Command Zero
Narration by Agent Zero
Highrun-c9aa3456-5069-4b20-a96c-0218e26ffb19
Malicious
High confidence
  • supply-chain
  • malware
  • trojan
  • kepavll
  • goto-resolve
  • signed-malware

Supply Chain Compromise: Signed GoTo Resolve Updater Trojanized with Kepavll Malware

Microsoft Defender detected and blocked Trojan:Win32/Kepavll!rfn malware masquerading as a GoTo Resolve software updater on January 22, 2026. The malicious file bore a valid digital signature from GoTo Technologies USA, LLC, and the same hash was detected 3,829 times globally within 23 hours, which points to a supply chain compromise of the vendor's update channel rather than an isolated infection.

AUTONOMOUS INVESTIGATION (Command Zero · Agent Zero)
  • Investigation time: 2m 27s (autonomous)
  • Questions asked: 17
  • Data sources: Microsoft 365 Defender, Microsoft Defender XDR, Microsoft Defender for Endpoint, Microsoft Entra
  • Records analyzed: 85 (across all data sources)
  • Human analysis equivalent: ~2 hrs (Tier-2 equivalent *)
  • Analyst cost saved: ~$180 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On January 22, 2026, Microsoft Defender for Endpoint detected a malicious file masquerading as a legitimate software updater on device ws-001. The file `GoToResolveUnattendedUpdater.exe` (SHA-256: d126ebe9704c544636d79e5ffc7782f2d52ac33a82a9459427c7b15115f59615) was identified as Trojan:Win32/Kepavll!rfn, with the alert mapped to T1547.001 (Registry Run Keys / Startup Folder) persistence.

What made this alert significant was its provenance. The executable bore a valid digital signature from GoTo Technologies USA, LLC, a trusted software vendor, and it ran from a legitimate installation path (`C:\Program Files (x86)\GoTo Resolve Unattended\...`) as part of what appeared to be a routine software update, with SYSTEM privileges, at 09:49:03 UTC. Two details stood out against that baseline: the file size of approximately 24 MB was unusually large for an updater component, and global file prevalence data showed 3,829 detections of the same hash within a 23-hour window, which points to distribution through the vendor's update channel rather than a targeted infection of one host. Microsoft Defender terminated the process approximately 24 seconds after execution and blocked further activity.

The investigation correlated Microsoft Defender for Endpoint alerts, process execution logs, and file analysis across 17 queries spanning 2 minutes 27 seconds of autonomous analysis.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be a system compromise?
Ruled out (high confidence)
Evidence weighed (each rated moderate):
  • File with SHA-256 hash d126ebe9704c544636d79e5ffc7782f2d52ac33a82a9459427c7b15115f59615 was detected as Trojan:Win32/Kepavll!rfn malware
  • Microsoft Defender successfully blocked and terminated the malicious process
  • File had a valid digital signature from GoTo Technologies USA, LLC
Dismissed: While the file was detected as malware and blocked, the evidence does not support a full system compromise beyond the initial execution. Microsoft Defender terminated the process about 24 seconds after launch, and the telemetry shows no persistence, lateral movement, data exfiltration, or other post-exploitation activity that would indicate a broader system compromise.

H2: Could this be a false positive?
Ruled out (high confidence)
Evidence weighed (each rated moderate):
  • File was detected as Trojan:Win32/Kepavll!rfn malware
  • File had a valid digital signature from GoTo Technologies USA, LLC
  • File was executed in the context of a legitimate software update process
Dismissed: The evidence does not support a false positive. Microsoft Defender classified the file as Trojan:Win32/Kepavll!rfn in three separate alerts, one of them raised on observed execution rather than on a scan at rest, and the file's valid signature from GoTo Technologies suggests a supply chain compromise rather than a detection error. One caveat a reviewer should note: every signal here comes from a single detection engine, so a second-source hash lookup and confirmation from the vendor are the checks that would close this hypothesis conclusively.

H3: Could this be a credential compromise?
Ruled out (medium confidence)
Evidence weighed (each rated moderate):
  • File was detected as Trojan:Win32/Kepavll!rfn malware
  • File had a valid digital signature from GoTo Technologies USA, LLC
  • File was executed with SYSTEM privileges
Dismissed: While the evidence shows a malicious file was executed, it does not demonstrate that the file was designed to steal credentials. The malware was classified as a Trojan (Kepavll), but there is no evidence that credential theft was its purpose. Without evidence of credential harvesting functionality or attempts to access authentication data, this verdict cannot be supported.

H4: Could this be an attempted compromise?
Ruled out (high confidence)
Evidence weighed (each rated moderate):
  • File was detected as Trojan:Win32/Kepavll!rfn malware
  • File was executed with SYSTEM privileges
  • File was located in a legitimate software installation path
Dismissed: The evidence shows that the malicious file was actually executed on the system before being detected and blocked by Microsoft Defender. This goes beyond an attempt: the malware was launched and then contained by security controls. Execution of malicious code, even if subsequently blocked, represents a successful initial compromise rather than merely an attempt.

H5: Could this be a blocked threat?
Ruled out (medium confidence)
Evidence weighed (each rated moderate):
  • File was detected as Trojan:Win32/Kepavll!rfn malware
  • File had a valid digital signature from GoTo Technologies USA, LLC
  • File was executed in the context of a legitimate software update process
Dismissed: While Microsoft Defender successfully blocked the malware, the malicious file was executed before being terminated. It was not detected and blocked prior to execution; it ran for roughly 24 seconds before security controls terminated it. That is an actual execution that was subsequently contained, not a purely blocked scenario.

Disconfirming Evidence

No disconfirming evidence is recorded for this investigation; no gathered item pushed against the agent's working hypothesis.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • Malware detection (Microsoft Defender for Endpoint): File GoToResolveUnattendedUpdater.exe with SHA-256 hash d126ebe9704c544636d79e5ffc7782f2d52ac33a82a9459427c7b15115f59615 was detected as Trojan:Win32/Kepavll!rfn malware.
  • Process execution (Microsoft Defender for Endpoint process creation logs): The malicious file was executed on January 22, 2026, at 09:49:03 UTC with SYSTEM privileges.
  • Security alerts (Microsoft Defender for Endpoint alerts): Microsoft Defender generated multiple alerts, including 'An active Kepavll malware was blocked' and 'An active Kepavll malware process was detected while executing and terminated'.
  • Security response (Microsoft Defender for Endpoint alert timeline): The malicious process was terminated by Microsoft Defender at 09:49:27 UTC, approximately 24 seconds after execution.
  • File analysis (Microsoft Defender for Endpoint file information): The file had a valid digital signature from GoTo Technologies USA, LLC but was classified as malware.
  • Attack vector analysis (process command line and parent process information): The malware was executed as part of the GoTo Resolve remote support software's update process.
  • Threat intelligence (Microsoft Defender for Endpoint file prevalence data): The global prevalence of this malware was reported as 3,829 instances within approximately 23 hours.

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive. All four draw on Microsoft Defender telemetry; an independent check a reviewer would add is a second-engine lookup of the hash and an inspection of the signing certificate against the vendor's known certificate.

  1. Verified malware classification across multiple Microsoft Defender alerts (Pass)
  2. Analyzed file characteristics and execution context (Pass)
  3. Evaluated global prevalence and detection timeline (Pass)
  4. Examined security response and observed behavior (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Categories: Malware Detection, Supply Chain Compromise

T1547.001 Registry Run Keys / Startup Folder (Persistence)
  Context: Monitor for executable files signed by legitimate vendors but detected as malware, particularly those executed from software installation directories during update processes. Flag files larger than typical updater components (>20 MB) executing with SYSTEM privileges and touching registry persistence locations. Alert on bulk detections of the same file hash across multiple organizations within short timeframes (e.g., 3,000+ instances in 24 hours), which indicates distribution through a vendor's update channel rather than isolated malware.

T1195.002 Compromise Software Supply Chain (Initial Access)
  Context: Establish baseline hashes for legitimate software update executables from trusted vendors and alert when files with matching names but different hashes are observed. Monitor update processes for unusual file paths, particularly those containing randomly generated subdirectories or non-standard locations. Cross-reference file prevalence data across your organization and globally: a sudden spike in detections of a previously unseen file from a trusted vendor's update mechanism warrants immediate escalation to the vendor and affected customers.
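The two detection opportunities above, expressed as rules over sample telemetry, as an editor-added example (this is not Command Zero's, Microsoft's or GoTo's code). Record shapes mirror Defender Advanced Hunting columns (DeviceProcessEvents, DeviceFileCertificateInfo, AlertEvidence), but every record, the known-good hash, the baseline table and the prevalence table are constructed for the example. The hash d126ebe9... and the 24 MB, SYSTEM, 3,829-in-23-hours figures are the ones the report quotes; the 20 MB and 3,000-in-24-hours thresholds are the ones quoted in the context text. The example also shows the correlation the Lessons section calls for: both builds carry the same valid vendor signature, so the signature alone separates nothing.

```python
"""Editor-added example, not Command Zero's or GoTo's code: the two detection
opportunities above expressed as rules over sample telemetry. Record shapes
mirror Defender Advanced Hunting columns (DeviceProcessEvents,
DeviceFileCertificateInfo, AlertEvidence); every record, the baseline table
and the prevalence table below are constructed for the example."""

IOC = "d126ebe9704c544636d79e5ffc7782f2d52ac33a82a9459427c7b15115f59615"  # hash from the report
KNOWN_GOOD = "aa" * 32  # constructed hash of an earlier, benign updater build

# Constructed DeviceProcessEvents-like rows (FileSize in bytes). The report
# truncates the install path, so no subdirectory is assumed here.
PROCESS_EVENTS = [
    {"DeviceName": "ws-001", "FileName": "GoToResolveUnattendedUpdater.exe",
     "FolderPath": r"C:\Program Files (x86)\GoTo Resolve Unattended",
     "SHA256": IOC, "FileSize": 24 * 1024 * 1024, "AccountName": "SYSTEM"},
    {"DeviceName": "ws-002", "FileName": "GoToResolveUnattendedUpdater.exe",
     "FolderPath": r"C:\Program Files (x86)\GoTo Resolve Unattended",
     "SHA256": KNOWN_GOOD, "FileSize": 3 * 1024 * 1024, "AccountName": "SYSTEM"},
]
# Constructed DeviceFileCertificateInfo-like rows keyed by SHA-256: both builds
# carry the same valid vendor signature, so the signature alone separates nothing.
CERT_INFO = {
    IOC: {"IsSigned": True, "IsTrusted": True, "Signer": "GoTo Technologies USA, LLC"},
    KNOWN_GOOD: {"IsSigned": True, "IsTrusted": True, "Signer": "GoTo Technologies USA, LLC"},
}
# Constructed AlertEvidence-like rows (ThreatFamily as named in the alert).
ALERT_EVIDENCE = [
    {"SHA256": IOC, "ThreatFamily": "Kepavll",
     "Title": "An active Kepavll malware process was detected while executing and terminated"},
]
# Constructed baseline: updater file name -> hashes previously seen under that name.
BASELINE = {"GoToResolveUnattendedUpdater.exe": {KNOWN_GOOD}}
# Constructed prevalence: SHA-256 -> (global detections, hours since first seen).
PREVALENCE = {IOC: (3829, 23), KNOWN_GOOD: (12, 24 * 90)}


def signed_but_detected(ev, certs, evidence):
    """T1195.002: valid, trusted vendor signature on a file that an alert names as malware."""
    cert = certs.get(ev["SHA256"], {})
    detected = any(a["SHA256"] == ev["SHA256"] for a in evidence)
    return bool(cert.get("IsSigned") and cert.get("IsTrusted") and detected)


def oversized_system_updater(ev, threshold_mb=20):
    """T1547.001 context: an updater-named binary far larger than usual, running as SYSTEM."""
    return (ev["FileName"].lower().endswith("updater.exe")
            and ev["FileSize"] > threshold_mb * 1024 * 1024
            and ev["AccountName"].upper() == "SYSTEM")


def baseline_hash_drift(ev, baseline):
    """Known updater file name carrying a hash never seen before under that name."""
    known = baseline.get(ev["FileName"])
    return known is not None and ev["SHA256"] not in known


def prevalence_spike(sha256, prevalence, min_count=3000, max_hours=24):
    """A previously unseen hash appearing in thousands of detections within a day."""
    count, hours = prevalence.get(sha256, (0, 0))
    return count >= min_count and hours <= max_hours


def evaluate(ev, certs=CERT_INFO, evidence=ALERT_EVIDENCE,
             baseline=BASELINE, prevalence=PREVALENCE):
    """Names of the rules that fire for one process event, in a fixed order."""
    checks = [
        ("signed_but_detected", signed_but_detected(ev, certs, evidence)),
        ("oversized_system_updater", oversized_system_updater(ev)),
        ("baseline_hash_drift", baseline_hash_drift(ev, baseline)),
        ("prevalence_spike", prevalence_spike(ev["SHA256"], prevalence)),
    ]
    return [name for name, fired in checks if fired]


def escalate(hits):
    """A signed file that is also detected escalates on its own. Without a detection,
    hash drift plus a prevalence spike still escalates: together they say a new build
    reached the whole customer base through the vendor's update channel, which is what
    both a trojanized update and a legitimate update look like until the vendor confirms
    which one it is."""
    return "signed_but_detected" in hits or {"baseline_hash_drift", "prevalence_spike"} <= set(hits)


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        hits = evaluate(ev)
        print(ev["DeviceName"], ev["SHA256"][:12], hits, "ESCALATE" if escalate(hits) else "ok")
```

In a live tenant these rules become Advanced Hunting joins from DeviceProcessEvents to DeviceFileCertificateInfo and AlertEvidence on file hash, with the baseline table maintained from previously seen updater hashes. The thresholds are starting points and should be tuned per vendor: a 20 MB updater is unusual for GoTo Resolve as described here, not for every product.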

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. Three separate Microsoft Defender alerts consistently classified the file as Trojan:Win32/Kepavll!rfn malware, and one of them ('An active Kepavll malware process was detected while executing and terminated') establishes that the file actually ran rather than being caught at rest. Microsoft's naming convention documents the !rfn suffix only as an internal detection category, so the suffix itself should not be read as proof of runtime behavioral analysis; execution is established by the alert, not by the name.

2. The file executed with SYSTEM privileges at 09:49:03 UTC on January 22, 2026, confirmed by DeviceProcessEvents telemetry showing the process creation and subsequent termination at 09:49:27 UTC.

3. Global prevalence data showing 3,829 instances of this malware within approximately 23 hours across multiple organizations, with first observation on January 21, 2026, demonstrates distribution at the scale of the vendor's customer base rather than an isolated or targeted event.

4. The file's valid digital signature from GoTo Technologies USA, LLC, combined with execution from a legitimate installation path, indicates a supply chain compromise of the GoTo Resolve update mechanism rather than a detection error.

5. Microsoft Defender's immediate termination of the process and blocking of further activity, combined with the absence of any evidence of legitimate software functionality being impaired, supports a detection based on genuine malicious behavior. Confidence is High rather than Confirmed because the investigation did not capture evidence of post-execution persistence mechanisms, lateral movement, or data exfiltration, and the 24-second execution window followed by immediate termination limited the malware's opportunity to perform such actions.

Lessons

  1. Valid signatures do not guarantee legitimate code. A valid digital signature from a trusted vendor (GoTo Technologies USA, LLC) is not a reliable indicator of file legitimacy: the malware bore a genuine signature, yet was classified as Trojan:Win32/Kepavll!rfn. A signature proves only that the signing key was applied to this binary; it says nothing about whether the build that was signed was clean. Analysts should never assume that signed executables are safe; instead, correlate signature validity with file hash reputation, prevalence data, and behavioral analysis. When a signed file triggers malware alerts, escalate immediately to the vendor and treat it as a supply chain compromise until proven otherwise.
  2. Global prevalence spikes reveal supply chain attacks. The 3,829 instances of this malware detected globally within 23 hours were the strongest signal that this was not an isolated event or a targeted attack, but something distributed to a vendor's entire customer base. The caveat is that a legitimate update produces the same spike, since it too rolls out to every customer at once; what distinguishes the two is a previously unseen hash from a trusted vendor's update path that is also detected as malware, corroborated by a second source or by the vendor. Analysts should establish alerting thresholds for file prevalence anomalies so that a previously unseen file appearing in thousands of detections across multiple organizations is escalated automatically. This investigation took 2 minutes 27 seconds to reach that conclusion; without prevalence correlation, manual investigation would have consumed hours.
  3. Execution context matters more than file path legitimacy. The malware executed from `C:\Program Files (x86)\GoTo Resolve Unattended\...`, a legitimate installation directory, as part of a routine update process. This context made the threat harder to spot but also more dangerous, because users and automated systems would expect this activity. The differentiators were the file size (24 MB, unusually large for an updater), the SYSTEM privilege level, and the alert raised on the running process rather than on a file at rest. When investigating software updates, scrutinize file size, process privileges, and registry modifications, not just path legitimacy.
  4. 24 seconds of execution is enough for initial compromise. Microsoft Defender terminated the malicious process at 09:49:27 UTC, 24 seconds after execution began at 09:49:03 UTC. In that window, the malware could have registered persistence mechanisms, modified system configuration, or established command-and-control callbacks. The absence of lateral movement or data exfiltration in the telemetry does not prove the system is uncompromised; it shows that the security controls were fast enough to prevent observed post-execution actions. Treat any malware execution, however brief, as a successful initial compromise that warrants a review of registry, file, and network activity attributed to the process during its lifetime, and credential rotation for accounts active on the host.
  5. Supply chain compromises require vendor coordination. This investigation identified a malicious GoTo Resolve updater, but the scope extends far beyond ws-001. With 3,829 global detections, potentially every customer that received the update is affected. A single organization's detection is insufficient; the finding must be reported to GoTo Technologies immediately so they can issue a security advisory, determine whether the signing key or the build pipeline was compromised (revoking the certificate if the key was exposed), and push a clean update. Analysts should establish escalation procedures for supply chain incidents that include vendor notification, customer communication, and coordination with industry partners and threat intelligence sharing groups.