Microsoft Disables ms-appinstaller to Thwart Malware Distribution

Microsoft recently announced the deactivation of the ms-appinstaller protocol handler in its Windows operating system, following its exploitation by various cybercriminal groups. This move is a direct response to the increasing use of the protocol for malware distribution, leading to potential ransomware attacks.

Understanding the ms-appinstaller Vulnerability

The ms-appinstaller protocol was designed to streamline the app installation process in Windows by enabling direct installation from websites using the MSIX package installer. However, threat actors have been exploiting this feature to distribute signed malicious MSIX application packages. These packages are often disguised as legitimate software and distributed via channels such as Microsoft Teams or through deceptive advertisements on popular search engines.
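For defenders reviewing web pages, chat messages or proxy logs, the following added example (not code from Microsoft or the original article) extracts ms-appinstaller links, which take the form `ms-appinstaller:?source=<package URL>`, and flags those whose package host is not on an allowlist. The allowlist host and the sample HTML are constructed for illustration.

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts your organisation actually publishes MSIX packages from.
ALLOWED_HOSTS = {"packages.example.internal"}

# Match the scheme and everything up to whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"ms-appinstaller:\??[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample input: one unknown host, one allowlisted host, one normal link.
SAMPLE = """
<a href="ms-appinstaller:?source=https://zoom-setup.example/Zoom.msix">Download Zoom</a>
<a href="MS-AppInstaller:?source=https%3A%2F%2Fpackages.example.internal%2Ftool.msix&amp;x=1">Tool</a>
<a href="https://example.com/about">About</a>
"""

def find_appinstaller_links(text):
    """Return one finding per ms-appinstaller URI found in text."""
    findings = []
    # Decode HTML entities first so &amp; does not hide parameter boundaries.
    for match in URI_RE.finditer(unescape(text)):
        uri = match.group(0)
        query = uri.split(":", 1)[1].lstrip("?")
        # Parameter names are compared case-insensitively; values are URL-decoded.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        source = params.get("source", [""])[0]
        host = (urlsplit(source).hostname or "").lower()
        findings.append({
            "uri": uri,
            "source": source,
            "host": host,
            "allowed": host in ALLOWED_HOSTS,
        })
    return findings

if __name__ == "__main__":
    for f in find_appinstaller_links(SAMPLE):
        status = "ok" if f["allowed"] else "REVIEW"
        print(f"{status:6} {f['host'] or '(no source)'}  {f['source']}")
```
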

Key Findings by Microsoft Threat Intelligence

  • Microsoft’s decision was influenced by the activities of at least four hacking groups.
  • These groups used the ms-appinstaller protocol as an entry point for ransomware activities.
  • The attack vectors included fake websites, search engine optimization poisoning, and malicious advertisements.

Notable Cybercriminal Groups Involved

  • Storm-0569: Known for using BATLOADER through SEO poisoning, targeting software like Zoom and Tableau.
  • Storm-1113: Utilizes bogus MSIX installers, often masquerading as Zoom, to distribute malware like EugenLoader.
  • Sangria Tempest (aka Carbon Spider/FIN7): Employs EugenLoader and Google ads for distributing POWERTRASH and NetSupport RAT malware.
  • Storm-1674: Focuses on distributing SectopRAT or DarkGate payloads through fake Microsoft OneDrive and SharePoint landing pages.

Previous Incidents and Ongoing Threats

  • In October 2023, Elastic Security Labs uncovered a campaign using spurious MSIX packages to distribute GHOSTPULSE malware.
  • Microsoft had previously disabled this protocol in February 2022 to prevent the spread of Emotet, TrickBot, and Bazaloader.
  • These incidents indicate a recurring pattern of cybercriminals targeting this protocol due to its ability to bypass standard security measures like Microsoft Defender SmartScreen.

Microsoft’s Response and Security Measures

  • The disabling of the ms-appinstaller protocol is part of a broader security update labeled CVE-2021-43890.
  • Microsoft emphasizes the importance of downloading apps only from trusted sources.
  • Users are advised to manually install apps after downloading, allowing for antivirus checks.

Impact on Users and Future Outlook

  • This change requires users to download software packages first, then run App Installer, adding a layer of security but also an extra step in the installation process.
  • Microsoft is committed to monitoring future malicious activities and adjusting its security measures accordingly.

Recommendations for Users

  • Be cautious of downloading apps from unknown or unverified websites.
  • Regularly update antivirus software and be vigilant about unusual app installation prompts.

Broader Implications for Cybersecurity

Microsoft’s moves highlight just how crucial it is to always be on the lookout and ready to change when it comes to cybersecurity. Hackers are getting clever with their tricks, so businesses have to stay sharp and react fast to new dangers. This recent event shows us that hackers can use even small parts of a system to cause trouble, which means companies have to keep checking and updating their security measures.

Cybersecurity Best Practices for Users

  • Regularly update operating systems and software to patch vulnerabilities.
  • Avoid clicking on links or downloading files from untrusted sources.
  • Use comprehensive security solutions, including firewalls and antivirus programs.
  • Stay informed about the latest cybersecurity threats and trends.

Looking Ahead: Microsoft’s Security Strategy

Microsoft has chosen to turn off the ms-appinstaller protocol. This move is a piece of a larger plan to handle security by actively finding and responding to threats. They pour resources into understanding threats and studying cybersecurity. Their methods to fight cyber risks include, but aren’t limited to, technical fixes. Microsoft also puts effort into teaching users and works with other tech companies to improve worldwide safety against cyberattacks.


Microsoft is taking steps to prevent the abuse of its ms-appinstaller protocol. This shows how they constantly fight against online dangers. They stay on top of what cybercriminals do and keep making their security better, which helps protect their users.