{
	"id": "a307070c-cbd0-4bfd-b1ef-67ca7bf71d36",
	"created_at": "2026-04-06T00:12:42.756017Z",
	"updated_at": "2026-04-10T13:12:19.986512Z",
	"deleted_at": null,
	"sha1_hash": "f33c38cbbb9b71ca775e871ceea1ae5a6a77e742",
	"title": "TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2033292,
	"plain_text": "TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection\r\nBy Lawrence Abrams\r\nPublished: 2020-01-16 · Archived: 2026-04-05 19:00:02 UTC\r\nThe TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts.\r\nA UAC bypass allows programs to be launched without displaying a User Account Control prompt that asks users to allow a program to run with administrative privileges.\r\nExample of UAC prompt\r\nIn a new TrickBot sample, Head of SentinelLabs Vitali Kremez discovered that the trojan is now using the Windows 10 Fodhelper bypass.\r\nUsing Windows 10 UAC bypass\r\nWhen executed, TrickBot will check if the operating system is Windows 7 or Windows 10.\r\nIf it is Windows 7, TrickBot will utilize the CMSTPLUA UAC bypass; if it is Windows 10, it will now use the Fodhelper UAC bypass.\r\nThe Fodhelper bypass was discovered in 2017 and uses the legitimate Microsoft C:\\Windows\\system32\\fodhelper.exe executable to execute other programs with administrative privileges.\r\n\"Fodhelper.exe is a trusted binary on Windows 10 that TrickBot uses to execute the malware stage bypassing UAC via the registry method,\" Kremez told BleepingComputer in a conversation.\r\nWhen properly configured, Fodhelper will, when executed, also launch any command stored in the default value of the HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command key.\r\nAs Fodhelper is a trusted Windows executable, it allows auto-elevation without displaying a UAC prompt. Any programs that it executes will be executed without showing a UAC prompt as well.\r\nTrickBot utilizes this bypass to launch itself without a warning to the user, thus evading detection by the user.\r\nCommand executed by the Fodhelper UAC bypass\r\nAs more users move to Windows 10 and as Windows Defender matures, more malware has begun to target the operating system and its security features.\r\nIn September 2019 we reported how the GootKit banking Trojan also added the Fodhelper bypass to execute a command that whitelists the malware executable's path in Windows Defender.\r\nIn July 2019, TrickBot also targeted Windows Defender by trying to disable various scan options. With the inclusion of Fodhelper, we continue to see the malware developers attempt to reduce the security features found in Windows 10.\r\nSource: https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/"
	],
	"report_names": [
		"trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f33c38cbbb9b71ca775e871ceea1ae5a6a77e742.pdf",
		"text": "https://archive.orkl.eu/f33c38cbbb9b71ca775e871ceea1ae5a6a77e742.txt",
		"img": "https://archive.orkl.eu/f33c38cbbb9b71ca775e871ceea1ae5a6a77e742.jpg"
	}
}