Three Ways to Weaponize an MSC File, and the Mythic C2 Agent We Found Inside One

GrimResource, ExecuteShellCommand, and XSLT Transform — plus a Rust-based Mythic C2 implant with its AES-256 PSK extracted

Published April 3, 2026

Microsoft Saved Console files (.MSC) are having a moment. Originally designed to save customized Management Console snap-in configurations, they've become one of 2026's preferred initial access vectors -- and most security teams aren't watching for them.

Starting from a tip by @ElementalX2 about a suspicious .MSC file pulled from a WebDAV instance, we mapped three distinct weaponization techniques actively in use, recovered two live payloads from Cloudflare-hosted C2 infrastructure, and extracted the AES-256 pre-shared key from a Mythic C2 "coffee" agent compiled in Rust.

Why MSC Files Work

MSC files are XML-based configurations for the Microsoft Management Console (mmc.exe). They're trusted by Windows, often allowed through email gateways, and execute under a signed Microsoft binary. Most EDR solutions don't flag mmc.exe loading a local .msc file because it's expected behavior.

The attack surface comes from three capabilities embedded in the MSC format that were never intended for code execution.

Technique 1: GrimResource (apds.dll XSS)

The first technique abuses a cross-site scripting vulnerability in apds.dll -- a library loaded by mmc.exe when rendering certain console components. The MSC file references res://apds.dll in a way that triggers JavaScript execution within the MMC context.

The JavaScript payload runs with the privileges of the MMC process, which inherits the user's token. From there, it's a standard chain: download a second stage, write to disk, execute.

This technique was first documented in mid-2024 and has since been adopted by multiple threat actors. The key detection point is mmc.exe making unexpected network connections or spawning child processes.

Technique 2: ExecuteShellCommand (Direct PowerShell)

The second technique is more direct. MSC files support an external.ExecuteShellCommand() method that runs arbitrary commands through the shell. No exploit required -- it's a documented feature.

We recovered a live payload using this technique from icewrap[.]com-smartattachment[.]workers[.]dev -- a Cloudflare Workers endpoint serving a "CLASSIFIED DOCUMENT ACCESS POINT" lure page. When the MSC file opens, it calls:

external.ExecuteShellCommand("powershell -w hidden -c \"IEX(...)\"")

The downloaded payload (c6210ba0..., 245 KB) has a .data section with entropy of 7.96 -- near-maximum, indicating encrypted or packed content. The legitimate-looking Cloudflare Workers domain adds credibility to the delivery.

Technique 3: XSLT Transform (JScript via ms:script)

The third technique is the most sophisticated. MSC files can reference XSLT stylesheets, and XSLT supports scripting via the ms:script namespace. The attack embeds JScript directly in an XSLT transform that executes when the MSC file is loaded.

We found an active campaign using this technique on s3-ap-northeast-1-amazonaws-com[.]pages[.]dev -- a Cloudflare Pages domain typosquatting AWS S3. The XSLT payload chains multiple stages:

  1. Downloads a DLL disguised as p4z3rs.png
  2. Copies the legitimate msdtc.exe for DLL sideloading
  3. Creates two scheduled tasks for persistence
  4. Opens a decoy PDF to maintain the social engineering illusion

The sideloaded DLL is where things get interesting.

The Mythic C2 Coffee Agent

The DLL recovered from the XSLT chain (67d7f993..., 354 KB) is a Mythic C2 "coffee" agent -- the Rust-based implant for the Mythic command-and-control framework. Mythic is an open-source, cross-platform C2 framework popular with both red teams and threat actors.

From the binary, we extracted the agent's AES-256 pre-shared key:

H0QmHqnUMbcVE6M3vAHZ52ZQ5dFbsFfkDJlcugxKcZ0=

This PSK is used to encrypt all communications between the implant and the Mythic server. With it, any captured network traffic from an infected host can be decrypted and analyzed -- a significant intelligence advantage for incident responders.
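The decryption step described above, as an added example that is not code from the original report or from the Mythic project: it assumes Mythic's default AES256_HMAC message layout (base64 of the 36-character payload UUID, a 16-byte IV, AES-256-CBC ciphertext and an HMAC-SHA256 over IV+ciphertext keyed with the PSK), and uses a constructed demo key plus a self-generated sample message instead of real traffic. To apply it to a capture, decode the extracted PSK and pass a captured agent message body.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// DecryptMythicMessage unwraps base64(UUID(36) + IV(16) + ciphertext + HMAC-SHA256(32)): verify the HMAC
// over IV+ciphertext with the PSK, decrypt AES-256-CBC, strip PKCS#7 padding, return UUID and plaintext.
func DecryptMythicMessage(key []byte, msgB64 string) (string, []byte, error) {
	raw, err := base64.StdEncoding.DecodeString(msgB64)
	ctLen := len(raw) - 36 - 16 - 32
	if err != nil || len(key) != 32 || ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return "", nil, fmt.Errorf("bad key or malformed message")
	}
	body, mac := raw[36:len(raw)-32], hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), raw[len(raw)-32:]) {
		return "", nil, fmt.Errorf("HMAC mismatch: wrong PSK or tampered message")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, body[:16]).CryptBlocks(pt, body[16:])
	if pad := int(pt[ctLen-1]); pad >= 1 && pad <= aes.BlockSize {
		return string(raw[:36]), pt[:ctLen-pad], nil
	}
	return "", nil, fmt.Errorf("bad PKCS#7 padding")
}

// EncryptMythicMessage builds the same layout; it exists only to fabricate a sample capture for the demo.
func EncryptMythicMessage(key []byte, uuid string, iv, plaintext []byte) string {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	body := append(append(append([]byte{}, iv...), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[16:], body[16:]) // encrypt in place behind the IV
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(append([]byte(uuid), body...), mac.Sum(nil)...))
}

func main() {
	key, _ := base64.StdEncoding.DecodeString("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=") // constructed demo key, NOT the campaign PSK
	msg := EncryptMythicMessage(key, "11111111-2222-3333-4444-555555555555", make([]byte, 16), []byte(`{"action":"checkin"}`))
	fmt.Println(DecryptMythicMessage(key, msg))
}
```

The fixed all-zero IV is acceptable only for this test vector; the HMAC check runs before any decryption, so a wrong PSK or a truncated capture fails closed instead of yielding garbage.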

The "coffee" agent supports:

  • Command execution and shell access
  • File upload/download
  • Process listing and injection
  • Screenshot capture
  • Token manipulation
  • Lateral movement primitives

Infrastructure

Both active C2 endpoints use Cloudflare's edge compute platforms (Workers and Pages) rather than traditional VPS hosting. This provides:

  • Legitimate-looking domains: *.workers.dev and *.pages.dev are Cloudflare-owned domains used by millions of legitimate developers
  • Global edge delivery: Payloads served from the nearest Cloudflare PoP, fast worldwide
  • Domain fronting potential: Traffic to Cloudflare's IP ranges is difficult to block without collateral damage
  • Free tier abuse: Both Workers and Pages have generous free tiers, enabling infrastructure at zero cost

The original LOTUSLITE C2 at 172[.]81[.]60[.]97 is offline (only port 139 visible), confirming the campaign has rotated to Cloudflare infrastructure.

Detection

By Technique

Technique            Detection Point
GrimResource         mmc.exe loading apds.dll + making network connections
ExecuteShellCommand  mmc.exe spawning powershell.exe or cmd.exe
XSLT Transform       mmc.exe creating files outside expected paths
All three            .msc files received via email or downloaded from the internet

Rules

Seven YARA rules covering each MSC technique variant, the Mythic Coffee agent, and the DLL sideloading pattern are available on our GitHub.

Hunt Queries

  • mmc.exe with network connections to *.workers.dev or *.pages.dev
  • Scheduled tasks created by msdtc.exe child processes
  • Files named p4z3rs.png that are actually PE DLLs
  • .msc files in email attachments or browser download directories
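The detection points and hunt queries above expressed as triage logic over constructed, Sysmon-like events, as an added example that is not code from the report: the Event shape, its field names and the sample telemetry are assumptions for the demo, and the "files outside expected paths" point is left out because the page does not define those paths.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Event is a constructed, Sysmon-like normalisation of EDR telemetry used only in this demo:
// Kind is "process", "network" or "file"; Magic holds a created file's first two bytes if captured.
type Event struct {
	Kind, Image, Parent, Dest, Path, Magic string
}

func base(p string) string { return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/"))) }

// TriageMSC applies the detection points and hunt queries listed above and returns one labelled alert per match.
func TriageMSC(events []Event) []string {
	var alerts []string
	for _, e := range events {
		img, parent := base(e.Image), base(e.Parent)
		switch {
		case e.Kind == "process" && parent == "mmc.exe" && (img == "powershell.exe" || img == "cmd.exe"):
			alerts = append(alerts, "ExecuteShellCommand: mmc.exe spawned "+img)
		case e.Kind == "process" && parent == "msdtc.exe" && img == "schtasks.exe":
			alerts = append(alerts, "XSLT chain persistence: msdtc.exe child ran schtasks.exe")
		case e.Kind == "network" && img == "mmc.exe":
			d := strings.ToLower(e.Dest)
			cf := strings.HasSuffix(d, ".workers.dev") || strings.HasSuffix(d, ".pages.dev")
			alerts = append(alerts, fmt.Sprintf("GrimResource: mmc.exe network connection to %s (Cloudflare edge host: %t)", d, cf))
		case e.Kind == "file" && base(e.Path) == "p4z3rs.png" && e.Magic == "MZ":
			alerts = append(alerts, "XSLT chain payload: PE file masquerading as "+e.Path)
		}
	}
	return alerts
}

func main() {
	// Constructed sample telemetry: a benign console save followed by events from the three techniques.
	sample := []Event{
		{Kind: "file", Image: `C:\Windows\System32\mmc.exe`, Path: `C:\Users\a\AppData\Roaming\Microsoft\MMC\custom.msc`},
		{Kind: "process", Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, Parent: `C:\Windows\System32\mmc.exe`},
		{Kind: "network", Image: `C:\Windows\System32\mmc.exe`, Dest: "lure-example.workers.dev"},
		{Kind: "file", Image: `C:\Windows\System32\mmc.exe`, Path: `C:\Users\a\AppData\Local\Temp\p4z3rs.png`, Magic: "MZ"},
		{Kind: "process", Image: `C:\Windows\System32\schtasks.exe`, Parent: `C:\Users\a\AppData\Local\Temp\msdtc.exe`},
	}
	for _, a := range TriageMSC(sample) {
		fmt.Println("ALERT:", a)
	}
}
```

Any mmc.exe network connection alerts because the table treats it as the GrimResource detection point; the Cloudflare suffix flag only adds the campaign-specific hunt context.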

Indicators of Compromise

Network Indicators

  • icewrap[.]com-smartattachment[.]workers[.]dev
  • s3-ap-northeast-1-amazonaws-com[.]pages[.]dev
  • 172[.]81[.]60[.]97 (original C2, offline)

File Indicators

SHA256 (partial)  Description
c6210ba0...       Encrypted loader from ExecuteShellCommand chain (245 KB)
67d7f993...       Mythic C2 Coffee agent / sideloaded DLL (354 KB)

Mythic C2 Configuration

  • Agent type: Coffee (Rust)
  • AES-256 PSK: H0QmHqnUMbcVE6M3vAHZ52ZQ5dFbsFfkDJlcugxKcZ0=
  • Sideload binary: msdtc.exe (legitimate Microsoft DTC)

h/t @ElementalX2 for the initial tip.