Windows 10 background image tool can be abused to download malware


Level 32
Nov 10, 2017
A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm.
Known as living-off-the-land binaries (LoLBins), these files come with the operating system and have a legitimate purpose. Attackers of all colors are abusing them in post-exploitation phases to hide malicious activity.

The new LoL in the Bin
An attacker can use LoLBins to download and install malware, or bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services.



Level 69
Content Creator
Malware Hunter
Aug 17, 2014
Executive Summary
  • Security professionals care about uncovering LOLBins; we found a new one that can be used to download arbitrary files as an alternative to certutil.
  • It can be run by standard users on most versions of Windows 10 used in the enterprise.
  • EDR practitioners should update their queries and watchlists to treat desktopimgdownldr.exe (new LOLBin binary) like certutil.exe.
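
A watchlist check of the kind the summary above asks for, as an added example that is not part of the original post or of any vendor's tooling. It assumes Sysmon-style process-creation events (fields Image, OriginalFileName, CommandLine, User); the sample events, users and URLs are constructed, and command-line arguments are elided.

```python
import re
from pathlib import PureWindowsPath

# Watchlist from the post: certutil.exe is the existing entry,
# desktopimgdownldr.exe is the newly reported one.
WATCHLIST = {"certutil.exe", "desktopimgdownldr.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def check_event(event):
    """Return a finding for one process-creation event, or None."""
    image = PureWindowsPath(event.get("Image") or "").name.lower()
    # OriginalFileName comes from the PE version resource, so it still
    # names the binary when the file on disk was copied under another name.
    original = (event.get("OriginalFileName") or "").lower()
    if not ({image, original} & WATCHLIST):
        return None
    # Only alert when the command line carries a remote URL; local use
    # of certutil (hashing, certificate dumps) stays quiet.
    urls = URL_RE.findall(event.get("CommandLine") or "")
    if not urls:
        return None
    return {
        "binary": original if original in WATCHLIST else image,
        "renamed": original in WATCHLIST and image != original,
        "user": event.get("User"),
        "urls": urls,
    }

def scan(events):
    """Run check_event over an iterable of events and keep the findings."""
    return [f for f in map(check_event, events) if f]

def _ev(image, original, cmdline, user):
    return {"Image": image, "OriginalFileName": original,
            "CommandLine": cmdline, "User": user}

# Constructed sample events (assumption: arguments elided, hosts are placeholders).
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
        "certutil.exe <args elided> https://files.example.invalid/a.bin", r"CORP\alice"),
    _ev(r"C:\Windows\System32\desktopimgdownldr.exe", "desktopimgdownldr.exe",
        "desktopimgdownldr.exe <args elided> https://files.example.invalid/b.bin", r"CORP\bob"),
    _ev(r"C:\Users\bob\AppData\Local\Temp\update.exe", "desktopimgdownldr.exe",
        "update.exe <args elided> http://files.example.invalid/c.bin", r"CORP\bob"),
    _ev(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
        r"certutil.exe -hashfile C:\temp\a.iso SHA256", r"CORP\alice"),
    _ev(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
        "notepad.exe https://files.example.invalid/readme.txt", r"CORP\carol"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```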


Level 21
Nov 19, 2012
Is there anything in Windows that can't be abused?
I think every program can be abused. No matter how much a program is updated and patched, there will always be a way to hack it.
It's also true for hardware: whatever protection the vendor makes, there will always be someone who will be able to crack that protection.