Command Zero
Narration by Agent Zero
Medium
run-eb2cbb31-edb9-4d43-a61c-bc13358bfc1e
Malicious
High confidence
  • malware
  • supply-chain
  • plugin-threat
  • wacatac
  • expressionengine
  • php-trojan

Wacatac Malware Embedded in ExpressionEngine Plugin Downloads

Microsoft Defender detected Wacatac malware in ExpressionEngine Freeform plugin files downloaded by a user. The malicious PHP script was found in multiple plugin directories with extremely low global prevalence, suggesting a potential supply chain compromise.

AUTONOMOUS INVESTIGATION · Command Zero · Agent Zero
Investigation time: 2m 35s (autonomous)
Questions asked: 10 (Microsoft 365 Defender, Microsoft Defender XDR, Microsoft Defender for Endpoint)
Records analyzed: 19 (across all data sources)
Human analysis: ~2 hrs (Tier-2 equivalent *)
Analyst cost saved: ~$129 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On February 10, 2026, Microsoft Defender for Endpoint detected Wacatac malware in ZIP files downloaded by user_1 on machine ws-001.[INTERNAL_DOMAIN_1].local. The detection escalated on February 13 when the same malware was found in extracted PHP files. The malicious file, `FreeformHelper.php`, carries SHA1 hash `103fe8ca80f50838e61d5709a023d4c3c7c6e11f` and is consistently identified as `Trojan:Script/Wacatac.C!ml` — a script-based trojan rather than a compiled executable. What made this signal noteworthy was its context: the file appeared in multiple locations within ExpressionEngine Freeform plugin directories, suggesting the malware was embedded in what appeared to be legitimate CMS plugin packages rather than downloaded as a standalone threat. The file's extremely low global prevalence (1 in Microsoft's telemetry) and small size (399 bytes) are consistent with a targeted malicious script, not a false positive or benign utility. The investigation correlated data from Microsoft Defender for Endpoint alerts, XDR advanced hunting, and file prevalence analysis across 10 invocations, completing in 2 minutes 35 seconds and covering 19 total records from three data sources.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be an account compromise?
Ruled out
Supporting evidence:
  • Consistent successful authentication patterns for user user_1 (moderate)
  • No failed login attempts or suspicious authentication behaviors (moderate)
  • No evidence of unauthorized access to the account (moderate)
Dismissed: While there were malware detections on the system, there is no evidence that the user account was compromised. The user consistently authenticated with proper credentials from expected locations, and the malware was detected in downloaded files rather than showing signs of active account takeover. · High confidence

H2: Could this be a system compromise?
Ruled out
Supporting evidence:
  • Malware detections were in Veeam backup snapshots, not active system files (moderate)
  • No evidence of malware execution or persistence mechanisms (moderate)
  • No unusual system behavior reported beyond the file detections (moderate)
Dismissed: While malicious files were detected on the system, they were found in backup snapshots rather than in active execution. The malware was detected in downloaded plugin files, but there is no evidence of successful execution or system compromise. The system's security controls detected the threats, and there are no indicators of active exploitation or system takeover. · Medium confidence

H3: Could this be normal activity?
Ruled out
Supporting evidence:
  • Detection of Wacatac malware in multiple file locations (moderate)
  • Malicious files with SHA1 hash 103fe8ca80f50838e61d5709a023d4c3c7c6e11f found in user downloads (moderate)
  • Files identified as Trojan:Script/Wacatac.C!ml by Microsoft Defender (moderate)
Dismissed: The presence of Wacatac malware in downloaded files cannot be classified as normal activity. While the user's login patterns appear normal, the download and presence of malicious files represents a security concern that requires attention. · High confidence

H4: Could this be a false positive?
Ruled out
Supporting evidence:
  • Consistent identification as Trojan:Script/Wacatac.C!ml across multiple detections (moderate)
  • Extremely low global prevalence (1), suggesting the uniqueness typical of malware (moderate)
  • Small file size (399 bytes), consistent with a malicious script (moderate)
Dismissed: Multiple security tools consistently identified the FreeformHelper.php file as malicious Wacatac malware. The file has extremely low global prevalence (1) and was detected across multiple locations with consistent hash values. The detection pattern and file characteristics strongly indicate this is a genuine malware detection rather than a false positive. · High confidence

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • Malware detection: Microsoft Defender detected 'Wacatac' malware in ZIP files downloaded by user user_1 on February 10, 2026 (source: Microsoft Defender for Endpoint Alerts)
  • Malware detection: Microsoft Defender detected 'Wacatac' malware in PHP files (FreeformHelper.php) on February 13, 2026 (source: Microsoft Defender for Endpoint Alerts)
  • File location data: The malicious file FreeformHelper.php was found in multiple locations within ExpressionEngine Freeform plugin directories (source: Microsoft Defender XDR Alert Evidence)
  • File hash data: All instances of the malicious file had the identical SHA1 hash 103fe8ca80f50838e61d5709a023d4c3c7c6e11f (source: Microsoft Defender XDR Alert Evidence)
  • Prevalence data: The malicious file has extremely low global prevalence (1) according to Microsoft Defender telemetry (source: Microsoft Defender for Endpoint File Information)
  • File metadata: The malicious file is small (399 bytes) and is not a PE file, consistent with a malicious script (source: Microsoft Defender for Endpoint File Information)
  • File path data: The malicious files were found in paths containing downloaded ExpressionEngine Freeform plugin packages (source: Microsoft Defender XDR Alert Evidence)

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1: Verified consistent malware identification across multiple detections (Pass)
  2. fp2: Analyzed file prevalence and characteristics (Pass)
  3. fp3: Examined file location patterns and context (Pass)
  4. fp4: Evaluated detection progression over time (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Malware Detection - Trojan:Script/Wacatac.C!ml · Supply Chain Threat Detection

T1204.002 User Execution: Malicious File
Tactic: Initial Access
Context: Monitor for downloads of CMS plugin packages (ExpressionEngine, WordPress, Joomla) from untrusted or newly registered sources. Flag ZIP archives containing PHP files with low global prevalence scores and non-standard names like FreeformHelper.php in plugin directories. Alert on extraction of archived files followed by malware detections within 72 hours, especially when the same file hash appears across multiple plugin subdirectories.

T1195.002 Supply Chain Compromise: Software Supply Chain
Tactic: Initial Access
Context: Establish baseline hashes for legitimate plugin packages from official repositories. Flag deviations in plugin archive contents, especially when extracted files have a global prevalence of 1 or contain script files not documented in official changelogs. Correlate malware detections in plugin directories across multiple machines to distinguish a widespread supply chain compromise from isolated user downloads.
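The baseline check described for T1195.002, as an added example that is not part of this report or of Command Zero's tooling: it compares an extracted plugin directory against a manifest of the official release's SHA1 hashes, flags files that are absent from the manifest (calling out undocumented PHP scripts), files whose hash deviates, files the package is missing, and files whose global prevalence (supplied through an assumed lookup table, such as one populated from EDR file information) falls at or below a threshold. The sample package, the manifest and the prevalence table are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# Script extensions that should never appear in a plugin package undocumented.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar"}


def sha1_of(path):
    """Stream a file through SHA1 and return the hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_plugin_dir(root, baseline, prevalence=None, rare_threshold=5):
    """Compare an extracted plugin directory against the official baseline.

    baseline:   {relative_path: sha1} taken from the vendor's official release.
    prevalence: optional {sha1: global_prevalence} lookup (assumed data source).
    Returns a list of (relative_path, reason) findings, in path order.
    """
    root = Path(root)
    findings, seen = [], set()
    files = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in files:
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        digest = sha1_of(path)
        expected = baseline.get(rel)
        if expected is None:
            reason = "not in baseline"
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                reason += " (undocumented script file)"
            findings.append((rel, reason))
        elif digest != expected:
            findings.append((rel, "hash mismatch vs baseline"))
        # A rare hash is flagged even when the file name looks ordinary.
        if prevalence is not None and prevalence.get(digest, rare_threshold + 1) <= rare_threshold:
            findings.append((rel, f"low global prevalence ({prevalence[digest]})"))
    for rel in sorted(set(baseline) - seen):
        findings.append((rel, "missing from package"))
    return findings


def demo():
    """Constructed sample: one legitimate file plus an undocumented helper script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "freeform"
        root.mkdir()
        (root / "addon.setup.php").write_text("<?php return ['name' => 'Freeform'];\n")
        (root / "FreeformHelper.php").write_text("<?php // placeholder, not the real sample\n")
        baseline = {"addon.setup.php": sha1_of(root / "addon.setup.php")}  # constructed manifest
        prevalence = {sha1_of(root / "FreeformHelper.php"): 1}  # constructed EDR-style lookup
        return check_plugin_dir(root, baseline, prevalence)
```

Run `demo()` to see the two findings raised for the undocumented helper script; in use, the manifest comes from the vendor's repository, never from the downloaded archive itself.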

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. Consistent identification of FreeformHelper.php as Trojan:Script/Wacatac.C!ml across multiple detections with identical SHA1 hash 103fe8ca80f50838e61d5709a023d4c3c7c6e11f, eliminating the possibility of a single false positive

2. Extremely low global prevalence (1) in Microsoft Defender telemetry, indicating the file is rare and not a common legitimate utility

3. File characteristics (399 bytes, non-PE PHP script) are consistent with a malicious script designed to execute in web environments, not a benign tool

4. Detection pattern across multiple plugin directories suggests deliberate embedding in software packages, not accidental or coincidental presence

5. Analyst notes confirm this was treated as a genuine security incident requiring remediation and escalation to the Service Desk. Confidence is High rather than Confirmed because the malicious files were detected in Veeam backup snapshots rather than in active system execution, leaving a small gap in evidence of actual exploitation or persistence on the live system

Lessons

  1. Backup snapshots can hide active threats. In this investigation, malware was detected in Veeam backup snapshots, which initially suggested the files were dormant. However, backups capture a point-in-time view and do not indicate whether files executed before or after the snapshot was taken. Always cross-reference backup detections with live system telemetry and process execution logs. If live system data shows no execution, the threat may still require remediation to prevent future activation if backups are restored.
  2. Low prevalence is a strong malware signal. The FreeformHelper.php file had a global prevalence of 1 in Microsoft Defender's telemetry. This extreme rarity, combined with consistent detection as Trojan:Script/Wacatac.C!ml across multiple locations, was a key confidence driver. When evaluating file detections, prioritize files with prevalence scores of 1–5 over those with higher prevalence, especially if they appear in unexpected directories like plugin folders.
  3. Supply chain threats embed in legitimate packages. The malware was found within ExpressionEngine Freeform plugin directories, suggesting it was embedded in what appeared to be a legitimate software package. This is a classic supply chain compromise pattern. Monitor plugin and third-party software downloads for hash mismatches against official repositories, and flag any extracted archives containing files not documented in official release notes.
  4. File hash consistency rules out coincidence. All instances of FreeformHelper.php shared the identical SHA1 hash 103fe8ca80f50838e61d5709a023d4c3c7c6e11f across multiple locations. This consistency eliminated the possibility of a false positive or an unrelated file with the same name. When investigating malware, always verify hash matches across detections to confirm you are tracking the same malicious artifact.
  5. Normal login patterns do not rule out malware. User user_1 showed consistent, normal authentication patterns with no failed logins or suspicious access. This ruled out account compromise but did not rule out malware in downloaded files. Separate your analysis: account compromise, system compromise, and malware presence are distinct threats. Normal login activity can coexist with malware inadvertently downloaded by the user.