Microsoft Security Intelligence
Published May 27, 2022 | Updated Nov 10, 2025

Trojan:Script/Metasploit!MSR

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:Script/Metasploit!MSR represents a critical detection for weaponized scripts, written in JavaScript or VBScript, that act as the initial loader in a multi-stage attack chain built on the Metasploit Framework. The script is a delivery mechanism, typically distributed through phishing emails with deceptive attachments or by exploiting vulnerabilities in unpatched software. Once launched, its primary function is to retrieve a memory-resident Meterpreter payload from a remote server under the threat actor's control and execute it.

The payload then establishes a reverse TCP, HTTP, or HTTPS connection to a designated command-and-control (C2) server, creating a covert channel for remote administration. That connection gives the threat actor comprehensive system-level command access, enabling a range of malicious activities from credential harvesting and keystroke logging to file exfiltration and the deployment of secondary payloads such as ransomware.

The payload operates in memory (fileless) and injects itself into legitimate system processes to evade traditional file-based detection. The initial script attempts to establish persistence through Windows Registry modifications or scheduled tasks so that it survives a system reboot.

  • Disconnect the compromised device from all networks (both wired and Wi-Fi) as soon as possible. This severs the threat actor’s remote connection and prevents further data exfiltration. 
  • Inspect and clean startup entries, scheduled tasks, and running processes for any malicious components the malware may have used to establish persistence.
  • Review financial, messaging, and other critical accounts for unusual transactions or activity that could indicate unauthorized access.
  • Change passwords for local user profiles, privileged accounts, and linked online services immediately, as they may have been intercepted. 
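The following PowerShell script is an added triage helper, not part of this Microsoft page or of Microsoft Defender. It walks the three persistence locations the steps above name (Registry run keys, scheduled tasks, running processes) and reports entries that reference a Windows script host or a script file, which is the loader type this detection covers. The script-host pattern, the set of run keys checked, and the process names are assumptions made for this example; the script only reports and never deletes anything.

```powershell
# Added example (not Microsoft's code): report persistence entries and live
# processes tied to JavaScript/VBScript loaders. Run from an elevated prompt so
# HKLM keys and all scheduled tasks are readable. Nothing is removed.

# Assumption: script-host executables and script extensions worth flagging.
$scriptHostPattern = 'wscript\.exe|cscript\.exe|mshta\.exe|\.js\b|\.jse\b|\.vbs\b|\.vbe\b|\.wsf\b'

function Get-SuspiciousRunKeyEntries {
    # Assumption: the common per-machine and per-user autostart keys.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $scriptHostPattern) {
                [pscustomobject]@{
                    Source   = 'RunKey'
                    Location = $key
                    Name     = $p.Name
                    Command  = $p.Value
                }
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Each task can carry several actions; flag any action whose command line
    # invokes a script host or points at a script file.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $scriptHostPattern) {
                [pscustomobject]@{
                    Source   = 'ScheduledTask'
                    Location = $task.TaskPath
                    Name     = $task.TaskName
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-ScriptHostsWithConnections {
    # A script host holding an established TCP connection is unusual on most
    # endpoints and matches the reverse-connection behaviour described above.
    $procs = Get-Process -Name wscript, cscript, mshta -ErrorAction SilentlyContinue
    foreach ($proc in $procs) {
        $conns = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            [pscustomobject]@{
                Source   = 'Process'
                Location = "PID $($proc.Id)"
                Name     = $proc.ProcessName
                Command  = "$($c.RemoteAddress):$($c.RemotePort)"
            }
        }
    }
}

$findings = @(Get-SuspiciousRunKeyEntries) +
            @(Get-SuspiciousScheduledTasks) +
            @(Get-ScriptHostsWithConnections)

if ($findings.Count -eq 0) {
    Write-Output 'No script-host persistence or live script-host connections found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

Treat the output as a starting point for investigation rather than a verdict: legitimate software occasionally uses scheduled tasks that run scripts, and the checks cover only the locations this entry names, not every autostart mechanism Windows offers. Confirm any hit against Microsoft Defender's own detection history before removing it, and collect the referenced script file for analysis before it is cleaned up.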

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
