
Medium
APT, Campaign
Privilege Escalation
EDR, Sysmon, Windows
Silver Fox’s ICMLuaUtil UAC Bypass: Abusing Auto-Elevated COM for Stealthy Privilege Escalation
In modern Windows security architecture, User Account Control (UAC) serves as a key defensive layer against unauthorized privilege escalation. Its primary purpose is to limit the impact of malicious code execution by requiring user consent before administrative actions are allowed. Among the numerous UAC bypass techniques documented over the years, one of the more notable methods involves the ICMLuaUtil COM interface, an auto-elevated COM object that can be abused to execute code at a higher integrity level without triggering the consent prompt. This method gained renewed attention when it was observed in campaigns attributed to the Silver Fox Advanced Persistent Threat (APT) group, an actor known for its sophisticated tradecraft and its focus on persistence with minimal detection.
