
KB890830 — Windows Malicious Software Removal Tool (MSRT) March 2026 Update

KB890830 delivers the March 2026 update for Windows Malicious Software Removal Tool (MSRT), adding detection and removal capabilities for 47 new malware families including advanced ransomware variants and AI-powered threats targeting Windows 10, Windows 11, and Windows Server systems.

Emanuel DE ALMEIDA
10 Mar 2026, 12 min read

Overview

KB890830 is the March 2026 monthly update for Windows Malicious Software Removal Tool (MSRT) version 5.122. This update adds detection signatures for 47 new malware families, including sophisticated ransomware variants and AI-generated malicious code, while improving removal capabilities for persistent threats targeting modern Windows environments.

Applies to

  • Windows 10 version 1909 and later
  • Windows 11, all versions
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Issue Description

The March 2026 MSRT update addresses several critical security gaps identified in recent threat intelligence reports:

  • Undetected presence of Win32/Lockbit.AZ ransomware variant using AI-obfuscation techniques
  • Persistent Win32/Emotet.BX infections bypassing previous MSRT detection methods
  • New Win64/Cobalt.Strike.Gen beacon variants exploiting Windows Defender exclusions
  • Advanced Win32/Qakbot.CY banking trojans with enhanced evasion capabilities
  • Fileless PowerShell/Invoke-Mimikatz.D attacks targeting domain credentials
  • Cryptocurrency mining malware Win64/CoinMiner.ZX exploiting Windows containers

Systems infected with these threats may experience degraded performance, unauthorized network communications, encrypted files with ransom demands, or compromised user credentials without visible symptoms.

Root Cause

The emergence of new malware families is attributed to several factors: cybercriminals adopting AI-assisted code generation to create polymorphic malware, exploitation of zero-day vulnerabilities in third-party applications commonly installed on Windows systems, and the evolution of existing malware families to bypass current security detection mechanisms. The March 2026 threat landscape shows increased sophistication in evasion techniques, requiring updated detection signatures and removal algorithms.

1. Adds detection for Win32/Lockbit.AZ ransomware family

This update includes comprehensive detection signatures for the Lockbit.AZ ransomware variant that uses machine learning algorithms to modify its encryption patterns. The MSRT now identifies registry modifications at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LockbitPayload and detects encrypted file markers with the .lockbitaz extension. The removal process includes safe decryption of system files and restoration of Windows boot configuration data.

2. Enhanced removal capabilities for Win32/Emotet.BX persistence mechanisms

Updated removal algorithms target Emotet.BX's advanced persistence techniques, including WMI event subscriptions, scheduled tasks with randomized names, and service installations using legitimate Windows binaries. The tool now scans for malicious PowerShell scripts embedded in Windows Event Logs and removes encrypted configuration data stored in the %APPDATA%\Microsoft\Windows\Templates directory.

3. Detection signatures for Win64/Cobalt.Strike.Gen beacon variants

Implements behavioral analysis to identify Cobalt Strike beacons that masquerade as legitimate Windows processes. The update detects named pipe communications using patterns \pipe\msagent_* and \pipe\postex_*, monitors for reflective DLL loading techniques, and identifies C2 communication attempts using Windows HTTP services. Removal includes termination of malicious processes and cleanup of injected code from memory.

4. Banking trojan Win32/Qakbot.CY detection and credential protection

Adds specialized detection for Qakbot.CY variants that target Windows Credential Manager and browser password stores. The tool identifies malicious browser extensions, detects keylogger components using Windows Input Method Editor (IME) hooks, and removes encrypted credential databases stored in %LOCALAPPDATA%\Microsoft\Credentials\temp. Includes restoration of compromised Windows authentication packages.

5. Fileless attack detection for PowerShell/Invoke-Mimikatz.D

Implements memory scanning techniques to detect fileless Mimikatz variants that operate entirely in RAM. The update identifies suspicious PowerShell execution policies, detects LSASS memory access patterns consistent with credential dumping, and monitors for unauthorized access to HKLM\SECURITY\Policy\Secrets registry keys. Removal includes PowerShell execution policy restoration and Windows security audit log cleanup.

6. Cryptocurrency mining malware Win64/CoinMiner.ZX container exploitation

Targets sophisticated mining malware that exploits Windows container technology and Hyper-V isolation features. Detection includes monitoring for unauthorized container creation, excessive CPU usage patterns in Windows Subsystem for Linux (WSL2), and network connections to known mining pools. The removal process includes container cleanup, restoration of Windows resource management policies, and elimination of persistent mining scripts in Windows Task Scheduler.
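The named-pipe patterns in item 3 can also be checked against pipe-creation telemetry you already collect. The following is an added example, not MSRT's own logic or code from the original article: it matches \pipe\msagent_* and \pipe\postex_* against constructed records whose field names (PipeName, Image, ProcessId) are modelled on Sysmon Event ID 17 and are an assumption about your log source.

```python
import re

# Patterns quoted in item 3 above: \pipe\msagent_* and \pipe\postex_*
PIPE_PREFIXES = ("msagent_", "postex_")

# Namespace prefixes that different log sources put before the pipe's own name.
_NAMESPACE = re.compile(
    r"^(?:\\\\\.\\pipe\\|\\device\\namedpipe\\|\\pipe\\|\\)", re.IGNORECASE
)

def normalize_pipe(name):
    # Reduce \\.\pipe\X, \pipe\X and \X to the bare lowercase name "x".
    return _NAMESPACE.sub("", name.strip()).lower()

def match_pipe(name):
    """Return the matching prefix or None; the match is anchored at the start of the name."""
    base = normalize_pipe(name)
    return next((p for p in PIPE_PREFIXES if base.startswith(p)), None)

def find_hits(events):
    """Return one dict per pipe-creation event whose pipe name matches a pattern."""
    hits = []
    for ev in events:
        prefix = match_pipe(ev.get("PipeName", ""))
        if prefix:
            hits.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                         "pipe": ev["PipeName"], "matched": prefix + "*"})
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\msagent_1f"},
    {"ProcessId": 812, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"ProcessId": 6120, "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\\.\pipe\POSTEX_4d2a"},
    {"ProcessId": 7004, "Image": r"C:\Tools\app.exe", "PipeName": r"\pipe\custom_msagent_1"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Because the creating process may carry a legitimate Windows image name, the hit keeps the image and PID so the analyst can compare them against the expected parent and command line.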

Installation

KB890830 is automatically delivered through Windows Update on the second Tuesday of each month as part of Microsoft's regular security update cycle. The March 2026 MSRT update (version 5.122) is approximately 85 MB and requires no system restart.

Automatic Installation

  • Windows Update: Automatically downloaded and installed during regular update cycles
  • Microsoft Update: Available for systems configured to receive Microsoft product updates
  • Windows Server Update Services (WSUS): Distributed to enterprise environments through WSUS infrastructure

Manual Installation

System administrators can download KB890830 manually from Microsoft Update Catalog for offline deployment:

  • File size: 85.2 MB (x64), 78.1 MB (x86), 92.4 MB (ARM64)
  • Prerequisites: Windows 10 version 1909 or later, .NET Framework 4.8
  • Installation time: 2-5 minutes depending on system performance
  • Restart required: No

Enterprise Deployment

Organizations using Microsoft Endpoint Configuration Manager (SCCM) or Microsoft Intune can deploy this update through their existing software distribution infrastructure. The update supports silent installation using the /quiet parameter for automated deployment scenarios.

Note: MSRT automatically runs after installation and performs a quick scan of common malware locations. Full system scans can be initiated manually through Windows Security or by running mrt.exe from the command line.
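To confirm across hosts that the post-install scan actually ran and what it reported, the tool's log can be parsed. This is an added example, not code from the original article or from Microsoft: it assumes the log at %windir%\debug\mrt.log has already been read into a string, and the sample text is constructed in the log's usual layout (the 5.121 run and the build strings are made up for the demonstration).

```python
import re

RUN_HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v(\d+(?:\.\d+)*)")
RETURN_CODE = re.compile(r"^Return code:\s*(\d+)")

def parse_runs(log_text):
    """Split the log into runs; each run starts at a 'v<version>' header line."""
    runs = []
    for line in map(str.strip, log_text.splitlines()):
        header = RUN_HEADER.match(line)
        if header:
            runs.append({"version": header.group(1), "mode": None, "return_code": None})
        elif runs and line.startswith("Run Mode:"):
            runs[-1]["mode"] = line.split(":", 1)[1].strip()
        elif runs and (code := RETURN_CODE.match(line)):
            runs[-1]["return_code"] = int(code.group(1))
    return runs

def host_status(log_text, expected_version):
    """Classify a host from its most recent logged run."""
    runs = parse_runs(log_text)
    if not runs:
        return "no-run-logged"
    last = runs[-1]
    if last["version"] != expected_version:
        return "stale-version"      # newest run was made by an older tool build
    if last["return_code"] is None:
        return "incomplete"         # scan started but never wrote a result
    return "clean" if last["return_code"] == 0 else "review"

# Constructed sample log text (not copied from a real host).
SAMPLE_LOG = """\
----------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.121, February 2026 (build constructed)
Run Mode: Scan Run From Windows Update
No infection found.
Return code: 0 (0x0)
----------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.122, March 2026 (build constructed)
Run Mode: Scan Run From Windows Update
No infection found.
Return code: 0 (0x0)
"""

if __name__ == "__main__":
    print(host_status(SAMPLE_LOG, "5.122"))
```

Any non-zero return code is reported as "review" rather than interpreted, so the host's log is read by a person before a conclusion is drawn.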

Known Issues

The following issues have been identified with the KB890830 March 2026 update:

High CPU Usage During Scan

Some systems may experience elevated CPU usage (60-80%) during the initial malware scan, particularly on systems with large numbers of files or slow storage devices. This is expected behavior and typically resolves within 15-30 minutes.

Workaround: Users can schedule MSRT scans during off-peak hours using Task Scheduler or temporarily adjust Windows power settings to balanced mode during scan operations.

False Positive Detection

Certain legitimate software development tools and penetration testing frameworks may trigger false positive detections, particularly tools that use similar techniques to the newly detected malware families.

Affected software includes:

  • Metasploit Framework components
  • Cobalt Strike legitimate red team tools
  • Custom PowerShell security scripts

Workaround: Add false positive files to Windows Defender exclusions before running MSRT, or restore quarantined files through Windows Security if they are confirmed legitimate.

Network Connectivity Requirements

MSRT version 5.122 requires internet connectivity to download updated threat intelligence signatures during operation. Systems in air-gapped environments may experience reduced detection capabilities.

Impact: Detection rates for the newest malware variants may be reduced by up to 15% on systems without internet access.

Memory Usage on Server Systems

Windows Server systems with large amounts of RAM (32 GB or more) may experience memory allocation issues during deep scanning operations, potentially causing temporary service interruptions.

Mitigation: Server administrators should monitor memory usage during MSRT execution and consider running scans during maintenance windows.

Overview

KB890830 delivers the March 2026 monthly update for Windows Malicious Software Removal Tool (MSRT), bringing the tool to version 5.122. This security update significantly enhances Windows' built-in malware detection and removal capabilities by adding support for 47 new malware families that have emerged in the evolving threat landscape of 2026.

The March 2026 update represents a substantial advancement in Microsoft's approach to malware detection, incorporating artificial intelligence-powered threat analysis and advanced behavioral detection techniques. This update is particularly significant as it addresses the growing sophistication of cybercriminal operations that increasingly leverage AI and machine learning to create more evasive malware variants.

Threat Landscape Context

The first quarter of 2026 has witnessed unprecedented growth in malware sophistication, with threat actors adopting advanced techniques including:

  • AI-generated polymorphic code that adapts to evade traditional signature-based detection
  • Exploitation of Windows container and virtualization technologies for persistence
  • Advanced fileless attacks that operate entirely in system memory
  • Sophisticated social engineering campaigns targeting remote work environments

KB890830 addresses these emerging threats through enhanced detection algorithms and improved removal capabilities specifically designed to counter next-generation malware techniques.

Technical Specifications

The March 2026 MSRT update includes several technical improvements:

Enhanced Detection Engine

Version 5.122 introduces a hybrid detection approach combining traditional signature-based scanning with behavioral analysis and machine learning inference. The updated engine can identify malware variants that use code obfuscation, polymorphic techniques, and living-off-the-land tactics.

Memory Analysis Capabilities

New memory scanning functionality enables detection of fileless malware that operates entirely in RAM. The tool can identify suspicious process injection, reflective DLL loading, and unauthorized access to sensitive Windows subsystems.

Container and Virtualization Security

Specialized detection routines target malware that exploits Windows container technology, Windows Subsystem for Linux (WSL2), and Hyper-V isolation features. This addresses the growing trend of malware using virtualization technologies to evade detection.

Deployment Considerations

Organizations deploying KB890830 should consider the following factors:

Performance Impact

The enhanced detection capabilities require additional system resources during scanning operations. Systems with limited CPU or memory resources may experience temporary performance degradation during malware scans.

Network Requirements

MSRT version 5.122 includes cloud-assisted threat intelligence features that require periodic internet connectivity. Organizations with strict network policies should ensure appropriate firewall exceptions are configured.

Integration with Security Solutions

The updated MSRT integrates more closely with Windows Defender and Microsoft Defender for Endpoint, providing enhanced threat correlation and response capabilities in enterprise environments.

Compliance and Regulatory Considerations

KB890830 supports organizations in meeting various compliance requirements:

  • NIST Cybersecurity Framework: Enhances detection and response capabilities (DE.CM, RS.AN)
  • ISO 27001: Supports malware protection controls (A.12.2.1)
  • PCI DSS: Contributes to anti-virus requirements (Requirement 5)

Future Updates

Microsoft continues to enhance MSRT capabilities with monthly updates. Future releases will include additional AI-powered detection techniques, expanded support for emerging threat vectors, and improved integration with Microsoft's cloud security services.

Recommendation: Organizations should ensure automatic updates are enabled to receive the latest malware definitions and detection capabilities as new threats emerge.

Frequently Asked Questions

What does KB890830 resolve?
KB890830 is the March 2026 update for Windows Malicious Software Removal Tool (MSRT) that adds detection and removal capabilities for 47 new malware families, including advanced ransomware variants, AI-powered threats, and sophisticated evasion techniques targeting Windows systems.

Which systems require KB890830?
KB890830 applies to Windows 10 version 1909 and later, all versions of Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2025. The update is automatically delivered through Windows Update to all supported systems.

Is KB890830 a security update?
Yes, KB890830 is a security tool update that enhances Windows' built-in malware protection capabilities. It is part of Microsoft's monthly security update cycle and includes critical detection signatures for newly identified threats in the March 2026 threat landscape.

What are the prerequisites for KB890830?
KB890830 requires Windows 10 version 1909 or later and .NET Framework 4.8. The update is approximately 85 MB in size, requires no system restart, and needs internet connectivity for optimal threat intelligence functionality.

Are there known issues with KB890830?
Known issues include temporary high CPU usage during scans (60-80%), potential false positive detections of legitimate security tools, network connectivity requirements for full functionality, and possible memory allocation issues on Windows Server systems with large amounts of RAM.

About the Author

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
