Windows 11 tool to add Google Play secretly installed malware

A popular Windows 11 ToolBox script used to add the Google Play Store to the Windows Subsystem for Android has been secretly infecting users with malicious scripts, Chrome extensions, and potentially other malware.

When Windows 11 was released in October, Microsoft announced that it would allow users to run Android apps natively from Windows.

This feature excited many users, but when the preview of Android for Windows 11 was released in February, many were disappointed that they could not use it with Google Play and were stuck with apps from the Amazon App Store.

While there were ways to use ADB to sideload Android apps, users started looking for methods to add the Google Play Store to Windows 11.

Around that time, someone released a new tool called Windows Toolbox on GitHub with a host of features, including the ability to debloat Windows 11, activate Microsoft Office and Windows, and install the Google Play Store for the Android subsystem.

Windows Toolbox on GitHub

Once technical sites discovered the script, it was quickly promoted and installed by many.

Unbeknownst to everyone until this week, Windows Toolbox was actually a Trojan that executed a series of obfuscated, malicious PowerShell scripts to install a Trojan clicker and possibly other malware on devices.

Abuse of Cloudflare Workers to install malware

Over the past week, various users shared the discovery that the Windows Toolbox script was a front for a very clever malware attack that, surprisingly, delivered a rather low-quality malware infection.

While the Windows Toolbox script performed all the functions described on GitHub, it also contained obfuscated PowerShell code that downloaded further scripts from Cloudflare Workers and used them to execute commands and download files on the infected device.

To run Windows Toolbox, the developer asked users to execute a command that downloads and runs a PowerShell script from a Cloudflare Worker hosted at http://ps.microsoft-toolbox.workers.dev/. Because the script is fetched from a remote host at run time, whoever controls that Worker can change what gets executed at any moment, which is exactly what happened here.

Original GitHub instructions to start the script

Using Cloudflare Workers to host the malicious scripts was clever: it let the threat actors modify the scripts whenever they wanted, and it used a platform that has not been heavily abused for malware distribution, so the traffic was less likely to be flagged.

The script looks like it does what it advertises, with features to debloat Windows 11, disable telemetry, fix the Your Phone app, configure power profiles, and so on.

On lines 762 and 2,357 of the script, however, there is obfuscated code that, at first glance, does not appear to pose any risk.

Obfuscated PowerShell

When deobfuscated, however, it turns into PowerShell code [Stage 1, Stage 2, Stage 3] that loads malicious scripts from Cloudflare Workers and files from the https://github.com/alexrybak0444/ GitHub repository.

Threat actors' GitHub repository

This repository contains several files, including a renamed Python distribution, a 7-Zip executable, curl, and various batch files.

Unfortunately, some of the scripts hosted on Cloudflare required special HTTP headers to be sent before they could be retrieved, or are simply no longer available, making it difficult to analyze exactly what this tangle of PowerShell scripts, batch files, and binaries did on an infected device.

Sending special headers to Cloudflare Workers

What we do know is that the malicious scripts only targeted users in the United States and created several scheduled tasks with the following names, chosen to blend in with legitimate Microsoft task folders:

Microsoft\Windows\AppID\VerifiedCert
Microsoft\Windows\Application Experience\Maintenance
Microsoft\Windows\Services\CertPathCheck
Microsoft\Windows\Services\CertPathw
Microsoft\Windows\Servicing\ComponentCleanup
Microsoft\Windows\Servicing\ServiceCleanup
Microsoft\Windows\Shell\ObjectTask
Microsoft\Windows\Clip\ServiceCleanup

These scheduled tasks are used to set various variables, create further scripts for the tasks to run, and kill processes such as chrome.exe, msedge.exe, brave.exe, powershell.exe, python.exe, pythonw.exe, cdriver.exe and mdriver.exe.

The malware also created a hidden C:\systemfile folder and copied the default Chrome, Edge, and Brave profiles into it.

The PowerShell scripts then created a Chromium extension in this directory that executes a script from https://cdn2.alexrybak0555.workers.dev/ whenever the browser is launched.

This script appears to be the main malicious component of the attack, and while it uploads geographic location information about the victim, its malicious behavior is, oddly enough, limited to generating revenue by redirecting users to affiliate and referral URLs.

When users visit whatsapp.com, the script redirects them to one of the following URLs at random, which lead to "monetize" scams, browser notification scams, and unwanted software promotions:

https://tei.ai/hacky-file-explorer
https://tei.ai/pubg-for-low-spec-pc
https://tei.ai/get-free-buck
https://tei.ai/win-free-digital-license
https://tei.ai/make-money-online-right-now
https://tei.ai/make-money-online-35-way
https://tei.ai/9qmcSfB
https://tei.ai/GCShsSr
https://tei.ai/wCJ88s

The impact of the payload delivered by this intricate tangle of scripts is so small that it almost feels like something is missing.

That may well be the case, as one of the scheduled tasks executes code from autobat.alexrybak0444.workers.dev, which could contain further malicious behavior. However, this script was not archived and is no longer available.

If you have previously run this script and are concerned that you may be infected, check for the scheduled tasks listed above and for the hidden C:\systemfile folder.

If they are present, delete the associated tasks, the C:\systemfile folder, and the Python files installed as C:\Windows\security\pywinvera, C:\Windows\security\pywinveraa and C:\Windows\security\winver.png.
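The following PowerShell script is an added example, not code from the article or from the Windows Toolbox project. It checks for the scheduled tasks, folder and files named above and, only when run with -Remove, deletes them. It assumes those paths are literal, that the task names split into a task folder and a task name exactly as listed, and that it runs from an elevated prompt.

```powershell
# Added example (not from the article): hunt for the Windows Toolbox
# indicators listed above and optionally remove them.
# Run from an elevated PowerShell prompt. Report-only by default;
# pass -Remove to delete what is found.
param([switch]$Remove)

# Scheduled task names from the article; the last path element is the
# task name, the rest is the task folder.
$TaskNames = @(
    'Microsoft\Windows\AppID\VerifiedCert',
    'Microsoft\Windows\Application Experience\Maintenance',
    'Microsoft\Windows\Services\CertPathCheck',
    'Microsoft\Windows\Services\CertPathw',
    'Microsoft\Windows\Servicing\ComponentCleanup',
    'Microsoft\Windows\Servicing\ServiceCleanup',
    'Microsoft\Windows\Shell\ObjectTask',
    'Microsoft\Windows\Clip\ServiceCleanup'
)

# Folder and files from the article (assumed to be literal paths)
$Paths = @(
    'C:\systemfile',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa',
    'C:\Windows\security\winver.png'
)

$found = $false

foreach ($full in $TaskNames) {
    $name = Split-Path $full -Leaf                    # e.g. VerifiedCert
    $path = '\' + (Split-Path $full -Parent) + '\'    # e.g. \Microsoft\Windows\AppID\
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $found = $true
        # Print what the task runs so the action can be reviewed before
        # anything is deleted: the names deliberately mimic Microsoft ones.
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Write-Warning "Scheduled task found: $path$name -> $actions"
        if ($Remove) {
            Unregister-ScheduledTask -TaskPath $path -TaskName $name -Confirm:$false
            Write-Host "Removed task $path$name"
        }
    }
}

foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        $found = $true
        # -Force is needed to see the hidden C:\systemfile folder
        $item = Get-Item -LiteralPath $p -Force
        Write-Warning "Path found: $p (attributes: $($item.Attributes))"
        if ($Remove) {
            Remove-Item -LiteralPath $p -Recurse -Force
            Write-Host "Removed $p"
        }
    }
}

if (-not $found) { Write-Host 'No Windows Toolbox indicators found.' }
```

Run it once without -Remove and read the reported task actions: the task names were picked to look like built-in Microsoft maintenance tasks, so confirm that the action points at something under C:\systemfile, C:\Windows\security or a workers.dev URL before deleting. Close Chrome, Edge and Brave first, since the malicious extension lives in the copied profiles under C:\systemfile and an open browser may hold those files locked.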
