The analyzed threat is a malicious script leveraging fileless malware tactics to minimize its footprint on the infected Windows system’s filesystem. It achieves persistence by copying itself to the %APPDATA%\Microsoft\Windows\Templates directory as dwm.cmd and registering this script to run at system boot via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The script uses a copy command to replicate itself and then executes a PowerShell one-liner to remove the Zone.Identifier alternate data stream (ADS) from the copied file. The ADS is a metadata stream Windows attaches to files downloaded from the internet, indicating their origin and often triggering security warnings or forensic flags. By removing this ADS, the malware evades detection during digital forensic and incident response (DFIR) investigations that scan for files marked as downloaded from untrusted sources. The script then executes another PowerShell command to deploy DonutLoader, a known malware loader capable of loading additional payloads in memory, furthering the infection. This approach combines registry-based persistence, ADS removal for stealth, and in-memory malware loading, making detection and remediation more challenging. The threat does not require elevated privileges beyond the current user context and does not rely on network exploitation, limiting its attack vector to local execution or social engineering delivery of the script.

Organizations worldwide face risks from this threat primarily in the form of stealthy persistence and subsequent malware deployment. The removal of ADS metadata complicates forensic investigations, potentially delaying detection and response efforts. The use of registry Run keys for persistence means the malware can survive reboots and maintain a foothold on infected systems. Deployment of DonutLoader can lead to further compromise, including data theft, lateral movement, or ransomware infection depending on subsequent payloads. Although the initial infection requires local execution, the stealth and persistence mechanisms increase the likelihood of prolonged undetected presence, raising the risk of significant operational disruption, data breaches, and financial loss. Organizations with large Windows user bases, especially those with less mature endpoint detection and response (EDR) capabilities, are particularly vulnerable. The threat also poses challenges to incident responders due to its evasion of common forensic indicators.

To mitigate this threat, organizations should implement advanced endpoint detection solutions capable of monitoring registry Run key modifications and detecting suspicious script executions, especially those involving PowerShell commands that manipulate ADS or drop loaders like DonutLoader. Monitoring and alerting on removal of Zone.Identifier ADS streams can be a useful detection heuristic. Employ application whitelisting to restrict execution of unauthorized scripts and binaries in user AppData directories. Enforce least privilege principles to limit user ability to write to sensitive registry keys and directories. Regularly audit registry Run keys and user AppData folders for unknown or suspicious entries. Deploy PowerShell logging with script block transcription and module logging enabled to capture malicious command execution. Educate users on the risks of executing untrusted scripts and implement email and web filtering to reduce delivery of malicious scripts. Incident response teams should be trained to recognize ADS removal as an evasion technique and incorporate ADS scanning in forensic workflows. Finally, keep endpoint security tools and OS patches up to date to reduce exploitation opportunities.