A recently disclosed attack campaign delivers GHOSTPULSE, a new malware loader. The loader spreads through forged MSIX Windows app package files that impersonate popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex. These forged files play a central role in the campaign.


“MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users,” Elastic Security Labs researcher Joe Desimone stated in a technical study that was published last week.

“However, MSIX requires access to purchased or stolen code signing certificates, making them viable to groups of above-average resources.”

Potential targets are suspected to be lured into downloading the MSIX packages through well-established methods such as compromised websites, search engine optimization (SEO) poisoning, and malvertising, all of which were used as lures in this campaign.


Upon launching the MSIX file, a Windows prompt emerges, enticing users to click the ‘Install’ button. If users comply with this prompt, the compromised host will silently download GHOSTPULSE from a remote server, specifically identified as ‘manojsinghnegi[.]com,’ using a PowerShell script.

This operation takes place over a number of stages. The first payload is a TAR archive containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but is actually a legitimate binary that is bundled with Notepad++ (gup.exe).

A trojanized version of libcurl.dll is also included in the TAR archive. This file is loaded in order to forward the infection process to the next stage by taking advantage of the fact that gup.exe is susceptible to DLL side-loading. The handoff.wav file is also included in the TAR bundle.

“The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll,” according to Desimone. “By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning.”
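The side-loading step described above can be hunted by correlating process-create and image-load telemetry. The following is an added example, not code from Elastic Security Labs or from this article: the events are constructed, their field names follow Sysmon Event IDs 1 and 7, and the directory paths and the `gup.exe` value of `OriginalFileName` are assumptions.

```python
import ntpath  # parses Windows paths on any OS

STAGE = r"C:\Users\user\AppData\Local\Temp\stage"  # constructed path
NPP = r"C:\Program Files\Notepad++\updater"        # assumed install path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events, not real telemetry. Field names follow Sysmon
# Event ID 1 (process create) and Event ID 7 (image load).
EVENTS = [
    {"id": 1, "pid": 4120, "Image": STAGE + r"\VBoxSVC.exe",
     "OriginalFileName": "gup.exe", "ParentImage": PS},
    {"id": 7, "pid": 4120, "ImageLoaded": STAGE + r"\libcurl.dll"},
    # Benign case: the real updater also loads libcurl.dll from its folder.
    {"id": 1, "pid": 5000, "Image": NPP + r"\GUP.exe",
     "OriginalFileName": "gup.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"id": 7, "pid": 5000, "ImageLoaded": NPP + r"\libcurl.dll"},
]


def find_renamed_sideloads(events, watched_dlls=("libcurl.dll",)):
    """Flag a watched DLL loaded from the directory of a renamed binary.

    Assumes events are in time order and ignores PID reuse.
    """
    renamed = {}   # pid -> process-create event of a renamed binary
    findings = []
    for ev in events:
        if ev["id"] == 1:
            on_disk = ntpath.basename(ev["Image"]).lower()
            original = ev.get("OriginalFileName", "").lower()
            if original and original != on_disk:
                renamed[ev["pid"]] = ev
        elif ev["id"] == 7 and ev["pid"] in renamed:
            proc, dll = renamed[ev["pid"]], ev["ImageLoaded"]
            same_dir = (ntpath.dirname(dll).lower()
                        == ntpath.dirname(proc["Image"]).lower())
            if same_dir and ntpath.basename(dll).lower() in watched_dlls:
                findings.append({
                    "pid": ev["pid"],
                    "runs_as": ntpath.basename(proc["Image"]),
                    "original_name": proc["OriginalFileName"],
                    "parent": ntpath.basename(proc["ParentImage"]),
                    "dll": dll,
                })
    return findings


if __name__ == "__main__":
    for finding in find_renamed_sideloads(EVENTS):
        print(finding)
```

The legitimate updater loading its own libcurl.dll is not flagged, because the rule keys on the mismatch between the on-disk name and the PE original file name rather than on the DLL name alone.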

After that, the altered DLL file continues by parsing handoff.wav, which, in turn, packs an encrypted payload that is decoded and executed via mshtml.dll using a mechanism known as module stomping, finally leading to the loading of GHOSTPULSE.

GHOSTPULSE is a loader that uses another technique, known as process doppelgänging, to start execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.

