Windows MSIX Package Support Framework AI_STUBS Execution

 1title: Windows MSIX Package Support Framework AI_STUBS Execution
 2id: af5732ed-764e-489d-826d-0447c8b36242
 3status: experimental
 4description: |
 5    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
 6    This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.    
 7references:
 8    - https://redcanary.com/blog/threat-intelligence/msix-installers/
 9    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
10    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
11    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
12author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-11-03
14tags:
15    - attack.defense-evasion
16    - attack.execution
17    - attack.t1218
18    - attack.t1553.005
19    - attack.t1204.002
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        Image|endswith:
26            - '\AI_STUBS\AiStubX64Elevated.exe'
27            - '\AI_STUBS\AiStubX86Elevated.exe'
28            - '\AI_STUBS\AiStubX64.exe'
29            - '\AI_STUBS\AiStubX86.exe'
30        OriginalFileName: 'popupwrapper.exe'
31    condition: selection
32falsepositives:
33    - Legitimate applications packaged with Advanced Installer using Package Support Framework
34level: low

References

• MSIX installer malware delivery on the rise - Red Canary

  

  Red Canary has detected multiple distinct adversaries leveraging MSIX installers to deliver a variety of malware payloads in recent months.

  
  Read More

• Installer Packages - Red Canary Threat Report

  

  Adversaries are packaging their fake installers with Microsoft’s latest installer format, MSIX, to trick users into downloading malware.

  
  Read More

• https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework

  
  Read More

• The Lost Payload: MSIX Resurrection | Splunk

  

  Threat actors weaponize MSIX for malware delivery – learn about MSIX attacks, distribution, and how Splunk's MSIXBuilder helps security teams test detection safely.

  
  Read More

Related rules

• Windows AppX Deployment Full Trust Package Installation
• Windows AppX Deployment Unsigned Package Installation
• Indirect Command Execution By Program Compatibility Wizard
• Suspicious Csi.exe Usage
• Windows Shell/Scripting Processes Spawning Suspicious Programs