is set to “zh-CN”, the RAT sets its C2 address to country1[.]ignorelist[.]com. During most of our investigation, this domain pointed to 127[.]0.0.1, but starting April 26, it has been pointing to 186[.]158.223.35 as well.

The payload sends UDP heartbeats to port 57441 of the C2 server. These heartbeats contain information about detected security solutions, system startup time, time since last input activity, architecture info, machine IP address and username.

The C2 may respond to the heartbeat. Based on this response, the payload can perform different actions. Below is the full list of available commands.

Response first byte Description 0x31 Run DLL on the system 0x57 Send UDP request to the specified address 0x55 Open file or link from the response 0x50 Collect information about the infected system (e.g. process list and architecture) 0x53 Execute command from the response using ShellExecuteW 0x52 Run the file specified in the response using WinExec 0x42 Delete the file specified in the response 0x41 Update C2 domain 0x59 Get new payload: connect to C2 port 63559/UDP, get new DLL and update COM path in the registry

The C2 can also set a flag in the response that will turn on the extended RAT mode. In this mode, the payload communicates with the C2 server using the 3747/tcp port.

TCP communications are encrypted using a simple substitution cipher. Each character is replaced using a fixed mapping defined by the key:

koP]Y4Os-_t?cB',aK.Wm>QM2[U!^C`*@Ff:X\6Dp8H%ATydE<e(#G&LhwRZ5znjJqgNrl)I7V$3=910"+Svxi/;ub

This key corresponds position-by-position to the standard ASCII character sequence:

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}

In other words, each character in the ASCII set is replaced by the corresponding character in the key string.

C2 requests and responses are divided into two parts by the first space character. The first part is a command and the second part is usually an argument.
After connecting and before receiving information from the C2, the malware sends metadata about the infected machine using the NOOP command. This metadata includes a run cycle counter, mounted drive metadata, time since the last input activity and data about the display settings.

Based on the C2 command, the malware can execute commands on the infected machine, perform reboot and shutdown actions, control the cursor, take screenshots, compress files into archives, and send files to other specified servers. In short, it can fully control the machine. The full list of commands is as follows:

System control

• KILL REBOOT: Reboots the infected system
• KILL POWER: Shuts down the infected system
• KILL SELF: Same as the QUIT command (described below)
• KILL ME: Exits process running the malware

Surveillance

• SCREEN / SCREEN9: makes a screenshot, saves it to the ~wra1269.tmp file and sends it to the C2

File operations

• DELETE <filename>: deletes specified file
• DELDIR <dirname>: deletes specified directory
• REN <file path 1>#<file path 2>: moves specified file
• MAKDIR <path>: creates directory
• ZIPFILE <file or folder name> / ZIPFOLDER <file or folder name>: compresses specified file/folder into a .zip archive
• TAR <file or folder name> / TAR2 <file or folder name>: compresses specified file/folder into a .tar archive
• GETFILEDATE <filename>: sends file’s last modification date
• SETFILEDATE <filename>: sets file’s last modification date
• GETFILEACC <filename>: sends file’s last access date
• DWLOAD <filename>: sends file to the C2
• UPLOAD <filename>#<C2 address>: uploads file to the specified C2 server

Reconnaissance

• USER: sends username
• KALIVE: sends run cycle counter
• IDLE: sends number of seconds passed since last input activity
• DRIVES: sends information about mounted drives
• FOLDEX <folder type>: sends full path to a directory of the specified type:
• – type = 0x63: temporary directory
• – type = 0x64: \Google\Chrome\User Data\Default\ in AppData\Local folder
• – type = 0x65: \Downloads\ in user home directory
• – type = 0x66: \Microsoft\Excel\XLSTART\ in AppData folder
• – type = 0x67: AppData folder
• LFILES <folder path>: lists and sends paths to all files in the directory
• OSVER: sends information about user, hostname, OS architecture and version
• COMPILERDATE: sends constant hardcoded in the RAT, e.g., 25.10.2025

Generic control

• DSOCKE: recreates TCP keep-alive socket
• QUIT: notifies the C2 about quitting, closes the socket and stops the process
• RUNHID <command> / RUN <command>: runs specified command inside ShellExecuteW
• RUNDOS <command>: runs specified command inside CreateProcessW
• RUNTASK <command>: creates, runs and deletes task that executes specified command
• SKEY <key code>: presses specified key
• MOUSE FREEZE: freezes mouse movement
• MOUSE <command>: clicks the specified mouse button or sets the cursor position to the specified coordinates

Other delivery methods

During our research, we also observed other delivery methods for the RAT. Instead of patching FFmpeg and downloading the payload from GitHub, the attackers included the main payload as libpython64.dat or another file with a similar name in the lib\py3-windows-x86_64 directory of the game. This .dat file was loaded by one of the libraries used in the game, which was patched for this purpose.

In another case, the threat actor posted their malicious DLL file (payload downloader) on a gaming forum, disguising it as a cheat.

Infrastructure

Our research revealed the following infrastructure was used in this attack.

Domain IP First seen ASN asper1[.]freeddns[.]org 181[.]116.218.56 September 16, 2024 11664 186[.]158.223.35 July 01, 2025 11664 country1[.]ignorelist[.]com 186[.]158.223.35 September 10, 2025 11664 127[.]0.0.1 November 11, 2025 – Winst0.kozow[.]com 186[.]158.223.35 April 26, 2026 11664 Victims

According to our telemetry, hundreds of individuals were infected with this malware. The majority of the victims were located in Russia, Brazil, Germany and Vietnam.

Distribution of victims (download)

Attribution

Based on the language of the comments in the code, infrastructure data and other facts we assess with medium confidence that the developer of the downloader chain speaks Spanish.

The actor behind this attack uses Spanish in variable names and comments. For example, the Base64-decoded delivery script contains the following lines:

Part of the PowerShell script used in the payload delivery

In addition, the JavaScript code from the website distributing infected games contains variable names, function names and comments in Spanish:

JavaScript code from the malicious site

Notably, the malware payloads used in this attack had previously chosen 127.0.0.1 as their C2 server when the victim’s default locale is set to “zh-CN”, thus not targeting Chinese users. This may indicate that the attacker is associated with a Chinese-speaking threat actor or uses payloads developed by a Chinese-speaking threat actor. However, we still believe it’s unlikely that the developer of these delivery chains is Chinese-speaking.

Conclusions

The Argamal Trojan is a new RAT targeting individuals who seek adult games. During our analysis, we observed a steady stream of updates to the payload, including the addition of new features and fixes for various bugs, as well as changes to the infrastructure. This leads us to believe that the threat actor behind this malware will continue to develop and enhance it. The campaign’s goal is likely data and credential theft; however, the RAT enables the attacker to take full control of the device and execute any malicious activity they want.

Creating malware in today’s development landscape has become significantly easier thanks to the wide availability of detailed guides, tooling, and automation resources. As a result, it is crucial not only to detect known malware but also to identify new and evolving threats as they emerge. Kaspersky solutions prevented the malicious activity in the earliest stages of the attack. The solutions help ensure device security by identifying not only known threats but also the behavior of the software and its actions, providing comprehensive protection against malware.

Indicators of Compromise

File hashes
RAT payloads:
76253fb55aed707440e808ea78e7101318436b1c
1405a3c5e0aeb08012484134e16cdec4ab29b4a4
535f4337f261b6da20a3c614eb13270bed2d533a
d2cb0d7a9ad2b5d4ea7c2da8aec62beb37cf36d6
e05f1767c2a337910ed75e90288838d6d0541164
dad26f61da7b8bccc78364411812be74c025b475
29f1d346a6e71774c7dad25b90f446b2974393df
e815a9b418d09c2d4bcd074c2c0bc21406eeb22f
17f8f8f34dfa737f36182fed7ff9e9814a114058
954722b0c9c678b1313d1f8b204e102842dc5889
69331cfdac792dc79240e6a6bb6e803eabd70beb
901cfa97b1baaf908fd4a02bb52d970f576c4193
5f1f3689bcf23de1b280b5f35712946da0f7978f
c2d9d48b3b10bd58cdf5df9463e3ffcd60533ff3
2423a5bf0fa7cb9ec09211630a5488629499691b
ae4601a19d28332a3ec6ac31b385cdf53be53450

Trojan downloaders:
9803604ec45f31f9ef75bcca1e1310d8ac1fc3a6
edce72f59e4c1d136cd1946af70d334c19df858d
02819d200d1424882af81cb504b3e8614b32397a

Domains and IPs
asper1[.]freeddns[.]org
Winst0[.]kozow[.]com
Country1[.]ignorelist[.]com
186[.]158.223.35

GitHub repositories used in the campaign
hxxps://github[.]com/gmz159/u
hxxps://github[.]com/DnyP/files
hxxps://github[.]com/mgzv/p

Pluto.jl, reaktivní notebook pro programovací jazyk Julia, dospěl do verze 1.0.

Windows 11 Insider Experimental Preview build 26300.8553 vyšly. • Rozšiřují možnosti přizpůsobení nabídky Start. • Vyhledávat můžete od středu názvů souborů.

Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining

Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Společnost Rambus představila kompletní řešení pro DDR5-9600, čipset pro paměťové moduly, který zvládne zajistit stabilitu při až 9600 MT/s. Počítá zřejmě s desktopem a notebooky příští generace…

A security researcher has released exploit code for a Visual Studio Code (VS Code) zero-day vulnerability that allows attackers to steal GitHub authentication tokens by tricking users into clicking a link. [...]

Odhalte technologie a fyzikální principy, díky kterým se z hodinek stala zdravotní laboratoř na zápěstí.

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems. The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, stating the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3820

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems. The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, stating the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3820 Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Cloud computing has reached a crossroads. The high cost and data sensitivity of AI workloads are raising the appeal of private clouds, even as neoclouds and sovereign clouds shake up the cloud provider landscape. New cyberthreats, shifting compute requirements, and management complexity are adding to cloud complications.

Download the June 2026 issue of the Enterprise Spotlight from the editors of CIO, Computerworld, CSO, InfoWorld, and Network World, and learn how to navigate the latest cloud strategy developments.

Ačkoliv se mohlo v posledních dvou letech zdát, že bed slingery nemají budoucnost a symbolem desktopové FDM/FFF 3D tiskárny se definitivně stane krabice s kinematikou CoreXY, Bambu Lab si to ještě úplně nemyslí. Tiskový objemem 330×320×325 milimetrů Světle šedá mašinka A1 se totiž dočkala nové ...

Intel oznámil, že jeho profesionální akcelerátor Crescent Island, který vzešel z architektury Celestial, podporuje až 480 GB LPDDR5X. To by ale musel nějaký výrobce osadit, Intel sám zůstane na 160GB…