Fsquirt.exe Exploit: Malicious bthprops.cpl Loading via Bluetooth
Summary
The article presents a proof-of-concept demonstrating how the legitimate Windows binary Fsquirt.exe (the Bluetooth File Transfer wizard) can be coerced into loading a malicious Control Panel applet (bthprops.cpl) from the directory it runs from instead of the genuine copy in System32. If the rogue CPL is present, Fsquirt.exe loads it and executes attacker-controlled code, illustrated by a MessageBox triggered from the DLL's DllMain entry point. The example highlights how a signed, trusted binary can be abused for arbitrary code execution whenever an attacker can drop a crafted CPL alongside the legitimate executable.
Investigation
Researchers published a repository containing the source code for a malicious bthprops.cpl and a build script to compile it. The CPL is engineered so that Fsquirt.exe discovers and loads it when both files are located in the same directory. Successful execution is validated when the CPL displays a MessageBox, confirming that the trusted binary loaded and ran code from the attacker-supplied applet. The PoC is positioned as a classic LOLBin-style abuse case: the only artifact is a signed Windows binary loading an unsigned module from a user-writable path, and the technique leaves minimal network telemetry.
Mitigation
Use application allowlisting to ensure only approved CPL files can load from expected system locations, and restrict execution paths so that binaries such as Fsquirt.exe cannot run from non-standard, user-writable directories. Monitor Fsquirt.exe for attempts to load Control Panel applets outside the trusted system folders (System32 and SysWOW64) and block launches from user-writable paths. Add endpoint detections for unsigned or unexpectedly located modules loading into signed Windows executables, and for interactive UI artifacts (e.g., MessageBox calls) originating from such processes. Regularly audit endpoints for unexpected .cpl files, particularly in directories where users or applications can write.
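The audit step above, as an added example that is not part of the original article or the researchers' repository: it enumerates .cpl files outside the Windows system directories, records their Authenticode status, and flags any bthprops.cpl that lives somewhere other than System32/SysWOW64 (and, when a System32 copy exists, compares hashes against it). The search roots and the "Suspicious" heuristic are assumptions chosen for illustration; adjust them to the paths users can write to in your environment.

```powershell
# Added example (not from the original article): audit endpoints for
# Control Panel applets (.cpl) outside the Windows system directories and
# report their Authenticode status. A bthprops.cpl outside System32/SysWOW64
# is flagged as side-loading bait. Search roots are an assumption; adjust.

$searchRoots = @($env:ProgramData, $env:USERPROFILE, 'C:\Temp') |
    Where-Object { $_ -and (Test-Path $_) }
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-CplFile {
    param([System.IO.FileInfo]$File)
    # Authenticode check: Windows-shipped applets are signed; rogue ones rarely are
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Path       = $File.FullName
        SizeKB     = [math]::Round($File.Length / 1KB, 1)
        LastWrite  = $File.LastWriteTime
        SigStatus  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Known applet name outside the system directories, or an invalid
        # signature, is the pattern the PoC relies on (heuristic, assumption)
        Suspicious = (($File.Name -ieq 'bthprops.cpl') -and
                      ($systemDirs -notcontains $File.DirectoryName)) -or
                     ($sig.Status -ne 'Valid')
    }
}

$report = Get-ChildItem -Path $searchRoots -Filter '*.cpl' -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $systemDirs -notcontains $_.DirectoryName } |
    ForEach-Object { Test-CplFile -File $_ }

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Compare any bthprops.cpl found against the System32 copy, if the host has one
$ref = Join-Path $env:SystemRoot 'System32\bthprops.cpl'
if (Test-Path $ref) {
    $refHash = (Get-FileHash -Path $ref -Algorithm SHA256).Hash
    $report | Where-Object { $_.Path -match '\\bthprops\.cpl$' } | ForEach-Object {
        $h = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
        if ($h -ne $refHash) {
            Write-Warning "bthprops.cpl at $($_.Path) does not match the System32 copy"
        }
    }
}
```

Run it elevated so that profile and ProgramData subtrees are readable; a valid signature alone is not a clean bill of health, because the PoC's whole point is that the loader (Fsquirt.exe) is signed while the module it loads need not be.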
Response
Alert immediately when Fsquirt.exe loads a bthprops.cpl from outside the system directories, or when any CPL is observed loading from an unexpected path. Isolate the host, preserve the malicious CPL and the related execution telemetry (process-creation and image-load events), and perform full malware triage across disk and memory. Remove the rogue CPL and review persistence mechanisms or follow-on tooling that may have accompanied the drop. Finally, hunt environment-wide for similar LOLBin execution patterns and tighten policy controls to reduce exposure to trusted-binary side-loading.
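The alerting and hunting step above, as an added example that is not part of the original article: it reads Sysmon telemetry and returns two kinds of findings, an image-load (Event ID 7) in which fsquirt.exe loaded a bthprops.cpl from outside System32/SysWOW64, and a process-creation (Event ID 1) whose command line contains the string bthprops.cpl, which is the string the page's Sigma rule keys on. It assumes Sysmon is installed with image-load logging enabled for fsquirt.exe (Event 7 is not collected by a default Sysmon configuration); the seven-day window is an assumption.

```powershell
# Added example (not from the original article): hunt Sysmon telemetry for
# Fsquirt.exe loading bthprops.cpl from a non-system path (Event 7) and for
# process creations whose command line names bthprops.cpl (Event 1).
# Assumes Sysmon logs Event 7 for fsquirt.exe; run elevated. Window is an assumption.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <Data Name="..."> nodes of the event XML into a hashtable
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    return $data
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 7
    StartTime = (Get-Date).AddDays(-7)
}

$findings = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $d = Get-SysmonEventData -Event $evt
    switch ($evt.Id) {
        7 {
            # fsquirt.exe loading bthprops.cpl from anywhere but System32/SysWOW64
            if ($d.Image -match '\\fsquirt\.exe$' -and $d.ImageLoaded -match '\\bthprops\.cpl$') {
                if ($systemDirs -notcontains (Split-Path $d.ImageLoaded -Parent)) {
                    [pscustomobject]@{
                        Time      = $evt.TimeCreated
                        Kind      = 'ImageLoad'
                        Process   = $d.Image
                        Detail    = $d.ImageLoaded
                        Signature = "Signed=$($d.Signed); $($d.Signature)"
                    }
                }
            }
        }
        1 {
            # Command line carrying the literal bthprops.cpl (the Sigma rule's match)
            if ($d.CommandLine -match 'bthprops\.cpl') {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    Kind      = 'ProcessCreate'
                    Process   = $d.Image
                    Detail    = $d.CommandLine
                    Signature = "Parent=$($d.ParentImage)"
                }
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

The image-load finding is the higher-fidelity signal: the PoC does not need bthprops.cpl on the command line to work, so a command-line-only rule catches the simulation below but not an attacker who simply drops the CPL next to a copied Fsquirt.exe and launches it with no arguments.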
Attack Flow
We are still updating this part.
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
The adversary first places a malicious bthprops.cpl (crafted to execute a payload that captures the screen) in the same directory as Fsquirt.exe. Fsquirt.exe is then launched from that directory with the argument bthprops.cpl. Because Fsquirt.exe resolves bthprops.cpl by name and its own directory is searched before System32, the attacker's copy is loaded and the embedded code runs. The launch generates a process-creation event whose CommandLine contains the exact string bthprops.cpl, satisfying the Sigma rule.
Regression Test Script:
# -------------------------------------------------------------
# Fsquirt CPL Load – malicious simulation
# Prerequisite: Sysmon & Security Auditing enabled (see pre-flight)
# -------------------------------------------------------------
$workDir = 'C:\Temp\FsquirtTest'
$fsquirt = Join-Path $workDir 'Fsquirt.exe'
$cpl     = Join-Path $workDir 'bthprops.cpl'
$payload = Join-Path $workDir 'CaptureScreen.ps1'

# 1. Prepare working directory
New-Item -Path $workDir -ItemType Directory -Force | Out-Null

# 2. Copy the legitimate Fsquirt binary out of System32 so that the
#    attacker-controlled directory is searched first for bthprops.cpl.
#    (Fsquirt.exe ships with Windows; it is not a separate download.)
$sysFsquirt = Join-Path $env:SystemRoot 'System32\fsquirt.exe'
if (-not (Test-Path $sysFsquirt)) {
    throw "fsquirt.exe not found at $sysFsquirt (Bluetooth components missing?)"
}
Copy-Item -Path $sysFsquirt -Destination $fsquirt -Force

# 3. Create a placeholder bthprops.cpl (stub). A real CPL is a DLL; this
#    text stub only stages the file and exercises the telemetry.
#    In a real test, compile a C++ CPL whose DllMain runs the payload below.
#    Single-quoted here-string so "$Windows NT$" is written literally.
$cplContent = @'
[Version]
Signature="$Windows NT$"
[Control Panel\Desktop]
'@
Set-Content -Path $cpl -Value $cplContent -Encoding ASCII

# 4. Create a dummy payload (take a screenshot next to the script).
#    Single-quoted here-string so the $ variables are not expanded here.
$payloadContent = @'
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
$bounds   = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
$bitmap   = New-Object System.Drawing.Bitmap $bounds.Width, $bounds.Height
$graphics = [System.Drawing.Graphics]::FromImage($bitmap)
$graphics.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size)
$bitmap.Save((Join-Path $PSScriptRoot 'screenshot.png'))
'@
Set-Content -Path $payload -Value $payloadContent -Encoding UTF8

# 5. Execute Fsquirt.exe from the staging directory. The argument places the
#    string "bthprops.cpl" on the command line (Sysmon Event 1); the load of
#    the staged CPL appears as Sysmon Event 7 (ImageLoad) where configured.
#    Fsquirt.exe is a GUI wizard, so -Wait returns when the window is closed.
Write-Host "Executing Fsquirt with malicious CPL..."
Start-Process -FilePath $fsquirt -ArgumentList 'bthprops.cpl' -WorkingDirectory $workDir -NoNewWindow -Wait

# 6. Verify payload execution (screenshot creation). With the text stub this
#    check fails; it passes only when a compiled CPL ran the payload in step 4.
if (Test-Path (Join-Path $workDir 'screenshot.png')) {
    Write-Host "Payload executed – screenshot captured."
} else {
    Write-Host "Payload did NOT execute (expected with the stub CPL)."
}
# -------------------------------------------------------------
Cleanup Commands:
# Remove test artifacts (staged Fsquirt.exe, stub CPL, payload, screenshot)
$workDir = 'C:\Temp\FsquirtTest'
if (Test-Path $workDir) {
    Remove-Item -Path $workDir -Recurse -Force
    Write-Host "Cleanup complete."
} else {
    Write-Host "No artifacts to clean."
}