Threat Watch

Malware Developer Uses Microsoft WSL To Facilitate Stealth Windows Loaders

A long-theorized attack vector has now been seen in the wild. The Windows Subsystem for Linux (WSL) is a feature of Microsoft Windows that lets Linux binaries run alongside Windows applications without a traditional full virtual machine (WSL 1 translates Linux system calls in the Windows kernel; WSL 2 runs a real Linux kernel in a lightweight utility VM). While this is a very useful feature for researchers, developers, and hobbyists, it also gives malware developers a foothold from which to attack both the Linux and the Windows side of the host. Researchers retrieved recent samples written in Python and delivered as Executable and Linkable Format (ELF) files which use Windows API calls to inject a payload into a running process. Because most endpoint tooling does not inspect ELF files running under WSL, the technique gave the threat actor a stealthy loader with a detection rate on VirusTotal that was near or at zero.

Researchers at Black Lotus Labs explain, “Thus far, we have identified a limited number of samples with only one publicly routable IP address, indicating that this activity is quite limited in scope or potentially still in development…”. At this point in time, the attack vector is best thought of as a tactic still in development rather than a widespread threat.


Most endpoint monitoring agents do not yet have signatures to detect and analyze ELF files attempting these techniques from within WSL. It is therefore important to enable logging of WSL activity and forward those logs to an EDR/SIEM so that process activity originating from WSL is visible to defenders. As this attack vector has not been heavily used to date, mitigation strategies are still being developed; security teams are building them side-by-side with the threat actors refining the technique. A proactive approach to security is always recommended, and the Threat Hunt team at Binary Defense provides such services by looking for techniques such as this in order to stop a potential or ongoing compromise.
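The following is an added example of the kind of hunting logic a team could run over forwarded endpoint telemetry once WSL activity is being logged; it is not Binary Defense or Black Lotus Labs code and is not derived from the samples discussed above. It assumes Sysmon-style events (Event ID 1, process creation, and Event ID 10, ProcessAccess) have already been shipped to a SIEM as JSON, and it treats wsl.exe, wslhost.exe and bash.exe as the Windows-side WSL host binaries (an assumption: on WSL 2 the Linux processes themselves run inside the utility VM, so the host only sees these launcher/host processes). The sample events are constructed for the example. The heuristic flags a WSL host process spawning a non-WSL Windows process, and a WSL host process opening another process with the access rights (PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_CREATE_THREAD) needed for classic injection.

```python
"""Hypothetical WSL hunting heuristic over Sysmon-style JSON events (added example).

Assumptions (not from the original article or the referenced research):
- events arrive as one JSON object per line with Sysmon field names;
- wsl.exe, wslhost.exe and bash.exe are the host-side WSL binaries of interest;
- GrantedAccess is the hex string Sysmon emits for Event ID 10.
"""
import json

# Assumed set of Windows-side WSL host/launcher binaries, compared case-insensitively.
WSL_IMAGES = {"wsl.exe", "wslhost.exe", "bash.exe"}

# Process access rights (winnt.h) that together permit VirtualAllocEx/WriteProcessMemory/
# CreateRemoteThread-style injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wsl_host(path: str) -> bool:
    return basename(path) in WSL_IMAGES


def evaluate(event: dict):
    """Return a short verdict string if the event matches the heuristic, else None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation
        parent, image = event.get("ParentImage", ""), event.get("Image", "")
        if is_wsl_host(parent) and not is_wsl_host(image):
            return "wsl-spawn: %s -> %s" % (basename(parent), basename(image))
    elif eid == 10:  # ProcessAccess
        src, tgt = event.get("SourceImage", ""), event.get("TargetImage", "")
        rights = int(event.get("GrantedAccess", "0x0"), 16)
        if is_wsl_host(src) and not is_wsl_host(tgt) and (rights & INJECT_RIGHTS) == INJECT_RIGHTS:
            return "wsl-inject-rights: %s -> %s (0x%X)" % (basename(src), basename(tgt), rights)
    return None


def hunt(lines):
    """Run the heuristic over raw JSON lines; return the list of verdict strings."""
    hits = []
    for line in lines:
        verdict = evaluate(json.loads(line))
        if verdict:
            hits.append(verdict)
    return hits


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    # A user launching WSL from Explorer: benign, not flagged.
    json.dumps({"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\wsl.exe"}),
    # WSL host process spawning a Windows binary: hunting lead.
    json.dumps({"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wsl.exe",
                "Image": "C:\\Windows\\System32\\cmd.exe"}),
    # WSL host process opening explorer.exe with full access: injection-capable rights.
    json.dumps({"EventID": 10, "SourceImage": "C:\\Windows\\System32\\wslhost.exe",
                "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1F0FFF"}),
    # Same pair but only PROCESS_QUERY_LIMITED_INFORMATION: not flagged.
    json.dumps({"EventID": 10, "SourceImage": "C:\\Windows\\System32\\wslhost.exe",
                "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1000"}),
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On a real estate the first rule will fire on legitimate WSL interop (for example a developer running Windows tools from a Linux shell), so it is a hunting lead to be tuned against a baseline rather than an alert; the second rule is far rarer in benign use and is the one worth alerting on.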