Windows 11 Tool to Add Google Play Secretly Installed Malware


A popular Windows 11 ToolBox script used to add the Google Play Store to the Android subsystem has secretly infected users with malicious scripts, Chrome extensions, and potentially other malware.

When Windows 11 was released in October, Microsoft announced that it would allow users to run native Android apps directly from Windows.

This feature was exciting for many users, but when the Android preview for Windows 11 was released in February, many were disappointed that they couldn't use it with Google Play and were stuck with apps from the Amazon App Store.

While there were ways to use ADB to sideload Android apps, users started looking for ways to add Google Play Store to Windows 11.

Around this time, someone released a new tool called Windows Toolbox on GitHub with a host of features, including the ability to unlock Windows 11, activate Microsoft Office and Windows, and install Google Play Store for the Android subsystem.

Windows Toolbox on GitHub

Once tech sites discovered the script, it was quickly promoted and installed by many people.

However, unbeknownst to anyone until this week, Windows Toolbox was actually a Trojan that ran a series of obfuscated, malicious PowerShell scripts to install a trojan clicker and possibly other malware on devices.

Abusing Cloudflare Workers to install malware

Over the past week, various users shared the discovery that the Windows Toolbox script was a front for a very clever malware attack, leading to a surprisingly low quality malware infection.

While the Windows Toolbox script performed all the functionality described on GitHub, it also contained obfuscated PowerShell code that grabbed various scripts from Cloudflare Workers and used them to run commands and download files to an infected device.

To run Windows Toolbox, the developer instructed users to run the following command, which loaded a PowerShell script from a Cloudflare worker hosted at

Original instructions from GitHub to run the script

Using Cloudflare Workers to host the malicious scripts was smart because it allowed the threat actors to modify the scripts as needed and to use a platform that hasn't been overused to distribute malware, so it will probably be less easily detected.

This script appears to do what is advertised, with functionality to debloat Windows 11, disable telemetry, repair the Your Phone app, configure power profiles, and more.

However, lines 762 and 2357 of the script contain obfuscated code that, at first glance, does not look like it could pose a risk.

obfuscated powershell

However, when deobfuscated, it converts to PowerShell code [Stage 1, Stage 2, Stage 3] which loads malicious scripts from Cloudflare Workers and files from the repository.

Threat Actors GitHub Repository

This repository contains many files, including a renamed Python distribution, a 7Zip executable, Curl, and various batch files.

Unfortunately, some scripts stored on Cloudflare required special headers to be sent to access them or are simply no longer available, making it difficult to accurately analyze what this mess of PowerShell scripts, batch files, and files did on an infected device.

Sending Special Headers to Cloudflare Workers

What we do know is that the malicious scripts only targeted users in the United States and created numerous scheduled tasks with the following names:

Microsoft\Windows\Application Experience\Maintenance

These scheduled tasks are used to set various variables, create other scripts for the tasks to run, and kill processes such as chrome.exe, msedge.exe, brave.exe, powershell.exe, python.exe, pythonw.exe, cdriver.exe and mdriver.exe.

The scripts also created a hidden C:\systemfile folder and copied the default profiles for Chrome, Edge and Brave to the folder.

PowerShell scripts created a Chromium extension in this folder to run a script from on browser startup.

This script appears to be the main malicious component of this attack, and although it downloads geographical location information about the victim, its malicious behavior is strangely only used to generate revenue by redirecting users to affiliate and referral URLs.

When users visit, the script redirects them to one of the following random URLs, which contain “money making” scams, browser notification scams, and unwanted software promotions.

The impact of the payload delivered by this convoluted chain of scripts is so minor that it almost feels like something is missing.

This may be the case because one of the scheduled tasks is running code from, which may contain more malicious behavior. However, this script has not been archived and is not available.

For those who have run this script in the past and are worried about being infected, you can check for the existence of the above scheduled tasks and the C:\systemfile folder.

If present, remove the associated tasks, systemfile folder, and Python files installed as C:\Windows\security\pywinvera, C:\Windows\security\pywinveraa, and C:\Windows\security\winver.png.
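
The check described above can be scripted. The following PowerShell is an added example, not code from the original article or from anyone it describes: it is read-only and reports the scheduled task, folder and files named in this article without removing anything. It assumes an elevated prompt and checks only the single task name that appears above.

```powershell
# Added example: read-only check for the indicators named in this article.
# Run from an elevated PowerShell prompt so every task and folder is visible.

# Indicators copied from the article text. Only the one scheduled task name
# shown in the article is checked (assumption: the list there is incomplete).
$taskPath = '\Microsoft\Windows\Application Experience\'
$taskName = 'Maintenance'
$pathsToCheck = @(
    'C:\systemfile',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa',
    'C:\Windows\security\winver.png'
)

$findings = @()

# Scheduled task: report what it executes so it can be reviewed before removal.
$tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    foreach ($a in $t.Actions) {
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Item   = $t.TaskPath + $t.TaskName
            Detail = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
        }
    }
}

# Files and folders: -Force is required because the folder was created hidden.
foreach ($p in $pathsToCheck) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{
            Type   = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
            Item   = $item.FullName
            Detail = 'Created {0:u}, attributes: {1}' -f $item.CreationTimeUtc, $item.Attributes
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed indicators were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The creation timestamps in the output help tie any hit to the date the Toolbox script was run.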