Trojan:Script/Wacatac
Aliases: No associated aliases
Summary
Trojan:Script/Wacatac is classified as a broad heuristic label. It captures a range of malicious activities from modular malware families that employ advanced scripting and evasion techniques. This detection is not a single virus, but a behavioral signature often triggered by unauthorized registry changes, in-memory code execution, and the misuse of trusted system processes. These infections typically spread through social engineering, such as pirated software or phishing campaigns. Once inside a device, they focus on establishing persistence, deactivating Microsoft Defender, and creating covert communication channels. The heuristic nature of this detection can sometimes lead to false positives, where legitimate software is flagged.
- Immediately disconnect the infected device from all networks, including wired, Wi-Fi, and Bluetooth, to halt data theft.
- Boot the computer into Safe Mode to prevent most non-essential startup programs and malware persistence mechanisms from loading.
- Manually clear all files from temporary directories including C:\Windows\Temp, %LOCALAPPDATA%\Temp, and %APPDATA%\Temp.
- Carefully inspect and remove malicious registry entries in autostart paths like HKCU\Software\Microsoft\Windows\CurrentVersion\Run and file association hijacks in HKEY_CLASSES_ROOT. Always back up the registry before making changes.
- Fully reset affected web browsers to their default state to remove malicious extensions, scripts, and proxy settings.
- If a file is incorrectly flagged, use the Microsoft Defender command line tool to clear the cache and update signatures. Open an elevated command prompt in the Defender directory and run MpCmdRun.exe -RemoveDefinitions -DynamicSignatures followed by MpCmdRun.exe -SignatureUpdate.
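A PowerShell triage script covering the inspection side of the steps above (added here; it is not code from the Microsoft page): it backs up the HKCU Run key, lists Run/RunOnce autostart entries and flags those that invoke script hosts or point into a Temp folder, inventories script files in the three temp directories, and runs the two MpCmdRun commands only when the shell is elevated. The MpCmdRun location under %ProgramFiles%\Windows Defender and the suspicious-pattern list are assumptions.

```powershell
# Added triage helper, not code from the Microsoft page. It backs up, inventories
# and reports; it deletes nothing, so each finding still gets the manual review
# the steps above call for.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: script hosts and Temp staging paths worth a second look.
# A match means "review by hand", not "malicious".
$Suspicious = 'wscript|cscript|mshta|powershell|rundll32|regsvr32|\\Temp\\'
$MetaProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Registry step: back up the key before any manual edit
$Backup = Join-Path $env:USERPROFILE ('run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' $Backup /y | Out-Null
"Registry backup written to $Backup"

# Registry step: list autostart entries, flagging the ones that match the pattern
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in $Props.PSObject.Properties.Name) {
        if ($MetaProps -contains $Name) { continue }   # skip provider metadata
        $Cmd  = [string]$Props.$Name
        $Flag = if ($Cmd -match $Suspicious) { 'REVIEW' } else { 'ok' }
        '{0,-6} {1}\{2} = {3}' -f $Flag, $Key, $Name, $Cmd
    }
}

# Temp cleanup step: inventory script files in the temp directories before clearing them
$TempDirs = "$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp", "$env:APPDATA\Temp"
Get-ChildItem -Path $TempDirs -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)$' } |
    Select-Object FullName, Length, LastWriteTime

# False-positive step: clear dynamic signatures and update, only from an elevated shell.
# Assumption: MpCmdRun.exe lives under %ProgramFiles%\Windows Defender.
$MpCmdRun  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$Principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if ($Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures
    & $MpCmdRun -SignatureUpdate
} else {
    'Not elevated: rerun as Administrator to refresh Defender signatures.'
}
```

Entries marked REVIEW are candidates for the manual registry inspection, not confirmed malware; compare each against the backup before removing anything.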
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.