Cisco Talos Details How Windows Malware Weaponizes COM and DCOM for Stealth and Lateral Movement
Cisco Talos published deep-dive research on how threat actors abuse Windows Component Object Model and Distributed COM for lateral movement, persistence, evasion, and system discovery.

Cisco Talos has released a comprehensive technical analysis of how threat actors leverage the Windows Component Object Model (COM) and its distributed counterpart (DCOM) to execute a wide range of malicious activities, including lateral movement, persistence, evasion, and system discovery. The research, presented at the AVAR 2025 conference in Kuala Lumpur and a CARO 2026 workshop in Innsbruck, maps these techniques to the MITRE ATT&CK framework under T1021.003 (Remote Services: Distributed Component Object Model).
COM is a fundamental Windows technology that enables inter-process communication and component reuse across different programming languages. This same language independence makes COM attractive to attackers. Malware commonly uses COM interfaces to execute commands, automate built-in Windows and Office functionality, exfiltrate data, and establish persistence. DCOM extends this capability across the network, allowing a client to activate and use COM objects on remote systems via Microsoft RPC.
Reverse engineering COM-heavy binaries presents its own challenges. Malware often assembles the 16-byte CLSID and IID in stack locals with a handful of immediate stores just before the activation call, so the GUID never appears as a contiguous constant or string and signature-based tooling does not recognise it. Talos provides a methodology for analyzing such binaries: identify COM usage from import-table entries such as CoCreateInstance, CoCreateInstanceEx and CoGetClassObject (or, when the binary resolves them at runtime, from the names passed to GetProcAddress), recover the GUIDs, and resolve them in the Windows registry, where HKEY_CLASSES_ROOT\CLSID maps a class ID to its server binary and ProgID and HKEY_CLASSES_ROOT\Interface maps an interface ID to its name.
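As an added example (not code from the Talos post), the following Python helper handles the stack-built GUID problem described above: it reassembles a CLSID from the immediates read off the disassembly, converts the mixed-endian in-memory layout into the string that serves as the registry key name, and names the result. It goes one step further than the post by also scanning a raw byte blob for known GUIDs in their binary form, which a `strings` pass never surfaces. The lookup table holds a few publicly registered CLSIDs/IIDs (WScript.Shell, ShellWindows, MMC20.Application, IUnknown, IDispatch); the stack stores and the byte blob are constructed samples, not data from any real malware.

```python
"""Recover COM class and interface GUIDs that a binary builds on the stack or
embeds as raw 16-byte structures, then name them so they can be checked under
HKCR\\CLSID and HKCR\\Interface.

Added example, not code from the Talos post. The lookup table holds a few
publicly registered CLSIDs/IIDs; the stack stores and the byte blob below are
constructed samples, not data from any real malware.
"""
import struct
import uuid

# Registered GUIDs (lower-case, no braces) -> human-readable name.
KNOWN_GUIDS = {
    "72c24dd5-d70a-438b-8a42-98424b88afb8": "WScript.Shell (CLSID)",
    "9ba05972-f6a8-11cf-a442-00a0c90a8f39": "ShellWindows (CLSID)",
    "49b2791a-b1ae-4c90-9b8e-e860ba07f889": "MMC20.Application (CLSID)",
    "00000000-0000-0000-c000-000000000046": "IUnknown (IID)",
    "00020400-0000-0000-c000-000000000046": "IDispatch (IID)",
}


def guid_from_memory(raw: bytes) -> str:
    """Turn the in-memory GUID struct (Data1 u32 LE, Data2 u16 LE, Data3 u16 LE,
    Data4 eight raw bytes) into the registry string form {XXXXXXXX-XXXX-...}.
    The mixed endianness is why a hex dump of the struct does not read like
    the registry key name."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])
    data4 = raw[8:]
    text = f"{data1:08x}-{data2:04x}-{data3:04x}-{data4[:2].hex()}-{data4[2:].hex()}"
    # Cross-check with the standard library's own little-endian decoder.
    if text != str(uuid.UUID(bytes_le=raw)):
        raise AssertionError("manual decode disagrees with uuid.bytes_le")
    return "{" + text.upper() + "}"


def guid_from_stack_stores(stores) -> str:
    """Reassemble a GUID from the immediates a function writes into a stack
    local right before CoCreateInstance/CoCreateInstanceEx. `stores` holds
    (offset_from_guid_base, width_in_bytes, immediate) tuples as read from the
    disassembly, in any order; a partially built GUID is reported as an error
    rather than silently zero-filled."""
    buf = bytearray(16)
    filled = [False] * 16
    for off, width, imm in stores:
        if off < 0 or off + width > 16:
            raise ValueError(f"store at offset {off} width {width} falls outside the GUID")
        buf[off:off + width] = imm.to_bytes(width, "little")
        filled[off:off + width] = [True] * width
    if not all(filled):
        missing = [i for i, f in enumerate(filled) if not f]
        raise ValueError(f"GUID only partially constructed, missing bytes {missing}")
    return guid_from_memory(bytes(buf))


def find_known_guids(blob: bytes):
    """Scan raw bytes (a section, a decoded payload, a memory dump) for known
    GUIDs in their 16-byte memory layout. Returns (offset, name) pairs."""
    hits = []
    for text, name in KNOWN_GUIDS.items():
        needle = uuid.UUID(text).bytes_le
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def classify(guid: str) -> str:
    """Name a GUID, or say where in the registry to resolve it."""
    key = guid.strip("{}").lower()
    return KNOWN_GUIDS.get(key, "unknown: resolve under HKCR\\CLSID or HKCR\\Interface")


# Constructed sample: the stores a 32-bit build emits for a CLSID local, e.g.
#   mov dword ptr [ebp-0x10], 0x72C24DD5 ; mov word ptr [ebp-0xC], 0xD70A ; ...
SAMPLE_STORES = [
    (0, 4, 0x72C24DD5),   # Data1
    (4, 2, 0xD70A),       # Data2
    (6, 2, 0x438B),       # Data3
    (8, 4, 0x4298428A),   # Data4[0:4], stored as one dword
    (12, 4, 0xB8AF884B),  # Data4[4:8]
]

# Constructed sample blob: filler, an IID, padding, a CLSID, a trailing byte.
SAMPLE_BLOB = (
    b"\x90" * 7
    + uuid.UUID("00000000-0000-0000-c000-000000000046").bytes_le
    + b"\x00" * 4
    + uuid.UUID("72c24dd5-d70a-438b-8a42-98424b88afb8").bytes_le
    + b"\xcc"
)

if __name__ == "__main__":
    clsid = guid_from_stack_stores(SAMPLE_STORES)
    print(clsid, "->", classify(clsid))
    for offset, name in find_known_guids(SAMPLE_BLOB):
        print(f"offset {offset:#06x}: {name}")
```

On the analysis box the recovered string is the key name under HKEY_CLASSES_ROOT\CLSID: its InprocServer32 or LocalServer32 value names the server binary, and its ProgID value gives the script-friendly name (WScript.Shell in the sample). An IID that is not in the table is resolved the same way under HKEY_CLASSES_ROOT\Interface.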
The post walks through practical examples of how malware families abuse COM for execution and lateral movement. For instance, the WScript.Shell object, reachable from VBScript, PowerShell, or Python, exposes RegRead and RegWrite for registry access, Run and Exec for launching commands, and CreateShortcut for writing .lnk files. Local and remote activation can be told apart at the call site: CoCreateInstance always activates on the local machine, whereas CoCreateInstanceEx takes a COSERVERINFO structure whose pwszName field carries the target host. A CoCreateInstanceEx call with a NULL COSERVERINFO is still local, so the argument, not merely the imported name, has to be checked before concluding that DCOM is in play.
Beyond execution, COM enables sophisticated evasion techniques. By abusing trusted COM objects—such as the Windows Task Scheduler service or Browser Helper Objects—malware can blend into legitimate system activity and bypass security products. Talos emphasizes that manual analysis of COM functionality is often deprioritized during triage due to its complexity, but understanding these patterns is critical for incident response and threat hunting.
The research also places DCOM in broader attack chains, particularly lateral movement in enterprise environments: Talos notes that T1021.003 is frequently paired with other techniques such as WMI and PowerShell remoting. The post concludes with a curated list of resources for further reading, including tools and references for analyzing COM in malicious binaries.