![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
The Microsoft-patch.hta file is normally detected by Windows Defender as Trojan:JS/Flafisi.D in Windows 10 – but might not be detected as malware on another version of Windows. The download page is most likely a new template being deployed by the Kovter Group malvertising campaign – and these pages frequently reappear with repeated connections to the malware-ridden domain(s):
These attacks are potentially very damaging because these HTML apps can actually be downloaded, and presumably executed, after Windows Defender has detected and “quarantined” them; as I’ve shown for the FlashPlayer.hta file in this discussion thread:
The download somehow evades detection by the Defender IOAV post-download scan and isn’t detected with a context-menu scan. Since these Kovter template HTML apps are known to contain highly obfuscated JavaScript code that runs a PowerShell downloader, they should always be presumed to be “armed and dangerous”:
The best defense would most likely be an ad-blocker like uBlock Origen that selectively blocks suspect domains:
Settings and More > Extensions > Get extensions from the store
GreginMich
