windows app installer

About this tag
The Windows App Installer tag covers discussions about the ms-appinstaller protocol handler and AppInstaller.exe in Windows 10 and later, which let a web page hand an AppX or MSIX package (or an .appinstaller manifest pointing at one) straight to the installer behind a single prompt. Content highlights how this legitimate feature has been abused in attacks, such as the BazarLoader "call me back" campaign, in which threat actors delivered signed app packages that passed as legitimate software and silently installed BazarBackdoor. These attacks then leverage living-off-the-land binaries such as regsvr32, PowerShell and msedge to execute payloads and establish command-and-control, smuggling C2 data in HTTP cookies. The tag focuses on the security implications, attack chains and detection gaps around the Windows App Installer, and is relevant to IT professionals and security researchers who monitor application-delivery risks.
  1. BazarLoader Attack via Windows App Installer: Stealthy AppX Delivery and Cookie C2

    The BazarLoader “call me back” campaign weaponized a little-known Windows 10 installation pathway — the ms-appinstaller/AppInstaller.exe flow — to deliver AppX packages that silently installed BazarBackdoor, abused legitimate Windows tooling for execution, and relied on cookie-based...
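The two behaviours the tag description singles out, an installed package launching LOLBins and C2 data riding in HTTP cookies, both leave hunt-able traces. The script below is an added example, not code from this page or from the BazarLoader research it summarizes: it runs two checks over constructed sample telemetry. The package name, PIDs, command lines, hostnames and cookie values are all invented, the assumption that an ancestor process under C:\Program Files\WindowsApps is a useful pivot is the author's (not the campaign's exact process tree), and the length and entropy thresholds are starting points to tune against a real baseline.

```python
"""Hunting checks over constructed telemetry (added example; paths, PIDs,
hosts and cookie values are made up, thresholds are assumptions)."""
import math
import re
from collections import Counter

# LOLBins worth alerting on when a packaged (AppX/MSIX) app launches them.
LOLBINS = {"powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}
# Packaged apps run from this directory; compared case-insensitively below.
WINDOWSAPPS = "c:\\program files\\windowsapps\\"

# Constructed process-creation events (Sysmon EID 1 style, heavily trimmed).
PROCESS_EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 5200, "ppid": 4100,  # invented package name
     "image": r"C:\Program Files\WindowsApps\ExampleVendor.PdfComponent_1.0.0.0_x64__abc123def456\PdfComponent.exe"},
    {"pid": 5300, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\stage.ps1"},
    {"pid": 5400, "ppid": 5300,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\Public\\stage.dll"},
    # Benign control: an admin opening PowerShell from Explorer must not fire.
    {"pid": 6000, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lolbins_spawned_by_packaged_apps(events, max_depth=8):
    """Return (lolbin, app image) for each LOLBin whose ancestry, within
    max_depth hops, contains a process running from WindowsApps."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = _basename(e["image"])
        if name not in LOLBINS:
            continue
        parent, depth = by_pid.get(e["ppid"]), 0
        while parent is not None and depth < max_depth:
            if parent["image"].lower().startswith(WINDOWSAPPS):
                hits.append((name, _basename(parent["image"])))
                break
            parent, depth = by_pid.get(parent["ppid"]), depth + 1
    return hits


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty string or a single symbol."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Constructed proxy log lines; example.invalid is a reserved test domain and
# BLOB is hand-typed filler standing in for encoded C2 data.
BLOB = "vK8pQ2xZ1mN4rT7yB0cF3hJ6lW9nA5sD8gE2uH4iL7oP0wX3zC6bM9qR1tV4kY8jS2fU5aG0eI7dO3hN6"
HTTP_LINES = [
    'ts=2021-11-04T13:02:11Z host=www.example.invalid method=GET uri=/ cookie="sessionid=3f9a1c7e; lang=en-US; consent=1"',
    f'ts=2021-11-04T13:02:40Z host=c2.example.invalid method=GET uri=/ cookie="rid={BLOB}"',
    f'ts=2021-11-04T13:03:05Z host=c2.example.invalid method=POST uri=/ cookie="{BLOB[::-1]}"',
]


def suspicious_cookies(lines, min_len=64, min_entropy=4.0):
    """Flag cookie values (or bare blobs with no name=) that are long and
    high-entropy, i.e. look like encoded data rather than a session token."""
    hits = []
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        cookie = re.search(r'cookie="([^"]*)"', line)
        if not host or not cookie:
            continue
        for part in cookie.group(1).split(";"):
            name, sep, value = part.strip().partition("=")
            blob = value if sep else name
            if len(blob) >= min_len and shannon_entropy(blob) >= min_entropy:
                hits.append((host.group(1), name if sep else "<bare>", len(blob)))
    return hits


if __name__ == "__main__":
    for lolbin, app in lolbins_spawned_by_packaged_apps(PROCESS_EVENTS):
        print(f"[proc] {app} -> {lolbin}")
    for host, name, n in suspicious_cookies(HTTP_LINES):
        print(f"[http] {host} cookie {name}: {n}-char high-entropy value")
```

The process check walks the parent chain rather than looking only at the immediate parent, because the script stage in between (PowerShell launching regsvr32) would otherwise hide the packaged-app origin. The cookie check deliberately keys on shape, not on any specific cookie name, since names are trivial for an operator to change; expect some tuning against sites that legitimately stash large encoded state in cookies.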