Malware, used by 1 actor

Tarrask

Tarrask is a Windows defense-evasion and persistence malware/tool identified by Microsoft Threat Intelligence Center (MSTIC) and linked to the China-linked HAFNIUM threat actor. It maintains persistence by creating scheduled tasks and then hiding them from normal administrative visibility. Specifically, Tarrask creates task-related registry entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<TASK_NAME> and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}, then deletes the Security Descriptor (SD) value from the TaskCache\Tree path. Removing the SD value causes the scheduled task to disappear from Windows Task Scheduler and the schtasks utility, while the task remains detectable through manual registry inspection.

In observed activity, a scheduled task named "WinUpdate" was created to re-establish dropped command-and-control connections. The malware has masqueraded as executable names including winupdate.exe, date.exe, and win.exe. MSTIC also reported that Tarrask leverages token theft to obtain lsass.exe security permissions so the SD value can be deleted in the SYSTEM context. Reported HAFNIUM targeting associated with Tarrask included organizations in the telecommunications, internet service provider, and data services sectors, and Microsoft noted the actor had previously used exploitation of internet-facing and zero-day vulnerabilities, web shells, and other malware in broader operations.
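As an added hunting example (not code from Mallory, from Microsoft's report, or from the cited article), the PowerShell below walks the TaskCache\Tree hive described above and reports task keys that carry an Id value but no SD value, which is the registry state left behind when the SD is deleted. The function name is hypothetical, and it assumes that every task key (as opposed to a folder key) under Tree carries an Id value pointing at its Tasks\{GUID} key.

```powershell
# Added hunting example, not code from Mallory or from Microsoft's report.
# Flags scheduled tasks whose TaskCache\Tree key carries an Id value (so it is a
# task, not a folder) but no SD value, the state the page attributes to Tarrask.
# Run from an elevated PowerShell session; the Tree/Tasks layout is assumed to be
# the one used by Windows 10/11 and Windows Server 2016 and later.

$TreeRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$TreePrefix = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-HiddenScheduledTask {
    # Hypothetical helper name. Folder keys under Tree have no Id value and are skipped.
    Get-ChildItem -Path $TreeRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('Id') -and ($null -eq $_.GetValue('SD')) } |
        ForEach-Object {
            $id       = $_.GetValue('Id')
            $taskPath = $_.Name.Substring($TreePrefix.Length)      # e.g. \WinUpdate
            # The Tasks\{GUID} key survives the hide and still records author and actions.
            $taskKey  = Get-Item -Path (Join-Path $TasksRoot $id) -ErrorAction SilentlyContinue

            [pscustomobject]@{
                TaskPath      = $taskPath
                Id            = $id
                TreeKey       = $_.Name
                TasksKeyFound = [bool]$taskKey
                Author        = if ($taskKey) { $taskKey.GetValue('Author') } else { $null }
                HasActions    = [bool]($taskKey -and $taskKey.GetValue('Actions'))
                # With the SD gone, schtasks cannot see the task, so this should be False.
                SchtasksSees  = [bool](schtasks.exe /query /tn $taskPath 2>$null)
            }
        }
}

$hidden = @(Find-HiddenScheduledTask)
if ($hidden.Count -eq 0) {
    Write-Output 'No Tree entries without an SD value found.'
} else {
    Write-Warning "$($hidden.Count) scheduled task(s) are hidden from schtasks; review before acting."
    $hidden | Format-Table -AutoSize
}
```

Treat hits as leads rather than verdicts: compare the surviving Tasks key's Author and Actions values against the deployment tooling expected on that host before removing anything.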

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

hafnium

Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware that creates “hidden” scheduled tasks on the system to maintain persistence.

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 1)

Hafnium, while most notable for Exchange Server attacks, has since leveraged unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malware.

Execution

3 techniques
T1053 Scheduled Task/Job (Evidence: 1)

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

T1053.005 Scheduled Task (Evidence: 7)

During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate". MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs. Tarrask may abuse the Windows schtasks command-line tool to create "hidden" scheduled tasks.

T1059.003 Windows Command Shell (Evidence: 2)

The experts pointed out that executing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an elevated command prompt.

Persistence

4 techniques
T1053 Scheduled Task/Job (Evidence: 1)


T1053.005 Scheduled Task (Evidence: 7)


T1112 Modify Registry (Evidence: 5)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

T1505.003 Web Shell (Evidence: 1)

leveraged unpatched zero-day vulnerabilities as initial vectors to drop web shells and other malware, including Tarrask

Privilege Escalation

4 techniques
T1053 Scheduled Task/Job (Evidence: 1)


T1053.005 Scheduled Task (Evidence: 7)


T1134 Access Token Manipulation (Evidence: 1)

The only way to delete the SD value is to execute the command within the context of the SYSTEM user. For this reason, the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process.

T1134.001 Token Impersonation/Theft (Evidence: 1)

Stealth

7 techniques
T1036 Masquerading (Evidence: 2)

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

T1036.004 Masquerade Task or Service (Evidence: 1)

T1036.005 Match Legitimate Resource Name or Location (Evidence: 2)

Akira has used legitimate names and locations for files to evade defenses.

T1070 Indicator Removal (Evidence: 2)

Bisonal has deleted Registry keys to clean up its prior activity. FIN8 has deleted Registry keys during post compromise cleanup activities. SUNBURST also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.

T1134 Access Token Manipulation (Evidence: 1)


T1134.001 Token Impersonation/Theft (Evidence: 1)

T1564 Hide Artifacts (Evidence: 5)

Tarrask is able to create "hidden" scheduled tasks for persistence.

Defense Impairment

1 technique
T1112 Modify Registry (Evidence: 5)


ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (13)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.