Microsoft Disables MSIX App Installer Protocol

12344881295?profile=RESIZE_400xA Microsoft representative announced on 28 December 2023 that it is again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.  "The observed threat actor activity abuses the current implementation of the ms-app installer protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.  It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-app installer protocol handler.  The changes have gone into effect in App Installer version 1.21.3421.0 or higher.[1]

The attacks take the form of signed malicious MSIX application packages distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.  At least four financially motivated hacking groups have taken advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity.

  • Storm-0569, an initial access broker that propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and hand the access to Storm-0506 for Black Basta ransomware deployment.
  • Storm-1113, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.
  • Sangria Tempest (aka Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to drop Carbanak that, in turn, delivers an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.
  • Storm-1674, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, urging recipients to open PDF files that, when clicked, prompts them to update their Adobe Acrobat Reader to download a malicious MSIX installer that contains SectopRAT or DarkGate payloads.

Microsoft described Storm-1113 as an entity that dabbles in "as-a-Service," providing malicious installers and landing page frameworks mimicking well-known software to other threat actors such as Sangria Tempest and Storm-1674.

In October 2023, cyber threat researchers detailed another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.

This is not the first time Microsoft has disabled Windows's MSIX ms-app installer protocol handler. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.  "Threat actors have likely chosen the ms-app installer protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," per Microsoft.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   




Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!