{
	"id": "31086952-61a6-4870-b8c3-271735f9d21c",
	"created_at": "2026-04-06T00:22:02.766531Z",
	"updated_at": "2026-04-10T03:25:12.829132Z",
	"deleted_at": null,
	"sha1_hash": "9316b1d321a89d370adbb25f3ef78c65bccbf5aa",
	"title": "Windows Task Scheduler Zero Day Exploited by Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 957968,
	"plain_text": "Windows Task Scheduler Zero Day Exploited by Malware\r\nBy Ionut Ilascu\r\nPublished: 2018-09-05 · Archived: 2026-04-02 10:51:58 UTC\r\nMalware developers have started to use the zero-day exploit for the Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\r\nA security researcher who uses the online name SandboxEscaper released, on August 27, the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\r\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check the user's permissions, allowing write privileges on files in C:\\Windows\\Task.\r\nhttps://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/\r\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to the all-access SYSTEM account level.\r\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns by a threat actor they call PowerPool, because of its tendency to use tools mostly written in PowerShell for lateral movement.\r\nPowerPool targets GoogleUpdate.exe\r\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\r\nThe researchers say that PowerPool's developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.\r\n\"PowerPool’s developers chose to change the content of the file C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task,\" ESET notes.\r\nThreat actor changes permissions of the Google Updater executable\r\nThis allows PowerPool to overwrite the Google updater executable with a copy of a backdoor they typically use in the second stages of their attacks. The next time the updater is called, the backdoor launches with SYSTEM privileges.\r\nAccording to the researchers, PowerPool malware operators likely use the second-stage backdoor only on victims of interest, following a reconnaissance step.\r\nMicrosoft has not patched the ALPC bug to date, but it is expected to release a fix in its monthly security updates on September 11.\r\nSome mitigation is possible without Microsoft's help, though the company has not approved it. A solution provided by Karsten Nilsen blocks the exploit and allows scheduled tasks to run, but it may break things created by the legacy Task Scheduler interface.\r\nUsers of 64-bit Windows 10, version 1803, can mitigate the problem by applying a micropatch. The fix is temporary and requires the installation of the 0patch Agent from Acros Security.\r\nThe company makes the source code for the micropatch available in the tweet below:\r\nSource: https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/"
	],
	"report_names": [
		"windows-task-scheduler-zero-day-exploited-by-malware"
	],
	"threat_actors": [
		{
			"id": "62985c5c-6938-4365-8432-29573e99ecf4",
			"created_at": "2022-10-25T16:07:24.075092Z",
			"updated_at": "2026-04-10T02:00:04.859737Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [],
			"source_name": "ETDA:PowerPool",
			"tools": [
				"ALPC Local PrivEsc",
				"FireMaster",
				"PowerDump",
				"PowerSploit",
				"Quarks PwDump",
				"SMBExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adee5dfb-98d1-488f-969d-48eed28cd7e4",
			"created_at": "2023-01-06T13:46:38.799427Z",
			"updated_at": "2026-04-10T02:00:03.105089Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [
				"IAmTheKing"
			],
			"source_name": "MISPGALAXY:PowerPool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775791512,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9316b1d321a89d370adbb25f3ef78c65bccbf5aa.pdf",
		"text": "https://archive.orkl.eu/9316b1d321a89d370adbb25f3ef78c65bccbf5aa.txt",
		"img": "https://archive.orkl.eu/9316b1d321a89d370adbb25f3ef78c65bccbf5aa.jpg"
	}
}