
Initially distributed through the Microsoft Store as an AI-powered productivity tool, the app was removed in late April 2026 following public disclosure of its behavior.
Security analysts revealed that Vibing.exe operated stealthily in the background, automatically launching upon Windows login to maintain persistence.
Once active, the application continuously monitored user activity without providing clear consent prompts or notifications.
It captured periodic screenshots of the user’s desktop and intercepted clipboard data, allowing it to copy sensitive text such as passwords or internal communications.
The captured screenshots were converted into base64-encoded data and transmitted to a remote server.
In addition to visual data, Vibing also activated the system microphone to record audio.
These data streams were bundled with a unique hardware GUID, enabling operators to track individual devices over time and build detailed behavioral profiles.
To evade traditional network defenses, Vibing transmitted data via WebSocket connections, bypassing many proxy filtering mechanisms.
The application also collected contextual information such as window titles and predefined keywords, further increasing the risk of sensitive data exposure.
Hidden Microsoft Link Raises Concerns
Independent security researcher Kevin Beaumont uncovered that, despite claims of being developed by an unknown “Vibing-Team,” the application was digitally signed by Yaoyao Chang, a researcher associated with Microsoft’s GenAI labs in Beijing.
Further investigation using open-source intelligence tools showed that the exfiltrated data was routed to a Microsoft-owned Azure tenant.

The project was presented as an open-source initiative on GitHub under the “VibeVoice” name. However, the repository contained no actual source code, only an 80MB executable binary, raising immediate red flags.
Developers who questioned the app’s behavior reported that their concerns were dismissed, with issue tickets closed without resolution.
Researchers highlighted multiple critical risks associated with Vibing.exe:
- Lack of transparency about remote data collection and transmission.
- Misleading privacy policies that claimed user-configurable APIs while endpoints were hardcoded.
- Persistent tracking using unique hardware identifiers.
- Absence of clear data governance or retention policies.
Following mounting scrutiny, Microsoft removed the application and disabled its backend infrastructure on April 24, 2026.
The company has since launched an internal investigation to determine how the app bypassed its security and compliance review processes.
Security teams are advised to proactively hunt for indicators of compromise. This includes identifying files such as vibing.exe or Vibing Installer.exe on endpoints.
Network defenders should also monitor and block outbound traffic to the Azure endpoint:
- vibing-api-ccegdhbrg2d6bsd7.b02.azurefd.net
Organizations are urged to review endpoint activity logs and ensure no residual data exfiltration is occurring.
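The hunt described above, as an added example that is not part of the original article: Python that matches the published file names and hostname against exported endpoint and network events, tolerating case differences, trailing dots and URL schemes while rejecting lookalike names. The event field names (`device`, `image`, `dest`) and the sample records are constructed assumptions, not a real log schema.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators exactly as published in the article.
IOC_FILES = {"vibing.exe", "vibing installer.exe"}
IOC_HOST = "vibing-api-ccegdhbrg2d6bsd7.b02.azurefd.net"

def host_of(value):
    """Return the lowercase hostname from a URL, host:port or bare FQDN."""
    if "//" not in value:
        value = "//" + value          # let urlsplit treat it as a netloc
    return (urlsplit(value).hostname or "").rstrip(".")

def host_hit(value):
    host = host_of(value)
    # Exact host or a subdomain of it; lookalike suffixes must not match.
    return host == IOC_HOST or host.endswith("." + IOC_HOST)

def file_hit(path):
    # Windows file names are case-insensitive; compare the base name only.
    return PureWindowsPath(path).name.lower() in IOC_FILES

def hunt(events):
    """Return sorted (device, reason) findings for a list of event dicts."""
    findings = set()
    for ev in events:
        dev = ev.get("device", "unknown")
        if ev.get("image") and file_hit(ev["image"]):
            findings.add((dev, "file:" + PureWindowsPath(ev["image"]).name))
        if ev.get("dest") and host_hit(ev["dest"]):
            findings.add((dev, "network:" + IOC_HOST))
    return sorted(findings)

# Constructed sample events; paths and device names are placeholders.
SAMPLE = [
    {"device": "WS-014", "image": r"C:\Example\Vibing.exe"},
    {"device": "WS-014", "dest": "wss://VIBING-API-ccegdhbrg2d6bsd7.b02.azurefd.net/ws"},
    {"device": "WS-022", "dest": "vibing-api-ccegdhbrg2d6bsd7.b02.azurefd.net."},
    {"device": "WS-031", "image": r"D:\Example\Vibing Installer.exe"},
    {"device": "WS-040", "image": r"C:\Example\notvibing.exe"},
    {"device": "WS-040", "dest": "https://vibing-api-ccegdhbrg2d6bsd7.b02.azurefd.net.example.com/"},
]

if __name__ == "__main__":
    for device, reason in hunt(SAMPLE):
        print(device, reason)
```

The `dest` field accepts DNS query names, proxy URLs or WebSocket URLs, so one pass covers resolver, proxy and firewall exports.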
The post Microsoft Store App Vibing.exe Accused of Harvesting Screens, Audio, and Clipboard Data appeared first on Cyber Security News.
