{
	"id": "f546891a-4b4a-41f2-ab6f-0eed09938abf",
	"created_at": "2026-04-06T00:22:18.701095Z",
	"updated_at": "2026-04-12T02:22:22.212351Z",
	"deleted_at": null,
	"sha1_hash": "1f60211796631c32fac63dc1d2ded5e30701098d",
	"title": "TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 710223,
	"plain_text": "TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly\r\nBy Lawrence Abrams\r\nPublished: 2020-01-30 · Archived: 2026-04-05 14:39:12 UTC\r\nThe TrickBot Trojan has switched to a new Windows 10 UAC bypass to execute itself with elevated privileges without showing a User Account Control prompt.\r\nWindows uses a security mechanism called User Account Control (UAC) that displays a prompt whenever a program requests administrative privileges.\r\nWhen a prompt is shown, it asks the logged-in user whether to allow the program to make changes; if the program is suspicious or unrecognized, the user can block it from running.\r\nUAC Prompt\r\nUAC bypasses are found in legitimate Microsoft Windows programs that the operating system uses to launch other programs. Microsoft does not treat UAC as a security boundary, so bypasses are not a high priority, and it can be a long time before a discovered bypass is fixed, if it is fixed at all.\r\nTo avoid being detected, malware developers sometimes use a UAC bypass so that the malware runs with administrative privileges without displaying a UAC prompt that would alert the user.\r\nTrickBot switches to the Wsreset.exe UAC bypass\r\nJust recently we reported that TrickBot had begun using a Windows 10 UAC bypass that utilizes the legitimate Microsoft fodhelper.exe program.\r\nThis week, ReaQta discovered that TrickBot has switched to a different UAC bypass that utilizes the Wsreset.exe program.\r\nWsreset.exe is a legitimate Windows program used to reset the Windows Store cache. It is Microsoft-signed and marked as auto-elevating, so it starts with administrative privileges without a UAC prompt.\r\nWhen executed, Wsreset.exe reads a command from the default value of the HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command key and executes it. Because the key lives under HKCU, a standard user can create it without elevation, and the command it holds inherits the elevated privileges of Wsreset.exe.\r\nNo UAC prompt is displayed when the command runs, so the user has no indication that a program has been executed.\r\nTrickBot is now exploiting this UAC bypass to launch itself with elevated privileges without the logged-in Windows user being notified by a UAC prompt. Defenders can look for this key under HKCU, which is normally absent on a clean system, and for Wsreset.exe spawning unexpected child processes.\r\nRegistry commands added by TrickBot\r\nSource: ReaQta\r\nThis allows the trojan to run silently in the background while it harvests saved login credentials, SSH keys, browser history, cookies, and more.\r\nTrickBot is particularly dangerous because it can propagate throughout the network, and if it gains admin access to a domain controller it can steal the Active Directory database to obtain further credentials.\r\nEventually, TrickBot is known to open a reverse shell back to the Ryuk ransomware actors so that they can encrypt the entire compromised network.\r\nUpdate 1/30/20: Morphisec published an analysis of TrickBot using the Wsreset.exe UAC bypass, and it is a great read for those who want a more technical deep dive.\r\nH/T @gN3mes1s\r\nSource: https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/"
	],
	"report_names": [
		"trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly"
	],
	"threat_actors": [],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775960542,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f60211796631c32fac63dc1d2ded5e30701098d.pdf",
		"text": "https://archive.orkl.eu/1f60211796631c32fac63dc1d2ded5e30701098d.txt",
		"img": "https://archive.orkl.eu/1f60211796631c32fac63dc1d2ded5e30701098d.jpg"
	}
}