Threat actors caught using MSIX packages to distribute Ghostpulse malware loader

Researchers at Elastic Security Labs discovered a new malware campaign that leverages MSIX application packages to infect Windows machines with a stealthy malware loader called ‘Ghostpulse.’ The loader uses defense evasion techniques to decrypt and inject its final payload into the system.

MSIX is a new unified packaging format that allows organizations to create secure and high-performing applications.

“With App Installer, MSIX packages can be installed with a double click. This makes them a potential target for adversaries looking to compromise unsuspecting victims. However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources,” the researchers said.

The victims are lured to download malicious MSIX packages through compromised websites, search engine optimization (SEO) techniques, or malvertising. The researchers said they observed malicious packages masquerading as installers for Chrome, Brave, Microsoft Edge, Grammarly, and WebEx.

Once the user clicks on the “Install” button, a PowerShell script is covertly executed to download, decrypt, and run Ghostpulse on the system.

The malware infection process includes three stages that are used to execute the final payload. The first stage is embedded in a malicious DLL that is side-loaded through a benign executable. The second stage is decrypted from a file that is downloaded by the PowerShell script. The third stage is injected into a legitimate process using process hollowing. Ghostpulse employs Process Doppelgänging, leveraging the NTFS transactions feature to inject the final payload into a new child process.
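The following hunting routine is an added example and is not code from the article or from Elastic Security Labs. It runs over constructed, Sysmon-style process-creation records and flags a PowerShell host spawned by an executable that lives under the MSIX package install root, which is the shape of the "click Install, hidden PowerShell runs" step described above. It assumes that MSIX apps are staged beneath %ProgramFiles%\WindowsApps and that the record fields mirror Sysmon Event ID 1; the package folder and executable names in the sample data are placeholders, not indicators from the campaign.

```python
"""
Added example (not from the article or Elastic Security Labs): hunting logic over
constructed, Sysmon-style process-creation records. It flags a PowerShell host
spawned by a process whose image lives under the MSIX package install root.
Assumptions: MSIX apps install beneath %ProgramFiles%\\WindowsApps; field names
mirror Sysmon Event ID 1.
"""
from dataclasses import dataclass
import ntpath

# Assumption: MSIX/Appx packages are staged under this directory on Windows.
WINDOWSAPPS_ROOT = r"C:\Program Files\WindowsApps"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields used by the heuristic."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path is inside root' check using Windows path rules."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root) + "\\")


def flag_msix_script_launch(events):
    """Return events where a PowerShell host was spawned from a packaged app."""
    hits = []
    for ev in events:
        child = ntpath.basename(ntpath.normcase(ev.image))
        if child in SCRIPT_HOSTS and is_under(ev.parent_image, WINDOWSAPPS_ROOT):
            hits.append(ev)
    return hits


# Constructed sample telemetry; package folder and executable names are placeholders.
PKG_DIR = r"C:\Program Files\WindowsApps\Placeholder.Installer_1.0.0.0_x64__abc123"
SAMPLE_EVENTS = [
    ProcessEvent(  # script host launched by a packaged installer: flagged
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=PKG_DIR + r"\installer.exe",
        command_line="powershell.exe -File setup.ps1",
    ),
    ProcessEvent(  # user-run shell from Explorer: not flagged
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell.exe",
    ),
    ProcessEvent(  # packaged app spawning its own helper, not a script host: not flagged
        image=PKG_DIR + r"\helper.exe",
        parent_image=PKG_DIR + r"\installer.exe",
        command_line="helper.exe",
    ),
]

if __name__ == "__main__":
    for hit in flag_msix_script_launch(SAMPLE_EVENTS):
        print("suspicious:", hit.parent_image, "->", hit.command_line)
```

The parent-image check is deliberately narrow so it stays cheap to run across a fleet; a real rule would be tuned against the organisation's own packaged apps that legitimately call PowerShell, and paired with the usual follow-on checks (what the script downloads, which benign executable then loads an unexpected DLL).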

The final payload varies from sample to sample but is typically an information stealer such as SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport, Elastic Security Labs said.
