(Image credit: Pixabay)

Microsoft has disabled the ms-appinstaller protocol handler as default after it found new evidence of hackers using it to deploy malware

“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” Microsoft said in a new security advisory

Furthermore, the Redmond giant saw hackers selling malware kits on the dark web, which use the MSIX file format and the ms-appinstaller protocol handler.

Four threat actors

Apparently, the threat actors are creating malicious fake ads for legitimate and popular software, to redirect the victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing through Microsoft Teams, the company said.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” the advisory reads.

Since mid-November this year, at least four threat actors abused the App Installer service, Microsoft further explained, with those being Storm-0569, Storm-1113, Sangria Tempest (AKA FIN7), and Storm-1674. The former is an access broker that usually hands off the access to Storm-0506, which then deploys the Black Basta ransomware. FIN7, which researchers also observed impersonating banking software earlier this week, used the App Installer service to drop Gracewire, while Storm-1674 masquerades as Microsoft OneDrive and SharePoint through Teams messages. 

The handler is disabled in the App Installer version 1.21.3421.0 or higher.

This is not the first time MSIX Windows app package files were abused in malware distribution, TheHackerNews says. In October 2023, Elastic Security Labs found such files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex being used to distribute a malware loader dubbed GHOSTPULSE. What’s more, Microsoft disabled the handler once before, in February last year. 

More from TechRadar Pro

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

[ For more curated Computing news, check out the main news page here]

The post Microsoft disables one of its own software tools following multiple malware attacks first appeared on

Microsoft disables one of its own software tools following multiple malware attacks

New reasons to get excited everyday.

Get the latest tech news delivered right in your mailbox

You may also like

Notify of
Inline Feedbacks
View all comments

More in computing