Cursor’s MCP: A Stealthy New Persistence Technique Hiding Malware in Windows Cursors
In the ever-evolving landscape of cybersecurity, attackers are constantly devising new and inventive ways to achieve persistence on compromised systems while evading detection. A recently uncovered technique, dubbed “Cursor’s MCP,” exemplifies this trend by abusing a seemingly harmless component of the Windows operating system: the cursor file.
This method allows threat actors to execute malicious code by hiding it within .cur and .ani (animated cursor) files, using a legitimate Microsoft executable to run their payload. By leveraging trusted system components, this attack can fly under the radar of many traditional security solutions.
This article breaks down how the Cursor’s MCP technique works, why it’s so effective, and what you can do to defend your systems against it.
What is the Cursor’s MCP Technique?
Cursor’s MCP (Microsoft Connection Pass-through) is a persistence and code execution technique that hides malicious shellcode inside the file structure of a Windows cursor. It’s a classic example of a Living off the Land (LotL) attack, as it relies entirely on legitimate Windows files and signed executables to achieve its goals. This makes it incredibly difficult for standard antivirus programs, which are often looking for overtly malicious executables, to spot.
The core of the attack involves three main components:
- A specially crafted cursor file (
.anior.cur). - A legitimate Windows executable:
mshta.exe. - The Windows Registry for achieving persistence.
How the Attack Works: A Step-by-Step Breakdown
To understand the danger, it’s crucial to see how these legitimate components are chained together to execute malicious code.
Hiding Code in the ‘JUNK’ Chunk
The Windows animated cursor (.ani) file format contains various “chunks” of data that define the animation, frames, and rates. One of these is the ‘JUNK’ chunk, a section designed to hold optional information like author or copyright details. Attackers have found that they can insert malicious shellcode directly into this chunk without corrupting the file or preventing it from being recognized as a valid cursor.Abusing a Trusted Microsoft Executable:
mshta.exe
The key to executing the hidden code ismshta.exe, a native Windows utility designed to run Microsoft HTML Applications (HTA files). While its intended purpose is to render web content, it can also be instructed to load other types of resources. Attackers exploit this functionality becausemshta.exeis a signed, trusted Microsoft binary, meaning it won’t be flagged by simple application control or whitelisting policies.The
res://Protocol as a Trigger
The attack is triggered using a specific command that pointsmshta.exeto the malicious cursor file. This is done using theres://protocol, which tells the executable to load a resource from a specified file path. Whenmshta.exeis instructed to load the specially crafted.anifile via this protocol, it processes the file and unintentionally executes the shellcode hidden within the ‘JUNK’ chunk.Achieving Persistence Through the Registry
To ensure the malicious code runs automatically, attackers need to establish persistence. This is achieved by modifying the Windows Registry. An attacker can change the registry keys that define the default system cursors (e.g., the standard arrow or waiting-in-background spinner) to point to their malicious.anifile.For example, by altering a value in
HKEY_CURRENT_USER\Control Panel\Cursors, the malicious cursor will be loaded every time a user logs in or a specific system event occurs, guaranteeing that the hidden code is executed repeatedly.
Why is This Technique So Dangerous?
The Cursor’s MCP method is particularly effective for several reasons:
- Extreme Stealth: The attack uses only legitimate, signed Microsoft components. There are no suspicious
.exeor.dllfiles dropped onto the system, making it highly evasive. - File Type Obscurity: Security scanners and EDRs are not typically configured to perform deep inspection of
.curand.anifiles for embedded code, allowing them to pass through security checks unnoticed. - Reliable Persistence: Linking the execution to a common system event via the registry ensures the attacker maintains access even after a system reboot.
How to Defend Against Cursor’s MCP Attacks
Protecting against such a stealthy technique requires a defense-in-depth strategy focused on behavior rather than just signatures. Here are actionable security tips for detection and mitigation:
Monitor
mshta.exeProcess Execution: Security teams should implement strict monitoring formshta.exe. Pay close attention to its parent processes and command-line arguments. Execution ofmshta.exewith command lines containing theres://protocol is highly suspicious and should be investigated immediately.Enhance File and Registry Monitoring: Configure your security tools to monitor for changes in the
HKEY_CURRENT_USER\Control Panel\Cursorsregistry key. Additionally, scan for.anifiles with abnormally large ‘JUNK’ chunks or unusual file sizes, which could indicate embedded shellcode.Leverage Advanced EDR Solutions: Modern Endpoint Detection and Response (EDR) tools are essential for catching LotL attacks. An EDR can detect the anomalous behavioral chain—for instance,
mshta.exespawning a command shell (cmd.exe) or PowerShell process—which is a strong indicator of compromise.Apply the Principle of Least Privilege: Ensure that standard user accounts do not have permissions to modify critical system registry keys. This can prevent an attacker from easily establishing persistence.
By understanding the mechanics of this novel technique, security professionals can adjust their defensive posture, tune their monitoring tools, and better prepare for the creative methods that threat actors will inevitably use next.
Source: https://go.theregister.com/feed/www.theregister.com/2025/08/05/mcpoison_bug_abuses_cursor_mcp/
