{
	"id": "c5342c5c-d25b-429a-ae99-8c779728aef3",
	"created_at": "2026-04-06T00:12:12.559382Z",
	"updated_at": "2026-04-10T03:35:53.179402Z",
	"deleted_at": null,
	"sha1_hash": "2b92911dc1cad928ecfc8a42d00850cf737d8722",
	"title": "Rewterz Threat Alert - Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49132,
	"plain_text": "Rewterz Threat Alert - Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs - Rewterz\r\nPublished: 2023-12-30 · Archived: 2026-04-05 18:17:54 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nMicrosoft stated that it is disabling the ms-appinstaller protocol handler again after various threat actors exploited it as an initial access vector to distribute malware. Cybercriminals have also been observed selling a malware kit that uses the ms-appinstaller protocol handler and the MSIX file format.\r\nThe attacks use signed malicious MSIX application packages spread through Microsoft Teams or through malvertising of legitimate popular software on Google Search. At least four financially motivated threat groups have been detected leveraging the App Installer service since November 2023, using it for initial access ahead of ransomware operations. These groups are:\r\nStorm-0569 is an initial access broker that distributes BATLOADER using search engine optimization (SEO) poisoning with websites that spoof Zoom, TeamViewer, Tableau, and AnyDesk. It uses the loader malware to inject the Cobalt Strike payload and transfers access to Storm-0506 for deployment of the Black Basta ransomware.\r\nStorm-1113 is an initial access broker that uses fake MSIX installers posing as Zoom to spread EugenLoader (aka FakeBat), which acts as a conduit for several remote access trojans and stealers.\r\nSangria Tempest (aka FIN7 and Carbon Spider) uses Storm-1113’s EugenLoader to distribute Carbanak, which in turn delivers an implant named Gracewire. The group also relied on Google ads as a lure so that victims downloaded malicious MSIX application packages from rogue landing pages; these inject POWERTRASH, which is used to load Gracewire and NetSupport RAT.\r\nStorm-1674 is an initial access broker that uses the TeamsPhisher tool to send Teams messages containing fake landing pages that look like Microsoft OneDrive and SharePoint. It urges users to open PDF files that prompt them to update their Adobe Acrobat Reader; this downloads a malicious MSIX installer that carries DarkGate or SectopRAT payloads.\r\nIn October 2023, another campaign was discovered in which fake MSIX Windows app package files for Microsoft Edge, Google Chrome, Grammarly, Brave, and Cisco Webex were used to propagate a malware called GHOSTPULSE. This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows: in February 2022 the company did the same to prevent attackers from leveraging it to spread Emotet, BazaLoader, and TrickBot.\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/\r\nPage 1 of 3\r\nThe reason cybercriminals choose to abuse the ms-appinstaller protocol handler is that it can bypass security mechanisms designed to keep users safe from malware, such as Microsoft Defender SmartScreen and the built-in browser warnings for downloads of executable file formats.\r\nImpact\r\nSecurity Bypass\r\nFinancial Loss\r\nSensitive Information Theft\r\nIndicators of Compromise\r\nURL\r\nhttps://scheta.site/api.store/ZoomInstaller.msix\r\nhttps://scheta.site/api.store/Setup.msix\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for indicators of compromise (IOCs) in your environment using your respective security controls.\r\nEnsure that all systems, software, and applications are up to date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.\r\nEducate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.\r\nRegularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.\r\nImplement a web application firewall to filter out malicious traffic and protect against common web-based threats.\r\nImplement strong access controls, including limiting login attempts and using two-factor authentication (2FA) to enhance login security.\r\nDeploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.\r\nEmploy robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.\r\nThoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/"
	],
	"report_names": [
		"rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf4d333d-ef79-40aa-b233-886e6de875a3",
			"created_at": "2023-12-08T02:00:05.754609Z",
			"updated_at": "2026-04-10T02:00:03.494821Z",
			"deleted_at": null,
			"main_name": "DEV-0569",
			"aliases": [
				"Storm-0569"
			],
			"source_name": "MISPGALAXY:DEV-0569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bc89c36-f1dd-4152-ae19-59eb5d8d19c2",
			"created_at": "2024-01-09T02:00:04.196078Z",
			"updated_at": "2026-04-10T02:00:03.508389Z",
			"deleted_at": null,
			"main_name": "Storm-1113",
			"aliases": [
				"APOTHECARY SPIDER"
			],
			"source_name": "MISPGALAXY:Storm-1113",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fa806f03-ec33-42db-99ee-59db37666ee0",
			"created_at": "2024-02-02T02:00:04.090714Z",
			"updated_at": "2026-04-10T02:00:03.566756Z",
			"deleted_at": null,
			"main_name": "Storm-1674",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1674",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b92911dc1cad928ecfc8a42d00850cf737d8722.pdf",
		"text": "https://archive.orkl.eu/2b92911dc1cad928ecfc8a42d00850cf737d8722.txt",
		"img": "https://archive.orkl.eu/2b92911dc1cad928ecfc8a42d00850cf737d8722.jpg"
	}
}