The Trojan Horse You Already Installed
In March 2024, a lone developer named Andres Freund noticed something odd: SSH connections were taking 500 milliseconds too long. That curiosity uncovered the XZ Utils backdoor — a sophisticated supply chain attack where a threat actor had spent two years building trust as a legitimate open-source contributor, only to inject a backdoor into a compression library used by virtually every Linux distribution. The attacker had effectively removed legitimate code and replaced it with a weaponized version, right under the community's nose.
This isn't a one-off. Attackers have increasingly removed legitimate software components — libraries, plugins, browser extensions, even entire applications — and substituted malicious replacements designed to steal credentials, deploy ransomware, or establish persistent access. And your organization is almost certainly running software that could be targeted this way.
This post breaks down how this attack pattern works, why it's accelerating in 2025, and what specific steps you can take to protect your environment.
What "Removed Legitimate" Actually Means in an Attack
The Core Tactic: Trust Hijacking
When security researchers say an attacker "removed legitimate" code or software, they mean one of several things. The attacker may have replaced a genuine software package in a repository with a trojanized version. They may have taken over a maintainer's account and pushed a malicious update. Or they may have physically or remotely removed legitimate security tools from a compromised endpoint to avoid detection.
In every case, the attacker exploits one thing: trust. Your systems trust the software repository. Your employees trust the browser extension they've used for years. Your security stack trusts the process that's been whitelisted. The threat actor weaponizes that trust.
Three Flavors of This Attack
- Supply chain substitution: Legitimate packages in repositories like PyPI, npm, or NuGet are replaced with malicious versions or shadowed by typosquatted look-alikes. The 2025 Verizon Data Breach Investigations Report noted a significant increase in supply chain interdependencies as a vector, with exploitation of vulnerabilities in third-party software continuing to climb.
- Account takeover of maintainers: Threat actors use credential theft — often via phishing — to gain access to a developer's account and push poisoned updates. This is precisely what happened with the XZ Utils attack.
- Defensive tool removal: After gaining initial access, attackers remove legitimate security software — EDR agents, logging tools, Windows Defender — to operate undetected. The FBI's IC3 2023 Internet Crime Report highlighted ransomware actors routinely disabling security tools as a standard part of their playbook.
Why This Tactic Is Surging in 2025
Three converging trends have made the "removed legitimate" attack pattern more dangerous than ever.
Open-Source Dependency Sprawl
The average enterprise application has hundreds of transitive dependencies. Most development teams couldn't name half of them. When a single maintainer controls a widely used package — and that maintainer gets phished or burns out and hands off control — the blast radius is enormous. I've seen organizations with over 1,200 open-source dependencies in a single microservice. Nobody is auditing all of those.
The Rise of Living-Off-the-Land Attacks
Attackers no longer need to drop custom malware. They remove legitimate tools that would catch them and then use your own system utilities — PowerShell, WMI, PsExec — to move laterally. This is the "living off the land" approach, and it's devastatingly effective because every action looks like normal admin behavior. Security awareness among IT teams is critical to recognizing when legitimate tools disappear from endpoints.
AI-Assisted Social Engineering
Gaining maintainer access or tricking developers into installing compromised packages is easier when threat actors can craft perfect phishing emails at scale. Social engineering in 2025 isn't the clumsy Nigerian prince email. It's a targeted, technically fluent message that references your actual codebase, your actual colleagues, and your actual deployment pipeline.
Real Incidents Where Attackers Removed Legitimate Components
XZ Utils (CVE-2024-3094)
As mentioned, a contributor named "Jia Tan" spent over two years building trust in the XZ Utils project. They gradually removed legitimate test files and replaced them with obfuscated binary blobs that, when compiled, created a backdoor in sshd via systemd. The attack was caught by accident, weeks before it would have shipped in stable releases of Debian and Red Hat. CISA issued an emergency alert urging immediate action.
3CX Supply Chain Compromise (2023)
North Korean threat actors compromised the build environment of 3CX, a VoIP software company with over 600,000 customers. They removed legitimate DLLs from the application package and replaced them with trojanized versions that deployed infostealer malware. The compromised update was digitally signed by 3CX's own certificate, so traditional verification methods offered zero protection.
Ransomware Operators Disabling Defenses
Groups like BlackCat (ALPHV) and LockBit have been documented removing legitimate endpoint protection tools as a standard pre-encryption step. They use tools like GMER or custom kernel drivers to kill EDR processes. In multiple incidents I've worked, the first sign of compromise wasn't an alert — it was the absence of alerts, because the security tools had been silently removed.
How Do Attackers Remove Legitimate Software Without Detection?
This is one of the most common questions I get, and it's worth answering directly for anyone researching this topic.
Attackers remove legitimate software by first escalating privileges — typically to local admin or SYSTEM on Windows, or root on Linux. From there, they use built-in tools to stop and uninstall security services, or they exploit known vulnerabilities in the security software itself. Some ransomware groups deploy vulnerable signed drivers (a technique called Bring Your Own Vulnerable Driver, or BYOVD) to gain kernel-level access and kill endpoint protection from below. The removal often happens in seconds, during off-hours, and the missing telemetry means your SOC sees nothing until it's too late.
Defending Against the "Removed Legitimate" Attack Pattern
1. Adopt a Zero Trust Posture for Software Updates
Zero trust isn't just a network architecture concept. Apply it to your software supply chain. Don't trust a package just because it's in a public repository. Pin dependency versions. Use lock files. Verify checksums against known-good values. Run software composition analysis (SCA) tools that flag unexpected changes in dependencies.
2. Monitor for Security Tool Tampering
If your EDR agent goes silent, that's not a hiccup — it's a five-alarm fire. Implement monitoring that alerts when security agents stop reporting. Many organizations have a gap here: the tool that's supposed to catch threats is itself the thing being removed, and nothing watches the watcher. Use a separate, lightweight heartbeat monitor that flags missing check-ins within minutes.
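A minimal version of that "watch the watcher" check, added here as an illustration rather than code from the original post: it assumes an inventory of expected hosts and a set of heartbeat rows, both constructed inline, and reports agents that have never checked in as well as agents whose last check-in is older than the allowed window.

```python
from datetime import datetime, timedelta

# Constructed sample of agent check-ins (hostname, ISO-8601 UTC timestamp of the
# last heartbeat). In practice these rows would come from the EDR console's API or
# an out-of-band collector; they are embedded here so the example runs offline.
SAMPLE_CHECKINS = [
    ("ws-finance-01", "2025-03-10T09:58:30+00:00"),
    ("ws-finance-02", "2025-03-10T09:59:10+00:00"),
    ("srv-build-01", "2025-03-10T09:41:05+00:00"),   # went quiet about 19 minutes ago
    ("ws-finance-01", "2025-03-10T09:52:00+00:00"),  # older row; must not hide the newer one
]

# Hosts that the asset inventory says should be running the agent (constructed).
EXPECTED_HOSTS = {"ws-finance-01", "ws-finance-02", "srv-build-01", "srv-db-01"}

def latest_checkins(rows):
    """Reduce raw heartbeat rows to the most recent timestamp per host."""
    latest = {}
    for host, ts in rows:
        t = datetime.fromisoformat(ts)
        if host not in latest or t > latest[host]:
            latest[host] = t
    return latest

def find_silent_agents(rows, expected_hosts, now_iso, max_silence_minutes=10):
    """Return {host: reason} for every expected host whose agent is not reporting.

    "never": host is in inventory but has no heartbeat at all.
    "stale": last heartbeat is older than max_silence_minutes.
    The loop is driven by the inventory, not by the agent data, because a removed
    agent generates no events of its own; absence is the only signal.
    """
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(minutes=max_silence_minutes)
    latest = latest_checkins(rows)
    silent = {}
    for host in sorted(expected_hosts):
        if host not in latest:
            silent[host] = "never"
        elif now - latest[host] > limit:
            silent[host] = "stale"
    return silent

if __name__ == "__main__":
    for host, reason in find_silent_agents(SAMPLE_CHECKINS, EXPECTED_HOSTS,
                                           "2025-03-10T10:00:00+00:00").items():
        print(f"ALERT: agent silent on {host} ({reason})")
```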
3. Enforce Multi-Factor Authentication Everywhere
The XZ Utils attack and the 3CX compromise both involved compromised credentials at some stage. Multi-factor authentication on developer accounts, repository access, CI/CD pipelines, and admin consoles is non-negotiable. MFA won't stop every attack, but it dramatically raises the cost for threat actors attempting credential theft.
4. Train Your People — Seriously
Every supply chain attack I've investigated had a human element. Someone approved a pull request without scrutiny. Someone clicked a phishing link. Someone ignored an anomaly. Cybersecurity awareness training gives your team the baseline knowledge to recognize when something is off — whether it's a suspicious package update or a social engineering attempt.
For targeted defense against the phishing campaigns that often precede these attacks, phishing awareness training that includes simulation exercises tests employees in realistic scenarios. I've seen organizations cut their phishing click rate by more than half within 90 days of implementing consistent simulations.
5. Implement Code Signing and Verification Pipelines
Every binary, script, and configuration change that touches production should be signed and verified. This isn't foolproof — the 3CX attack used a legitimate code signing certificate — but it raises the bar significantly. Pair code signing with build provenance tools like SLSA (Supply-chain Levels for Software Artifacts) to verify that what was built matches what was committed.
6. Conduct Regular Integrity Checks
Run file integrity monitoring (FIM) on critical system files, security tools, and application binaries. If a legitimate DLL is removed and replaced, FIM should catch the change. NIST's SP 800-53 Rev. 5 includes specific controls (SI-7) for software and information integrity verification that map directly to this threat.
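One way to implement both the integrity check described here and the known-good checksum verification from step 1, added as an example and not the original post's code: it baselines a constructed fake install directory, simulates a replaced DLL, a deleted agent binary and a dropped file, and reports exactly what changed; the same comparison works on digests recorded in a lock file.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_against_baseline(baseline, current):
    """Classify paths as removed, added or modified relative to the known-good baseline.

    The same comparison verifies pinned dependency checksums: baseline is then the
    digests recorded in the lock file and current the digests of what was fetched.
    """
    return {
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo(workdir=None):
    """Constructed scenario: baseline a fake install directory, then tamper with it."""
    workdir = Path(workdir or tempfile.mkdtemp())
    bin_dir = workdir / "bin"
    bin_dir.mkdir(parents=True, exist_ok=True)
    (bin_dir / "app.exe").write_bytes(b"legitimate application bytes")
    (bin_dir / "media.dll").write_bytes(b"legitimate library bytes")
    (bin_dir / "edr_agent.exe").write_bytes(b"legitimate agent bytes")
    baseline = snapshot(workdir)  # taken while the install is known-good
    # Simulated tampering: library swapped for a different binary, agent deleted, file dropped.
    (bin_dir / "media.dll").write_bytes(b"replacement library bytes")
    (bin_dir / "edr_agent.exe").unlink()
    (bin_dir / "helper.dll").write_bytes(b"unexpected new file")
    return diff_against_baseline(baseline, snapshot(workdir))

if __name__ == "__main__":
    print(demo())
```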
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average data breach cost at $4.88 million — a record high. Supply chain compromises and attacks involving removed legitimate components tend to be far more expensive than average because they persist longer and affect more systems before detection.
I've worked incidents where compromised software ran in production for months. The remediation wasn't just patching a vulnerability. It was rebuilding entire build pipelines, rotating every credential in the environment, and forensically analyzing thousands of endpoints. That's a seven-figure engagement before you even count regulatory fines, customer notification costs, and reputational damage.
Your Practical Checklist for This Week
You don't need to boil the ocean. Start with these specific actions:
- Audit your dependency tree. Pick your three most critical applications and inventory every direct and transitive dependency. Flag any maintained by a single person or dormant projects.
- Test your EDR tamper protection. Verify that your endpoint protection actually resists removal. Simulate the attack in a lab. You might be surprised.
- Enable MFA on every code repository. GitHub, GitLab, Bitbucket — all of them. Enforce it at the organization level, not as an optional setting.
- Run a phishing simulation. Baseline your organization's susceptibility. Use the results to prioritize training, not to punish employees.
- Review CISA's supply chain security guidance. Their recommendations are practical and updated regularly. Incorporate them into your risk management framework.
Trust Is a Vulnerability Now
The fundamental shift in 2025 is this: trust itself has become an attack surface. When threat actors have removed legitimate software and replaced it with weaponized clones — and done so through trusted channels with valid signatures — your traditional perimeter defenses are irrelevant.
The organizations that survive this shift are the ones that verify everything, monitor for absence as much as presence, and invest in the human layer of defense. Technology alone won't save you when the attack comes disguised as a routine update from a trusted source.
Start with awareness. Build from there.