Microsoft disables MSIX protocol handler abused in malware attacks (Security News, December 2023)

Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware.
Microsoft says the threat actors use both malicious advertisements for popular software and Microsoft Teams phishing messages to push signed malicious MSIX application packages.
"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler."
In a private Microsoft threat analytics report seen by BleepingComputer, FIN7 was also connected to attacks targeting PaperCut printing servers with Clop ransomware.
The AppX Installer spoofing vulnerability was exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure, using *.web.
Microsoft previously disabled the ms-appinstaller protocol handler in February 2022 to thwart Emotet's onslaught.