SupportScam:Win32/Screcwon!AMTB
Aliases: No associated aliases
Summary
SupportScam:Win32/Screcwon!AMTB is classified as a severe threat, representing a specialized form of malware designed not for covert data theft but for overt device manipulation to facilitate technical support fraud. This Win32-targeted malware acts as a gateway, deliberately creating a controlled environment of device instability and alarming user prompts. Its primary objective is to convince the user their Windows device is critically compromised, thereby motivating them to seek and contact fraudulent technical support channels operated by malicious actors. The remote operators can command the malware to perform a wide array of damaging actions, making it a flexible and persistent threat capable of file modification, Windows setting changes, and significant resource consumption, leading directly to financial risk and data loss.
- Upon suspicion of infection, the first step is to physically disconnect the infected device from all networks, including wired, Wi-Fi, and Bluetooth. If the device is part of a larger network, power it down to halt any ongoing data exfiltration or lateral movement attempts.
- Inspect and remove suspicious entries from the Run and RunOnce registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and the Startup folder.
- Manually review and delete unfamiliar files and folders in the %TEMP%, %LOCALAPPDATA%, and %PROGRAMDATA% directories.
- Reset any modified Windows settings, including desktop backgrounds and browser configurations (homepage, search provider).
- Use Windows recovery tools in an elevated Command Prompt: run sfc /scannow to repair protected system files.
- Follow with DISM /Online /Cleanup-Image /RestoreHealth to correct the Windows system image.
- Change passwords immediately for all critical accounts (email, banking, social media). Activate multi-factor authentication on every available service.
- Contact your financial institution using a verified official number to report potential fraud and dispute unauthorized transactions.
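The registry, Startup-folder and directory checks in the steps above, as an added PowerShell triage script that is not part of this page or of Microsoft's tooling: it enumerates the Run/RunOnce keys under HKCU and HKLM plus both Startup folders, and flags entries that launch from %TEMP%, %LOCALAPPDATA% or %PROGRAMDATA%. It assumes a Windows PowerShell 5.1 or later session; run it elevated so HKLM is fully readable.

```powershell
# Added triage helper (not Microsoft's tooling): lists Run/RunOnce autostart
# entries and Startup-folder items, flagging any that launch from the
# user-writable directories named in the steps above. Review-only; it removes nothing.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Directories the remediation steps single out for manual review.
$SuspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspectPath([string]$Command) {
    # Expand %VAR% references so "%TEMP%\x.exe" is compared as a real path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $SuspectRoots) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
$findings = @(foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $MetaProps) { continue }   # skip provider metadata, keep real values
        [pscustomobject]@{ Source = $key; Name = $p.Name
                           Command = [string]$p.Value; Suspect = Test-SuspectPath ([string]$p.Value) }
    }
})
$findings += @(foreach ($folder in $StartupFolders) {
    foreach ($item in Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue) {
        # A shortcut is judged by where it points; any other file runs from the folder itself.
        $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        [pscustomobject]@{ Source = $folder; Name = $item.Name
                           Command = $target; Suspect = Test-SuspectPath $target }
    }
})
# Flagged entries sort to the top; compare each against known, legitimately installed software before removing anything.
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A flagged entry is a candidate for review, not proof of infection; legitimate installers also place updaters under %LOCALAPPDATA% and %PROGRAMDATA%.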
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.