ClickCease MSIX App Installer Disabled Amid Microsoft Malware Attacks

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

MSIX App Installer Disabled Amid Microsoft Malware Attacks

Wajahat Raja

January 11, 2024 - TuxCare expert team

In a recent announcement, Microsoft disclosed its decision to once again disable the ms-appinstaller protocol handler by default amid the Microsoft malware attacks. They took a proactive stance against its exploitation by various threat actors for malware distribution. 

This move comes in response to the ongoing abuse of the Windows AppX Installer spoofing vulnerability, identified as CVE-2021-43890, which was first documented by Microsoft a couple of years ago. It has led to an increased emphasis on enhancing MSIX security measures.

In this blog post, we’ll have a look at the recent developments surrounding Microsoft malware attacks, specifically focusing on how the MSIX App Installer has been disabled to enhance security measures and keep users protected.


Background On The Microsoft Malware Attacks


The vulnerability, documented by Microsoft a couple of years ago, had previously been exploited by attackers crafting packages containing ransomware. Back then, Microsoft security measures included recommending users either update to the latest Installer version or disable the ms-appinstaller protocol using Group Policy. However, a resurgence in the exploitation of these app installer vulnerabilities has prompted Microsoft to issue new guidance.

Threat Actor Activity


The Microsoft Threat Intelligence team has observed threat actors abusing the current implementation of the ms-appinstaller protocol handler as an access vector for malware. This has particularly led to ransomware distribution, emphasizing the critical need for secure software installation practices to mitigate such risks and fortify overall system security

Notably, cybercriminals are offering a malware kit as a service, leveraging the MSIX file format and ms-appinstaller protocol handler for their illicit activities. These changes have been implemented in App Installer version 1.21.3421.0 or higher.

Microsoft Malware Attacks – The Methods


Several financially motivated hacking groups have been identified exploiting the App Installer service since mid-November 2023. The attacks involve signed malicious MSIX application packages distributed through Microsoft Teams or deceptive advertisements on popular search engines. 

These attacks have been attributed to groups such as Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, each employing unique tactics for infiltration and subsequent ransomware activities.



  • Acts as an initial access broker.
  • Propagates BATLOADER through SEO poisoning.
  • Deploys Cobalt Strike and facilitates Black Basta ransomware deployment.




  • Functions as an initial access broker.
  • Utilizes bogus MSIX installers masquerading as Zoom to distribute EugenLoader.
  • Acts as a conduit for various stealer malware and remote access trojans.


Sangria Tempest (Carbon Spider and FIN7)


  • Uses EugenLoader from Storm-1113 to drop Carbanak.
  • Relies on Google ads to distribute malicious MSIX application packages and POWERTRASH.




  • Operates as an initial access broker.
  • Sends landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages.
  • Uses TeamsPhisher tool to distribute a malicious MSIX installer containing SectopRAT or DarkGate payloads.

Previous Incidents

This isn’t the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler. In February 2022, similar steps were taken to prevent threat actors from delivering Emotet, TrickBot, and Bazaloader using this vector. Implementing robust cybersecurity strategies is crucial for effective
malware attacks prevention within any digital infrastructure.

Reason for Exploitation

Threat actors are drawn to the ms-appinstaller protocol handler vector due to its ability to bypass safety mechanisms designed to protect users from malware. This includes circumventing Microsoft Defender SmartScreen and built-in browser warnings for executable file downloads. Hence, regularly applying
Windows security updates is imperative to ensure the ongoing protection and resilience of your operating system against evolving cyber threats.


In conclusion, Microsoft’s decision to disable the ms-appinstaller protocol handler by default underscores the seriousness of the ongoing threat posed by malicious actors. The significance of
MSIX security emerges as a pivotal aspect in maintaining a resilient and safeguarded software ecosystem. 

Users are strongly advised to update to the latest App Installer version to ensure the implementation of enhanced security measures, contributing to robust cyber threat mitigation and safeguarding their systems against evolving risks. 

As the cybersecurity landscape continues to evolve, staying vigilant and adopting cybersecurity best practices remains crucial in safeguarding against emerging threats. Malicious software prevention is a top priority in our cybersecurity measures as we strive to safeguard our systems against potential threats. 

Stay safe!

The sources for this piece include articles in The Hacker News and Bleeping Computer.

MSIX App Installer Disabled Amid Microsoft Malware Attacks
Article Name
MSIX App Installer Disabled Amid Microsoft Malware Attacks
Stay protected against Microsoft malware attacks. Learn how MSIX App Installer vulnerabilities are addressed to safeguard your system.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter