SEVEN.LEGEND // V4
WELCOME TO SEVEN'S DOMAIN

SECURE RESEARCH FACILITY

System initialization complete.
Accessing main mainframe...

Explore exploits, custom tools, and historical archives.

ACCESS LOGS
SYSTEM LOG // RECENT ACTIVITY
"The object in life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane."
Windows 11 24H2 — The Hidden Hypervisor Killing Your Emulator
LOG DATE: April 09, 2026
If you're running LDPlayer, BlueStacks, MuMu, VirtualBox, or VMware on a fresh Windows 11 24H2 install and everything is stuck, slow, or crashing — this is why.

Microsoft introduced an undocumented change in 24H2 that ties Virtualization-Based Security (VBS) to Windows Hello. Even if you've done everything right — SVM enabled in BIOS, Hyper-V disabled, Memory Integrity off, hypervisorlaunchtype set to off — the Windows hypervisor is still loading silently in the background.

Your emulator can't access AMD-V or VT-x directly, because the Windows hypervisor already owns the CPU's virtualization root mode. Instead it falls back to running on top of that hypervisor (VirtualBox calls its fallback NEM, the Native Execution Manager, which goes through the Windows Hypervisor Platform API instead of driving AMD-V/VT-x itself), and that path runs like garbage. LDPlayer sits at 94% forever. VirtualBox throws "AMD-V is not available." VMware says the host doesn't support virtualization. All lies. Your hardware is fine. Windows is hijacking it.

The smoking gun is in the VirtualBox log:

HM: HMR3Init: Attempting fall back to NEM: AMD-V is not available

That line means VirtualBox's HM (hardware-assisted mode) init failed to acquire AMD-V because another hypervisor had already claimed the CPU's virtualization extensions before VirtualBox could touch them, so it dropped to the NEM path.

I burned hours debugging this on a brand new Ryzen 7 7700X + RTX 5060 Ti build. Every troubleshooting guide on the internet was useless. The fix was buried in a Reddit thread from late 2024 and confirmed across multiple Microsoft Q&A posts that were all marked "not answered."

The culprit is a single registry key that doesn't appear in any official Microsoft documentation:

HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\WindowsHello\Enabled

Set it to 0. That's the one everyone is missing. But it's not the only thing you need to hit — there are four phases to fully kill VBS on 24H2.

I wrote a PowerShell script that handles all of it: BCD config, the full DeviceGuard registry tree including the hidden WindowsHello key, Windows feature removal, and Group Policy overrides to stop it from coming back after updates.

Grab it here: https://sevlegend.com/?page=codes&code=Ld-amd&cp=1

After running it and rebooting, msinfo32 should show "Virtualization-based security: Not enabled" and your VBox.log should read "AMD-V is active" instead of that NEM fallback garbage.
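Below is an added example of what the four phases look like as PowerShell; it is not the script linked above, and it has not been lifted from that page. The WindowsHello scenario key is the one described in this post and is taken on the post's word; every other value (EnableVirtualizationBasedSecurity, the other Scenarios subkeys, LsaCfgFlags, the Policies\...\DeviceGuard mirror, the optional feature names) is a documented Microsoft setting. The Win32_DeviceGuard CIM class is what msinfo32 reads, so Get-VbsState gives you the same "Not enabled" answer without opening the GUI. One security caveat worth stating plainly: VBS is also what Memory Integrity (HVCI) and Credential Guard run on, so this turns off real mitigations. Do it on the emulator/gaming box, not on a workstation that holds domain credentials.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script. Assumes the WindowsHello scenario key
# from the post; all other keys are documented DeviceGuard / policy settings.
# Turning VBS off also turns off HVCI and Credential Guard.

$DeviceGuard = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$Policy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

function Get-VbsState {
    # Win32_DeviceGuard is what msinfo32 reads:
    # VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but not running, 2 = running
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus            = $dg.VirtualizationBasedSecurityStatus
        ServicesRunning      = ($dg.SecurityServicesRunning -join ',')
        HypervisorLaunch     = (bcdedit /enum '{current}' | Select-String 'hypervisorlaunchtype').Line
        WindowsHelloScenario = (Get-ItemProperty -Path "$DeviceGuard\Scenarios\WindowsHello" -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
}

function Set-Dword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Disable-VbsForEmulators {
    # Phase 1: BCD - stop the hypervisor launching at boot
    bcdedit /set hypervisorlaunchtype off | Out-Null

    # Phase 2: the DeviceGuard tree. Every Scenarios subkey is a separate reason
    # VBS can come back up on its own, so all of them go to 0, including WindowsHello.
    Set-Dword $DeviceGuard 'EnableVirtualizationBasedSecurity' 0
    Set-Dword $DeviceGuard 'RequirePlatformSecurityFeatures' 0
    foreach ($scenario in 'HypervisorEnforcedCodeIntegrity', 'CredentialGuard', 'SystemGuard', 'KernelShadowStacks', 'WindowsHello') {
        Set-Dword "$DeviceGuard\Scenarios\$scenario" 'Enabled' 0
    }
    Set-Dword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags' 0   # Credential Guard off

    # Phase 3: optional features that pull the hypervisor back in (Hyper-V, WSL2/VMP, WHP)
    foreach ($feature in 'Microsoft-Hyper-V-All', 'VirtualMachinePlatform', 'HypervisorPlatform') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        }
    }

    # Phase 4: the policy mirror. The "Turn On Virtualization Based Security" GPO
    # writes here; an explicit 0 is what survives feature updates re-evaluating it.
    Set-Dword $Policy 'EnableVirtualizationBasedSecurity' 0
    Set-Dword $Policy 'HypervisorEnforcedCodeIntegrity' 0
    Set-Dword $Policy 'LsaCfgFlags' 0
}

Write-Host 'Before:'; Get-VbsState
Disable-VbsForEmulators
Write-Host 'Reboot, then run Get-VbsState again: VbsStatus should be 0 and hypervisorlaunchtype Off.'
```

Run it from an elevated PowerShell, reboot, and re-run Get-VbsState. If VbsStatus is still 2 after the reboot, the usual cause is that VBS was originally enabled with the UEFI lock (a Locked value of 1 next to the Enabled values); the registry changes alone do not clear that, and you need Microsoft's documented bcdedit loadoptions procedure for removing the lock before these settings take effect.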

Filed under: things Microsoft should have documented but didn't.
Supply Chain Alert: Malicious 'Tracer.Fody.NLog' Package Targets .NET Developers
LOG DATE: February 06, 2026
The Socket Threat Research Team has identified a sophisticated typosquatting attack within the NuGet ecosystem. A malicious package, Tracer.Fody.NLog, has been found impersonating the popular and legitimate Tracer.Fody library. By mimicking the naming convention of the original author, the attacker (using the handle csnemess) aims to deceive developers into integrating a silent cryptocurrency wallet stealer into their production environments.

How the Attack Works:

Typosquatting: The package name copies the naming convention of the legitimate author's packages, so a developer who assumes it is an official NLog companion to Tracer.Fody, or who mistypes the real ID during installation, installs the impostor instead.

Silent Exfiltration: The malicious code is embedded within standard helper functions, allowing it to bypass basic code reviews.

Targeted Theft: It specifically scans for Stratis cryptocurrency wallet files (*.wallet.json) and attempts to exfiltrate them, along with passwords, to a remote server.

Immediate Actions Required:

Audit Dependencies: Check all .csproj and packages.config files for any reference to Tracer.Fody.NLog.

Remove & Purge: If found, remove the reference immediately and purge your local NuGet cache.

Rotate Credentials: If you have used this package, consider all local wallets and environment variables compromised.

I have developed a custom PowerShell scanner to automate this detection and removal process. You can find the source in the [CODE] section of this deck.
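As an added example (not the scanner in the [CODE] section), the audit and purge steps above as a PowerShell script. It assumes a Windows dev box with the dotnet CLI on PATH and the standard NuGet global-packages folder under the user profile. Beyond the .csproj and packages.config files the alert names, it also checks Directory.Packages.props, packages.lock.json and obj\project.assets.json, because a package can arrive transitively through another dependency and then shows up only in the resolved graph, never in your own project file.

```powershell
# Added example, not the author's [CODE]-section scanner. Assumes dotnet CLI on PATH
# and the default NuGet global-packages folder (%USERPROFILE%\.nuget\packages).
param(
    [string]$Root = (Get-Location).Path,
    [switch]$Remove
)

$BadPackage = 'Tracer.Fody.NLog'
$Escaped    = [regex]::Escape($BadPackage)

# One pattern per place the package can appear. -match is case-insensitive,
# which matches NuGet's own case-insensitive package IDs.
$Patterns = @{
    'PackageReference' = "<PackageReference\s+Include\s*=\s*`"$Escaped`""     # SDK-style projects
    'packages.config'  = "<package\s+id\s*=\s*`"$Escaped`""                   # legacy projects
    'PackageVersion'   = "<PackageVersion\s+Include\s*=\s*`"$Escaped`""       # central package management
    'resolved graph'   = "`"$Escaped[/`"]"                                    # packages.lock.json / project.assets.json
}

function Find-BadPackageReferences {
    param([string]$Path)
    $files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue `
        -Include *.csproj, *.fsproj, *.vbproj, packages.config, Directory.Packages.props, packages.lock.json, project.assets.json
    foreach ($f in $files) {
        $text = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { continue }
        foreach ($kind in $Patterns.Keys) {
            if ($text -match $Patterns[$kind]) {
                [pscustomobject]@{ File = $f.FullName; Kind = $kind }
            }
        }
    }
}

function Find-CachedBadPackage {
    # The global-packages folder lowercases IDs; an extracted copy here means the
    # DLL has already been on disk, whether or not a project still references it.
    $dir = Join-Path (Join-Path $env:USERPROFILE '.nuget\packages') $BadPackage.ToLowerInvariant()
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Directory | ForEach-Object {
            [pscustomobject]@{ File = $_.FullName; Kind = 'global-packages cache' }
        }
    }
}

function Remove-BadPackage {
    param([object[]]$Hits)
    $projects = $Hits | Where-Object { $_.File -match '\.(cs|fs|vb)proj$' } |
        Select-Object -ExpandProperty File -Unique
    foreach ($p in $projects) {
        # dotnet edits the project file in place. packages.config projects need a manual edit.
        dotnet remove $p package $BadPackage
    }
    # Purge every local NuGet cache so a restore cannot resurrect the extracted copy.
    dotnet nuget locals all --clear
}

$hits = @(Find-BadPackageReferences -Path $Root) + @(Find-CachedBadPackage)
if (-not $hits) {
    Write-Host "No reference to $BadPackage under $Root or in the NuGet cache."
    return
}
$hits | Format-Table -AutoSize
if ($Remove) { Remove-BadPackage -Hits $hits }
```

Run it read-only first (`.\scan.ps1 -Root C:\src`), then with -Remove once you have looked at the hits. A hit that appears only under 'resolved graph' with no project-file hit is a transitive pull: find the dependency that brought it in with `dotnet list <project> package --include-transitive` and remove that one too, or the next restore puts it back. And as the alert says, finding it at all means treating the local Stratis wallets and any secrets in environment variables on that machine as compromised.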

Source: https://socket.dev/blog/malicious-nuget-package-typosquat...