The Lost Payload: MSIX Resurrection
How adversaries weaponize MSIX packages for initial access, and how to detect it. Plus introducing MSIXBuilder for safe testing of detection coverage.
Originally published on the Splunk Security Blog
Read the full article: The Lost Payload: MSIX Resurrection
They Thought It Was Just a Package
MSIX was engineered as the future of Windows app deployment—containerization, trust, and control. But in the shadows of convenience, something ancient stirred.
Threat actors aren’t just side-loading—they’re evolving. From Loader-as-a-Service operations to sophisticated malvertising campaigns, the MSIX ecosystem has become the perfect hunting ground.
The Business Model: Loader-as-a-Service
For $1,500/week or $4,000/month, cybercriminals can purchase MSIX-packaged malware that bypasses traditional security controls. Premium tiers ($1,800/week) provide properly code-signed packages that slip past SmartScreen undetected.
Distribution Methods
- Malvertising - Fake ads for Chrome, Teams, Zoom
- Social Engineering - Fake SharePoint/OneDrive notifications via Teams
- SEO Poisoning - Compromised sites redirecting to fake download pages
MSIXBuilder: Test Your Defenses Safely
How do you test detection capabilities without deploying real malware? We built MSIXBuilder to solve this.
# Generate test MSIX package
.\Create-MSIXPackage.ps1 -PackageName "SecurityTest" -Publisher "RedTeam" -OutputPath "C:\Output"
Key Detection: PowerShell from WindowsApps
| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
  FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name="powershell.exe"
    AND (Processes.parent_process_path="*\\WindowsApps\\*"
      OR Processes.process="*WindowsApps*.ps1*")
  BY Processes.dest Processes.user Processes.parent_process_path Processes.process
| `drop_dm_object_name(Processes)`
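The same detection logic as the SPL query, run offline over a handful of constructed process-creation events so the match conditions can be checked without a Splunk instance. This is an added example, not code from the blog post or from MSIXBuilder; the event fields mirror the Endpoint.Processes names the query uses, and every path, host name and package folder below is constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record with the Endpoint.Processes fields the query relies on."""
    dest: str                 # host the process ran on
    process_name: str         # image name, e.g. powershell.exe
    process: str              # full command line
    parent_process_path: str  # full path of the parent image


# SPL wildcard "*\\WindowsApps\\*" on the parent path -> a \WindowsApps\ path component.
WINDOWSAPPS_PARENT = re.compile(r"\\WindowsApps\\", re.IGNORECASE)
# SPL wildcard "*WindowsApps*.ps1*" on the command line -> a .ps1 script under WindowsApps.
WINDOWSAPPS_SCRIPT = re.compile(r"WindowsApps.*\.ps1", re.IGNORECASE)


def is_suspicious(ev: ProcessEvent) -> bool:
    """Mirror the query: powershell.exe whose parent lives in WindowsApps, or whose
    command line references a .ps1 script in WindowsApps. Matching is case-insensitive
    because Windows paths are."""
    if ev.process_name.lower() != "powershell.exe":
        return False
    return bool(WINDOWSAPPS_PARENT.search(ev.parent_process_path)) or bool(
        WINDOWSAPPS_SCRIPT.search(ev.process)
    )


def detect(events):
    """Return the events the rule would surface, in input order."""
    return [ev for ev in events if is_suspicious(ev)]


def hits_by_host(events):
    """Collapse hits per host, the way the query's BY Processes.dest would."""
    counts = {}
    for ev in detect(events):
        counts[ev.dest] = counts.get(ev.dest, 0) + 1
    return counts


# Constructed sample events (hypothetical host names, package folder and publisher id).
PKG = r"C:\Program Files\WindowsApps\RedTeam.SecurityTest_1.0.0.0_x64__1a2b3c4d5e6f7"
SAMPLE_EVENTS = [
    # 1. PowerShell spawned by a packaged app: matches the parent-path clause.
    ProcessEvent("ws01", "powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgA", PKG + r"\app.exe"),
    # 2. Script inside the package run from explorer: matches the command-line clause.
    ProcessEvent("ws02", "powershell.exe",
                 f'powershell.exe -ExecutionPolicy Bypass -File "{PKG}\\install.ps1"',
                 r"C:\Windows\explorer.exe"),
    # 3. Ordinary interactive PowerShell: no match.
    ProcessEvent("ws03", "powershell.exe",
                 "powershell.exe -Command Get-Date", r"C:\Windows\explorer.exe"),
    # 4. cmd.exe from the same package: outside the rule's scope (process_name clause).
    ProcessEvent("ws01", "cmd.exe", "cmd.exe /c whoami", PKG + r"\app.exe"),
    # 5. PowerShell 7 (pwsh.exe) from the package: also outside the rule's scope.
    ProcessEvent("ws04", "pwsh.exe", "pwsh.exe -nop -c Get-Process", PKG + r"\app.exe"),
]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"[HIT] {ev.dest}: {ev.process}  (parent: {ev.parent_process_path})")
    print(hits_by_host(SAMPLE_EVENTS))
```

Events 4 and 5 are deliberately left unflagged: the query keys on the image name powershell.exe, so cmd.exe, pwsh.exe or any other interpreter launched from a WindowsApps folder falls outside its coverage. A practitioner tuning this rule would either widen the process_name clause or pair it with a second search on parent_process_path alone, accepting the extra triage volume that brings.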
Read the full technical breakdown: The Lost Payload: MSIX Resurrection
Related Modules
MSIXBuilder
MSIX Building Made Easy for Defenders. Create MSIX packages for testing and analysis.