Trojan:Win32/Regsup is a specialized malware variant designed to aggressively modify Windows Registry security settings, actively disabling built-in defenses to pave the way for secondary payloads.
Understanding Regsup
To an end-user, a Regsup infection might manifest as a sudden inability to open Windows Defender or run antivirus scans. For incident responders, Regsup is a critical 'Defense Impairment' tool. Its primary function is not to steal data itself, but to systematically tear down the endpoint's security posture—disabling UAC, shutting down Windows Update, and neutralizing active AV engines.
Execution and Evasion Strategies
Regsup is typically dropped as a precursor payload by larger botnets or exploit kits. Upon execution, it immediately targets the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and HKLM\SOFTWARE\Microsoft\Security Center registry hives. It injects values like DisableAntiSpyware and forcefully stops critical security services via the command line (e.g., net stop WinDefend). Regsup establishes persistence via Run keys to ensure defenses remain down even after a reboot.
Indicators of Compromise (IoCs)
The impact of Regsup is a completely vulnerable endpoint. Threat hunters will observe a massive spike in EDR alerts relating to 'Registry Modification - Security Controls' or 'Service Termination'. Incident responders should immediately investigate any endpoint where Windows Security Center reports that protection has been unexpectedly turned off by an 'Administrator'. Network logs will quickly show the subsequent download of severe secondary payloads like ransomware.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1112 | Modify Registry | Defense Evasion |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
T1489 | Service Stop | Impact |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Execution |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_REGSUP {
meta:
description = "Detects Regsup (trojan_generic)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "regsup" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Regsup Activity
id: 76974a6dd7f87404949eb9a5294ac4f9
status: experimental
description: Detects generic indicators of the regsup malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*regsup*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/regsup.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.