{
	"id": "191a687d-5ebb-4943-984e-1d17bb8290ff",
	"created_at": "2026-04-06T02:10:50.872219Z",
	"updated_at": "2026-04-10T13:12:26.405334Z",
	"deleted_at": null,
	"sha1_hash": "f6efc74df793c55a0b99397cda08558143736055",
	"title": "Windows Error Reporting Tool Abused to Load Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47605,
	"plain_text": "Windows Error Reporting Tool Abused to Load Malware\r\nBy Ian Reynolds\r\nPublished: 2023-01-08 · Archived: 2026-04-06 02:06:17 UTC\r\nA legitimate Windows executable is being abused by malicious actors to stealthily infect devices with malware\r\nwithout raising any alarms. The Windows Error Reporting tool WerFault.exe can be exploited to load malware\r\nonto a system using a DLL sideloading technique in an attack K7 Security Labs have published an analysis for last\r\nweek. This legitimate Windows 10 and 11 tool is normally used to report errors related to applications or the\r\noperating system itself, and can also receive solution recommendations for the problem experienced.  \r\nThe attack studied in this analysis resulted in the execution of Pupy RAT malware, an open-source remote admin\r\ntool believed to have originated in 2013. Pupy RAT is credited for the Iranian-backed attack on a European energy\r\nsector mail server in late 2019, along with other attacks of Iranian origin by groups known as APT33 and APT35.\r\nWritten mostly in Python, this cross-platform remote access trojan is available on GitHub for free, making it easily\r\navailable for widespread use by any threat actors and therefore a high security risk businesses and individuals\r\nneed to be aware of. \r\nAn attack begins by the threat actors sending the victim an email with an ISO image called recent inventory \u0026 our\r\nspecialities.iso as an attachment. This ISO image contains a shortcut file with the same name, recent inventory \u0026\r\nour specialities.lnk, which when run is the start of the infection chain. The ISO image also contains 3 other files\r\nused in the attack: a legitimate copy of Windows tool WerFault.exe, a DLL file called  faultrep.dll, and an XLS\r\nfile called File.xls. The XLS file analysed was in Chinese, leading to the assumption that the victim in the K7\r\nLabs analysis was Chinese and the XLS sheet is translated by the targeted device. 
When the ISO is opened, Windows mounts it as a new drive letter containing the four files. Opening the shortcut recent inventory \u0026 our specialities.lnk then launches WerFault.exe from that drive through scriptrunner.exe, a signed Windows binary that will start an arbitrary executable passed on its command line and is catalogued as a living-off-the-land binary (LOLBin) for that reason.\r\nBecause WerFault.exe loads a library named faultrep.dll by name, and a DLL placed in the executable's own directory is found ahead of the genuine copy in System32, the attacker's faultrep.dll on the ISO is loaded when WerFault.exe starts. This is DLL sideloading: the name of a legitimate library is hijacked and a malicious file is executed in its place, inside a trusted, signed process. To pass as the genuine library, the malicious faultrep.dll carries a dummy export named WerpInitiateCrashReporting. Its real work is done by a custom API-resolving routine that takes two arguments, a hash of the DLL name and a hash of the function name, so that no Windows API names appear as plain strings in the binary. Although most of the tooling in this attack is written in Python, the malicious DLL is compiled C. It resolves its APIs from kernel32.dll and advapi32.dll with the same resolving function used by GuLoader, a shellcode-based downloader.\r\nOnce the APIs are resolved, CreateThread is used to start two threads. The first opens the remaining file from the ISO, the Excel sheet File.xls, as a decoy in front of the user. The second resolves SystemFunction032 from advapi32.dll, an undocumented RC4 routine, and uses it to decrypt the embedded Pupy RAT library, dll_pupyx64.dll, which is then loaded and executed from memory in the background while the decoy spreadsheet holds the foreground. Pupy RAT can then execute any portable executable in memory through its ReflectiveLoader function.\r\n
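The hash-based API resolution and in-memory staging described above, as an added example that is not part of the original article or of the K7 Labs analysis: a Python model of a loader that locates CreateThread and SystemFunction032 by DLL-name hash and export-name hash rather than by string, then RC4-decrypts an embedded stage (RC4 is the cipher advapi32 SystemFunction032 computes) and checks for an MZ header before handing it to a reflective loader. The ROR13 hash, the export tables, the key and the encrypted stage are constructed stand-ins; the article does not give the real DLL's hash algorithm or key.

```python
def ror13_hash(name):
    # Assumed hash (rotate-right-13 over the uppercased ASCII name), the shape
    # used by many shellcode resolvers. The article does not give the real
    # DLL's algorithm; this stands in for it to show the technique.
    h = 0
    for ch in name.upper().encode('ascii'):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h

# Constructed stand-in for the export tables a loader walks in memory
# (PEB -> loader module list -> each module's export directory).
EXPORT_TABLES = {
    'kernel32.dll': ['LoadLibraryA', 'CreateThread', 'VirtualAlloc', 'GetProcAddress'],
    'advapi32.dll': ['RegOpenKeyExA', 'SystemFunction032', 'CryptAcquireContextA'],
}

def resolve_by_hash(dll_hash, func_hash):
    # Match the module-name hash first, then the export-name hash; the caller
    # never supplies a plaintext API name, so none appears in the binary's strings.
    for module, exports in EXPORT_TABLES.items():
        if ror13_hash(module) != dll_hash:
            continue
        for name in exports:
            if ror13_hash(name) == func_hash:
                return module, name
    return None

def rc4(key, data):
    # RC4 (key scheduling, then PRGA), the cipher advapi32 SystemFunction032
    # implements; encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Constructed stand-in for the embedded, encrypted RAT DLL. A real loader
# carries only the ciphertext in its data section; here it is produced in place.
STAGE_KEY = b'example key, not from the campaign'
FAKE_DLL = b'MZ' + bytes(14) + b'constructed PE body, not a real Pupy build'
ENCRYPTED_STAGE = rc4(STAGE_KEY, FAKE_DLL)

def stage_payload(blob, key):
    # Decrypt in memory and check the DOS header before handing the image to a
    # reflective loader; returns None if the key or blob is wrong.
    plain = rc4(key, blob)
    return plain if plain[:2] == b'MZ' else None

def loader_main():
    # A real loader stores only the two hashes per API; the names are hashed
    # here so the reader can see which constants they correspond to.
    wanted = [('kernel32.dll', 'CreateThread'), ('advapi32.dll', 'SystemFunction032')]
    resolved = [resolve_by_hash(ror13_hash(d), ror13_hash(f)) for d, f in wanted]
    stage = stage_payload(ENCRYPTED_STAGE, STAGE_KEY)
    return resolved, stage is not None

if __name__ == '__main__':
    print(loader_main())
```

The point of the model is what a static scanner sees: neither CreateThread nor SystemFunction032 nor the decrypted DLL exists as a string or byte pattern on disk, only two 32-bit constants per API and a ciphertext blob, which is why detection of this chain has to lean on runtime behaviour rather than on file contents.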
The RAT then attempts to reach its command-and-control (C2) server to download additional files and continue the attack; at the time of the K7 Security Labs analysis the server was down and the RAT could not connect.\r\nBecause WerFault.exe is a legitimate, signed Windows binary, its launch does not by itself trigger the antivirus response that might otherwise warn the user that the device has been infected. With working C2 infrastructure, this attack could give the threat actors full control of the victim's device, including arbitrary command execution, data exfiltration, installation of additional malware or ransomware, and possibly lateral movement through the network. K7 Security Labs included a table of indicators of compromise (IoCs) for this attack, including file names and hash values, that can be used to determine whether a system has been affected.\r\nAlthough Pupy RAT hides behind a legitimate executable to slip past some antivirus software, there are precautions against this form of attack. Some endpoint detection and response products track the behavioural patterns of known malware and can identify a malicious execution chain early, before full infection; in this case the tell-tale signs are a copy of WerFault.exe running from a mounted image rather than from System32, and faultrep.dll being loaded from outside the Windows directory. Most importantly, the attack depends on user interaction: the victim has to open the ISO attachment and then run the shortcut inside it, so declining to do either stops the chain, and blocking ISO attachments at the mail gateway removes the opportunity entirely. Email attachments from unknown sources should always be treated with suspicion, and educating colleagues to do the same helps protect the entire network.\r\n
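A minimal detection for the execution chain above, added here as an example and not taken from the article or from K7 Labs: it runs three checks over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records, namely WerFault.exe started from anywhere other than System32 or SysWOW64, WerFault.exe parented by scriptrunner.exe, and faultrep.dll loaded from outside the system directories or without a valid signature. The event records are constructed for the example; the field names (Image, ParentImage, ImageLoaded, Signed) are Sysmon's, the system drive defaults to C: and the rule names are my own.

```python
from pathlib import PureWindowsPath

# Directories from which a genuine WerFault.exe and faultrep.dll are loaded.
SYSTEM_DIRS = {('windows', 'system32'), ('windows', 'syswow64')}

def _basename(path):
    return PureWindowsPath(path).name.lower()

def in_system_dir(path, system_drive='C:'):
    # PureWindowsPath parses both the backslash form Sysmon writes and the
    # forward-slash form used in the constructed sample below.
    p = PureWindowsPath(path)
    if p.drive.upper() != system_drive.upper():
        return False
    return tuple(part.lower() for part in p.parts[1:-1]) in SYSTEM_DIRS

def check_event(ev, system_drive='C:'):
    # Returns the names of the rules the event trips; empty for benign events.
    findings = []
    if ev['EventID'] == 1:  # Sysmon process creation
        image = ev['Image']
        if _basename(image) == 'werfault.exe':
            if not in_system_dir(image, system_drive):
                findings.append('werfault_outside_system_dir')
            if _basename(ev.get('ParentImage', '')) == 'scriptrunner.exe':
                findings.append('werfault_spawned_by_scriptrunner')
    elif ev['EventID'] == 7:  # Sysmon image load
        loaded = ev['ImageLoaded']
        if _basename(loaded) == 'faultrep.dll':
            if not in_system_dir(loaded, system_drive):
                findings.append('faultrep_loaded_outside_system_dir')
            if str(ev.get('Signed', 'true')).lower() == 'false':
                findings.append('faultrep_unsigned')
    return findings

def scan(events, system_drive='C:'):
    # Returns (index, findings) for every event that trips at least one rule.
    hits = []
    for i, ev in enumerate(events):
        findings = check_event(ev, system_drive)
        if findings:
            hits.append((i, findings))
    return hits

# Constructed sample, not real telemetry: a normal WER launch, then the chain
# from the article with the ISO mounted as E:, then a normal faultrep.dll load.
SAMPLE_EVENTS = [
    {'EventID': 1, 'Image': 'C:/Windows/System32/WerFault.exe',
     'ParentImage': 'C:/Windows/System32/svchost.exe'},
    {'EventID': 1, 'Image': 'E:/WerFault.exe',
     'ParentImage': 'C:/Windows/System32/ScriptRunner.exe'},
    {'EventID': 7, 'Image': 'E:/WerFault.exe',
     'ImageLoaded': 'E:/faultrep.dll', 'Signed': 'false'},
    {'EventID': 7, 'Image': 'C:/Windows/System32/WerFault.exe',
     'ImageLoaded': 'C:/Windows/System32/faultrep.dll', 'Signed': 'true'},
]

if __name__ == '__main__':
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

The path rules are deliberately narrow: WerFault.exe has no business running from, or loading faultrep.dll from, anything but the system directories, so these conditions fire on the sideload without needing the campaign's file hashes, and they translate directly into a Sysmon configuration or a SIEM query against the same two event types.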
Source: https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/"
	],
	"report_names": [
		"windows-error-reporting-tool-abused-to-load-malware"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441450,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6efc74df793c55a0b99397cda08558143736055.pdf",
		"text": "https://archive.orkl.eu/f6efc74df793c55a0b99397cda08558143736055.txt",
		"img": "https://archive.orkl.eu/f6efc74df793c55a0b99397cda08558143736055.jpg"
	}
}