We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
HackTool:Win64/JuicyPotato!rfn
Aliases: No associated aliases
Summary
HackTool:Win64/JuicyPotato!rfn is not a self-propagating malware but rather, is a local privilege escalation tool for 64-bit Windows. The intended function is to cover weaknesses in architecture in Windows using the Component Object Model (COM) is a common way to elevate a threat actors' accesses. If they have already gained a foothold on the device with a standard or service account, JuicyPotato can use escalated privileges to gain the highest "NT AUTHORITY\SYSTEM" level access for total control over the targeted device. Availability of its many variant exploits led to the JuicyPotato being used against a wider array of COM components. While JuicyPotato and its software generally do not contain a payload that destructs, it is the sole ability of taking over a device that causes major antivirus vendors, like Microsoft Defender, to detect and classify it as a malicious hack tool for removal.
- Unplug the ethernet cable or deactivate Wi-Fi to prevent the malware from communicating with its C2 servers and exfiltrating your data.
- Focus on determining how the attacker gained initial access to your device. The JuicyPotato binary must have been delivered and launched somehow; common methods include being dropped by other malware or downloaded from malicious sites.
- Rebuild or reimage the device from a trusted source if compromise is severe.
- Reset credentials for affected accounts, especially if credential theft is suspected.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
