• Latest
  • Trending
Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

February 10, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Friday, 17 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

by ITECHNEWS
February 10, 2022
in Infosec, Leading Stories
0 0
0
Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.

A Windows living-off-the-land binary (LOLBin) known as Regsvr32 is seeing a big uptick in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

LOLBins are legitimate, native utilities used daily in various computing environments, that cybercriminals use to evade detection by blending in to normal traffic patters. In this case, Regsvr32 is aMicrosoft-signed command line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs.

This long reach is catnip to cyberattackers, who can abuse the utility via the “Squiblydoo” technique, Uptycs researchers warned.

“Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,” they explained in a Wednesday writeup. “This method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”

The .OCX Connection

Malicious use of Regsvr32 has been cresting of late in the Uptycs telemetry, researchers warned, with cybercrooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents. As a class, .OCX files contain ActiveX controls, which are code blocks that Microsoft developed to enable applications to perform specific functions, such as displaying a calendar.

“The Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,” researchers warned. “During our analysis of these malware samples, we have identified that some of the malware samples belonged to Qbot and Lokibot attempting to execute .OCX files…97 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.”

Most of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, they added, which are types that contain embedded macros. During the attack, these usually download or execute a malicious payload from the URL using the formulas in the macros.

Similarly, some campaigns use Microsoft Word, Rich Text Format data or Composite Document (.DOC, .DOCX or .DOCM files embedded with malicious macros, according to Uptycs.

Identifying Suspicious regsvr32 Executions

Because Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cybersecurity defenses. However, researchers noted that security teams can monitor for a couple of specific behaviors in order to track its activity:

  • Look for parent/child process relationships where Regsvr32 is executed with parent process of Microsoft Word or Microsoft Excel;
  • And, it can be identified by looking for Regsvr32 executions that load the scrobj.dll, which executes a COM scriptlet.

 

Source: Tara Seals
Via: threatpost
Tags: Regsvr32 to Spread Malware
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version