Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware

Oct 30, 2023 | Newsroom | Malware / Endpoint Security


A new cyber attack campaign has been observed using fake MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a new malware loader called GHOSTPULSE.

“MSIX is a Windows app package format that developers can use to package, distribute, and install their applications to Windows users,” Elastic Security Labs researcher Joe Desimone said in a technical report published last week.

“However, MSIX requires access to purchased or stolen code signing certificates, which makes it possible for groups with more than average resources.”


Based on the installers used as lures, it is suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.

Launching the MSIX file opens a standard Windows installer prompt asking the user to click the Install button, which results in a stealthy download of GHOSTPULSE to the compromised host from a remote server (“manojsinghnegi[.]com”) via a PowerShell script.

This process takes place in several stages, with the first payload being a TAR archive containing an executable that masquerades as an Oracle VM VirtualBox service (VBoxSVC.exe) but is actually the legitimate Notepad++ updater binary (gup.exe), renamed.

Also contained within the TAR archive are a file named handoff.wav and a trojanized version of libcurl.dll, which is loaded to take the infection to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading: it resolves libcurl.dll from its own directory before any system location.


“PowerShell executes the binary VBoxSVC.exe to side-load from the current directory the malicious DLL libcurl.dll,” Desimone said. “By reducing the on-disk footprint of the encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”
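The side-loading chain above leaves two observable traces that a detection engineer can hunt for: a known side-load host (gup.exe) executing under a different on-disk name, and its companion DLL (libcurl.dll) being resolved from the host's own user-writable directory rather than a system path. The following Python is an added example and is not code from Elastic Security Labs or from this article; the event records are constructed, the field names are assumed to mirror Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad), and the rule that "anything under \Users\ is user-writable" is a simplifying assumption to tune per environment.

```python
"""Hunt for the side-loading chain described above in Sysmon-style telemetry.

Added example, not code from Elastic Security Labs or The Hacker News. Field
names mirror Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) as
an assumption; every record below is constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Legitimate host binaries the article names as side-loading targets, mapped to
# the DLL each is known to pick up from its own directory.
SIDELOAD_PRONE = {"gup.exe": {"libcurl.dll"}}

# Constructed events. The first three model the chain in the text: PowerShell
# starts a renamed gup.exe (VBoxSVC.exe) from a user-writable folder, which then
# loads libcurl.dll from that same folder and later mshtml.dll. The last two
# model the genuine Notepad++ updater and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe",
     "OriginalFileName": "gup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\libcurl.dll",
     "OriginalFileName": "libcurl.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\VBoxSVC.exe",
     "ImageLoaded": r"C:\Windows\System32\mshtml.dll",
     "OriginalFileName": "MSHTML.DLL", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "OriginalFileName": "gup.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll",
     "OriginalFileName": "libcurl.dll", "Signed": "true"},
]


def is_user_writable(directory: PureWindowsPath) -> bool:
    """Assumption for this example: anything under \\Users\\ is user-writable."""
    parts = [p.lower() for p in directory.parts]
    return len(parts) > 1 and parts[1] == "users"


def hunt(events):
    """Return (rule, process image, detail) findings for the two observable
    behaviours in the text: a renamed side-load host, and the side-loaded DLL
    resolved from the host's own user-writable directory."""
    # Pass 1: remember which legitimate binary each process image really is,
    # using the PE OriginalFileName, which renaming the file on disk does not change.
    host_identity = {}
    for ev in events:
        if ev["EventID"] == 1:
            host_identity[PureWindowsPath(ev["Image"])] = ev.get("OriginalFileName", "").lower()

    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"])
        if ev["EventID"] == 1:
            original = ev.get("OriginalFileName", "").lower()
            # Rule 1: a known side-load host running under a different file name.
            if original in SIDELOAD_PRONE and original != image.name.lower():
                findings.append(("renamed_sideload_host", str(image),
                                 f"on-disk name {image.name} but OriginalFileName {original}"))
        elif ev["EventID"] == 7:
            loaded = PureWindowsPath(ev["ImageLoaded"])
            expected_dlls = SIDELOAD_PRONE.get(host_identity.get(image, ""), set())
            # Rule 2: the host's known side-load DLL resolved from the host's own
            # directory, and that directory is one an ordinary user can write to.
            if (loaded.name.lower() in expected_dlls
                    and loaded.parent == image.parent
                    and is_user_writable(image.parent)):
                findings.append(("sideload_from_user_dir", str(image),
                                 f"loaded {loaded} (Signed={ev.get('Signed', 'unknown')})"))
    return findings


if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Matching on the PE OriginalFileName rather than the on-disk name is what makes Rule 1 survive the VBoxSVC.exe rename; Rule 2 deliberately ignores the genuine Notepad++ updater, which also loads libcurl.dll from its own folder, because that folder under Program Files is not user-writable. A real deployment would also carry the signature status of the loaded DLL into the alert, since the trojanized libcurl.dll would not carry the vendor's signature.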

The tampered DLL then parses handoff.wav, which wraps an encrypted payload that is decrypted and executed via mshtml.dll, using a technique known as module stomping, to finally load GHOSTPULSE.

GHOSTPULSE acts as a loader, using another technique known as process doppelgänging to kick off execution of the final-stage malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
