Black Lotus Labs revealed on Thursday that it’s discovered new malware that uses the Windows Subsystem for Linux (WSL) to avoid being detected by security tools.
WSL debuted in 2016 alongside the Windows 10 Anniversary Update as a way to access GNU and Linux tools without having to boot into a different operating system. It didn’t originally provide true access to the Linux kernel—it used a compatible kernel developed by Microsoft—but that changed when WSL 2 arrived in June 2019.
That release officially brought the Linux kernel to Windows, and while that’s usually a good thing for people who don’t want to fuss with dual booting or using a different virtual machine environment, it turns out that it poses a security risk as well. Black Lotus Labs said the malware it found was used to covertly attack target PCs.