Trojan:MSIL/Socelar.SCC is a multi-stage malware threat written in Microsoft Intermediate Language (MSIL/.NET) that operates as a loader and information stealer. First observed in the wild in late 2022, this trojan belongs to a family of modular threats designed to establish persistence on Windows systems, download additional payloads, and exfiltrate sensitive data including credentials, browser information, and system fingerprints. The "SCC" suffix indicates a specific variant within the Socelar family, though the core behavior patterns remain consistent across versions.
Once installed, Socelar.SCC typically operates quietly in the background, masquerading as a legitimate system process while communicating with remote command-and-control servers. The modular nature of this threat means infected machines often serve as launch points for secondary infections—ransomware, cryptominers, remote access tools, or banking trojans may follow depending on the attacker's objectives. Detection rates vary as threat actors frequently recompile and obfuscate the code to evade signature-based antivirus products.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Family | Socelar trojan-loader family |
| Also Known As | MSIL/Socelar, Socelar.SCC, Agentb.SCC (by some vendors) |
| Platform | Windows (all versions); requires .NET Framework 4.0 or higher |
| First Observed | Q4 2022 (variant SCC identified early 2023) |
| Distribution Methods | Malicious email attachments, software cracks, fake installers, exploit kits, drive-by downloads |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, startup folder shortcuts, COM hijacking (varies by deployment) |
| Primary Capabilities | Payload download and execution, credential theft, browser data harvesting, system reconnaissance, keylogging (via downloaded modules) |
| Typical File Locations | %APPDATA%\[random folder]\[random].exe, %LOCALAPPDATA%\Temp\[GUID]\, %PROGRAMDATA%\[fake company name]\ |
| Network Behavior | HTTPS POST requests to compromised WordPress sites or bulletproof hosting; often uses legitimate cloud services (Discord CDN, Pastebin, GitHub) for C2 or payload hosting |
| Data Exfiltration | Browser cookies/passwords, cryptocurrency wallet files, FTP credentials, email client data, system configuration details |
| Detection Difficulty | Moderate to high; frequent obfuscation updates, legitimate code-signing occasionally observed, uses process hollowing and injection to hide |
| Removal Complexity | Moderate; requires identifying all persistence points and ensuring no secondary payloads remain active |
How It Spreads
Trojan:MSIL/Socelar.SCC primarily reaches victims through social engineering that tricks users into executing malicious files. The most common infection vector is phishing email disguised as an invoice, shipping notification, or urgent account alert. These messages carry ZIP or RAR archives with an executable inside, often a double-extension file such as "Invoice_March.pdf.exe"; because Windows Explorer hides known file extensions by default, the file shows up as "Invoice_March.pdf" with a PDF-looking icon and is easy to mistake for a document. Less frequently, the trojan arrives bundled with pirated software, keygen tools, or game cracks downloaded from file-sharing sites.
Drive-by download campaigns also play a significant role in Socelar.SCC distribution. Compromised websites, particularly outdated WordPress installations, may host exploit kits that probe a visitor's browser for unpatched vulnerabilities. Older kits relied on Adobe Flash, Java, and Internet Explorer components; Flash has been retired since the end of 2020 and Internet Explorer since mid-2022, so current kits target whatever unpatched browser or plugin code is still installed. If an exploit succeeds, the trojan downloads and executes silently without user interaction. In some enterprise environments, the infection spreads laterally after an initial compromise via password-spraying attacks against SMB shares or exploitation of unpatched Windows services.
- Malicious email attachments: ZIP/RAR files containing obfuscated .NET executables, often with convincing filenames related to business documents
- Software piracy: Bundled with cracks, keygens, "portable" versions of commercial software, and game trainers from torrent sites and warez forums
- Fake installers: Disguised as legitimate software updates (Flash Player, codec packs, browser updates) on download portals and malvertising networks
- Exploit kits: Automated infection via browser vulnerabilities when visiting compromised or malicious websites
- Malvertising: Malicious advertisements on legitimate websites that redirect to landing pages hosting the trojan
- Social media links: Shortened URLs in Facebook/LinkedIn messages leading to fake download pages
- USB propagation: Less common, but some variants include worm-like autorun functionality to spread via removable media
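The double-extension and disguised-executable tricks described above can be checked for mechanically. The PowerShell below is an added example, not code from the original page or from any vendor: it walks a folder (a Downloads directory or an extracted archive) and flags names like "Invoice_March.pdf.exe", names containing the right-to-left override character that reverses how an extension is displayed, and files whose content starts with the "MZ" PE header even though their extension says PDF or image. The extension lists and the sample files it creates in a scratch directory are constructed for the demonstration.

```powershell
# Added example: flag files that use extension tricks to hide an executable.
# Extension lists are assumptions; extend them for your environment.
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.msi', '.ps1')
$DocumentExtensions   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg', '.png', '.zip', '.rar')

function Test-DoubleExtension {
    param([string]$Name)
    # "Invoice_March.pdf.exe": last extension executable, the one before it document-like.
    $parts = $Name.ToLowerInvariant() -split '\.'
    if ($parts.Count -lt 3) { return $false }
    $last = '.' + $parts[-1]
    $prev = '.' + ($parts[-2] -replace '\s+$', '')    # tolerate "Invoice.pdf .exe"
    return ($ExecutableExtensions -contains $last) -and ($DocumentExtensions -contains $prev)
}

function Test-RtloName {
    param([string]$Name)
    # U+202E reverses display order, so "photo[U+202E]fdp.exe" renders as "photoexe.pdf".
    return $Name.Contains([char]0x202E)
}

function Test-HiddenPeHeader {
    param([string]$Path)
    # Every Windows executable (including .NET assemblies) starts with "MZ"; a PDF or image never does.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ExecutableExtensions -contains $ext) { return $false }   # already obviously executable
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf  = New-Object byte[] 2
            $read = $fs.Read($buf, 0, 2)
        } finally { $fs.Dispose() }
    } catch { return $false }
    return ($read -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
}

function Find-SuspiciousDownloads {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse -Force | ForEach-Object {
        $reasons = @()
        if (Test-DoubleExtension $_.Name)     { $reasons += 'double extension' }
        if (Test-RtloName $_.Name)            { $reasons += 'right-to-left override in name' }
        if (Test-HiddenPeHeader $_.FullName)  { $reasons += 'PE header behind non-executable extension' }
        if ($reasons) {
            [pscustomobject]@{ Path = $_.FullName; Reason = ($reasons -join '; ') }
        }
    }
}

# --- Demo on constructed files in a scratch directory (not real malware samples) ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('ext-check-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$mz = [byte[]]((0x4D, 0x5A) + (New-Object byte[] 62))     # fake DOS stub: "MZ" plus padding
[System.IO.File]::WriteAllBytes((Join-Path $demo 'Invoice_March.pdf.exe'), $mz)   # double extension
[System.IO.File]::WriteAllBytes((Join-Path $demo 'Statement.pdf'), $mz)           # PE disguised as PDF
Set-Content -Path (Join-Path $demo 'Real_Invoice.pdf') -Value '%PDF-1.4'          # benign
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'hello'                    # benign

Find-SuspiciousDownloads -Folder $demo | Format-Table -AutoSize
Remove-Item -Recurse -Force $demo
```

Run it against a real Downloads folder with `Find-SuspiciousDownloads -Folder "$env:USERPROFILE\Downloads"`. The header check is the useful one: renaming a .NET loader to ".pdf" fools the extension list but not the first two bytes of the file.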
What It Does On Your Machine
Upon execution, Trojan:MSIL/Socelar.SCC immediately begins establishing persistence to survive system reboots. The trojan typically copies itself to a hidden or obscure directory within the user's AppData folder, using randomized folder and file names to avoid easy detection. Common locations include directories with GUID-style names or folders disguised as legitimate Windows components. The malware then modifies Windows Registry Run keys to ensure it launches automatically at startup, and may also create scheduled tasks that execute the payload at regular intervals or specific system events.
The core functionality revolves around reconnaissance and data theft. Socelar.SCC systematically inventories the infected system, collecting details about installed software, running processes, security products, network configuration, and hardware specifications. This fingerprint helps attackers determine the machine's value and what additional payloads might be profitable. The trojan specifically targets web browser profile folders, extracting stored credentials, cookies, autofill data, and browsing history from Chrome, Firefox, Edge, and other Chromium-based browsers. Cryptocurrency wallet files, FileZilla FTP credentials, and email client databases frequently appear on the exfiltration list.
As a modular loader, Socelar.SCC serves as the entry point for more dangerous threats. After establishing its foothold and transmitting initial reconnaissance data, the trojan contacts command-and-control servers to receive instructions and download secondary payloads. These might include ransomware variants, cryptocurrency mining software that consumes CPU/GPU resources, remote administration tools granting attackers full system control, or additional information stealers targeting specific data types. The malware uses code injection techniques to hide these processes within legitimate Windows services, making detection more challenging.
Manual Removal — Step by Step
Disconnect from the Network Immediately
Before attempting any removal steps, disconnect your computer from the internet to prevent the trojan from downloading additional payloads or exfiltrating more data. Unplug the Ethernet cable or disable Wi-Fi through the network icon in the system tray. This breaks the malware's communication channel with its command-and-control servers and limits potential damage.
Boot Into Safe Mode with Networking
Restart your computer into Safe Mode. On Windows 7 and earlier, press F8 repeatedly before Windows loads and choose "Safe Mode" from the Advanced Boot Options menu. On Windows 10/11 the F8 menu is disabled by default: hold Shift while clicking Restart on the Start menu (or use Settings → Update & Security → Recovery → Advanced startup on Windows 10, Settings → System → Recovery → Advanced startup on Windows 11), then choose Troubleshoot → Advanced options → Startup Settings → Restart and press 4 for Safe Mode. Safe Mode loads only core drivers and services, so Run-key and scheduled-task persistence will normally not start the trojan. Because you disconnected the network in the previous step, plain Safe Mode is the right choice; pick option 5, "Safe Mode with Networking", only if you genuinely need to download tools and cannot bring them over on a USB drive from a clean machine.
Terminate Malicious Processes
Press Ctrl+Shift+Esc to open Task Manager. On the Details tab, right-click a column header, choose "Select columns", and enable "Image path name" and "Command line" so every process shows where it was launched from. Look for suspicious processes: random names running from your AppData folders, processes consuming unusual CPU, or executables masquerading as Windows components (such as "svchosts.exe" instead of "svchost.exe", or a genuine-looking name running from somewhere other than C:\Windows\System32). Right-click suspicious entries, select "Open file location" to verify the path, then End Task if confirmed malicious. Document the file locations before proceeding; you will need them in the next steps.
Remove Registry Persistence Entries
Press Windows Key + R, type "regedit" and hit Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to executables in AppData, ProgramData, or other suspicious locations documented in Step 3. Right-click these entries and delete them. Also check the RunOnce keys in the same locations and, on 64-bit Windows, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run. Finally, inspect the Startup folders (Windows Key + R, then "shell:startup" and "shell:common startup") for shortcuts pointing at the same files. Create a System Restore point first if you're uncertain about any entries.
Delete Scheduled Tasks
Open Task Scheduler (search for it in the Start menu). Expand Task Scheduler Library and examine recent or suspicious tasks, including tasks dropped into the Microsoft\Windows subfolders where they blend in with legitimate system tasks. Look for tasks with vague names like "SecurityUpdate" or "HealthCheck" that execute programs from AppData or ProgramData folders, or that run every few minutes or at every logon. Right-click suspicious tasks, select Properties to verify the Actions and Triggers tabs, then delete confirmed malicious entries.
Delete the Malware Files and Folders
Using File Explorer with hidden files visible (View → Options → View tab → Show hidden files, folders, and drives), navigate to the folders identified in Step 3. If you may later need to know what was stolen, copy the files into a password-protected archive first so they can be analyzed; then delete the entire containing folder (typically with a GUID-style name in AppData\Roaming or AppData\Local). Also check C:\ProgramData for unfamiliar folders. Empty the Recycle Bin afterward. If you receive "file in use" errors, the process wasn't properly terminated in Step 3; return to Task Manager and end all related processes.
Scan with Reputable Anti-Malware Software
Download and install Malwarebytes Free or another reputable anti-malware tool (using a clean computer if necessary, transferring via USB). Update the definitions to the latest version, then run a full system scan, not just a quick scan. The software should detect any remaining components, secondary payloads, or artifacts that manual removal missed. Quarantine or delete all detected threats. Consider running a second scan with a different tool (like Emsisoft Emergency Kit) for confirmation; on Windows 10/11 a Microsoft Defender Offline scan (Windows Security → Virus & threat protection → Scan options) runs before Windows loads and needs no download.
Reset Browser Settings and Clear Data
Since Socelar.SCC steals browser credentials and may install extensions, reset your browsers to default settings. In Chrome/Edge, go to Settings → Reset settings → Restore settings to original defaults. In Firefox, use Help → More Troubleshooting Information → Refresh Firefox. Clear all browsing data including cookies, cached files, and saved passwords. Check installed extensions and remove anything unfamiliar that appeared around the time of infection.
Change All Passwords from a Clean Device
Assume all credentials stored in your browsers or typed during the infection period have been compromised. Using a different, known-clean computer or mobile device, change passwords for email accounts, banking sites, social media, cloud storage, and any other sensitive services. Enable two-factor authentication wherever possible. Monitor financial accounts for unauthorized transactions over the following weeks.
Reboot and Verify Clean Status
Restart your computer normally (exit Safe Mode). Once Windows loads, reconnect to the network and immediately check Task Manager for suspicious processes. Run another quick scan with your anti-malware software to confirm the system remains clean. Monitor system performance and network activity for several days—unusual slowness, unexpected network connections, or new unknown processes may indicate incomplete removal or reinfection. If problems persist, professional assistance is recommended.
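The persistence points covered in Steps 3 through 6 (Run/RunOnce keys, Startup folders, scheduled tasks, and running processes) can be audited in one pass, and the same audit is a useful post-reboot verification. The PowerShell below is an added example, not code from the original page: it is read-only, reporting anything that runs from a user-writable location, lacks a valid Authenticode signature, or uses a system-process name outside System32, and leaves the deleting to you. The list of "user-writable" roots and the name pattern are assumptions; run it from an elevated prompt so HKLM and all tasks are readable.

```powershell
# Added example: read-only audit of autostart locations and running processes.
# It prints candidates for manual review; it deletes nothing.
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData,
    "$env:USERPROFILE\Downloads", "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }   # assumption: typical drop folders
$RegistryMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $UserWritableRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CommandPath {
    # Extract the executable from a command line such as "C:\x\y.exe" --silent or %APPDATA%\a\b.exe /run
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($expanded -split '\s+')[0] }
    if (-not [System.IO.Path]::IsPathRooted($exe)) {           # bare names like rundll32.exe: resolve via PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($RegistryMeta -contains $p.Name) { continue }   # skip provider metadata, keep real values
            [pscustomobject]@{ Source = "Registry $key"; Name = $p.Name; Target = Get-CommandPath $p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
        if (-not (Test-Path $f)) { continue }
        foreach ($file in Get-ChildItem -Path $f -File -Force) {
            $target = $file.FullName
            if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
            [pscustomobject]@{ Source = 'Startup folder'; Name = $file.Name; Target = $target }
        }
    }
}

function Get-ScheduledTaskEntries {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }              # COM-handler actions carry no Execute
            [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName
                               Target = Get-CommandPath "$($action.Execute) $($action.Arguments)" }
        }
    }
}

function Get-RunningProcessEntries {
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        if ($proc.Path) {
            [pscustomobject]@{ Source = 'Process'; Name = "$($proc.ProcessName) (PID $($proc.Id))"; Target = $proc.Path }
        }
    }
}

function Invoke-PersistenceAudit {
    $sys32 = "$env:SystemRoot\System32"
    $entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-ScheduledTaskEntries) + @(Get-RunningProcessEntries)
    foreach ($e in $entries) {
        $flags = @()
        if (Test-UserWritablePath $e.Target) { $flags += 'runs from user-writable location' }
        if ($e.Target -and (Test-Path -LiteralPath $e.Target)) {
            $sig = Get-AuthenticodeSignature -FilePath $e.Target
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            # Typo-squatted or relocated system names, e.g. svchosts.exe or svchost.exe in AppData
            if ((Split-Path $e.Target -Leaf) -match '^(svchosts?|csrss|lsass|explorer)\.exe$' -and
                -not $e.Target.StartsWith($sys32, 'OrdinalIgnoreCase') -and
                -not $e.Target.StartsWith($env:SystemRoot + '\explorer.exe', 'OrdinalIgnoreCase')) {
                $flags += 'system-process name outside its normal location'
            }
        } elseif ($e.Target) { $flags += 'target missing on disk' }
        if ($flags) { $e | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru }
    }
}

Invoke-PersistenceAudit | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Expect some noise: legitimate updaters such as OneDrive and Teams also autostart from AppData, and some vendors ship unsigned binaries. Treat "user-writable location" together with "signature: NotSigned" and a random or GUID-style folder name as the combination worth investigating, and record the reported paths before deleting anything.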
Prevention
- Maintain updated security software: Install reputable antivirus/anti-malware with real-time protection enabled. Keep definitions automatically updated. While no solution catches 100% of threats, modern security suites detect most Socelar variants through behavioral analysis even when signatures lag.
- Keep Windows and all software patched: Enable automatic Windows Updates and install them promptly. Pay special attention to patching Adobe products, Java, browsers, and other internet-facing software that exploit kits commonly target. Remove software you no longer use rather than leaving it unpatched.
- Exercise extreme caution with email attachments: Never open attachments from unexpected senders, even if they appear to come from known contacts (email spoofing is trivial). Be especially wary of executable files, archives, and Office documents with macros. When in doubt, contact the purported sender through an independent channel before opening.
- Show file extensions in Windows: In File Explorer, go to View → Options → View tab and uncheck "Hide extensions for known file types." This simple change reveals double-extension tricks like "document.pdf.exe" that fool users into running malware.
- Download software only from official sources: Avoid third-party download sites, torrent repositories, and "free crack" websites entirely. These are primary malware distribution channels. Purchase legitimate software or use official free alternatives—the cost savings from pirated software pale in comparison to dealing with data theft or ransomware.
- Use standard user accounts for daily activities: Don't operate with administrator privileges for routine tasks. Create a separate standard user account for web browsing and email. Malware executed without admin rights has more limited persistence options and reduced system access.
- Implement browser security best practices: Disable Java and Flash plugins entirely (both are deprecated and unnecessary for modern websites). Install ad-blocking and script-blocking extensions like uBlock Origin. Configure browsers to prompt before downloading files and to scan downloads with Windows Defender.
- Regularly backup critical data: Maintain offline backups of important files on external drives disconnected when not backing up. Cloud backups with versioning (that retain previous file versions) provide additional protection against ransomware often deployed after trojan infections. Test restoration periodically to verify backup integrity.
Bring It In
Trojan infections like Socelar.SCC often leave behind hidden components that evade standard removal procedures. Even after following the manual steps above, secondary payloads may remain dormant, registry corruption could cause system instability, or stolen credentials might already be circulating on underground forums. Computer Repair Roswell's technicians have removed thousands of malware infections from Roswell-area homes and businesses, and we maintain current threat intelligence on evolving trojan families.
Our malware removal service includes forensic analysis to determine what data may have been compromised, complete eradication of the infection and any secondary malware, security hardening to prevent reinfection, and detailed documentation of what we found and fixed. We're located at 1865 Woodstock Road in Roswell, open Monday through Saturday with same-day service available for urgent cases. Call us at (770) 691-6089 to schedule an appointment or stop by with your infected computer—we'll provide a free diagnostic assessment and transparent pricing before beginning any work. Don't gamble with your personal data or business information; let professionals ensure your system is truly clean.