Backdoor:MSIL/ShellClient.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus removes this threat.
This malware is a custom remote access trojan (RAT) known as GhostShell or ShellClient. It masquerades as a legitimate Windows program such as "RuntimeBroker.exe" or "svchost.exe" to evade detection. This RAT steals and exfiltrates data by using Dropbox as a command-and-control (C2) channel.
This RAT is capable of the following:
- Collects system information such as hostname, IP address, and antivirus products
- Connects to https://ipinfo.io for additional IP information
- Installs itself as a service
- Starts CMD or PowerShell
- Starts a TCP, FTP, or Telnet client
- Uploads, downloads, and launches PowerShell commands
- Replicates the targeted client to establish an additional connection
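The two behaviours above that a defender can hunt for most directly are the masquerading (a "RuntimeBroker.exe" or "svchost.exe" running from outside the Windows system directories) and the network use of ipinfo.io and Dropbox. The following is an added example, not Microsoft's code: it runs that hunt over constructed Sysmon-style process-creation and network events, whose field names, sample paths, and Dropbox hostnames are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Names the entry says the RAT masquerades as, and the directories from which
# Windows genuinely runs them (assumed default install paths).
MASQUERADED_NAMES = {"runtimebroker.exe", "svchost.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Domains the entry ties to this RAT: Dropbox as C2, ipinfo.io for IP lookup.
SUSPECT_DOMAINS = ("dropbox.com", "dropboxapi.com", "ipinfo.io")

# Constructed Sysmon-style events (one JSON object per line); not real telemetry.
SAMPLE_LOG = [
    r'{"EventType":"ProcessCreate","ProcessId":900,"Image":"C:\\Windows\\System32\\svchost.exe"}',
    r'{"EventType":"ProcessCreate","ProcessId":4120,"Image":"C:\\Users\\alice\\AppData\\Roaming\\RuntimeBroker.exe"}',
    r'{"EventType":"NetworkConnect","ProcessId":900,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationHostname":"update.microsoft.com"}',
    r'{"EventType":"NetworkConnect","ProcessId":4120,"Image":"C:\\Users\\alice\\AppData\\Roaming\\RuntimeBroker.exe","DestinationHostname":"ipinfo.io"}',
    r'{"EventType":"NetworkConnect","ProcessId":4120,"Image":"C:\\Users\\alice\\AppData\\Roaming\\RuntimeBroker.exe","DestinationHostname":"api.dropboxapi.com"}',
]

def is_masquerading(image_path):
    """True when a process carries a trusted system-binary name but runs from
    somewhere other than the Windows system directories."""
    p = PureWindowsPath(image_path)
    return p.name.lower() in MASQUERADED_NAMES and str(p.parent).lower() not in LEGIT_DIRS

def in_suspect_domain(host):
    """Exact or subdomain match only, so a name like 'notipinfo.io' is not a hit."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def hunt(lines):
    """Return (kind, pid, detail) alerts: one per masquerading process start,
    then one per connection from a flagged process to a suspect domain."""
    flagged_pids = set()
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["EventType"] == "ProcessCreate" and is_masquerading(ev["Image"]):
            flagged_pids.add(ev["ProcessId"])
            alerts.append(("masquerade", ev["ProcessId"], ev["Image"]))
        elif ev["EventType"] == "NetworkConnect":
            host = ev.get("DestinationHostname", "")
            if ev["ProcessId"] in flagged_pids and in_suspect_domain(host):
                alerts.append(("c2_or_recon", ev["ProcessId"], host))
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The legitimate svchost.exe in System32 and its Microsoft update connection produce no alert; only the user-profile copy and its two outbound connections do.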
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.