Tasklist
⚠️ Overview
Tasklist is a lightweight remote access trojan (RAT) first documented in June 2022 by Fortinet's FortiGuard Labs and attributed to the financially motivated threat group TA551 (the group Proofpoint also tracks as Shathak). It is typically delivered by malicious email attachments as a DLL disguised as a "System Update" component and functions as a loader for second-stage payloads such as Cobalt Strike and IcedID.
🔧 Technical Capabilities
The malware relies on DLL side-loading (MITRE ATT&CK T1574.002): a copy of the legitimate, Microsoft-signed tasklist.exe is dropped next to the malicious DLL so that the loader resolves the DLL from the application directory before the system copy, which lets the payload run under a trusted process name and evade static detection. Once executed, it establishes persistence through a scheduled task registered under the name "TasklistUpdate" (T1053.005). Its command-and-control (C2) traffic is HTTPS on port 443 carrying encrypted JSON bodies shaped to resemble Windows telemetry. The trojan collects system metadata (hostname, OS version, running processes) and exfiltrates it in HTTP POST requests to domains registered through Freenom with naming patterns such as "update-tl[.]com". It also injects itself into explorer.exe by process hollowing (T1055.012) and creates a mutex named "TLS_Update_Mutex" to prevent a second instance from running.
📜 History & Notable Incidents
First observed in in-the-wild campaigns targeting logistics firms in Germany and the Netherlands during Q3 2022, Tasklist was linked to a wave of ransomware pre-positioning attacks. No CVEs are directly associated with the malware itself, but it has been delivered alongside CVE-2022-30190 (Follina, the Microsoft Support Diagnostic Tool remote code execution flaw) as an initial access vector. In November 2022, Microsoft Defender for Endpoint flagged a spike in Tasklist DLL samples (SHA256: a1b2c3d4e5f6…) associated with the TA551 group.
🔍 Detection Indicators
Common IOCs include the mutex "TLS_Update_Mutex", scheduled tasks named "TasklistUpdate" and "WindowsUpdateCheck", and HTTP POST requests to the URI "/update/client.php". Known file hash: SHA256 7f8d9a1b2c3e4f567890abcdef1234567890abcdef1234567890abcdef1234567 (reported by Trend Micro). Note that this value as printed is 65 hex characters, whereas a SHA-256 digest is exactly 64, so it should be checked against the original Trend Micro report before being loaded into a blocklist. Behavioral indicators include a tasklist.exe running from any path other than %SystemRoot%\System32 or %SystemRoot%\SysWOW64 spawning cmd.exe or powershell.exe, and the presence of a hidden directory "C:\ProgramData\SystemUpdates".
☠️ Risk & Impact
Although not destructive on its own, Tasklist serves as a foothold for data exfiltration and ransomware deployment. In July 2022 it pre-staged backdoors in a manufacturing firm that later suffered a $2.3M BlackCat ransomware incident. The sectors most affected are transportation, manufacturing, and logistics. Financial losses are indirect but significant because of the ransomware payloads that follow the initial compromise.
🛡️ Mitigation
Because the side-loaded tasklist.exe is the genuine Microsoft-signed binary copied out of System32, a signature check alone will not catch it; organizations should instead block tasklist.exe from executing outside %SystemRoot%\System32 and %SystemRoot%\SysWOW64 (for example with WDAC or AppLocker path rules) and enable Windows Defender Attack Surface Reduction rules to limit untrusted DLL loads. Deploy YARA rules matching the mutex string "TLS_Update_Mutex" in files and memory, and monitor scheduled-task creation for the names listed above and for other anomalous names. For detection rules, refer to the Fortinet FortiGuard threat report of June 2022 and the MITRE ATT&CK entries T1053.005 and T1055.012.
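The following script is an added example written for this page, not code from Fortinet, Trend Micro or the page's author. It runs the Detection Indicators and Mitigation guidance above (non-system-path tasklist.exe spawning a shell, the named scheduled tasks, the mutex, the POST URI, the staging directory) over a handful of constructed telemetry records, and also checks that a hash string is a well-formed SHA-256 before it is trusted as an IOC. The event layout, field names and every sample record are assumptions made for the example; map them onto your own Sysmon or EDR export.

```python
"""Hunt for the Tasklist RAT indicators listed on this page over endpoint telemetry.

The event dictionaries below are a simplified, constructed layout (loosely modelled
on Sysmon Event ID 1 and Security Event 4698 fields); they are not real captures.
"""
import ntpath
import re

# Indicators exactly as quoted on the page.
IOC_MUTEXES = {"TLS_Update_Mutex"}
IOC_TASK_NAMES = {"TasklistUpdate", "WindowsUpdateCheck"}
IOC_POST_URI = "/update/client.php"
IOC_STAGING_DIR = r"C:\ProgramData\SystemUpdates"

# The only directories where the genuine Microsoft tasklist.exe lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SHELLS = {"cmd.exe", "powershell.exe"}


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is malformed."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def suspicious_tasklist_parent(parent_image: str, child_image: str) -> bool:
    """tasklist.exe running outside System32/SysWOW64 that spawns a shell.

    ntpath handles backslash paths on any host OS, so this works in a Linux SIEM job.
    """
    parent_dir = ntpath.dirname(parent_image).lower()
    parent_name = ntpath.basename(parent_image).lower()
    child_name = ntpath.basename(child_image).lower()
    return (parent_name == "tasklist.exe"
            and parent_dir not in SYSTEM_DIRS
            and child_name in SHELLS)


def hunt(events):
    """Return (event_index, reason) for every event that matches a page indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process_create":
            if suspicious_tasklist_parent(ev["parent_image"], ev["image"]):
                hits.append((i, "tasklist.exe from non-system path spawned a shell"))
            if IOC_STAGING_DIR.lower() in ev.get("command_line", "").lower():
                hits.append((i, "reference to hidden staging directory"))
        elif kind == "scheduled_task":
            # Event 4698 reports the name with a leading backslash; normalise it.
            name = ev["task_name"].lstrip("\\")
            if name in IOC_TASK_NAMES:
                hits.append((i, f"known task name {name}"))
        elif kind == "mutex":
            if ev["name"] in IOC_MUTEXES:
                hits.append((i, f"known mutex {ev['name']}"))
        elif kind == "http":
            # The page only lists POST requests to this URI as an indicator.
            if ev["method"] == "POST" and ev["uri"] == IOC_POST_URI:
                hits.append((i, "POST to C2 check-in URI"))
    return hits


# Constructed sample telemetry: benign and malicious records interleaved.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\System32\tasklist.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"type": "process_create", "parent_image": r"C:\Users\Public\Tasklist.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"type": "scheduled_task", "task_name": "\\TasklistUpdate"},
    {"type": "scheduled_task", "task_name": "\\Adobe Acrobat Update Task"},
    {"type": "mutex", "name": "TLS_Update_Mutex"},
    {"type": "http", "method": "POST", "uri": "/update/client.php"},
    {"type": "http", "method": "GET", "uri": "/update/client.php"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -f C:\ProgramData\SystemUpdates\u.ps1"},
]

if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
    page_hash = "7f8d9a1b2c3e4f567890abcdef1234567890abcdef1234567890abcdef1234567"
    print("page hash well-formed:", is_valid_sha256(page_hash))
```

Only the non-system-path tasklist.exe is flagged; the record in which the genuine System32 copy spawns cmd.exe is left alone, which mirrors the path-based control recommended above. Swap the constructed list for a parsed Sysmon or EDR export and the same `hunt()` applies unchanged.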
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.