Regsup

Category: trojan_generic · Aliases: None known · Sample count (EMBER 2018): 296 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Regsup is a specialized malware variant designed to aggressively modify Windows Registry security settings, actively disabling built-in defenses to pave the way for secondary payloads.

Understanding Regsup
To an end-user, a Regsup infection might manifest as a sudden inability to open Windows Defender or run antivirus scans. For incident responders, Regsup is a critical 'Defense Impairment' tool. Its primary function is not to steal data itself, but to systematically tear down the endpoint's security posture—disabling UAC, shutting down Windows Update, and neutralizing active AV engines.

Execution and Evasion Strategies
Regsup is typically dropped as a precursor payload by larger botnets or exploit kits. Upon execution, it immediately targets the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and HKLM\SOFTWARE\Microsoft\Security Center registry hives. It injects values like DisableAntiSpyware and forcefully stops critical security services via the command line (e.g., net stop WinDefend). Regsup establishes persistence via Run keys to ensure defenses remain down even after a reboot.

Indicators of Compromise (IoCs)
The impact of Regsup is a completely vulnerable endpoint. Threat hunters will observe a massive spike in EDR alerts relating to 'Registry Modification - Security Controls' or 'Service Termination'. Incident responders should immediately investigate any endpoint where Windows Security Center reports that protection has been unexpectedly turned off by an 'Administrator'. Network logs will quickly show the subsequent download of severe secondary payloads like ransomware.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1112Modify RegistryDefense Evasion
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion
T1489Service StopImpact
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence
T1059.003Command and Scripting Interpreter: Windows Command ShellExecution

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_REGSUP {
    meta:
        description = "Detects Regsup (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "regsup" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Regsup Activity
id: 76974a6dd7f87404949eb9a5294ac4f9
status: experimental
description: Detects generic indicators of the regsup malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*regsup*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint immediately; if Regsup has successfully disabled defenses, secondary destructive payloads are likely already downloading.
  2. Deploy a scripted Group Policy update to forcefully re-enable Windows Defender, UAC, and Security Center services across the domain.
  3. Utilize a known-good, offline AV scanner (Live CD) to identify and remove the Regsup persistence mechanisms in the registry.
  4. Assume the endpoint is severely compromised and perform a full forensic analysis to identify any payloads dropped while defenses were down.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not assume the endpoint is safe simply because you re-enabled the AV; Regsup's persistence mechanisms will likely disable it again on reboot.
  2. Avoid ignoring 'AV Disabled' alerts in the SOC; they are frequently the first indicator of a massive, impending ransomware deployment.

References & External Analysis

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/regsup.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.