{
	"id": "444aa81c-a930-483a-bbfb-de6a7bcc03db",
	"created_at": "2026-04-06T00:14:23.083903Z",
	"updated_at": "2026-04-10T03:21:29.898629Z",
	"deleted_at": null,
	"sha1_hash": "e257a0d1c33266859a6e6af17182478d7ecacc5e",
	"title": "Trickbot Trojan Leveraging a New Windows 10 UAC Bypass",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1622801,
	"plain_text": "Trickbot Trojan Leveraging a New Windows 10 UAC Bypass\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 19:33:30 UTC\r\nThe Trickbot trojan is one of the most advanced malware delivery vehicles currently in use. Attackers have\r\nleveraged it to deliver a wide variety of malicious code by many different methods. Just yesterday, Bleeping\r\nComputer reported that news articles from President Trump’s impeachment trial have been used to hide Trickbot\r\nfrom antivirus scanners.\r\nOn almost a daily basis, malicious actors reinvent Trickbot and work to find new pathways to deliver the trojan\r\nonto user machines. This is what makes Trickbot among the most advanced malware delivery vehicles: the\r\nconstant evolution of the methods used for delivery.\r\nThe latest revision, which the Morphisec Labs team detected in new samples, leverages the Windows 10 WSReset\r\nUAC Bypass to circumvent User Account Control and deliver its payload onto user machines.\r\nThe Trickbot Trojan and Windows 10\r\nThe WSReset UAC Bypass process begins with Trickbot checking whether the system it is on is running Windows\r\n7 or Windows 10. If it is running under Windows 7, it uses the CMSTPLUA UAC bypass (the same one as\r\nin previous samples). Only when the system is running Windows 10 does Trickbot use the WSReset UAC\r\nBypass.\r\nFigure 1 OS version check.\r\nhttps://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass\r\nPage 1 of 5\n\nFigure 2 If Windows 10 – utilize WSReset UAC Bypass.\r\nThe WSReset UAC Bypass, discovered in March 2019, allows Trickbot authors to take advantage of the\r\nWSReset.exe process. WSReset.exe is a Microsoft-signed executable that is used to reset Windows\r\nStore settings, according to its manifest file. 
What’s most important here, though, is that the ‘autoElevate’ property\r\nis set to “true.” This is what allows the WSReset UAC Bypass to be used for privilege escalation.\r\nFigure 3 WSReset manifest.\r\nTrickbot decrypts the strings it needs for the WSReset UAC Bypass, such as the registry path and the command\r\nto execute.\r\nFigure 4 Trickbot command preparation.\r\nNext, Trickbot uses “reg.exe” to add the registry keys that allow it to use the WSReset UAC Bypass.\r\nFigure 5 Using reg.exe to add relevant keys.\r\nFigure 6 Registry before WSReset execution.\r\nThe final step in this bypass is to execute WSReset.exe, which causes Trickbot to run with elevated privileges\r\nwithout a UAC prompt. Trickbot does that using the ‘ShellExecuteExW’ API. This final executable allows Trickbot to\r\ndeliver its payload onto workstations and other endpoints.\r\nFigure 7 WSReset.exe execution.\r\nMorphisec Secures Your Endpoints Against the Trickbot Malware\r\nThe Morphisec Preemptive Cyber Defense Platform blocks Trickbot before it is able to execute its process,\r\nincluding the WSReset UAC Bypass, through the power of Automated Moving Target Defense. By morphing the\r\napplication memory structures on endpoints, we take away the attackers’ ability to accurately target our customers’\r\ncritical systems. 
This protects workstations, servers, VDIs, and cloud workloads against this and other damaging\r\nattacks.\r\nIOC: (SHA-1)\r\n● b9cc1b651f579ff1afb11427f0ec1c882afde710\r\n● 24263d91575bb825c33e3fd27f35bc7bd611cee3\r\n● 864d3e3f7ad0f144f8d838ea9638d4c264c5c063\r\n● f33c057d652aa70c5f1332e14c0b8d9c77a5aa1c\r\n● b1f7f71b5f7fee1cf38e2591e50cb181f7bd5353\r\n● 6de843fb12f456b0ea42876d82f39fe35b5cf6ca\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by\r\nMicrosoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at\r\nMorphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass"
	],
	"report_names": [
		"trickbot-uses-a-new-windows-10-uac-bypass"
	],
	"threat_actors": [],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e257a0d1c33266859a6e6af17182478d7ecacc5e.pdf",
		"text": "https://archive.orkl.eu/e257a0d1c33266859a6e6af17182478d7ecacc5e.txt",
		"img": "https://archive.orkl.eu/e257a0d1c33266859a6e6af17182478d7ecacc5e.jpg"
	}
}