BleepingComputer reports that threat actors leveraged a Windows 11 Toolbox script released on GitHub, which promised to add the Google Play Store to the Android Subsystem, to infect Microsoft users with malware without their knowledge.
The Windows Toolbox script, which also claimed to activate Microsoft Office and Windows and to reduce Windows 11 bloat, was found to contain obfuscated PowerShell code that fetched several Cloudflare Worker scripts; those scripts were then used for command execution and file downloads on compromised devices.
Only U.S.-based users were targeted. The malicious scripts create a number of Scheduled Tasks that set multiple variables, kill processes, and create further scripts for other tasks.
A hidden C:\system folder created by the scripts holds not only default Edge, Chrome, and Brave profiles but also a Chromium extension that runs a script generating revenue by redirecting the browser to referral and affiliate URLs.
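The behaviours the report describes (a hidden folder, scheduled tasks that launch PowerShell, a Chromium extension dropped alongside browser profiles) are all things a defender can check for on an endpoint. The following triage script is an added example written for this page; it is not code from the BleepingComputer report or from the Toolbox project. It assumes the hidden folder path is `C:\system`, that the persistence tasks invoke `powershell.exe` (typically with an encoded or hidden-window command line, or with a reference to that folder), and that each dropped extension carries the usual Chromium `manifest.json`; any other values it uses are placeholders.

```powershell
# Added endpoint triage example (not from the report or the Toolbox project).
# Assumptions: the hidden folder is C:\system; persistence tasks run powershell.exe;
# dropped Chromium extensions each contain a manifest.json.

$SuspectRoot = 'C:\system'   # assumption: folder path named in the report
$findings    = @()

# 1. Hidden folder check. Get-Item only returns hidden items when -Force is given.
$dir = Get-Item -LiteralPath $SuspectRoot -Force -ErrorAction SilentlyContinue
if ($dir) {
    $findings += [pscustomobject]@{
        Type   = 'Folder'
        Detail = $SuspectRoot
        Note   = if ($dir.Attributes.HasFlag([IO.FileAttributes]::Hidden)) { 'hidden attribute set' } else { 'not hidden' }
    }

    # 2. Chromium extensions inside the folder: every extension has a manifest.json,
    #    so list each one with its declared name and the directory it lives in.
    Get-ChildItem -LiteralPath $SuspectRoot -Recurse -Force -Filter manifest.json -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $manifest = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json
                $name = $manifest.name
            } catch { $name = '<unparseable manifest>' }
            $findings += [pscustomobject]@{
                Type   = 'Extension'
                Detail = $_.DirectoryName
                Note   = "manifest name: $name"
            }
        }
}

# 3. Scheduled tasks whose actions run PowerShell with an encoded or hidden-window
#    command line, or that reference the suspect folder. Task actions expose the
#    executable (Execute) and its command line (Arguments).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        $looksLikePowerShell = $cmdline -match 'powershell(\.exe)?'
        $suspiciousArgs      = $cmdline -match '-e(nc|ncodedcommand)?\s' -or
                               $cmdline -match '-w(indowstyle)?\s+hidden' -or
                               $cmdline -match [regex]::Escape($SuspectRoot)
        if ($looksLikePowerShell -and $suspiciousArgs) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName)"
                Note   = $cmdline
            }
        }
    }
}

# 4. Report. An empty table means none of the indicators above were present.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators found for the checks in this script.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell session so that `Get-ScheduledTask` can enumerate tasks registered by other accounts. The checks are deliberately narrow (a fixed folder name, PowerShell-based tasks, manifest files under that folder); a task that launches a different interpreter or a folder with another name would not be flagged, so treat a clean result as "these specific indicators are absent" rather than "the machine is clean".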