Security researchers have identified new and stealthy techniques leveraging Microsoft’s Component Object Model (COM) and Distributed COM (DCOM) technologies for lateral movement and persistence within Windows environments. One report details the discovery of a previously undocumented DCOM object that can be abused for remote command execution and persistence by exploiting Control Panel items, highlighting both the technical mechanisms and detection strategies for defenders. The research also reviews the current state of tools like Impacket’s dcomexec script and discusses how adversaries enumerate and leverage COM objects for malicious purposes.
In a separate breach assessment, investigators uncovered a threat actor using a ComHandler within Windows Scheduled Tasks to maintain long-term command-and-control access. The attacker deployed custom surrogate DLLs and targeted tasks named User_Feed_Synchronization-{GUID} to execute code, remaining undetected for at least seven months. This technique, tracked as UKC-1230, demonstrates the real-world application of COM-based persistence and the challenges defenders face in detecting such abuse, especially when attackers mimic legitimate system activity.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Securelist published research on abuse of the previously undocumented COpenControlPanel DCOM object for remote command execution and persistence. The report explained how attackers with administrative privileges could register arbitrary DLLs as Control Panel items, have them loaded by dllhost.exe, and use the method for lateral movement and persistence.
On publication, BHIS disclosed technical details of the UKC-1230 technique, including its use of COM Surrogate, scheduled task abuse, an imphash shared across samples, and attempted beaconing to techdataservice[.]us infrastructure. The report also provided hunting guidance and YARA/Sigma-style detections for defenders.
During a breach assessment, BHIS observed a stealthy Windows persistence and command-and-control technique that had remained active in a victim environment for at least seven months. The actor modified User_Feed_Synchronization scheduled tasks and used COM registration to load GUID-named malicious DLLs from disk.
Black Hills Information Security reported artifacts indicating the UKC-1230 persistence technique was in use in the wild as early as 2024-01-31. The activity involved hijacking legacy Windows scheduled tasks to invoke attacker-registered COM objects and load malicious DLLs through dllhost.exe.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
securelist.com
Open sourceblackhillsinfosec.com
Open sourcesynacktiv.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.