Windows 11 KB5079391 update rolls out Smart App Control
Microsoft has released the KB5079391 preview cumulative update for Windows 11 24H2 and 25H2, which includes 29 changes, such as Smart App Control and Display improvements. [...]
What Happened
Microsoft has released the KB5079391 preview cumulative update for Windows 11, featuring significant improvements to its Smart App Control feature. This update, containing 29 changes, aims to enhance application security by providing stricter control over untrusted software execution. Concurrently, threat intelligence reveals a surge in ransomware activity attributed to the pro-Ukrainian group Bearlyfy, which has reportedly hit over 70 Russian companies with a custom variant called GenieLocker since January 2025. The timing highlights a critical period where defensive platform enhancements are rolling out alongside an aggressive offensive campaign.
Why It Matters
The parallel developments underscore a pivotal dynamic in cybersecurity: the continuous arms race between platform defenders and threat actors. Smart App Control is a core Microsoft security feature designed to block malicious or untrusted applications, a direct countermeasure to ransomware payloads like GenieLocker. For security teams, this update represents a tangible tool to harden endpoints against a prevalent attack vector. The Bearlyfy campaign demonstrates that ransomware remains a high-volume, impactful threat, particularly in geopolitically charged contexts, making the efficacy of built-in controls like Smart App Control more critical than ever for organizations worldwide.
Technical Details
The KB5079391 update enhances Smart App Control’s ability to evaluate application trust using a combination of code signing, reputation services, and heuristic analysis within a hardened Windows security model. This is a preventive measure against unauthorized execution. In contrast, the Bearlyfy group’s GenieLocker ransomware operates as a malicious executable that would be a primary target for such a control. While specific initial access vectors for the recent campaign are not detailed in the provided sources, ransomware typically deploys via phishing, exploit kits, or compromised credentials. The update does not address a specific CVE but improves systemic application allow-listing defenses.
Immediate Risk
The immediate risk is bifurcated. Organizations that delay deploying the KB5079391 update, particularly those in sectors or regions that may become collateral targets of ideologically motivated groups, remain more exposed to ransomware threats. The Bearlyfy campaign, while currently focused on Russian entities, exemplifies the rapid operational tempo of modern ransomware groups that can easily shift targets. Security teams should treat validating this update in their testing cycles and deploying it as a high-urgency task, so that the improved security posture is in place before their environment is probed or targeted by similar threats.
Security Insight
This correlation is a stark reminder that software vendors and defenders are in a constant cycle of action and reaction. Proactively enabling and testing features like Smart App Control is a fundamental step in mitigating ransomware risk. Security teams should treat this update not as a routine patch but as a strategic enhancement to their application control policy. Furthermore, defense-in-depth remains essential; while Smart App Control is a robust barrier, it should be complemented with other measures such as patches for CVE-2026-32194 and CVE-2026-32191, network segmentation, and robust backup strategies to create a resilient security architecture against determined adversaries.