Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks
Black Hat Asia 2025 · Day 1 · Briefings
In a revealing presentation at Black Hat Asia, Hiakih Har, a Staff Engineer at Trend Micro, presented the first observed instance of threat actors leveraging **Windows Sandbox** for defense evasion in real-world targeted attacks. The talk, titled "Think Inside the Box," detailed how the China-aligned espionage group **Earth Kasha** (part of the broader APT10 umbrella) abused this built-in Windows virtualization feature to run tooling out of reach of endpoint detection and response (EDR) and endpoint protection platform (EPP) agents, which inspect the host but have no visibility inside the sandbox container. This marks a notable evolution in adversary tactics: rather than bringing their own virtual machine or container, the actors abused a readily available, often overlooked, operating system component that is already present and signed on the victim host.
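One practical check that follows from this tradecraft is to triage Windows Sandbox configuration files (`.wsb`, an XML format with a `<Configuration>` root) for the combination an attacker needs: a host folder mapped into the sandbox, a `LogonCommand` that auto-runs at session start, and networking left enabled. The script below is an added example for this page, not code from the talk or from Trend Micro; the two `.wsb` documents embedded in it are constructed samples, and the severity labels and the assumption that a logon command launched from a mapped folder is the most suspicious pattern are the author's own.

```python
"""Triage Windows Sandbox (.wsb) configuration files for attacker-friendly settings.

Added example (not from the talk). Parses the documented .wsb XML elements:
MappedFolders/MappedFolder (HostFolder, SandboxFolder, ReadOnly), LogonCommand/Command,
and Networking. Severity labels are an illustrative choice, not an official scale.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, reason)

# Constructed sample: writable host folder mapped in, payload auto-run from it, network on.
SUSPICIOUS_WSB = r"""<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\staging</HostFolder>
      <SandboxFolder>C:\staging</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\staging\run.cmd</Command>
  </LogonCommand>
</Configuration>
"""

# Constructed sample of a benign-looking config: read-only share, no logon command, no network.
BENIGN_WSB = r"""<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\alice\Downloads</HostFolder>
      <SandboxFolder>C:\Downloads</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"""


def analyze_wsb(xml_text: str) -> List[Finding]:
    """Return a list of (severity, reason) findings for one .wsb document."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("not a Windows Sandbox configuration (root must be <Configuration>)")
    findings: List[Finding] = []

    # 1. Host folders exposed to the sandbox. ReadOnly defaults to false (read-write),
    #    so a missing element means the sandbox can write to the host.
    sandbox_paths: List[str] = []
    for mf in root.findall("MappedFolders/MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        sandbox = (mf.findtext("SandboxFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        sandbox_paths.append(sandbox)
        if read_only:
            findings.append(("medium", f"host folder {host!r} readable from inside the sandbox"))
        else:
            findings.append(("high", f"host folder {host!r} mapped read-write: sandbox can drop files on the host"))

    # 2. LogonCommand runs automatically as soon as the sandbox session starts.
    cmd = (root.findtext("LogonCommand/Command") or "").strip()
    if cmd:
        findings.append(("high", f"LogonCommand auto-runs {cmd!r} inside the sandbox"))
        # Payload staged on the host, mapped in, and launched on logon is the complete chain.
        cmd_l = cmd.lower()
        for sp in sandbox_paths:
            if sp and cmd_l.startswith(sp.lower().rstrip("\\") + "\\"):
                findings.append(("critical", f"LogonCommand executes from host-mapped folder {sp!r}"))
                break

    # 3. Networking defaults to Enable; a sandbox with network access has its own C2/exfil path.
    if (root.findtext("Networking") or "Enable").strip().lower() != "disable":
        findings.append(("medium", "networking enabled for the sandbox"))

    return findings


def max_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for an empty list."""
    order = ["none", "low", "medium", "high", "critical"]
    return max((sev for sev, _ in findings), key=order.index, default="none")


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_WSB), ("benign", BENIGN_WSB)):
        results = analyze_wsb(doc)
        print(f"{name}: max severity {max_severity(results)}")
        for sev, reason in results:
            print(f"  [{sev}] {reason}")
```

In practice the inputs would be `.wsb` files collected from user profiles, download directories and temp paths, or the configuration referenced by a process-creation event for the sandbox launcher; the point of the combined "critical" rule is that any single setting is common in legitimate use, while the staged-folder-plus-logon-command pairing is what turns the sandbox into an unmonitored execution environment.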
AI review
Dr. Har's presentation on Earth Kasha's novel abuse of Windows Sandbox for EDR evasion is a critical, must-see piece of research. This is the first observed in-the-wild exploitation of a built-in OS virtualization feature by a sophisticated actor, demonstrating a significant shift in evasion tactics. The detailed breakdown of TTPs—including SYSTEM account execution, mapped folders for exfiltration, and the new WSB.exe vectors—provides immediate, actionable intelligence for defenders, highlighting a blind spot that demands urgent attention and adaptation in monitoring strategies.