
Powershell Windows Toolbox that helps install Google Play on Windows 11 is malware

A third-party tool used to install the Google Play Store on Windows 11 has been found to be malicious. In fact, one of Neowin's readers, Eli, appears to have fallen victim to it after using it to install the Play Store.

The tool, called "Powershell Windows Toolbox," is hosted on GitHub, and user LinuxUserGD noticed that the underlying code was suspicious and contained malicious code. Later, user SuchByte raised an issue about the tool. The Powershell Windows Toolbox has since been removed from GitHub.

Here’s everything the tool claims to do:

[Image: the tool's list of claimed features]

First, the software uses a Cloudflare worker to load the script. In the "How to use" section of the tool, the developers have instructed users to run the following command in the CLI:

[Image: the command from the tool's "How to use" section]

While the loaded script does what is shown above, obfuscated code was also found in it. Deobfuscating it revealed PowerShell code that loaded malicious scripts from Cloudflare Workers and files from the GitHub repository of user alexrybak0444, a possible threat actor or one of them. These were also reported and removed (an archived version is available here).

[Image: the deobfuscated PowerShell code]

After this, the script ultimately creates a Chromium extension, which is believed to be the main malicious component of this malware campaign. The payload of the malware appears to be certain links or URLs used to generate revenue through affiliates and referrals by promoting certain software or some money-making scheme distributed through Facebook and WhatsApp messages.

If you happen to have the Powershell Windows Toolbox installed on your system, you can remove the following components created by the tool during an infection:

  • Microsoft\Windows\AppID\VerifiedCert
  • Microsoft\Windows\Application Experience\Maintenance
  • Microsoft\Windows\Services\CertPathCheck
  • Microsoft\Windows\Services\CertPathw
  • Microsoft\Windows\Serviceing\ComponentCleanup
  • Microsoft\Windows\Service\Service Cleanup
  • Microsoft\Windows\Shell\ObjectTask
  • Microsoft\Windows\Clip\ServiceCleanup

Also delete the "C:\systemfile" hidden folder created by the malicious script during the infection. If you are performing a system restore, make sure to use a restore point that was not created by the Powershell Windows Toolbox itself, as restoring to one will not remove the malware from the system.
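The following audit script is an added example, not code from the article or from the tool's authors. It checks a host for the artifacts listed above and, only when run with `-Remove`, deletes what it finds. It assumes the listed paths are Task Scheduler library paths (folder\task name), which is what their `Microsoft\Windows\...` form suggests, and that it is run from an elevated PowerShell session.

```powershell
# Added example: audit a Windows 11 host for the Powershell Windows Toolbox artifacts.
# Assumption: the listed paths are Task Scheduler folder\task names. Run elevated.
param([switch]$Remove)   # without -Remove the script only reports; with it, it deletes findings

# Indicators copied verbatim from the article (task folder\task name)
$suspectTasks = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Serviceing\ComponentCleanup',
    'Microsoft\Windows\Service\Service Cleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)
$suspectFolder = 'C:\systemfile'

$findings = @()
foreach ($entry in $suspectTasks) {
    # Split "folder\name" into the "\folder\" TaskPath form the Task Scheduler cmdlets expect
    $name = Split-Path $entry -Leaf
    $path = '\' + (Split-Path $entry -Parent) + '\'
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        # Record what the task actually runs so the finding can be triaged, not just matched by name
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = $entry; Detail = $actions }
        if ($Remove) { Unregister-ScheduledTask -TaskPath $path -TaskName $name -Confirm:$false }
    }
}

# -Force is required for Get-Item to return a hidden directory
$dir = Get-Item -LiteralPath $suspectFolder -Force -ErrorAction SilentlyContinue
if ($dir) {
    $findings += [pscustomobject]@{ Type = 'HiddenFolder'; Item = $suspectFolder; Detail = "Attributes: $($dir.Attributes)" }
    if ($Remove) { Remove-Item -LiteralPath $suspectFolder -Recurse -Force }
}

if ($findings.Count -eq 0) { 'No Powershell Windows Toolbox artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Some of these folders (for example `Application Experience`) are legitimate Windows task folders, so review the Detail column for each hit before running the script again with `-Remove`.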


Statement: This article is reproduced from 云东方. If there is any infringement, please contact admin@php.cn for deletion.
