Powershell Windows Toolbox that helps install Google Play on Windows 11 is malware

A third-party tool used to install the Google Play Store on Windows 11 has been found to be malicious. One of Neowin's readers, Eli, appears to have fallen victim to it after using it to install the Play Store.
The tool, called "Powershell Windows Toolbox," was hosted on GitHub. GitHub user LinuxUserGD noticed that the underlying code was obscure and contained malicious code, and user SuchByte later opened an issue on the repository about it. The Powershell Windows Toolbox has since been removed from GitHub.
Here’s everything the tool claims to do:

First, the software uses a Cloudflare worker to load the script. In the "How to use" section of the tool, the developers have instructed users to run the following command in the CLI:

While the loaded script does do the above, it was also found to contain obfuscated code. Deobfuscating it revealed PowerShell code that loaded further malicious scripts from Cloudflare workers and files from the GitHub repository of user alexrybak0444, possibly the threat actor or one of them. These were also reported and removed (archived version here).

After this, the script ultimately installs a Chromium extension, which is believed to be the main malicious component of this campaign. The payload appears to consist of links or URLs that generate revenue through affiliate and referral programs by promoting certain software or money-making schemes, distributed through Facebook and WhatsApp messages.
If you have the Powershell Windows Toolbox installed on your system, remove the following scheduled tasks, which the tool creates during an infection:
- Microsoft\Windows\AppID\ VerifiedCert
- Microsoft\Windows\Application Experience\Maintenance
- Microsoft\Windows\Services\CertPathCheck
- Microsoft\Windows\Services\CertPathw
- Microsoft\ Windows\Serviceing\ComponentCleanup
- Microsoft\Windows\Service\Service Cleanup
- Microsoft\Windows\Shell\ObjectTask
- Microsoft\Windows\Clip\ServiceCleanup
Also delete the hidden folder "C:\systemfile" created by the malicious script during the infection. If you are performing a System Restore, use a restore point that was not created by the Powershell Windows Toolbox itself, as restoring to one of those will not remove the malware from the system.
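To check a machine for the indicators listed above and, optionally, clean them up, here is an added example script (not part of the original article or the toolbox project). It assumes the listed paths are Task Scheduler library paths, that the stray spaces in the listing are extraction artifacts, and that it is run from an elevated PowerShell session; without `-Remove` it only reports.

```powershell
# Added example (not from the article): audit a host for the scheduled tasks and
# folder the article attributes to Powershell Windows Toolbox. Run elevated.
# Assumption: the listed paths are Task Scheduler library paths, and the stray
# spaces in the article's listing are extraction artifacts.
param([switch]$Remove)   # default is report-only; -Remove unregisters/deletes

# Task paths as listed in the article (spaces around '\' removed).
$IndicatorTasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Serviceing\ComponentCleanup',
    'Microsoft\Windows\Service\Service Cleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)
$IndicatorFolder = 'C:\systemfile'

$found = @()
foreach ($full in $IndicatorTasks) {
    $name = Split-Path $full -Leaf
    $path = '\' + (Split-Path $full -Parent) + '\'   # Task Scheduler wants the \...\ form
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        # Show what each task launches; the article reports these load scripts
        # from Cloudflare workers and GitHub, so the command line is worth keeping
        # as evidence before removal.
        foreach ($a in $task.Actions) {
            Write-Host "[FOUND] $path$name -> $($a.Execute) $($a.Arguments)"
        }
        $found += $task
    }
}
$folderPresent = Test-Path -LiteralPath $IndicatorFolder
if ($folderPresent) { Write-Host "[FOUND] hidden folder $IndicatorFolder" }
if (-not $found -and -not $folderPresent) { Write-Host 'No listed indicators present.' }

if ($Remove) {
    # Stop any running instance first, then unregister without prompting.
    $found | Stop-ScheduledTask -ErrorAction SilentlyContinue
    $found | Unregister-ScheduledTask -Confirm:$false
    if ($folderPresent) {
        # -Force is needed because the folder is hidden.
        Remove-Item -LiteralPath $IndicatorFolder -Recurse -Force
    }
}
```

Keep the reported command lines before running with `-Remove`; the Chromium extension the article describes is a separate component and must still be removed from the browser.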
The above is the detailed content of Powershell Windows Toolbox that helps install Google Play on Windows 11 is malware. For more information, please follow other related articles on the PHP Chinese website!
