According to Windows Central, this time, the alert is for Tarrask, a “defense evasion malware” that uses Windows Task Scheduler to hide a device’s compromised status from itself.
“As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors,” the company said in a blogpost.
The attack comes from Hafnium, the state-sponsored, China-based group that users may recall to be a big deal because of its involvement in the Microsoft Exchange meltdown of 2021.
The data gathered during that ordeal has been speculated to be fuel for AI innovations by the Chinese government, the report said.
The company said it is currently tracking Hafnium’s activity when it comes to novel exploits of the Windows subsystem.
Hafnium is using Tarrask malware to ensure that compromised PCs remain vulnerable, employing a Windows Task Scheduler bug to clean up trails and make sure that on-disk artifacts of Tarrask’s activities don’t stick around to reveal what’s going on.
The tech giant also demonstrated how threat actors create scheduled tasks, how they cover their tracks, how the malware’s evasion techniques are used to maintain and ensure persistence on systems and how to protect against this tactic.