Hack the Sandbox: APT10 Turns Safety into Stealth

Show Notes

Summary:In this episode, we explore how the APT10 subgroup “MirrorFace” abused the Windows Sandbox feature to establish stealthy persistence. By enabling and configuring the sandbox remotely, they launched malware designed to run only inside that isolated environment, avoiding detection entirely.

Defensive Recommendations:

• Disable Windows Sandbox if not in use organization-wide
• Monitor for sudden sandbox activation or system reboots with feature changes
• Watch for background execution of wsb.exe or sandbox-related memory activity
• Use memory forensics to inspect vmmemWindowsSandbox or vmmem processes
• Apply AppLocker or similar policies to prevent unauthorized sandbox usage
• Detect Tor-based outbound connections from host IPs

Artifacts and Tools to Watch:

• Windows Sandbox configuration changes or sudden feature activations
• Usage of wsb.exe from unknown users or automation scripts
• Scripts unpacking archives or scheduling hidden tasks within the sandbox
• Shared folder usage between host and sandbox environments
• Sandbox memory processes exposing RAT or C2 tool signatures

Thanks for spending a few minutes on the CyberBrief Project.

If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.

You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.

And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support

Your support means a lot.

See you in the next one, and thank you for listening.