Backdoor:Win64/Wainscot.A!dha
Aliases: No associated aliases
Summary
Backdoor:Win64/Wainscot.A!dha represents a sophisticated tool used in a complex cyber espionage campaign. Initially developed by a cybercrime group, this backdoor has been co-opted by state-aligned threat actor Secret Blizzard. This group has been observed commandeering the existing infrastructure and infections, a technique often called "freeloading," to conduct its own intelligence-gathering operations without establishing direct initial access.
This campaign primarily targets government and defense-related organizations. Secret Blizzard uses the repurposed Wainscot backdoor to maintain persistent, stealthy access to compromised devices. From there, they can launch commands, steal sensitive data, and conduct surveillance, effectively piggybacking on the prior work of other threat actors to further their own strategic interests.
For more details, read the Microsoft Security blog post "Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage".
- Immediately disconnect the affected device from the network to sever contact with the command-and-control server.
- Inspect and replace any renamed or tampered Windows utilities, such as credwiz.exe, with clean versions from a trusted source.
- Review device and network logs for evidence of data exfiltration and compromised accounts.
- Change all credentials that were stored on or accessible from the infected device.
- If the infection is severe, consider rebuilding the device from a known-clean backup or installation media.
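The second step above (inspecting credwiz.exe for tampering or renaming), as an added PowerShell check that is not part of the Microsoft page: it verifies the signature of the System32 copy, compares its hash with the component-store copy in WinSxS, and lists executables elsewhere on the device that still carry credwiz.exe's embedded original file name. Everything beyond the credwiz.exe name itself (paths searched, function names, the assumed resource string) is my assumption.

```powershell
# Added example, not from the Microsoft page: check whether credwiz.exe in System32 is
# still the genuine Microsoft-signed binary, compare it with the component-store copy
# in WinSxS, and look for renamed copies elsewhere. Assumes an elevated Windows
# PowerShell 5.1+ session; the function and variable names here are my own.

$target = Join-Path $env:SystemRoot 'System32\credwiz.exe'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    # Windows system binaries are catalog-signed; Get-AuthenticodeSignature resolves that.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Subject -like 'CN=Microsoft Windows*')
}

if (-not (Test-Path $target)) {
    Write-Warning 'credwiz.exe is missing from System32; it may have been renamed or deleted.'
} else {
    $info = Get-Item $target
    [pscustomobject]@{
        Path             = $info.FullName
        SHA256           = (Get-FileHash $target -Algorithm SHA256).Hash
        MicrosoftSigned  = Test-MicrosoftSigned $target
        FileVersion      = $info.VersionInfo.FileVersion
        OriginalFilename = $info.VersionInfo.OriginalFilename
    } | Format-List

    # The component store keeps its own copy (normally a hard link to the System32
    # file); a hash mismatch means one of the two was swapped out.
    $store = Get-ChildItem "$env:SystemRoot\WinSxS" -Recurse -Filter 'credwiz.exe' -ErrorAction SilentlyContinue |
             Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($store) {
        $storeHash  = (Get-FileHash $store.FullName -Algorithm SHA256).Hash
        $targetHash = (Get-FileHash $target -Algorithm SHA256).Hash
        "System32 copy matches WinSxS copy: $($storeHash -eq $targetHash)"
    }
}

# Renamed copies: any .exe outside the system directories and WinSxS whose embedded
# OriginalFilename still says credwiz.exe (assumption: that resource string is
# 'CredWiz.exe'; -eq is case-insensitive in PowerShell, so casing does not matter).
$sysDirs = @('System32', 'SysWOW64') | ForEach-Object { Join-Path $env:SystemRoot $_ }
Get-ChildItem -Path $env:SystemRoot, $env:ProgramData, $env:TEMP -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.VersionInfo.OriginalFilename -eq 'credwiz.exe' -and
                   $sysDirs -notcontains $_.DirectoryName -and
                   $_.FullName -notlike "$env:SystemRoot\WinSxS\*" } |
    Select-Object FullName, Length, LastWriteTime
```

A failed signature, a hash mismatch, or a hit from the final search is a lead to carry into the log review in the next step; replace the file only from installation media or another known-clean source, as the list above says.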
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.