{"id":1234,"date":"2026-02-11T14:05:35","date_gmt":"2026-02-11T14:05:35","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/"},"modified":"2026-02-11T14:05:35","modified_gmt":"2026-02-11T14:05:35","slug":"wsl-in-the-malware-ecosystem-wed-feb-11th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/","title":{"rendered":"WSL in the Malware Ecosystem, (Wed, Feb 11th)"},"content":{"rendered":"
\n

WSL or \u201cWindows Subsystem Linux\u201d[1<\/a>] is a feature in the Microsoft Windows ecosystem that allows users to run a real Linux environment directly inside Windows without needing a traditional virtual machine or dual boot setup. The latest version, WSL2, runs a lightweight virtualized Linux kernel for better compatibility and performance, making it especially useful for development, DevOps, and cybersecurity workflows where Linux tooling is essential but Windows remains the primary operating system. It was introduced a few years ago (2016) as part of Windows 10.<\/p>\n

WSL can be compared to a LOLBIN (living-off-the-land) because it\u2019s implemented by Microsoft and allow many interesting operations. Attackers can drop Linux tools inside the WSL rootfs and execute it! Here is a quick example.<\/p>\n

You can access the WSL root filesystem through the \u201c\\wsl$\u201d share name:<\/p>\n

\"\"<\/p>\n

Once you copy a file into this directory, it becomes available in WSL:<\/p>\n

\"\"<\/p>\n

The test.sh file is just a simple shell script.<\/p>\n

But, more interesting, you can execute it from Windows too:<\/p>\n

\"\"<\/p>\n

Pretty cool isn’t it?<\/p>\n

I found a malware sample that checks for the presence of WSL in its code. Written in JavaScript, it first implement a method called is_wsl():<\/p>\n

\n\"is_wsl\": () => {\n  if (process.env.WSL_DISTRO_NAME) {\n    return true;\n  }\n  try {\n    if (fs.existsSync(\"\/proc\/version\")) {\n      const I = fs.readFileSync(\"\/proc\/version\", \"utf8\");\n      if (I.toLowerCase().includes(\"microsoft\") || I.toLowerCase().includes(\"wsl\")) {\n        return true;\n      }\n    }\n  } catch (S) {}\n  return false;\n},<\/pre>\n
Another interesting one is get_wu() that will retrieve the username:<\/p>\n
\n\"get_wu\": () => {\n  try {\n    const I = execSync(\"cmd.exe \/c echo %USERNAME%\", {\n      \"encoding\": \"utf8\"\n    }).trim();\n    if (I && I.length > 0 && !I.includes(\"%USERNAME%\")) {\n      return I;\n    }\n  } catch (g) {}\n  try {\n    if (fs.existsSync(\"\/mnt\/c\/Users\")) {\n      const Y = fs.readdirSync(\"\/mnt\/c\/Users\", {\n        \"withFileTypes\": true\n      });\n      const w = [\"Public\", \"Default\", \"All Users\", \"Default User\"];\n      for (const u of Y) {\n        if (u.isDirectory() && !w.includes(u.name)) {\n          return u.name;\n        }\n      }\n    }\n  } catch (M) {}\n  return process.env.USERNAME || process.env.USER || null;\n},<\/pre>\n
And later in the code:<\/p>\n
\nif (is_wsl()) {\n    const windowsUsername = get_wu();\n    if (windowsUsername) {\n        return getWindowsBrowserPaths(windowsUsername);\n   }\n}<\/pre>\n
If WSL is used, the \/mnt directory is added in the list of interesting directories to process. This mount point provides\u00a0indeed access to the host drives (C, D, …)<\/p>\n
\nif (is_wsl()) {\n    priorityDirs.push(\"\/mnt\");\n}<\/pre>\n
The malware sample is “ottercookie-socketScript-module-3.js” (SHA256:f44c2169250f86c8b42ec74616eacb08310ccc81ca9612eb68d23dc8715d7370). It’s an Cryxos trojan with infosteaker capabilities.<\/p>\n
[1] https:\/\/learn.microsoft.com\/en-us\/windows\/wsl\/<\/a><\/p>\n
Xavier Mertens (@xme)
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
 (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
WSL or \u201cWindows Subsystem Linux\u201d[1] is a feature in the Microsoft Windows ecosystem that allows users to run a real Linux environment directly inside Windows without needing a traditional virtual machine or dual boot setup. The latest version, WSL2, runs a lightweight virtualized Linux kernel for better compatibility and performance, making it especially useful for […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-1234","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nWSL in the Malware Ecosystem, (Wed, Feb 11th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WSL in the Malware Ecosystem, (Wed, Feb 11th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"WSL or \u201cWindows Subsystem Linux\u201d[1] is a feature in the Microsoft Windows ecosystem that allows users to run a real Linux environment directly inside Windows without needing a traditional virtual machine or dual boot setup. The latest version, WSL2, runs a lightweight virtualized Linux kernel for better compatibility and performance, making it especially useful for […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-11T14:05:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"WSL in the Malware Ecosystem, (Wed, Feb 11th)\",\"datePublished\":\"2026-02-11T14:05:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\"},\"wordCount\":312,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\",\"name\":\"WSL in the Malware Ecosystem, (Wed, Feb 11th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png\",\"datePublished\":\"2026-02-11T14:05:35+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WSL in the Malware Ecosystem, (Wed, Feb 11th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WSL in the Malware Ecosystem, (Wed, Feb 11th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/","og_locale":"en_US","og_type":"article","og_title":"WSL in the Malware Ecosystem, (Wed, Feb 11th) - Imperative Business Ventures Limited","og_description":"WSL or \u201cWindows Subsystem Linux\u201d[1] is a feature in the Microsoft Windows ecosystem that allows users to run a real Linux environment directly inside Windows without needing a traditional virtual machine or dual boot setup. The latest version, WSL2, runs a lightweight virtualized Linux kernel for better compatibility and performance, making it especially useful for […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-02-11T14:05:35+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"WSL in the Malware Ecosystem, (Wed, Feb 11th)","datePublished":"2026-02-11T14:05:35+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/"},"wordCount":312,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/","name":"WSL in the Malware Ecosystem, (Wed, Feb 11th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png","datePublished":"2026-02-11T14:05:35+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260211-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/11\/wsl-in-the-malware-ecosystem-wed-feb-11th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"WSL in the Malware Ecosystem, (Wed, Feb 11th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1234"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1234\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}