Threat Watch

Windows Systems Being Accessed Through Abuse of Narrator Utility

Unknown: New research has discovered that attackers are taking advantage of the narrator utility in Windows. The effort starts by attackers implementing the Pcshare backdoor on a targeted user device. This backdoor has all it needs to carry out this campaign including additional command-and-control encryption, as well as proxy bypass functionality. Attackers install post-exploitation tools after access to the machine is gained.  Fake Narrator, one of the post-exploitation tools, was discovered as a helping hand in obtaining access to admin privileges through tampering with Microsoft Accessibility features. The legitimate Narrator.exe screen reader utility is replaced with the attacker’s version, which gives the attacker access to a command prompt with system privileges and everything can be accessed remotely. Technology companies in Southeast Asia seem to be the targets currently.


While there is no specific group being mentioned, the location of the targeted users and the utilization of Chinese open-source tools, it is possible that Chinese-based threat actors are behind these attacks. Tropic Trooper, which targeted southeast Asia in 2015, also went after Windows machines. There is a chance that this group is returning based on their previous attacks and the similarities that have been found between the two.